WO2006137657A1 - Method for intercepting malicious code in computer system and system therefor - Google Patents
Method for intercepting malicious code in computer system and system therefor Download PDFInfo
- Publication number
- WO2006137657A1 WO2006137657A1 PCT/KR2006/002318 KR2006002318W WO2006137657A1 WO 2006137657 A1 WO2006137657 A1 WO 2006137657A1 KR 2006002318 W KR2006002318 W KR 2006002318W WO 2006137657 A1 WO2006137657 A1 WO 2006137657A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- malicious code
- interception
- computer system
- policy
- interception policy
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims abstract description 46
- 229960005486 vaccine Drugs 0.000 claims abstract description 22
- 230000000694 effects Effects 0.000 claims description 24
- 230000009545 invasion Effects 0.000 claims description 11
- 238000004458 analytical method Methods 0.000 claims description 9
- 238000004891 communication Methods 0.000 claims description 8
- 230000008569 process Effects 0.000 claims description 5
- 230000005540 biological transmission Effects 0.000 claims description 2
- 230000003213 activating effect Effects 0.000 claims 1
- 230000004913 activation Effects 0.000 claims 1
- 230000001172 regenerating effect Effects 0.000 claims 1
- 208000015181 infectious disease Diseases 0.000 abstract description 2
- 238000007726 management method Methods 0.000 description 42
- 238000011084 recovery Methods 0.000 description 8
- 230000002159 abnormal effect Effects 0.000 description 3
- 238000010276 construction Methods 0.000 description 2
- 238000011161 development Methods 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 241000700605 Viruses Species 0.000 description 1
- 230000037430 deletion Effects 0.000 description 1
- 238000012217 deletion Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- ZXQYGBMAQZUVMI-GCMPRSNUSA-N gamma-cyhalothrin Chemical compound CC1(C)[C@@H](\C=C(/Cl)C(F)(F)F)[C@H]1C(=O)O[C@H](C#N)C1=CC=CC(OC=2C=CC=CC=2)=C1 ZXQYGBMAQZUVMI-GCMPRSNUSA-N 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 230000001788 irregular Effects 0.000 description 1
- 238000010223 real-time analysis Methods 0.000 description 1
- 230000004044 response Effects 0.000 description 1
- 230000001502 supplementing effect Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/568—Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/445—Program loading or initiating
Definitions
- the present invention relates to a computer system for intercepting a malicious code. More particularly, the present invention relates to a method for intercepting a malicious code which might propagate into computers through a network to damage the computer system, thereby minimizing the damage, and a system therefor.
- malware code generally refers to a program code that is intentionally created in order to do damage to the computer system.
- the malicious code includes a virus, a worm, a Trojan horse, a hacking program, and so on.
- an object of the present invention is to provide a method for intercepting a malicious code in order to protect a computer system from the invasion of the malicious code in real-time.
- Another object of the present invention is to provide a method for intercepting a malicious code in order to quarantine the operation of the malicious code within the computer network system.
- Still another object of the present invention is to provide an apparatus for intercepting the invasion and the operation of the malicious code in accordance with a policy for intercepting the malicious code.
- Still another object of the present invention is to provide a system for intercepting the malicious code, which creates an effective policy, for intercepting the malicious code, to be transmitted and applied to the computer system in real-time.
- a malicious code interception method comprising the steps of: [18] detecting a malicious code distributed through a network,
- a malicious code interception apparatus including: [24] a malicious code detector for classifying a program as a malicious code if the program that enters a computer system through a network has a bad effect on the computer system, [25] a policy management unit for managing an interception policy received from an external terminal or a server,
- an interception/preemption occupancy execution unit for intercepting the malicious codes according to the interception policy
- a log file management unit for generating an interception history, for analyzing an activity pattern of the malicious code in real-time and for recording the interception history of the malicious code in accordance with the interception policy, and
- a communication unit for transmitting the log file of the cure measure of the malicious code to the external terminal or the server providing the interception policy, and for receiving the interception policy from the external terminal or the server.
- a malicious code interception system including:
- an interception policy management apparatus for generating an interception policy to intercept the malicious code by means of the analysis of a method and a activity pattern of the malicious code that invades a computer system through a network, and for transmitting the interception policy to the computer system, and
- a computer system connected to the interception policy management apparatus through the network, for informing the interception policy management apparatus of the fact that the malicious code has been detected, intercepting the malicious code according to the interception policy received from the interception policy management apparatus, generating an intercepted history as a log file, and uploading the interception history on the interception policy management apparatus.
- the present invention is advantageous in that it can minimize damage on a computer system exposed to a malicious code, and an infection period.
- apparatus, and system for intercepting the malicious codes are advantageous in that they can minimize the amount of damage to a computer system that is exposed to the malicious code when a vaccine program has not yet been generated, because the interception policy is generated and applied at the very moment when a particular activity pattern of the malicious code spread through a network is detected.
- the present invention for protecting even from the invasion of the malicious code is advantageous in that it can significantly reduce the recovery cost that must be inevitably paid when treatment is impossible with any vaccine.
- a manager can select an interception policy needed for a system and can apply the selected interception policy.
- a malicious code can be precluded rapidly even in a system to which a vaccine program against the malicious code is not applied due to limited system resources. Accordingly, damage by variation can be minimized.
- e-mail including warning sentences is written and is then sent to a recipient with an original e-mail being attached thereto, unlike the related art method in which e-mail that has been infected with malicious codes or e- mail that is considered as a malicious code is deleted, or a portion of an original e-mail is changed. Therefore, the present invention is advantageous in that it can preclude malicious codes through e-mail while minimizing inconvenience incurred by complete interception of the original e-mail.
- FIG. 1 is a view illustrating the construction of a system for intercepting malicious codes according to an embodiment of the present invention
- FIG. 2 is an internal block diagram of a malicious code interception apparatus according to another embodiment of the present invention.
- FIG. 3 is a flowchart illustrating a malicious code interception method according to still another embodiment of the present invention.
- FIG. 1 is a view illustrating the construction of a system for intercepting malicious codes according to an embodiment of the present invention.
- the system for intercepting malicious codes includes an interception policy management apparatus 100, a computer system 200, a network 300, and a plurality of computer systems 400.
- the interception policy management apparatus 100 first generates and distributes an interception policy only using a minimum activity pattern set by a manager as soon as only one or twoactivity characteristics of the malicious codes are extracted.
- the interception policy management apparatus 100 also consistently finds the activity patterns or characteristics of the malicious codes, and reinforces the interception policy.
- the computer system 200 intercepts malicious codes by applying the in- terception policy in such a way to be suitable for characteristics of each system.
- the network 300 performs consistent information exchange between the interception policy management apparatus 100 and the computer system 200.
- the computer system 400 is connected to the computer system 200 via a network.
- the interception policy management apparatus 100 is a server computer for generating an interception policy by analyzing a path and a method in which malicious codes detected on the network invade a computer system, and a pattern in which the malicious codes that have invaded the computer system is active.
- the interception policy management apparatus 100 comprises a malicious code analyzing unit 110, an interception policy generating unit 120, an interception policy update unit 130 and a communication unit 140.
- the malicious codes analyzing unit 110 analyzes a pattern in which malicious codes are active can be known by extracting an IP used to gain access to a system by the malicious codes, a port number, a network protocol method, a network protocol, a name or a file nameof a program related to the malicious codes, the title of e-mail, the contents of e-mail, a file attached to an e-mail, a folder used by malicious codes, registr y, Mutex, semaphores, event information generated by malicious codes, and/or the like.
- the interception policy generating unit 120 of the interception policy management apparatus 100 If one or more of an invasion path, an invasion method of malicious codes, and an activity pattern of the malicious codes are detected, the interception policy generating unit 120 of the interception policy management apparatus 100 generates an interception policy based on the detected information. At this time, the interception policy management apparatus 100 generates an interception policy including the information about the name and version of an expected vaccine program for the malicious codes.
- the interception policy update unit 130 of the interception policy management apparatus 100 updates an interception policy by periodically complementing or deleting the interception policy in real-time whenever information about malicious codes is updated.
- the interception policy management apparatus 100 transmits a generated interception policy via the communication unit 140 to the computer system 200 from which malicious codes will be precluded. Furthermore, the interception policy management apparatus 100 distributes an interception policy to the computer system 200 via the communication unit 140 whenever the interception policy is upgraded. If a vaccine program corresponding to a malicious code is generated, the interception policy management apparatus 100 deletes an existing interception policy, downloads the vaccine program or patches an existing interception policy, thereby supplementing vulnerable parts. If the activity of a malicious code epidemic is stopped, the in- terception policy management apparatus 100 deletes an interception policy according to the malicious code so that the interception of the malicious code is stopped.
- the computer system 200 of the present invention precludes the malicious code effectively in such a way to be suitable for characteristics of each system.
- the computer system 200 is connected to the interception policy management apparatus 100 via the network 300 and exchanges data with the interception policy management apparatus 100.
- the computer system 200 is connected to the plural numbers of computer systems 400 via the network 300, and the interception policy can be distributed if the plural numbers of computer systems 400 request the interception policy.
- the computer system 200 includes a detector 210, an interception policy selection unit 230, an execution unit 250, a backup/recovery unit 260, a log file management unit 270, and a transmission unit 280.
- the detector 210 detects the malicious code which intrudes into the system.
- the interception policy selection unit 230 selects only an interception policy suitable for its own systemfrom interception policies received from the interception policy management apparatus 100.
- the execution unit 250 proceeds with the execution for intercepting the malicious code according to the interception policy. That is, the execution unit 250 must intercept only a malicious code in order to minimize variation in resources of the computer system 200 so that the computer system 200 is normally operated.
- the backup/recovery unit 260 serves to restore information about a specific file, a registry, and/or the like when the information about the specific file, the registry, and/ or the like is deleted due to unnecessary interception while the execution unit 250 intercepts malicious codes.
- the backup/recovery unit 260 backups the files and the registry that look suspiciously like the malicious code before the files and the registry are deleted, and recovers the files and the registry after they are once deleted if a manager chooses to do that.
- the log file management unit 270 generates a log file of the interception policy that was applied to the malicious code depending on its method, path, or activity pattern in which it invaded and was active in the computer system 200.
- the log file management unit 270 also manages the log files that contain a number of interception modules for performing the interception policy and collects real-time analysis of the results of the intercepting malicious codes.
- FIG. 2 is an internal block diagram of a malicious code interception apparatus according to another embodiment of the present invention.
- the malicious code interception apparatus 500 may be a computer such as a laptop computer, or a specific server connected to a number of terminals, which can be connected to the network 300.
- the malicious code interception apparatus 500 executes interception against detected malicious codes.
- the malicious code interception apparatus 500 is a unified system of a portion of the interception policy management apparatus 100 and the computer system 200 shown in Fig. 1 for one computer system to execute interception policy except that the apparatus 100 generates interception policy.
- the malicious code interception apparatus 500 may further include a malicious code detector 510, a malicious code analysis unit 520, a policy management unit 530, an interception/preemption execution unit 540, a display unit 550, a backup/recovery unit 560, a log file management unit 570, and a communication unit 580.
- the malicious code detector 510 classifies a program as a malicious code if the program that enters the malicious code interception apparatus 500 (i.e., the computer system) through the network has a bad effect on the computer system.
- the malicious code analysis unit 520 analyzes a method in which the malicious code detected in the malicious code detector 510 invades the computer system, an invasion path, a pattern in which the malicious code is active within the computer system, and so on. Furthermore, if a log file is received from the log file management module 570, the malicious code analysis unit 520 determines whether there exists a new activity pattern of the malicious code by analyzing the log file.
- the policy management unit 530 receives an interception policy corresponding to the malicious code from an external terminal or a server and manages the received interception policy, or updates the interception policy such as modification and deletion of the policy.
- the interception/preemption execution unit 540 which corresponds to the execution unit 250 of the computer system 200 shown in Fig. 1, includes at least one of a network interception module 541, an e-mail interception module 543, a file/folder interception module 545, a registry interception module 547, and a resource preemption module 549.
- the network interception module 541 precludes the computer system from gaining access to the network by precluding an access port number, an IP address on the network, a protocol represented by TCP/UDP, and so on, according to the interception policy, and transmits the result to the log file management module 570.
- the e-mail interception module 543 is a mail server that transmits e-mail according to the interception policy.
- the e-mail interception module 543 requests the e-mail to be first transmitted to the e-mail interception module 543 before being transmitted to a computer system of a recipient. If a malicious code is found by analyzing information about an intercepted e-mail, the e-mail interception module 543 generates a warning e- mail, as a file that cannot be executed, and transmits the e-mail to the computer system of the recipient with the warning e-mail being attached thereto.
- the file/folder interception module 545 precludes a program, a process or a file, which tries to gain access to a specific file or folder defined in the interception policy or to generate or modify a specific file or folder, from gaining access to the specific file or folder.
- the file/folder interception module 545 also releases the sharing of a specific folder, deletes a program, a process or a file itself, which is classified as malicious code, thus precluding the malicious codes, and then transmits the results to the log file management module 570.
- the registry interception module 547 precludes malicious codes, which try to gain access to a registry defined in the interception policy or to generate or modify a registry, from gaining access to the registry, or precludes the malicious codes from generating or modifying the registry. Furthermore, the registry interception module 547 precludes the activity of the malicious codes by directly precluding the registry and transmits a series of interception results to the log file management module 570.
- the resource preemption module 549 precludes malicious codes from being active within the system, by preempting necessary resources that are required for the malicious codes to be active within the system. If the interception policy is provided to the computer system, the resource preemption module 549 preempts resources used by malicious codes such as Mutex, an event, semaphores and a specific registry in order to preclude the malicious codes from being normally active. For example, the resource preemptionmodule 549 uses the resources previously so that the malicious codes determine that they are already active within the computer system. Accordingly, the activity of the malicious codes within the computer system is hindered.
- the display unit 550 displays for the users the information about a particular malicious code either that has already invaded or that is quarantined after the invasion.
- the backup/recovery module 560 restores the lost files or registry information in case they were deleted by the unnecessary intercepting of the interception/preemption execution unit 540.
- Backup/recovery module 560 can also have the file and the registry information saved even before the information of a particular file or registry is deleted.
- the log file management module 570 records the history of all the results of the interceptions of the malicious codes invading the computer system by the interception policy, and creates real-time log file of the record for analyzing the activity patterns of the malicious code.
- the communication unit 580 transmits the log file providing the interception policy to an external terminal or a server, or receives the interception policy from the external terminal or the server.
- Each component of the malicious code interception apparatus 500 is combined as one device, but it does not have to be physically one.
- the interception/ preemption execution unit 540 and the policy management unit 530 can interact via data transmitting device.
- FIG. 3 is a flowchart illustrating a malicious code interception method according to an embodiment of the present invention. If a malicious code is generated and distributed and an abnormal operation or irregular status by the malicious code is found in the computer system 200, it is determined that the abnormal patterns showing a constant activity is caused by a malicious code. If it is determined that the abnormal patterns arecaused by a malicious code, the malicious code is analyzed in reviewing a variety of factors such as a method or entry path in which the malicious code enters the computer system, the name of process in which the malicious code will be active, e- mail information, files and folders used, Mutex used and an event (S300). An interception policy including information about a subject to be precluded, a precluding method, information about a vaccine program corresponding to the malicious code, and so on is generated based on the analysis result of the step (S300), and then it is registered (S310).
- the generated interception policy is transmitted to a terminal from which the malicious code must be precluded (i.e., a computer system such as a desktop computer or a laptop computer) (S320).
- a terminal from which the malicious code must be precluded i.e., a computer system such as a desktop computer or a laptop computer
- the interception policy is upgraded in real-time.
- the computer system 200 gains access to the interception policy management server 100 that manages after generating the interception policy pe riodically or in real-time in order to download the upgraded interception policy from the interception policy management server 100.
- the computer system 200 selects an interception policy, which will be applied to the system, from the received interception policies. Even when the computer system 200 gains access to the interception policy management server 100 in order to download an upgraded interception policy, the computer system 200 can download only the selected interception policy (S330).
- the computer system 200 prevents the invasion of the malicious code or precludes the activity of the malicious code by employing the interception policy (S340).
- the computer system 200 generates a log file by policing the selected interception policy, an interception activity by the interception policy, the activity pattern of the malicious code, and so on, and uploads the generated log file onto the interception policy management server 100 (S350).
- the interception policy management server 100 analyzes the log file, upgrades the interception policy based on the analysis result, and transmits the upgraded interception policy to the computer system 200 (S360).
- the range and accuracy of the interception policy become higher while the contents of the interception policy are added and supplemented from the log file.
- the interception policy is consistently upgraded until a vaccine program corresponding to the malicious code is generated and distributed or it is determined that the activity of the malicious code has disappeared. Therefore, if the generated vaccine program is downloaded, the computer system 200 may stop the use of the interception policy or delete the interception policy itself (S370, S380).
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Virology (AREA)
- General Health & Medical Sciences (AREA)
- Quality & Reliability (AREA)
- Computer And Data Communications (AREA)
- Information Transfer Between Computers (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A method for intercepting a malicious code in a computer system and a system therefor are herein disclosed. According to an aspect of the present invention, the malicious code interception method includes the steps of detecting a malicious code distributed through a network and analyzing the detected malicious code, generating an interception policy for intercepting the malicious code based on the analyzed result, transmitting the interception policy to a computer system through the network, and replacing the interception policy with the vaccine program in the case where a vaccine program for the malicious code is generated. Therefore, the present invention is advantageous in that it can minimize the damage on a computer system exposed to a malicious code, and an infection period of the malicious code.
Description
Description
METHOD FOR INTERCEPTING MALICIOUS CODE IN COMPUTER SYSTEM AND SYSTEM THEREFOR
Technical Field
[1] The present invention relates to a computer system for intercepting a malicious code. More particularly, the present invention relates to a method for intercepting a malicious code which might propagate into computers through a network to damage the computer system, thereby minimizing the damage, and a system therefor.
[2]
Background Art
[3] The term "malicious code" generally refers to a program code that is intentionally created in order to do damage to the computer system. The malicious code includes a virus, a worm, a Trojan horse, a hacking program, and so on.
[4] If a system is infected with a malicious code, the malicious code breaks or distorts a variety of resources within the system, thereby doing damage to the system. Accordingly, many cure-oriented vaccine programs for recovering the system infected with a malicious code have been developed.
[5] However, a certain period of time is consumed until a cure method and recovery- oriented vaccine program of the system infected with a new malicious code is developed. In other words, it takes time for a cure method to have been developed since a malicious code was found and the damage was reported.
[6] Malicious codes are created, distributed, and do damage to a system in shorter period of time due to widespread use of the Internet and the improvement of network technology nowadays. Therefore, even while vaccine programs are developed and distributed, a lot of systems are already infected with the malicious codes. The malicious codes are transferred to other systems, leading to a significant amount of damage.
[7] Furthermore, in the case of vaccines, the amount of system resources for recovery processes of damaged systems are increased and information about scores of thousands of malicious codes is consistently maintained. Accordingly, several systems left without the help of vaccines due to lack of resources and difficulties in management.
[8] There have been urgent needs for creating a solution to minimize damages occurring in the described series of processes above since the appearance of a malicious code until the development, distribution, and application of a new vaccine program.
[9] In response to the current problems, a new method, apparatus, and system has been
invented either to intercept the invasion of malicious codes or to prohibit the activity of the malicious codes within the system for minimizing damages to a computer system by the malicious codes from the time of the discovery of the malicious codes to the time of the full development of vaccine programs. [10]
Disclosure of Invention
Technical Problem [11] Therefore, an object of the present invention is to provide a method for intercepting a malicious code in order to protect a computer system from the invasion of the malicious code in real-time. [12] Another object of the present invention is to provide a method for intercepting a malicious code in order to quarantine the operation of the malicious code within the computer network system.
[13] Still another object of the present invention is to provide an apparatus for intercepting the invasion and the operation of the malicious code in accordance with a policy for intercepting the malicious code. [14] Still another object of the present invention is to provide a system for intercepting the malicious code, which creates an effective policy, for intercepting the malicious code, to be transmitted and applied to the computer system in real-time. [15] Other objects and advantages of this invention will be apparent from the ensuing disclosure and appended claims. [16]
Technical Solution [17] To achieve the above objects, according to a first aspect of the present invention, there is provided a malicious code interception method comprising the steps of: [18] detecting a malicious code distributed through a network,
[19] analyzing the malicious code for an interception policy,
[20] generating the interception policy for intercepting the malicious code based on the analyzed result,
[21] transmitting the interception policy to a computer system through the network, and
[22] replacing the interception policy with the vaccine program in the case where a vaccine program for the malicious code is generated. [23] Furthermore, according to a second aspect of the present invention, there is provided a malicious code interception apparatus including: [24] a malicious code detector for classifying a program as a malicious code if the program that enters a computer system through a network has a bad effect on the computer system,
[25] a policy management unit for managing an interception policy received from an external terminal or a server,
[26] an interception/preemption occupancy execution unit for intercepting the malicious codes according to the interception policy,
[27] a log file management unit for generating an interception history, for analyzing an activity pattern of the malicious code in real-time and for recording the interception history of the malicious code in accordance with the interception policy, and
[28] a communication unit for transmitting the log file of the cure measure of the malicious code to the external terminal or the server providing the interception policy, and for receiving the interception policy from the external terminal or the server.
[29] In a third aspect of the present invention, there is provided a malicious code interception system including:
[30] an interception policy management apparatus for generating an interception policy to intercept the malicious code by means of the analysis of a method and a activity pattern of the malicious code that invades a computer system through a network, and for transmitting the interception policy to the computer system, and
[31] a computer system connected to the interception policy management apparatus through the network, for informing the interception policy management apparatus of the fact that the malicious code has been detected, intercepting the malicious code according to the interception policy received from the interception policy management apparatus, generating an intercepted history as a log file, and uploading the interception history on the interception policy management apparatus.
[32] Therefore, the present invention is advantageous in that it can minimize damage on a computer system exposed to a malicious code, and an infection period.
[33] As ascribed above, according to the present method, apparatus, and system for intercepting the malicious codes are advantageous in that they can minimize the amount of damage to a computer system that is exposed to the malicious code when a vaccine program has not yet been generated, because the interception policy is generated and applied at the very moment when a particular activity pattern of the malicious code spread through a network is detected.
[34] Furthermore, the present invention for protecting even from the invasion of the malicious code is advantageous in that it can significantly reduce the recovery cost that must be inevitably paid when treatment is impossible with any vaccine.
[35] In addition, since a subject to be precluded is focused on a malicious code and the activity of the malicious code, computer system resources may be less distorted or changed. It is therefore possible to minimize damage incurred by variation in the system resources.
[36] Furthermore, a manager can select an interception policy needed for a system and
can apply the selected interception policy. In addition, a malicious code can be precluded rapidly even in a system to which a vaccine program against the malicious code is not applied due to limited system resources. Accordingly, damage by variation can be minimized.
[37] Additionally, in the present invention, e-mail including warning sentences is written and is then sent to a recipient with an original e-mail being attached thereto, unlike the related art method in which e-mail that has been infected with malicious codes or e- mail that is considered as a malicious code is deleted, or a portion of an original e-mail is changed. Therefore, the present invention is advantageous in that it can preclude malicious codes through e-mail while minimizing inconvenience incurred by complete interception of the original e-mail.
[38]
Brief Description of the Drawings
[39] Further objects and advantages of the invention can be more fully understood from the following detailed description taken in conjunction with the accompanying drawings in which:
[40] FIG. 1 is a view illustrating the construction of a system for intercepting malicious codes according to an embodiment of the present invention;
[41] FIG. 2 is an internal block diagram of a malicious code interception apparatus according to another embodiment of the present invention; and
[42] FIG. 3 is a flowchart illustrating a malicious code interception method according to still another embodiment of the present invention.
[43]
Best Mode for Carrying Out the Invention
[44] The present invention will now be described in detail in connection with preferred embodiments with reference to the accompanying drawings.
[45] FIG. 1 is a view illustrating the construction of a system for intercepting malicious codes according to an embodiment of the present invention.
[46] As shown inFIG. 1, the system for intercepting malicious codes includes an interception policy management apparatus 100, a computer system 200, a network 300, and a plurality of computer systems 400.
[47] The interception policy management apparatus 100 first generates and distributes an interception policy only using a minimum activity pattern set by a manager as soon as only one or twoactivity characteristics of the malicious codes are extracted. The interception policy management apparatus 100 also consistently finds the activity patterns or characteristics of the malicious codes, and reinforces the interception policy. The computer system 200 intercepts malicious codes by applying the in-
terception policy in such a way to be suitable for characteristics of each system. The network 300 performs consistent information exchange between the interception policy management apparatus 100 and the computer system 200. The computer system 400 is connected to the computer system 200 via a network. Furthermore, the interception policy management apparatus 100 is a server computer for generating an interception policy by analyzing a path and a method in which malicious codes detected on the network invade a computer system, and a pattern in which the malicious codes that have invaded the computer system is active.
[48] The interception policy management apparatus 100 comprisesa malicious code analyzing unit 110, an interception policy generating unit 120, an interception policy update unit 130 and a communication unit 140.
[49] The malicious codes analyzing unit 110 analyzes a pattern in which malicious codes are active can be known by extracting an IP used to gain access to a system by the malicious codes, a port number, a network protocol method, a network protocol, a name or a file nameof a program related to the malicious codes, the title of e-mail, the contents of e-mail, a file attached to an e-mail, a folder used by malicious codes, registr y, Mutex, semaphores, event information generated by malicious codes, and/or the like.
[50] If one or more of an invasion path, an invasion method of malicious codes, and an activity pattern of the malicious codes are detected, the interception policy generating unit 120 of the interception policy management apparatus 100 generates an interception policy based on the detected information. At this time, the interception policy management apparatus 100 generates an interception policy including the information about the name and version of an expected vaccine program for the malicious codes.
[51] The interception policy update unit 130 of the interception policy management apparatus 100 updates an interception policy by periodically complementing or deleting the interception policy in real-time whenever information about malicious codes is updated.
[52] The interception policy management apparatus 100 transmits a generated interception policy via the communication unit 140 to the computer system 200 from which malicious codes will be precluded. Furthermore, the interception policy management apparatus 100 distributes an interception policy to the computer system 200 via the communication unit 140 whenever the interception policy is upgraded. If a vaccine program corresponding to a malicious code is generated, the interception policy management apparatus 100 deletes an existing interception policy, downloads the vaccine program or patches an existing interception policy, thereby supplementing vulnerable parts. If the activity of a malicious code epidemic is stopped, the in-
terception policy management apparatus 100 deletes an interception policy according to the malicious code so that the interception of the malicious code is stopped.
[53] The computer system 200 of the present invention precludes the malicious code effectively in such a way to be suitable for characteristics of each system. The computer system 200 is connected to the interception policy management apparatus 100 via the network 300 and exchanges data with the interception policy management apparatus 100. The computer system 200 is connected to the plural numbers of computer systems 400 via the network 300, and the interception policy can be distributed if the plural numbers of computer systems 400 request the interception policy.
[54] The computer system 200 includes a detector 210, an interception policy selection unit 230, an execution unit 250, a backup/recovery unit 260, a log file management unit 270, and a transmission unit 280.
[55] The detector 210 detects the malicious code which intrudes into the system. The interception policy selection unit 230 selects only an interception policy suitable for its own systemfrom interception policies received from the interception policy management apparatus 100.
[56] The execution unit 250 proceeds with the execution for intercepting the malicious code according to the interception policy. That is, the execution unit 250 must intercept only a malicious code in order to minimize variation in resources of the computer system 200 so that the computer system 200 is normally operated.
[57] The backup/recovery unit 260 serves to restore information about a specific file, a registry, and/or the like when the information about the specific file, the registry, and/ or the like is deleted due to unnecessary interception while the execution unit 250 intercepts malicious codes. In addition, the backup/recovery unit 260 backups the files and the registry that look suspiciously like the malicious code before the files and the registry are deleted, and recovers the files and the registry after they are once deleted if a manager chooses to do that.
[58] The log file management unit 270 generates a log file of the interception policy that was applied to the malicious code depending on its method, path, or activity pattern in which it invaded and was active in the computer system 200. The log file management unit 270 also manages the log files that contain a number of interception modules for performing the interception policy and collects real-time analysis of the results of the intercepting malicious codes.
[59] FIG. 2 is an internal block diagram of a malicious code interception apparatus according to another embodiment of the present invention. In FIG. 2, the malicious code interception apparatus 500 may be a computer such as a laptop computer, or a specific server connected to a number of terminals, which can be connected to the
network 300. The malicious code interception apparatus 500 executes interception against detected malicious codes. The malicious code interception apparatus 500 is a unified system of a portion of the interception policy management apparatus 100 and the computer system 200 shown in Fig. 1 for one computer system to execute interception policy except that the apparatus 100 generates interception policy.
[60] The malicious code interception apparatus 500 may further include a malicious code detector 510, a malicious code analysis unit 520, a policy management unit 530, an interception/preemption execution unit 540, a display unit 550, a backup/recovery unit 560, a log file management unit 570, and a communication unit 580.
[61] The malicious code detector 510 classifies a program as a malicious code if the program that enters the malicious code interception apparatus 500 (i.e., the computer system) through the network has a bad effect on the computer system.
[62] The malicious code analysis unit 520 analyzes a method in which the malicious code detected in the malicious code detector 510 invades the computer system, an invasion path, a pattern in which the malicious code is active within the computer system, and so on. Furthermore, if a log file is received from the log file management module 570, the malicious code analysis unit 520 determines whether there exists a new activity pattern of the malicious code by analyzing the log file.
[63] The policy management unit 530 receives an interception policy corresponding to the malicious code from an external terminal or a server and manages the received interception policy, or updates the interception policy such as modification and deletion of the policy.
[64] The interception/preemption execution unit 540, which corresponds to the execution unit 250 of the computer system 200 shown in Fig. 1, includes at least one of a network interception module 541, an e-mail interception module 543, a file/folder interception module 545, a registry interception module 547, and a resource preemption module 549.
[65] If an event set in the interception policy is generated due to a program entering the computer system (i.e., the malicious code interception apparatus 500) through the network, the network interception module 541 precludes the computer system from gaining access to the network by precluding an access port number, an IP address on the network, a protocol represented by TCP/UDP, and so on, according to the interception policy, and transmits the result to the log file management module 570.
[66] The e-mail interception module 543 is a mail server that transmits e-mail according to the interception policy. The e-mail interception module 543 requests the e-mail to be first transmitted to the e-mail interception module 543 before being transmitted to a computer system of a recipient. If a malicious code is found by analyzing information about an intercepted e-mail, the e-mail interception module 543 generates a warning e-
mail, as a file that cannot be executed, and transmits the e-mail to the computer system of the recipient with the warning e-mail being attached thereto.
[67] The file/folder interception module 545 precludes a program, a process or a file, which tries to gain access to a specific file or folder defined in the interception policy or to generate or modify a specific file or folder, from gaining access to the specific file or folder. The file/folder interception module 545 also releases the sharing of a specific folder, deletes a program, a process or a file itself, which is classified as malicious code, thus precluding the malicious codes, and then transmits the results to the log file management module 570.
[68] The registry interception module 547 precludes malicious codes, which try to gain access to a registry defined in the interception policy or to generate or modify a registry, from gaining access to the registry, or precludes the malicious codes from generating or modifying the registry. Furthermore, the registry interception module 547 precludes the activity of the malicious codes by directly precluding the registry and transmits a series of interception results to the log file management module 570.
[69] The resource preemption module 549 precludes malicious codes from being active within the system, by preempting necessary resources that are required for the malicious codes to be active within the system. If the interception policy is provided to the computer system, the resource preemption module 549 preempts resources used by malicious codes such as Mutex, an event, semaphores and a specific registry in order to preclude the malicious codes from being normally active. For example, the resource preemptionmodule 549 uses the resources previously so that the malicious codes determine that they are already active within the computer system. Accordingly, the activity of the malicious codes within the computer system is hindered.
[70] The display unit 550 displays for the users the information about a particular malicious code either that has already invaded or that is quarantined after the invasion.
[71] The backup/recovery module 560 restores the lost files or registry information in case they were deleted by the unnecessary intercepting of the interception/preemption execution unit 540. Backup/recovery module 560 can also have the file and the registry information saved even before the information of a particular file or registry is deleted.
[72] The log file management module 570 records the history of all the results of the interceptions of the malicious codes invading the computer system by the interception policy, and creates real-time log file of the record for analyzing the activity patterns of the malicious code.
[73] The communication unit 580 transmits the log file providing the interception policy to an external terminal or a server, or receives the interception policy from the external terminal or the server.
[74] Each component of the malicious code interception apparatus 500 is combined as
one device, but it does not have to be physically one. For example, the interception/ preemption execution unit 540 and the policy management unit 530, as a separately combined entity from the others, can interact via data transmitting device.
[75] The operation of the system constructed above according to the present invention will be described below.
[76] FIG. 3 is a flowchart illustrating a malicious code interception method according to an embodiment of the present invention. If a malicious code is generated and distributed and an abnormal operation or irregular status by the malicious code is found in the computer system 200, it is determined that the abnormal patterns showing a constant activity is caused by a malicious code. If it is determined that the abnormal patterns arecaused by a malicious code, the malicious code is analyzed in reviewing a variety of factors such as a method or entry path in which the malicious code enters the computer system, the name of process in which the malicious code will be active, e- mail information, files and folders used, Mutex used and an event (S300). An interception policy including information about a subject to be precluded, a precluding method, information about a vaccine program corresponding to the malicious code, and so on is generated based on the analysis result of the step (S300), and then it is registered (S310).
[77] The generated interception policy is transmitted to a terminal from which the malicious code must be precluded (i.e., a computer system such as a desktop computer or a laptop computer) (S320).
[78] If the analysis result of the step (S300) is upgraded, the interception policy is upgraded in real-time. The computer system 200 gains access to the interception policy management server 100 that manages after generating the interception policy pe riodically or in real-time in order to download the upgraded interception policy from the interception policy management server 100.
[79] The computer system 200 selects an interception policy, which will be applied to the system, from the received interception policies. Even when the computer system 200 gains access to the interception policy management server 100 in order to download an upgraded interception policy, the computer system 200 can download only the selected interception policy (S330). The computer system 200 prevents the invasion of the malicious code or precludes the activity of the malicious code by employing the interception policy (S340). Furthermore, the computer system 200 generates a log file by policing the selected interception policy, an interception activity by the interception policy, the activity pattern of the malicious code, and so on, and uploads the generated log file onto the interception policy management server 100 (S350).
[80] The interception policy management server 100 analyzes the log file, upgrades the
interception policy based on the analysis result, and transmits the upgraded interception policy to the computer system 200 (S360). The range and accuracy of the interception policy become higher while the contents of the interception policy are added and supplemented from the log file. The interception policy is consistently upgraded until a vaccine program corresponding to the malicious code is generated and distributed or it is determined that the activity of the malicious code has disappeared. Therefore, if the generated vaccine program is downloaded, the computer system 200 may stop the use of the interception policy or delete the interception policy itself (S370, S380).
[81] The present invention can be easily carried out by an ordinary skilled person in the art. Many modifications and changes may be deemed to be with the scope of the present invention as defined in the following claims.
[82]
[83]
Claims
[1] A method for intercepting a malicious code comprising the steps of: detecting the malicious code distributed through a network; analyzing the malicious code for an interception policy; generating the interception policy for intercepting the malicious code based on the analyzed result; transmitting the interception policy to a computer system through the network; and replacing the interception policy with a vaccine program in case the vaccine program for the malicious code is generated.
[2] The method as defined in claim 1, wherein the step of said analyzing the malicious code further comprises analyzing a method in which the malicious code invades the computer system or a pattern in which the malicious code is active within the computer system.
[3] The method as defined in claim 2, wherein the pattern includes at least one of IPs used to gain access to the system by the malicious codes, a port number, a network protocol method, a network protocol, a folder or a file name of a program related to the malicious codes, a title of e-mail, a name of process for activating the malicious code, registry, Mutex, semaphores, and event information generated by the malicious code.
[4] The method as defined in claim 2 or 3, wherein the interception policy generated comprises: a first policy for preventing the malicious from invasion in accordance with the method in which the malicious code invades the computer system; and a second policy for intercepting the activation pattern of the malicious code in which the malicious code is active within the computer system.
[5] The method as defined in claim 4, wherein the generated interception policy further comprises a third policy for deleting the malicious code invaded in the computer system.
[6] The method as defined in claim 4, wherein the step of generating the interception policy further comprises the step of: regenerating the interception policy which includes another analysis result generated in the analyzing step; wherein the regenerated interception policy is transferred to the computer system or an external terminal via the network.
[7] The method as defined in claim 1, further comprising the steps of: selecting the interception policy suitable for the computer system after receiving
the interception policy related to the malicious code to be intercepted; intercepting the malicious code or precluding the malicious code from being active within the system by preempting necessary resources that are required for the malicious codes to be active within the system in case an event set according to the selected interception policy; and generating and restoring an intercepted history in accordance with the selected interception policy as a log file.
[8] The method as defined in claim 7, further comprising the steps of: uploading the generated log file periodically via the network from the computer system; and modifying or deleting the interception policy by comparing the log file with the analysis result of the malicious code.
[9] The method as defined in claim 7 or 8, wherein the intercepting step further comprises the step of precluding the computer system to gain access to the network, if an event set in the malicious code in accordance with the interception policy.
[10] The method as defined in claim 9, further comprising the steps of: generating a warning e-mail if the malicious code is found by analyzing information about an intercepted e-mail transmitted via the network; and generating the warning e-mail as a file that cannot be executed and transmitting the warning e-mail to the computer system of the recipient with the warning mail being attached thereto.
[11] The method as defined in claim 10, further comprising the step selected from the group consisting of: precluding the malicious code from accessing to a specific file or folder; releasing the sharing of a specific file or folder; and deleting a specific file or folder.
[12] The method as defined in claim 10, further comprising at least one or more steps selected group consisting of: precluding the malicious codes to gain access to a registry defined in the interception policy; precluding the malicious codes from generating or modifying the registry; and deleting the registry.
[13] The method as defined in claim 7 or 8, wherein the preempting necessary resources is conducted by the computer system preempting in accordance with the interception policy at least one of resources selected from the group consisting of Mutex, an event, a semaphore, and a specific registry.
[14] A malicious code interception apparatus comprising:
a malicious code detector for classifying a program as a malicious code if the program that enters a computer system through a network has a bad effect on the computer system; a policy management unit for managing an interception policy received from an external terminal or a server; an interception/preemption execution unit for intercepting the malicious codes according to the interception policy; a log file management unit for generating an interception history for analyzing an activity pattern of the malicious code in real-time and recording the interception history of the malicious code in accordance with the interception policy; and a communication unit for transmitting the log file of the malicious code to the external terminal or the server providing the interception policy, and for receiving the interception policy from the external terminal or the server.
[15] The apparatus as defined in claim 14, wherein the interception/preemption execution unit comprises at least one of the modules selected from the group consisting of: a network interception module for precluding entry or exit of the program to the computer system through the network or precluding the computer system to gain access to the network if an event set in the malicious code interception policy against the program is generated; an e-mail interception module for generating a warning e-mail, and for generating the warning e-mail as a file that cannot be executed and transmitting selectively the warning e-mail to the computer system of a recipient with the warning e-mail being attached thereto in case the malicious code is found in accordance with the analyzed information about an intercepted e-mail transmitted from a mail server via the network; a file/folder interception module for precluding access to or sharing of a specific file or a specific folder in which the malicious is activated in case the malicious code which tries to gain access to, modify, or generate the specific file or folder is found; a registry interception module for precluding the malicious code, which tries to gain access to, modify, or generate a registry defined in the interception policy or for deleting the registry in case the malicious code which tries to gain access to, modify, or generate the registry; and a resource preemption module for preempting one or more of Mutex, an event, a semaphore, and a specific registry according to the interception policy if the interception policy is input the computer system.
[16] A malicious code interception system comprising:
an interception policy management apparatus for analyzing a method in which the malicious code distributed through a network invades a computer system or an activity pattern after the invasion, generating an interception policy for intercepting the malicious code, and transmitting the interception policy to the computer system; and a computer system connected to the interception policy management apparatus through the network, for informing the interception policy management apparatus of the fact that the malicious code has been detected, intercepting the malicious code according to the interception policy received from the interception policy management apparatus, generating an intercepted history as a log file, and uploading the interception history on the interception policy management apparatus.
[17] The system as defined in claim 16, wherein the interception policy management apparatus comprises: a malicious code analyzing unit for analyzing a method for the malicious code invading to the computer system or a pattern in which the malicious code is active, and for extracting the pattern after analyzing the log file uploaded from the computer system; an interception policy generating unit for generating the interception policy based on the analyzed result from the malicious code analyzing unit; an interception policy update unit for updating the interception policy by periodically complementing or deleting the interception policy in real-time whenever information about the malicious code is updated; and a communication unit for transmitting the interception policy to the computer system and for receiving the result of execution of the interception policy and transmitting the result to the malicious code analyzing unit.
[18] The system as defined in claim 16 or 17, wherein the computer system further comprises: a detector for detecting the intruding malicious code; an execution unit for intercepting the malicious code according to the interception policy; a log file management unit for generating the interception policy selected from the computer system and the interception history of the malicious code as a log file; and a transmission unit for uploading the log file to the interception policy management apparatus and for downloading the interception policy demanded from another computer system on the network.
[19] The system as defined in claim 18, wherein the computer system further
comprises an interception policy selection unit for selecting and managing at least one of the interception policies.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR10-2005-0053526 | 2005-06-21 | ||
KR20050053526A KR100690187B1 (en) | 2005-06-21 | 2005-06-21 | Method and apparatus and system for cutting malicious codes |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2006137657A1 true WO2006137657A1 (en) | 2006-12-28 |
Family
ID=37570641
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/KR2006/002318 WO2006137657A1 (en) | 2005-06-21 | 2006-06-16 | Method for intercepting malicious code in computer system and system therefor |
Country Status (2)
Country | Link |
---|---|
KR (1) | KR100690187B1 (en) |
WO (1) | WO2006137657A1 (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7487543B2 (en) * | 2002-07-23 | 2009-02-03 | International Business Machines Corporation | Method and apparatus for the automatic determination of potentially worm-like behavior of a program |
CN116132194A (en) * | 2023-03-24 | 2023-05-16 | 杭州海康威视数字技术股份有限公司 | Method, system and device for detecting and defending unknown attack intrusion of embedded equipment |
Families Citing this family (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8713680B2 (en) | 2007-07-10 | 2014-04-29 | Samsung Electronics Co., Ltd. | Method and apparatus for modeling computer program behaviour for behavioural detection of malicious program |
KR100922363B1 (en) * | 2007-08-31 | 2009-10-19 | 고려대학교 산학협력단 | Malicious code analysis apparatus and method for cyber threat trend and Recording medium using by the same |
KR101077855B1 (en) | 2009-05-19 | 2011-10-28 | 주식회사 안철수연구소 | Apparatus and method for inspecting a contents and controlling apparatus of malignancy code |
KR101043299B1 (en) * | 2009-07-21 | 2011-06-22 | (주) 세인트 시큐리티 | Method, system and computer readable recording medium for detecting exploit code |
KR101138746B1 (en) * | 2010-03-05 | 2012-04-24 | 주식회사 안철수연구소 | Apparatus and method for preventing malicious codes using executive files |
US9177154B2 (en) | 2010-10-18 | 2015-11-03 | Todd Wolff | Remediation of computer security vulnerabilities |
KR101234063B1 (en) * | 2010-12-21 | 2013-02-15 | 한국인터넷진흥원 | Malicious code, the system automatically collects |
US11200317B2 (en) | 2018-07-22 | 2021-12-14 | Minerva Labs Ltd. | Systems and methods for protecting a computing device against malicious code |
US10853492B2 (en) | 2018-07-22 | 2020-12-01 | Minerva Labs Ltd. | Systems and methods for protecting a computing device against malicious code |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20000063357A (en) * | 2000-06-29 | 2000-11-06 | 오경수 | Remote anti-virus system and method on the wireless network |
KR20010047844A (en) * | 1999-11-23 | 2001-06-15 | 오경수 | A remote computer anti-virus system and process on the network |
US20030159064A1 (en) * | 2002-02-15 | 2003-08-21 | Kabushiki Kaisha Toshiba | Computer virus generation detection apparatus and method |
JP2004206683A (en) * | 2002-12-11 | 2004-07-22 | Nihon Intelligence Corp | System management device, method and program, management server system and its control process, insurance method, security program, security management method, computer, and server computer |
-
2005
- 2005-06-21 KR KR20050053526A patent/KR100690187B1/en active IP Right Grant
-
2006
- 2006-06-16 WO PCT/KR2006/002318 patent/WO2006137657A1/en active Application Filing
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20010047844A (en) * | 1999-11-23 | 2001-06-15 | 오경수 | A remote computer anti-virus system and process on the network |
KR20000063357A (en) * | 2000-06-29 | 2000-11-06 | 오경수 | Remote anti-virus system and method on the wireless network |
US20030159064A1 (en) * | 2002-02-15 | 2003-08-21 | Kabushiki Kaisha Toshiba | Computer virus generation detection apparatus and method |
JP2004206683A (en) * | 2002-12-11 | 2004-07-22 | Nihon Intelligence Corp | System management device, method and program, management server system and its control process, insurance method, security program, security management method, computer, and server computer |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7487543B2 (en) * | 2002-07-23 | 2009-02-03 | International Business Machines Corporation | Method and apparatus for the automatic determination of potentially worm-like behavior of a program |
CN116132194A (en) * | 2023-03-24 | 2023-05-16 | 杭州海康威视数字技术股份有限公司 | Method, system and device for detecting and defending unknown attack intrusion of embedded equipment |
CN116132194B (en) * | 2023-03-24 | 2023-06-27 | 杭州海康威视数字技术股份有限公司 | Method, system and device for detecting and defending unknown attack intrusion of embedded equipment |
Also Published As
Publication number | Publication date |
---|---|
KR100690187B1 (en) | 2007-03-09 |
KR20060133728A (en) | 2006-12-27 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2006137657A1 (en) | Method for intercepting malicious code in computer system and system therefor | |
US10235524B2 (en) | Methods and apparatus for identifying and removing malicious applications | |
US10291634B2 (en) | System and method for determining summary events of an attack | |
US9910981B2 (en) | Malicious code infection cause-and-effect analysis | |
EP3712793B1 (en) | Integrity assurance during runtime | |
US8104090B1 (en) | Method and system for detection of previously unknown malware components | |
US7784098B1 (en) | Snapshot and restore technique for computer system recovery | |
US7607041B2 (en) | Methods and apparatus providing recovery from computer and network security attacks | |
US7665139B1 (en) | Method and apparatus to detect and prevent malicious changes to tokens | |
US7231637B1 (en) | Security and software testing of pre-release anti-virus updates on client and transmitting the results to the server | |
US7533413B2 (en) | Method and system for processing events | |
KR20180097527A (en) | Dual Memory Introspection to Protect Multiple Network Endpoints | |
US20070067844A1 (en) | Method and apparatus for removing harmful software | |
WO2007035417A2 (en) | Method and apparatus for removing harmful software | |
WO2006137057A2 (en) | A method and a system for providing comprehensive protection against leakage of sensitive information assets using host based agents, content- meta-data and rules-based policies | |
CN108038380B (en) | Inoculator and antibody for computer security | |
US9785775B1 (en) | Malware management | |
CN100353277C (en) | Implementing method for controlling computer virus through proxy technique | |
RU96267U1 (en) | SYSTEM OF COMPLETING ANTI-VIRUS DATABASES UNDER THE DETECTION OF UNKNOWN MALIGNANT COMPONENTS | |
US8615805B1 (en) | Systems and methods for determining if a process is a malicious process | |
US11763004B1 (en) | System and method for bootkit detection | |
US12113814B2 (en) | User device agent event detection and recovery | |
WO2023130063A1 (en) | Zero trust file integrity protection | |
CN115510484A (en) | Safety protection method, device, equipment and computer readable storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 06768909 Country of ref document: EP Kind code of ref document: A1 |