WO2011074824A2 - System and method for updating a signature database, and apparatus for updating the database of a client terminal - Google Patents

Info

Publication number
WO2011074824A2
WO2011074824A2 (application PCT/KR2010/008750)
Authority
WO
WIPO (PCT)
Prior art keywords
database
version
information
client terminal
update
Prior art date
Application number
PCT/KR2010/008750
Other languages
English (en)
Korean (ko)
Other versions
WO2011074824A3 (fr)
Inventor
양용철
김건우
Original Assignee
주식회사 안철수연구소 (AhnLab, Inc.)
Priority date
2009-12-18
Filing date
2010-12-08
Publication date
2011-06-23
Events
2010-12-08 Application filed by 주식회사 안철수연구소 (AhnLab, Inc.)
2011-06-23 Publication of WO2011074824A2
2011-11-17 Publication of WO2011074824A3

Classifications

    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; database structures therefor; file system structures therefor
    • G06F16/20 Information retrieval of structured data, e.g. relational data
    • G06F16/23 Updating
    • G06F16/2308 Concurrency control
    • G06F16/2358 Change logging, detection, and notification
    • G06F17/00 Digital computing or data processing equipment or methods, specially adapted for specific functions
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Definitions

  • The present invention relates to database updating and, more particularly, to a signature database update system and method that update the database in a client terminal using a version-specific transaction log, and to a database update apparatus of the client terminal.
  • Malware is software intentionally designed to perform malicious actions, such as destroying a system or leaking information, against the user's wishes and interests.
  • Types of malicious code include viruses, worms, trojans, backdoors, logic bombs, trap doors and other hacking tools, as well as spyware and adware.
  • Through self-replication or automatic propagation, such code can leak personal information such as user IDs and passwords, take control of target systems, alter or delete files, destroy systems, deny service to applications or systems, leak critical data and install further hacking programs; the resulting damage is both diverse and serious.
  • An antivirus program for blocking such malicious code includes a database in which signature patterns for malicious code files are stored; the signature patterns are produced and distributed by the vendor of the antivirus program.
  • One method of updating a database in which signature patterns are stored is to apply a binary delta that captures the changes to a binary file.
  • Related prior art is disclosed in U.S. Patent No. 7,509,636 (registered March 24, 2009). That method creates and applies changes to a binary file per version and is mainly used to add, remove and replace file contents based on offset information within the binary file. That is, after a binary file is generated for adding, removing or replacing the contents of a specific signature pattern stored in the database, the corresponding signature pattern file stored in the database is updated using that binary file.
  • The present invention was made in view of the above. Transaction information is generated for each version from the changes to the database, a transaction log for each version is generated from the version-specific transaction information, and the client terminal updates its database using that transaction log. The invention thus provides a signature database update system and method.
  • A signature database update system comprising: a transaction generation unit that generates version-specific transaction information based on the version-specific changes to the database and stores it in a storage unit; a transaction log generation unit that generates a transaction log for each version by comparing the transaction information of the latest version with the transaction information of each other version among the version-specific transaction information, and stores the transaction logs in the storage unit; and an update server device that, on receiving the version information of the database in the client terminal, extracts the transaction log matching that version information from the storage unit and transmits it to the client terminal so that the database in the client terminal is updated.
  • An apparatus for updating the database of a client terminal using an update system that manages version-specific transaction logs (each generated by comparing the transaction information of the latest version with that of another version among transaction information generated from version-specific changes to the database), the integrity information of the latest version and a snapshot of the latest version, the apparatus comprising: a transaction log application unit that provides the version information of the client terminal's database to the system, receives the transaction log suited to that version information together with the integrity information, and updates the client terminal's database to the latest version using the provided transaction log; and an integrity checking unit that tests the integrity of the database updated to the latest version using the integrity information provided by the transaction log application unit.
  • A method of updating the database of a client terminal using an update system that manages version-specific transaction logs (generated as above), the integrity information of the latest version and a snapshot of the latest version, the method comprising: providing the version information of the database in the client terminal to the system; receiving the transaction log corresponding to that version information; and updating the database of the client terminal to the latest version of the database using the transaction log.
  • According to the present invention, transaction information is generated for each version from the changes to the database, a transaction log for each version is created from the version-specific transaction information, and the transaction log corresponding to the database version information received from the client terminal is transmitted to that terminal.
  • FIG. 1 is a block diagram illustrating an update system for updating a signature database according to an embodiment of the present invention.
  • FIG. 2 is a block diagram illustrating an information generating device in the signature database update system of FIG. 1.
  • FIG. 3 is a block diagram illustrating an update server device in the signature database update system of FIG. 1.
  • FIG. 4 is a block diagram illustrating an update apparatus in the signature database update system of FIG. 1.
  • FIG. 5 is a flowchart illustrating a process of updating a database of a client terminal by using a signature database update system according to an exemplary embodiment of the present invention.
  • Referring to FIG. 1, the signature database update system includes an information generating device 100 that generates the transaction logs used for updating, an update server device 120 that provides the transaction log corresponding to the database version information of the client terminal, and an update device 140 installed in the client terminal that performs the update using the transaction log.
  • FIG. 2 is a block diagram of the information generating apparatus 100 of the signature database update system of FIG. 1.
  • The information generating apparatus 100 generates the version-specific transaction logs and the integrity information of the latest version. As illustrated, it comprises a transaction generator 210, a storage unit 212, a transaction log generator 214 and an integrity information generator 216.
  • The transaction generator 210 generates version-specific transaction information based on the changes 200 made to the signature database in each version.
  • The signature database may consist of a plurality of files, each in the form of a plurality of tables composed of a plurality of records; accordingly, changes to the signature database can be divided into logical and physical changes. The version-specific transaction information generated by the transaction generator 210 is stored in the storage unit 212.
  • The changes 200 to the signature database can include logical changes, such as adding data to a table, deleting arbitrary records from a table, updating some records in a table, moving part of a table into another table, adding and dropping tables, and updating table attributes (Add, Drop, Update), and physical changes, such as deleting files and moving part of a file into another file, as shown in Tables 1 and 2 below.
  • Table 1
      Change type              Example                                                      Description
      Add tuple                Add_tuple(file1, table1, <field1, field2, ...>)
      Delete tuple             Delete_tuple(file1, table1, tuple1)
      Update tuple             Update_tuple(file1, table1, tuple1, <field1, field2, ...>)
      Move tuples into table   Move_tuple(file1, table1, [tuple1..tuple50], table2)        Move tuple1 to tuple50 from table1 to table2
      Add table                Add_table(table1, <attribute1, attribute2, ...>)
      Drop table               Drop_table(table2)
      Update table             Update_table(table1, <attribute1, attribute2, ...>)
      etc.
  • The transaction log generator 214 compares the transaction information of each previous version with the transaction information of the latest version stored in the storage unit 212 to generate a transaction log 204 for each version.
  • For example, if the latest version is 2.0 and the previous versions are 1.5, 1.6, 1.7, 1.8 and 1.9, the transaction log for version 1.5 is generated by comparing version 1.5 with version 2.0, and the transaction log for version 1.6 by comparing version 1.6 with version 2.0.
  • Each version's transaction log represents the changes needed to update from that version to the latest version. For example, the transaction log "TxLog n-1 to n", where n is the latest version and n-1 is the version immediately preceding it, holds the changes from version n-1 to version n.
  • The transaction log generator 214 may generate a transaction log for all previous versions, or generate transaction logs 204 only for the last d versions, where d is a preset value configured by an administrator or in the system.
  • The version-specific transaction logs so generated are stored in the storage unit 212.
  • The integrity information generator 216 generates integrity information 206 that allows the update device 140 of the client terminal, after its database has been updated to the latest version through the version-specific transaction log 204, to determine whether the result is identical to the latest version snapshot 202, and stores this information in the storage unit 212.
  • The integrity information 206 may be derived from the latest version of the database.
  • The storage unit 212 stores the version-specific transaction information, the version-specific transaction logs 204, the latest version snapshot 202 of the latest version of the database, and the integrity information 206.
  • The latest version snapshot 202 holds a snapshot of each file in the latest version of the database.
  • FIG. 3 is a simplified block diagram of the update server device 120 in the signature database update system of FIG. 1.
  • The update server device 120 receives and temporarily stores the data generated by the information generating apparatus 100, and then updates the database of the client terminal according to the database version information received from the update device 140 of the client terminal.
  • It may comprise a temporary storage unit 310, an information selection unit 320 and a server communication unit 330.
  • The temporary storage unit 310 stores the version-specific transaction logs 300, the latest version snapshot 302 and the integrity information 304 generated by the information generating apparatus 100.
  • When the information selection unit 320 receives the database version information from the update device 140 of any client terminal through the server communication unit 330, it searches the temporary storage unit 310 to determine whether a transaction log corresponding to that version information exists and, depending on the result, transmits either that transaction log or the latest version snapshot of the database to the update device 140 of that client terminal. In either case, a portion of the integrity information may be transmitted to the update device 140 as well, so that the integrity of the client terminal's database can be checked after it has been updated to the latest version.
  • FIG. 4 is a block diagram of the update apparatus 140 in the signature database update system of FIG. 1.
  • The update device 140 is installed in the client terminal and updates the terminal's database to the latest version of the database.
  • It may comprise a client communication unit 400 for communicating with the update server device 120, a transaction log application unit 402, an integrity checking unit 404 and a client database 406.
  • The client communication unit 400 is the means of communicating with the update server device 120: after transmitting the version information of the client database 406 to the update server device 120, it receives the update data corresponding to that version information. That is, the client communication unit 400 downloads either the transaction log and integrity information corresponding to the version information, or the file snapshot and integrity information, from the update server device 120 and provides them to the transaction log application unit 402.
  • The transaction log application unit 402 updates the client database 406 to the latest version of the database using the transaction log or the latest version file snapshot provided through the client communication unit 400.
  • The transaction log application unit 402 also stores the integrity information provided through the client communication unit 400 in the client database 406.
  • The integrity checking unit 404 verifies the integrity of the client database 406 after it has been updated to the latest version by checking each file stored in the client database 406 against the integrity information stored there.
  • If the check fails, the integrity checking unit 404 notifies the transaction log application unit 402, which requests and receives a file snapshot from the update server device 120 through the client communication unit 400 and updates the client database 406 to the latest version again using the received file snapshot.
  • In the embodiment above, the update server device 120 includes a separate temporary storage unit 310 that receives and stores the data generated by the information generating device 100.
  • Alternatively, the storage unit 212 of the information generating device 100 may be shared. In that case the update server device 120 does not use the temporary storage unit 310 when searching for the transaction log matching the version information provided by the update device 140 of the client terminal, but searches the storage unit 212 of the information generating device 100 and provides the result.
  • Because the client database 406 is updated using the transaction log of the database, the update can be performed with a small amount of data transfer, which speeds it up.
  • FIG. 5 is a flowchart illustrating the process of updating the database of a client terminal using the signature database update system according to an exemplary embodiment of the present invention.
  • First, the update device 140 of the client terminal transmits the version information of the client database 406 to the update server device 120 through the client communication unit 400 (S500).
  • The update server device 120 receives the version information through the server communication unit 330 and passes it to the information selection unit 320, which searches the temporary storage unit 310 to determine whether a transaction log matching the version information exists (S502). If one exists, the information selection unit 320 transmits the transaction log corresponding to the version information and the integrity information stored in the temporary storage unit 310 to the update device 140 through the server communication unit 330, and the update device 140 receives the transaction log and the integrity information through the client communication unit 400 (S504).
  • The update device 140 passes the received transaction log and integrity information to the transaction log application unit 402, which stores the integrity information in the client database 406 and updates the client database 406 to the latest version using the transaction log (S506).
  • The integrity checking unit 404 then checks the integrity of the updated client database 406 using the integrity information stored in the client database 406 to determine whether there is an abnormality (S508).
  • If there is, the integrity checking unit 404 notifies the transaction log application unit 402 that the client database 406 is faulty, and the transaction log application unit 402 accordingly requests and receives the latest version file snapshot from the update server device 120 through the client communication unit 400 (S510).
  • The transaction log application unit 402 then updates the client database 406 to the latest version using the latest version file snapshot (S512).
  • If, on the other hand, no matching transaction log is found in S502, the information selection unit 320 transmits the latest version file snapshot and the integrity information to the update device 140 of the client terminal through the server communication unit 330.
  • The update device 140 receives the latest version file snapshot and the integrity information through the client communication unit 400 (S514) and then proceeds to S506. That is, the transaction log application unit 402 stores the integrity information in the client database 406 and updates the client database 406 to the latest version using the latest version file snapshot.
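The exchange of FIG. 5, as an added worked example that is not part of the patent or of AhnLab's code: an information generator builds per-version snapshots and the "v to latest" transaction logs for the last d versions, the server picks a log or the snapshot from the version the client reports, and the client applies the log, checks a per-file integrity digest and falls back to the snapshot when the check fails. The database layout, the operation names (modelled on Table 1), SHA-256 as the integrity function, the value of d and the sample signature data are all assumptions made for this illustration.

```python
# Toy model of the scheme described above: per-version transaction logs, per-file
# integrity digests and a snapshot fallback. Added illustration, not the patent's
# code; every name, the data layout and the sample signatures are assumptions.
import copy
import hashlib
import json

VERSIONS = ["1.5", "1.6", "1.7", "1.8", "1.9", "2.0"]  # oldest .. latest
LATEST = VERSIONS[-1]
D = 3  # transaction logs are kept only for the last d previous versions

# Database model {file: {table: {tuple_id: fields}}}; constructed content, and
# constructed per-version change sets (op, file, table, arg) as in Table 1.
BASE_1_5 = {"file1": {"sigs": {"s1": "0000"}}}
CHANGES = {
    "1.6": [("add_tuple", "file1", "sigs", ("s2", "dead"))],
    "1.7": [("update_tuple", "file1", "sigs", ("s1", "cafe"))],
    "1.8": [("add_table", "file1", "heur", None)],
    "1.9": [("move_tuple", "file1", "sigs", ("s2", "heur"))],  # sigs -> heur
    "2.0": [("delete_tuple", "file1", "sigs", "s1"),
            ("add_tuple", "file1", "heur", ("h1", "feed"))],
}

def apply_op(db, op):  # apply one logical change from Table 1 in place
    kind, f, t, arg = op
    if kind in ("add_tuple", "update_tuple"):
        db[f][t][arg[0]] = arg[1]
    elif kind == "delete_tuple":
        del db[f][t][arg]
    elif kind == "move_tuple":
        db[f][arg[1]][arg[0]] = db[f][t].pop(arg[0])
    elif kind == "add_table":
        db[f][t] = {}
    elif kind == "drop_table":
        del db[f][t]
    else:
        raise ValueError("unknown change type: %s" % kind)

def integrity_info(db):  # per-file SHA-256 over a canonical serialisation
    return {f: hashlib.sha256(json.dumps(t, sort_keys=True).encode()).hexdigest()
            for f, t in db.items()}

class InfoGenerator:
    """Information generating device 100: snapshots, tx logs, integrity info."""
    def __init__(self):
        db = copy.deepcopy(BASE_1_5)
        self.snapshots = {VERSIONS[0]: copy.deepcopy(db)}
        for v in VERSIONS[1:]:
            for op in CHANGES[v]:
                apply_op(db, op)
            self.snapshots[v] = copy.deepcopy(db)
        # TxLog "v -> latest": all changes recorded after v, last d versions only
        self.tx_logs = {v: [op for w in VERSIONS[VERSIONS.index(v) + 1:]
                            for op in CHANGES[w]] for v in VERSIONS[-1 - D:-1]}
        self.integrity = integrity_info(self.snapshots[LATEST])

class UpdateServer:
    """Update server device 120: S502 picks a tx log, else the snapshot."""
    def __init__(self, gen):
        self.gen = gen

    def snapshot(self):
        return copy.deepcopy(self.gen.snapshots[LATEST])

    def select(self, client_version):
        log = self.gen.tx_logs.get(client_version)
        if log is not None:
            return "txlog", log, self.gen.integrity
        return "snapshot", self.snapshot(), self.gen.integrity

class UpdateDevice:
    """Update device 140 in the client terminal."""
    def __init__(self, version, db):
        self.version, self.db, self.integrity = version, db, None

    def verify(self):  # integrity checking unit 404 (S508)
        return integrity_info(self.db) == self.integrity

    def update(self, server):
        """S500..S514; returns which path brought the database to LATEST."""
        kind, payload, self.integrity = server.select(self.version)  # S500/S504
        if kind == "txlog":
            for op in payload:  # S506: transaction log application unit 402
                apply_op(self.db, op)
            if self.verify():
                self.version = LATEST
                return "txlog"
            kind, payload = "fallback", server.snapshot()  # S508 failed -> S510
        self.db = payload  # S512 / S514: install the latest file snapshot
        if not self.verify():
            raise RuntimeError("snapshot failed integrity check")
        self.version = LATEST
        return kind

def client_at(gen, version, bogus=None):  # constructed client at `version`
    db = copy.deepcopy(gen.snapshots[version])
    if bogus:
        db["file1"]["sigs"][bogus] = "junk"  # a tuple no server version has
    return UpdateDevice(version, db)
```

The model also shows the failure mode the flowchart handles: a client whose local database has drifted from every server-side version (here, an extra tuple in `sigs`) applies the log without error but fails the integrity check at S508, so it ends up installing the snapshot, while a client older than the last d versions is served the snapshot directly at S514. Note that a per-file digest as used here only detects an inconsistent result; it does not authenticate the log or snapshot, so in a real deployment the update data would still need to be signed by the vendor.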
  • As described above, by applying a database transaction log rather than replacing whole files, various updates such as modifying a specific table, moving data to another file, and changing or removing a detection name can be performed, and the integrity information can be used after the update to verify that the files have been assembled correctly.
  • The present invention can be embodied as computer-readable code on a computer-readable recording medium.
  • The computer-readable recording medium includes any kind of recording device that stores data readable by a computer system. Examples include ROM, RAM, CD-ROM, magnetic tape, floppy disks and optical data storage devices, and the code may also be implemented in the form of carrier waves (for example, transmission over the Internet).
  • The computer-readable recording medium can also be distributed over network-coupled computer systems so that the computer-readable code is stored and executed in a distributed fashion.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Mathematical Physics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The present invention relates to a signature database update system comprising: a transaction information generation unit that generates transaction information for each database version based on the change details of each database version and stores the generated transaction information in a storage unit; a transaction log generation unit that compares the transaction information of the most recent version with the transaction information of the other versions among the transaction information for each database version, so as to generate transaction logs for each database version, and stores the generated transaction logs in the storage unit; and an update server that, on receiving the database version information of a client terminal, extracts a transaction log from the storage unit based on that database version information and transmits the extracted transaction log to the client terminal in order to update the client terminal's database.
PCT/KR2010/008750 2009-12-18 2010-12-08 System and method for updating a signature database, and apparatus for updating the database of a client terminal WO2011074824A2 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020090126644A KR101183083B1 (ko) 2009-12-18 2009-12-18 Signature database update system and method, and database update apparatus of a client terminal
KR10-2009-0126644 2009-12-18

Publications (2)

Publication Number Publication Date
WO2011074824A2 WO2011074824A2 (fr) 2011-06-23
WO2011074824A3 WO2011074824A3 (fr) 2011-11-17

Family

ID=44167833

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2010/008750 WO2011074824A2 (fr) 2009-12-18 2010-12-08 System and method for updating a signature database, and apparatus for updating the database of a client terminal

Country Status (2)

Country Link
KR (1) KR101183083B1 (fr)
WO (1) WO2011074824A2 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110958116A (zh) * 2019-12-06 2020-04-03 中山大学 (Sun Yat-sen University) Multi-copy cloud data integrity auditing method based on lattice signatures
CN110958116B (zh) * 2019-12-06 2021-02-26 中山大学 (Sun Yat-sen University) Multi-copy cloud data integrity auditing method based on lattice signatures

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101277623B1 (ko) * 2012-01-27 2013-06-21 주식회사 안랩 (AhnLab, Inc.) Whitelist synchronization server and client device
KR101524668B1 (ko) * 2014-02-18 2015-06-01 에스케이 텔레콤주식회사 (SK Telecom Co., Ltd.) Data synchronization method and apparatus

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030233566A1 (en) * 2001-08-01 2003-12-18 Networks Associates Technology, Inc. Malware scanning wireless service agent system and method
KR100495777B1 (ko) * 2005-02-23 2005-06-16 노태호 Integrated client management system using an agent
KR20070079780A (ko) * 2006-02-03 2007-08-08 엘지엔시스(주) (LG N-Sys) Apparatus and method for optimizing the rules of security equipment
KR100832804B1 (ko) * 2006-08-14 2008-05-28 (주)모니터랩 (Monitorapp) Profiling-based database security system and method
KR20080071861A (ko) * 2007-01-31 2008-08-05 삼성전자주식회사 (Samsung Electronics) Apparatus and method for updating the immune database of a portable terminal

Also Published As

Publication number Publication date
KR20110070012A (ko) 2011-06-24
KR101183083B1 (ko) 2012-09-20
WO2011074824A3 (fr) 2011-11-17

Similar Documents

Publication Publication Date Title
EP3474176B1 (fr) System and method for detecting a malicious file
US9154517B2 (en) System and method for preventing spread of malware in peer-to-peer network
CN100416585C (zh) Source code repair method and code management repository system
EP2452287B1 (fr) Anti-virus scanning
CN100423016C (zh) Source code repair method and code management repository system
US9639697B2 (en) Method and apparatus for retroactively detecting malicious or otherwise undesirable software
Egele et al. Defending browsers against drive-by downloads: Mitigating heap-spraying code injection attacks
US7801840B2 (en) Threat identification utilizing fuzzy logic analysis
CN107066883B (zh) System and method for blocking script execution
JP5967107B2 (ja) Method and apparatus for dealing with malware
RU2680736C1 (ru) Server and method for determining malicious files in network traffic
EP2245572B1 (fr) Detecting rootkits over a storage area network
US9147073B2 (en) System and method for automatic generation of heuristic algorithms for malicious object identification
US7716736B2 (en) Apparatus, methods and articles of manufacture for computer virus testing
US8392996B2 (en) Malicious software detection
US20130167236A1 (en) Method and system for automatically generating virus descriptions
JP6726429B2 (ja) System and method for detecting domain generation algorithm (DGA) malware
US20120102569A1 (en) Computer system analysis method and apparatus
CN1773417A (zh) System and method for aggregating the knowledge bases of antivirus software applications
US8307276B2 (en) Distributed content verification and indexing
US20130227692A1 (en) System and method for optimization of antivirus processing of disk files
US20050120063A1 (en) Automatic regeneration of computer files
CN103473501A (zh) Cloud-security-based malware tracking method
EP2417552B1 (fr) Malware determination
WO2011074824A2 (fr) System and method for updating a signature database, and apparatus for updating the database of a client terminal

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 10837820
    Country of ref document: EP
    Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established
    Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205N DATED 24/08/2012)
122 Ep: pct application non-entry in european phase
    Ref document number: 10837820
    Country of ref document: EP
    Kind code of ref document: A2