WO2014035043A1 - Apparatus and method for diagnosing malicious applications - Google Patents
Apparatus and method for diagnosing malicious applications
- Publication number: WO2014035043A1 (PCT/KR2013/006095)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- information
- file
- malicious
- unit
- application
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
- H04W12/128—Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware
Definitions
- the present invention relates to an apparatus and method for diagnosing malicious applications. More specifically, it relates to an apparatus and method for diagnosing whether application executable files in a mobile operating system are malicious.
- such smart phones are equipped with mobile operating systems such as Android, iOS, and Windows Mobile, and applications that run on these various mobile operating systems are being actively developed.
- the Android platform is an open-source platform released by Google's Open Handset Alliance (OHA). It is a software package that contains a Linux kernel, a virtual machine (VM), a framework, and all of the applications.
- the Android application market is active, and the demand for applications is rising.
- the Android package file includes a plurality of folders and files at its root, among which the META-INF folder 20, the AndroidManifest.xml file 10, the classes.dex file 30, and the resources.arsc file 40 are required components. Without any of these prerequisites, the application will not install or run normally.
- the META-INF folder 20 essentially includes an RSA file 21, an SF file 22, and a MANIFEST.MF file 23 under it.
- hash values of the AndroidManifest.xml file 10 and the classes.dex file 30 that are determined to be malicious are stored in advance in a signature database.
- the malicious application was diagnosed and determined by comparing the hash value of the AndroidManifest.xml file 10 or the classes.dex file 30 extracted from the application to be diagnosed with the signature database.
- in this way one malicious file can be diagnosed accurately, but the large number of variant files generated with an automation tool or the like cannot be diagnosed as malicious.
- embodiments of the present invention provide an apparatus and method for diagnosing malicious applications that use common characteristic information which is invariant or difficult to modify even in variant files, targeting executable files of malicious applications that can run in a mobile operating system environment.
- the malicious application diagnosis apparatus may include a signature storage unit that stores, as signature data for diagnosing maliciousness, the common feature information shared between a malicious application executable file that can run in a mobile operating system environment and variant files derived from that executable file; an information collecting unit that collects information corresponding to the common characteristic information from a diagnosis target application execution file; a diagnosis determination unit that compares the collected information with the common characteristic information stored in the signature storage unit to determine whether the diagnosis target application executable file is malicious; and a result providing unit that provides the result of that determination.
- the malicious application diagnosis apparatus may further include a diagnostic rule storage unit configured to store a diagnostic rule for determining whether the diagnosis target application execution file is malicious by combining a plurality of pieces of common feature information, and the information collecting unit may collect the common feature information according to the rule stored in the diagnostic rule storage unit.
- the malicious application diagnosis apparatus may further include a setting unit that may request setting of the diagnosis rule, and the diagnosis rule set according to a request by the setting unit may be stored in the diagnosis rule storage unit.
- the diagnosis target application execution file may be an APK (Android package) file.
- the information collecting unit may include an APK information collecting unit for collecting file path information or certificate information in the APK file.
- the APK information collecting unit may include a file tree structure extracting unit extracting a tree structure of files constituting the APK file to extract a hash value corresponding to a path of the files.
- the APK information collecting unit may include a file path extracting unit extracting a path of a specific file existing in the APK file to extract a hash value corresponding to the path of the corresponding file.
- the APK information collecting unit may include a certificate information extracting unit for extracting self-signed information of an RSA file existing in the META-INF folder in the APK file.
- the certificate information extracting unit may extract at least one of the serial number, issuer DN, or validity from the self-signed information.
- the information collecting unit may include a DEX information collecting unit extracting features of JAVA class files by analyzing a DEX file in the diagnosis target application execution file.
- the DEX information collector may include an import class extractor that obtains a CRC using a list of external class information imported by JAVA files included in the DEX file.
- the DEX information collector may include a prototype extractor that collects a prototype list defined in the DEX file to obtain a CRC.
- the DEX information collecting unit may include a class list extractor which obtains a CRC by listing names of JAVA class files included in the DEX file.
- the DEX information collecting unit may include a class hash extracting unit extracting an attribute value or JAVA code command syntax within a class with respect to classes included in the DEX file.
- the information collecting unit may include a manifest information collecting unit which collects internal information from the androidManifest.xml file in the diagnosis target application execution file.
- the manifest information collection unit may include an application information extraction unit for extracting information about the application from the androidManifest.xml file.
- the manifest information collection unit may include an XML tree structure extraction unit that extracts XML tree structure information of the androidManifest.xml file as a hash value.
- the information collecting unit may include a resource information collecting unit for extracting form configuration information of resource structures in the resources.arsc file as a hash value.
- a method for diagnosing malicious applications includes storing, as signature data for diagnosing maliciousness, the common feature information shared between a malicious application executable file that can run in a mobile operating system environment and variant files derived from that executable file; collecting information corresponding to the common characteristic information from a diagnosis target application execution file; comparing the collected information with the common characteristic information stored as the signature data; determining from the comparison whether the diagnosis target application executable file is malicious; and providing the result of that determination.
- the method for diagnosing malicious applications may further include storing a diagnostic rule for determining whether the diagnosis target application execution file is malicious by combining a plurality of pieces of common feature information, and the common feature information may be collected according to that rule.
- the malicious application diagnosis method may further include receiving a request for setting the diagnosis rule, and may store the diagnosis rule according to the request of the setting.
- a computer-readable recording medium may be provided that holds a program comprising instructions for performing each step of the malicious application diagnosis method: storing, as signature data for diagnosing maliciousness, the common feature information shared between a malicious application executable file that can run in the mobile operating system environment and variant files derived from it; collecting information corresponding to the common feature information from a diagnosis target application executable file; comparing the collected information with the common feature information stored as the signature data; determining from the comparison whether the diagnosis target application executable file is malicious; and providing the result of that determination.
- common feature information that is invariant or difficult to modify even in a variant file is used for diagnosing a malicious application, targeting an executable file of a malicious application that can be run in a mobile operating system environment.
- FIG. 2 is a block diagram of an apparatus for diagnosing malicious applications according to an embodiment of the present invention.
- FIG. 3 is a detailed configuration diagram of an information collecting unit according to an embodiment of the present invention.
- FIG. 4 is a detailed configuration diagram of the APK information collecting unit according to an embodiment of the present invention.
- FIG. 5 is a detailed configuration diagram of a DEX information collecting unit according to an embodiment of the present invention.
- FIG. 6 is a detailed configuration diagram of the manifest information collecting unit according to an embodiment of the present invention.
- FIG. 7 is a flowchart illustrating a malicious application diagnosis method according to an embodiment of the present invention.
- FIG. 2 is a block diagram of an apparatus for diagnosing malicious applications according to an embodiment of the present invention.
- the malicious application diagnosis apparatus 100 includes an information collecting unit 110, a diagnosis determining unit 120, a setting unit 130, a signature storage unit 140, a diagnosis rule storage unit 150, a result providing unit 160, and the like.
- the signature storage unit 140 stores, as signature data, the common feature information shared between a malicious application executable file that can run in a mobile operating system environment and variant files derived from that executable file.
- the signature storage unit 140 may store a plurality of pieces of common feature information related to one application executable file.
- the information collecting unit 110 collects information corresponding to common feature information stored in the signature storage unit 140 from a diagnosis target application executable file which is a target of diagnosing malicious.
- the information collecting unit 110 may collect information corresponding to common feature information from the application execution file according to the diagnostic rule stored in the diagnostic rule storage unit 150. That is, the information collection unit 110 may be said to collect common feature information with the malicious application executable file from the diagnostic application executable file.
- the diagnosis determining unit 120 compares the information corresponding to the common feature information collected by the information collecting unit 110 with the common feature information stored in the signature storage unit 140 to diagnose and determine whether the application execution file is malicious.
- the result providing unit 160 provides a result of determining whether the application executable file is malicious by the diagnosis determining unit 120 to the outside.
- the diagnostic rule storage unit 150 stores a diagnostic rule for determining whether the application execution file is malicious by combining a plurality of pieces of common feature information.
- the setting unit 130 provides an interface for inputting various commands to the malicious application diagnosis apparatus 100, and may request the setting of a diagnosis rule through the setting unit 130.
- the diagnosis determining unit 120 may set a diagnosis rule to be stored in the diagnosis rule storage unit 150.
- FIG. 3 is a detailed configuration diagram of the information collecting unit 110 according to an embodiment of the present invention.
- the information collecting unit 110 includes an APK information collecting unit 111, a DEX information collecting unit 112, a manifest information collecting unit 113, a resource information collecting unit 114, and the like.
- the APK information collecting unit 111 may collect file path information or certificate information in the APK compressed file.
- the DEX information collector 112 may analyze the DEX file to extract features of JAVA class files.
- the manifest information collecting unit 113 may collect internal information of the androidManifest.xml file.
- the resource information collecting unit 114 may extract form configuration information of resource structures in the resources.arsc file as a hash value.
- FIG. 4 is a detailed configuration diagram of the APK information collecting unit 111 according to an embodiment of the present invention.
- the APK information collecting unit 111 includes a file tree structure extracting unit 111a, a file path extracting unit 111b, a certificate information extracting unit 111c, and the like.
- the file tree structure extraction unit 111a may extract a hash value corresponding to a path of the files by extracting a tree structure of the files constituting the APK compressed file.
- the file path extracting unit 111b may extract a hash value corresponding to the path of the corresponding file by extracting the path of a specific file existing in the APK compressed file.
- the certificate information extracting unit 111c may extract the self-signed information of the RSA file existing in the META-INF folder in the APK compressed file.
- the certificate information extracting unit 111c may extract a serial number, an issuer DN, or a validity from the self-signed information.
- FIG. 5 is a detailed configuration diagram of the DEX information collecting unit 112 according to an embodiment of the present invention.
- the DEX information collecting unit 112 includes an import class extracting unit 112a, a prototype extracting unit 112b, a class list extracting unit 112c, and a class hash extracting unit 112d.
- the import class extracting unit 112a may obtain a cyclic redundancy check (CRC) using a list of external class information imported by JAVA files included in a DEX file.
- the prototype extracting unit 112b may obtain a CRC by collecting a prototype list defined in the DEX file.
- the class list extractor 112c may obtain a CRC by listing the names of JAVA class files included in the DEX file.
- the class hash extracting unit 112d may extract an attribute value or JAVA code command syntax within the class for classes included in the DEX file.
- FIG. 6 is a detailed configuration diagram of the manifest information collecting unit 113 according to an embodiment of the present invention.
- the manifest information collecting unit 113 includes an application information extracting unit 113a and an XML tree structure extracting unit 113b.
- the application information extraction unit 113a may extract information about an application from the androidManifest.xml file.
- the XML tree structure extractor 113b may extract XML tree structure information of the androidManifest.xml file as a hash value.
- FIG. 7 is a flowchart illustrating a malicious application diagnosis method according to an embodiment of the present invention.
- the malicious application diagnosing method performed by the malicious application diagnosing apparatus 100 first stores, as signature data for diagnosing maliciousness, a plurality of pieces of common feature information shared between a malicious application executable file that can run in a mobile operating system environment and variant files derived from it, and also stores a diagnostic rule that determines whether an application executable file is malicious by combining a plurality of pieces of common feature information; the apparatus then enters the file diagnosis mode.
- the signature storage unit 140 of the malicious application diagnosis apparatus 100 stores, as signature data for diagnosing maliciousness, a plurality of pieces of common feature information obtained from a malicious application executable file that can run in a mobile operating system environment and from variant files derived from that executable file.
- the plurality of pieces of common feature information that the signature storage unit 140 stores as signature data is extracted from a folder or file that is essentially included in the application execution file.
- for example, a plurality of pieces of common feature information may be extracted from the META-INF folder 20, the AndroidManifest.xml file 10, the classes.dex file 30, or the resources.arsc file 40 of the Android package (APK) file.
- the signature data stored in the signature storage unit 140 is the same kind of information as the information collected by the information collecting unit 110 from the diagnostic target application executable file running in the mobile operating system environment. The detailed description of the signature data will be described in the information collecting process by the information collecting unit 110 in step S205.
- the malicious application diagnosing apparatus 100 may enter the file diagnosis mode in step S201, but a process of setting the diagnostic rule for diagnosing malicious applications may be performed before that.
- the setting unit 130 provides a user interface for inputting various commands to the malicious application diagnosing apparatus 100, and when the setting of a diagnostic rule is requested through this user interface, the setting unit 130 stores the diagnostic rule for diagnosing malicious applications in the diagnosis rule storage unit 150.
- the diagnostic rule designates which item(s) of the signature data stored in the signature storage unit 140 are to be used for diagnosing a malicious application. That is, a diagnostic rule that determines whether an application execution file is malicious by combining a plurality of pieces of common feature information stored in the signature storage unit 140 may be designated and stored.
- the malicious application diagnosis apparatus 100 enters a file diagnosis mode in a state in which the diagnostic rule is stored (S201).
- the diagnosis determination unit 120 checks the diagnosis rules previously stored in the diagnosis rule storage unit 150, and requests the information collection unit 110 to search for files and collect information according to the identified diagnosis rules. (S202).
- the information collecting unit 110 searches for a file in a mobile operating system environment (S203), and determines whether the searched file is a mobile operating system executable file (S204). For example, in the case of the Android platform, it is determined whether the file is an Android package (APK) file.
- the information collecting unit 110 collects information corresponding to common feature information based on pre-stored diagnostic rules for the mobile operating system executable file (S205).
- the information collecting unit 110 operates one or more of the APK information collecting unit 111, the DEX information collecting unit 112, the manifest information collecting unit 113, and the resource information collecting unit 114 according to the diagnostic rules previously stored in the diagnostic rule storage unit 150.
- the APK information collecting unit 111 collects file path information or certificate information in the APK compressed file.
- any one or more of the file tree structure extracting unit 111a, the file path extracting unit 111b, and the certificate information extracting unit 111c constituting the APK information collecting unit 111 may operate according to the diagnostic rules previously stored in the diagnostic rule storage unit 150.
- the file tree structure extracting unit 111a extracts a tree structure of files constituting the APK compressed file and extracts a hash value corresponding to a path of the files.
- apart from the files that must exist, the contents of an APK compressed file can be laid out freely by its author.
- all the path names of the files can be extracted as hash values, and the hash values corresponding to all the path names of the extracted files can be used as signatures to distinguish files of the same type.
- this method diagnoses effectively because most malicious files are created once, and their internal file configuration is not changed even after variants are created.
- the file path extraction unit 111b extracts a path of a specific file existing in the APK compressed file and extracts a hash value corresponding to the path of the corresponding file. In this way, the path of a specific file in the APK compressed file and the hash value of the file can be extracted and used as a signature to distinguish files of the same type. This can effectively diagnose a wider range of variant files than using the file tree structure extraction unit 111a.
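As an added illustration (not code from the patent), the following Python builds small APK-like ZIP archives in memory and shows how the tree structure hash of unit 111a and the specific-path hash of unit 111b behave on two constructed variants, with a diagnostic rule choosing which feature must match; the member contents, the author-specific path and the signature entry are all constructed values.

```python
"""Path-based APK signatures: the file tree structure feature, the file path
feature, and their combination under a diagnostic rule.

Added example, not code from the patent.  The APKs are built in memory as plain
ZIP archives carrying the mandatory members named on the page; member contents,
the author-specific path and the signature entry are constructed values.
"""
import hashlib
import io
import zipfile


def build_apk(members):
    """Construct an APK-like ZIP from a {path: bytes} mapping (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in members.items():
            zf.writestr(path, data)
    return buf.getvalue()


def member_paths(apk_bytes):
    """Every file path stored in the archive (directory entries excluded)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [info.filename for info in zf.infolist() if not info.is_dir()]


def tree_structure_hash(apk_bytes):
    """File tree structure feature: one hash over all member paths in canonical
    order.  It depends only on the archive layout, not on member contents, so a
    variant that merely swaps code or data keeps the same value."""
    digest = hashlib.sha256()
    for path in sorted(member_paths(apk_bytes)):
        digest.update(path.encode("utf-8") + b"\0")
    return digest.hexdigest()


def file_path_hash(apk_bytes, path):
    """File path feature: the hash of one specific author-chosen path, or None
    when that member is absent.  Unlike the tree hash it survives variants that
    add or remove unrelated files."""
    if path not in member_paths(apk_bytes):
        return None
    return hashlib.sha256(path.encode("utf-8")).hexdigest()


def collect_features(apk_bytes, watched_path):
    """Information collection step: gather both APK path features."""
    return {"tree": tree_structure_hash(apk_bytes),
            "path": file_path_hash(apk_bytes, watched_path)}


def diagnose(features, signatures, rule):
    """Diagnosis step: a rule names the features that must all match one stored
    signature entry.  Returns the matching entry name, or None."""
    for name, sig in signatures.items():
        if all(features.get(f) is not None and features[f] == sig.get(f)
               for f in rule):
            return name
    return None


# --- constructed sample data -------------------------------------------------
MANDATORY = {
    "AndroidManifest.xml": b"<manifest package='com.example.sample'/>",
    "classes.dex": b"dex\n035\0" + b"\0" * 64,
    "resources.arsc": b"\x02\x00\x0c\x00\x0c\x00\x00\x00\x00\x00\x00\x00",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82",  # placeholder bytes, not a real PKCS#7 blob
}
AUTHOR_PATH = "assets/cfg/update.dat"  # constructed author-specific path

ORIGINAL = build_apk({**MANDATORY, AUTHOR_PATH: b"v1"})
# Variant repacked with different code and config but the same layout.
VARIANT_SAME_LAYOUT = build_apk({**MANDATORY,
                                 "classes.dex": b"dex\n035\0" + b"\x01" * 64,
                                 AUTHOR_PATH: b"v2"})
# Variant with one extra member: the tree hash changes, the path feature stays.
VARIANT_EXTRA_FILE = build_apk({**MANDATORY, AUTHOR_PATH: b"v3",
                                "assets/readme.txt": b"hi"})
# Unrelated application that lacks the author-specific path.
CLEAN = build_apk(MANDATORY)

# Signature database: features extracted once from the original sample.
SIGNATURES = {"Sample.Trojan.A": collect_features(ORIGINAL, AUTHOR_PATH)}


def run_demo():
    """Diagnose every sample under a tree-only rule and a path-only rule."""
    results = {}
    for label, apk in [("same_layout", VARIANT_SAME_LAYOUT),
                       ("extra_file", VARIANT_EXTRA_FILE), ("clean", CLEAN)]:
        feats = collect_features(apk, AUTHOR_PATH)
        results[label] = (diagnose(feats, SIGNATURES, ["tree"]),
                          diagnose(feats, SIGNATURES, ["path"]))
    return results


if __name__ == "__main__":
    for label, (by_tree, by_path) in run_demo().items():
        print(f"{label:12s} tree-rule={by_tree}  path-rule={by_path}")
```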
- the certificate information extracting unit 111c extracts the self-signed information of the RSA file 21 existing in the META-INF folder 20 in the APK compressed file.
- the certificate information extracting unit 111c may extract a serial number, an issuer DN, or a validity from the self-signed information.
- the certificate files exist in the META-INF folder 20 inside the APK compressed file as a MANIFEST.MF file 23, a .SF file 22 whose name is user-specified, and a .RSA file 21 carrying the same file name as the .SF file.
- the RSA file 21 contains a self-signed certificate in X.509 format; the Serial Number, Issuer DN, and Validity (Not Before, Not After) are extracted from the X.509 certificate contents and combined for use as a distinguishing signature.
- the DEX information collector 112 analyzes the classes.dex file 30 to extract the features of JAVA class files.
- the classes.dex file 30 contains the code written by the application creator in the JAVA programming language, in binary form. The classes.dex file 30 is analyzed to extract the features of the JAVA class files, which are used as diagnostic points.
- any one or more of the import class extracting unit 112a, the prototype extracting unit 112b, the class list extracting unit 112c, and the class hash extracting unit 112d constituting the DEX information collecting unit 112 may operate according to the diagnostic rules stored in advance in the diagnostic rule storage unit 150.
- the import class extracting unit 112a obtains a cyclic redundancy check (CRC) by using a list of external class information imported by JAVA files included in the classes.dex file 30 and utilizes it as a diagnostic point.
- the prototype extracting unit 112b collects the prototype list defined in the classes.dex file 30, obtains a CRC from it, and uses it as a diagnostic point.
- the prototype list contains only the types of user-defined classes, functions, and variables.
- the class list extracting unit 112c lists the names of the JAVA class files included in the classes.dex file 30, obtains a CRC, and uses it as a diagnostic point. Two CRCs are extracted: one over the class names only, and one over the class names together with their path information. Actual malicious behavior occurs in the JAVA code, so malicious information can be detected accurately using information extracted from the classes. When the features are extracted, the information is differentiated into four levels so that the code can be detected.
- the class hash extracting unit 112d extracts property values or JAVA code instruction syntax within the classes included in the classes.dex file 30.
- the first extractable information inside a class consists of the following values: static fields size, instance fields size, direct methods size, virtual methods size, static fields name & type, instance fields name & type, method name & type, method registers count, method in-out arguments, method tries length, method instruction size, etc.
- the second hash extraction target, the JAVA code instruction syntax, covers all opcodes, const value, all const *, return, if, goto, and const-string. A combination of one or more of the above items may be used to determine a malicious application according to the diagnostic rules stored in the diagnostic rule storage unit 150.
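The following Python is an added example, not the patent's implementation: it computes the import class CRC (112a), the prototype CRC (112b) and the two class list CRCs (112c) from descriptor lists, assuming a DEX parser has already read the type_ids, proto_ids and class_defs out of classes.dex; the descriptors, including the textual prototype notation, are constructed samples.

```python
"""DEX diagnostic points computed from descriptor lists: the import class CRC,
the prototype CRC and the two class list CRCs (names only, names with path).

Added example, not code from the patent.  It assumes a DEX parser has already
read the type_ids, proto_ids and class_defs descriptors out of classes.dex; the
lists below are constructed stand-ins for that output.
"""
import zlib


def crc32_of(items):
    """CRC32 over a canonical encoding (sorted, NUL-separated) of string items,
    so ordering differences between builds do not change the value."""
    return zlib.crc32(b"\0".join(s.encode("utf-8") for s in sorted(items)))


def simple_name(descriptor):
    """Strip the package path from a class descriptor: 'Lcom/a/Main;' -> 'Main'."""
    return descriptor[1:-1].rsplit("/", 1)[-1]


def import_class_crc(type_ids, class_defs):
    """Import class extractor: class types referenced by the DEX but not defined
    in it are the externally imported classes."""
    defined = set(class_defs)
    external = [t for t in type_ids if t.startswith("L") and t not in defined]
    return crc32_of(external)


def prototype_crc(proto_ids):
    """Prototype extractor: CRC over the method prototype list (return and
    parameter types only; method names are not part of a prototype)."""
    return crc32_of(proto_ids)


def class_list_crcs(class_defs):
    """Class list extractor: (CRC over simple class names, CRC over the full
    descriptors including package path)."""
    return crc32_of(simple_name(c) for c in class_defs), crc32_of(class_defs)


def diagnostic_points(dex):
    """Collect the DEX diagnostic points from a parsed-descriptor dict."""
    name_crc, path_crc = class_list_crcs(dex["class_defs"])
    return {
        "imports": import_class_crc(dex["type_ids"], dex["class_defs"]),
        "protos": prototype_crc(dex["proto_ids"]),
        "class_names": name_crc,
        "class_paths": path_crc,
    }


def matching_points(dex_a, dex_b):
    """Names of the diagnostic points two DEX files agree on; a diagnostic rule
    would pick which of these must match for a detection."""
    pa, pb = diagnostic_points(dex_a), diagnostic_points(dex_b)
    return sorted(k for k in pa if pa[k] == pb[k])


# Constructed descriptors: an original sample and a variant re-packaged under a
# different package path with the same classes, prototypes and imports.
ORIGINAL = {
    "type_ids": ["Landroid/app/Service;", "Landroid/content/Context;",
                 "Ljava/lang/String;", "Lcom/sample/a/Main;",
                 "Lcom/sample/a/Worker;", "I", "V"],
    "proto_ids": ["V()", "V(Ljava/lang/String;I)", "Ljava/lang/String;()"],
    "class_defs": ["Lcom/sample/a/Main;", "Lcom/sample/a/Worker;"],
}
VARIANT = {
    "type_ids": ["Landroid/app/Service;", "Landroid/content/Context;",
                 "Ljava/lang/String;", "Lnet/other/x/Main;",
                 "Lnet/other/x/Worker;", "I", "V"],
    "proto_ids": ["V()", "V(Ljava/lang/String;I)", "Ljava/lang/String;()"],
    "class_defs": ["Lnet/other/x/Main;", "Lnet/other/x/Worker;"],
}

if __name__ == "__main__":
    print("points shared by original and variant:",
          matching_points(ORIGINAL, VARIANT))
```

Only the path-qualified class list CRC changes for the re-packaged variant, which is why the page extracts the name-only CRC alongside it.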
- the manifest information collecting unit 113 collects internal information of the androidManifest.xml file 10.
- one or more of the application information extracting unit 113a and the XML tree structure extracting unit 113b constituting the manifest information collecting unit 113 may operate according to the diagnostic rules previously stored in the diagnostic rule storage unit 150.
- the application information extraction unit 113a extracts information about the application from the androidManifest.xml file 10.
- the androidManifest.xml file 10 describes the basic information that the system needs to know in order to run the application. Such information includes Package Name, Permission, Version (Product, SDK), Receiver, Activity, Service, etc., and it often keeps the same value or structure when the application is updated.
- the application information extracting unit 113a uses internal information of the androidManifest.xml file 10 that is not easily changed even when the application is updated for the diagnosis of the malicious application.
- the androidManifest.xml file 10 expresses information about an application in the form of a string. Since all the above-mentioned information such as package name and permission of the application can be extracted directly, unique information can be used as a string-based diagnostic signature.
- the XML tree structure extraction unit 113b extracts XML tree structure information of the androidManifest.xml file 10 as a hash value.
- the androidManifest.xml file (10) follows the standard specification of XML. All information is contained within the tree structure of each node.
- the tree structure in XML is the same as the skeleton of a living thing, and applications of similar functionality have the same structure. This structure can be extracted in hash form and used as a diagnostic signature.
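Added example (not code from the patent) of the two manifest features, the string-based application information of unit 113a and the XML tree structure hash of unit 113b, run over three constructed manifests; it assumes the binary AndroidManifest.xml has already been decoded to text, for example with apktool.

```python
"""Manifest diagnostic points: string-based application information and the
XML tree structure hash.

Added example, not code from the patent.  It assumes the binary
AndroidManifest.xml inside the APK has already been decoded to text (for
instance with apktool); the manifests below are constructed samples.
"""
import hashlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def application_info(root):
    """Application information extractor: package name, SDK version,
    permissions and declared components, all read directly as strings."""
    uses_sdk = root.find("uses-sdk")
    app = root.find("application")
    info = {
        "package": root.get("package"),
        "min_sdk": (uses_sdk.get(ANDROID_NS + "minSdkVersion")
                    if uses_sdk is not None else None),
        "permissions": sorted(e.get(ANDROID_NS + "name")
                              for e in root.findall("uses-permission")),
        "components": {},
    }
    if app is not None:
        for kind in ("activity", "service", "receiver"):
            info["components"][kind] = sorted(e.get(ANDROID_NS + "name")
                                              for e in app.findall(kind))
    return info


def skeleton(elem):
    """Nested tag names only: every attribute value and text node is dropped,
    leaving the manifest's 'skeleton'."""
    tag = elem.tag.split("}")[-1]  # strip any namespace prefix
    return tag + "(" + ",".join(skeleton(child) for child in elem) + ")"


def tree_structure_hash(root):
    """XML tree structure extractor: hash of the skeleton."""
    return hashlib.sha256(skeleton(root).encode("utf-8")).hexdigest()


def manifest_features(xml_text):
    root = ET.fromstring(xml_text)
    return {"info": application_info(root), "tree_hash": tree_structure_hash(root)}


def sample_manifest(package, perm, activity, with_receiver=False):
    """Constructed decoded manifest with a fixed layout; only strings vary
    unless with_receiver adds an extra component."""
    receiver = ""
    if with_receiver:
        receiver = (f'    <receiver android:name="{package}.Boot">\n'
                    '      <intent-filter><action android:name='
                    '"android.intent.action.BOOT_COMPLETED"/></intent-filter>\n'
                    '    </receiver>\n')
    return (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android"\n'
        f'          package="{package}" android:versionCode="3">\n'
        '  <uses-sdk android:minSdkVersion="8"/>\n'
        '  <uses-permission android:name="android.permission.INTERNET"/>\n'
        f'  <uses-permission android:name="{perm}"/>\n'
        '  <application android:label="@string/app_name">\n'
        f'    <activity android:name="{activity}">\n'
        '      <intent-filter>\n'
        '        <action android:name="android.intent.action.MAIN"/>\n'
        '        <category android:name="android.intent.category.LAUNCHER"/>\n'
        '      </intent-filter>\n'
        '    </activity>\n'
        f'    <service android:name="{package}.Svc"/>\n'
        f'{receiver}'
        '  </application>\n'
        '</manifest>\n'
    )


ORIGINAL = sample_manifest("com.sample.a", "android.permission.READ_PHONE_STATE",
                           "com.sample.a.Main")
# Re-packaged variant: every string changed, structure untouched.
VARIANT = sample_manifest("net.other.x", "android.permission.ACCESS_NETWORK_STATE",
                          "net.other.x.Start")
# A build that adds a component, so the skeleton differs.
EXTENDED = sample_manifest("com.sample.a", "android.permission.READ_PHONE_STATE",
                           "com.sample.a.Main", with_receiver=True)

if __name__ == "__main__":
    for name, text in [("original", ORIGINAL), ("variant", VARIANT),
                       ("extended", EXTENDED)]:
        feats = manifest_features(text)
        print(name, feats["info"]["package"], feats["tree_hash"][:16])
```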
- the resource information collecting unit 114 extracts form configuration information of resource structures in the resources.arsc file 40 as a hash value.
- a malicious mobile Trojan file keeps almost the same internal resources (pictures, strings) across its variants. Therefore, if the characteristics of a resource that does not change very often are used as a diagnostic rule, many variant files can be diagnosed at once.
- Android executables support a variety of resources (images, strings, icons, sounds, layouts, music, videos, etc.).
- the resources.arsc file 40 has a collection of structures of various types. For example, BASIC_HEADER, RESOURCE_HEADER, STRING_BLOCK, PACKAGE_BLOCK, TYPE_BLOCK, CONFIG_BLOCK, CONFIG_FLAGS, ENTRY_BLOCK, and the like.
- the resource information collecting unit 114 extracts the form of the resource structures in the resources.arsc file 40 in a hash form and uses the data as diagnostic data.
- the hash value of the array of start positions of each BASIC_HEADER structure present in the resources.arsc file 40, and of each BASIC_HEADER structure itself, may be extracted and used as diagnostic data.
- the number of strings present in the STRING_BLOCK structure, the total string size, the hash value of the string position array, and the entire string hash value can be extracted and used as diagnostic data.
- the number of TYPE_BLOCK structures present in the PACKAGE_BLOCK structure and the hash value of the TypeId member array of the TYPE_BLOCK structure can be extracted and used as diagnostic data.
- the number of entries in the CONFIG_BLOCK structure, the hash value of the SpecNameId array, and the hash value of the entry buffer start position array can be extracted and used as diagnostic data.
- the resource diagnosis method using the information collected by the resource information collecting unit 114 is effective for variant malicious files using the same Graphical User Interface (GUI).
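As an added example rather than the patent's own code, the Python below walks the chunk headers of a resources.arsc table and derives the BASIC_HEADER start position hash and the STRING_BLOCK features (string count, total string size, string position array hash, whole string hash) on constructed tables; it assumes the standard Android chunk layout (8-byte chunk header, 28-byte string pool header) and that the page's BASIC_HEADER, STRING_BLOCK and PACKAGE_BLOCK correspond to the ResChunk_header, the string pool chunk and the package chunk.

```python
"""Structure-based diagnostic data from resources.arsc: the chunk start position
array (the page's BASIC_HEADER structures) and the STRING_BLOCK features.

Added example, not code from the patent.  The chunk layout follows the standard
Android resource table format: every chunk starts with an 8-byte header of
u16 type, u16 headerSize, u32 size (little-endian); the string pool header is
28 bytes.  The tables below are constructed: one string pool plus a
header-only package chunk, with no type specs or type entries.
"""
import hashlib
import struct

RES_STRING_POOL_TYPE = 0x0001
RES_TABLE_TYPE = 0x0002
RES_TABLE_PACKAGE_TYPE = 0x0200
UTF8_FLAG = 0x0100


def walk_chunks(data):
    """Return (type, start offset, size) for every chunk directly under the
    table header, validating each header against the table bounds."""
    ctype, hsize, size = struct.unpack_from("<HHI", data, 0)
    if ctype != RES_TABLE_TYPE or size > len(data) or hsize < 8:
        raise ValueError("not a resource table")
    chunks, off = [], hsize
    while off < size:
        t, h, s = struct.unpack_from("<HHI", data, off)
        if s < 8 or h > s or off + s > size:
            raise ValueError("malformed chunk at offset %d" % off)
        chunks.append((t, off, s))
        off += s
    return chunks


def structure_hash(data):
    """Hash over the (type, start position) array of all top-level chunks;
    chunk contents are ignored, so only the table's shape is captured."""
    array = b"".join(struct.pack("<HI", t, off) for t, off, _ in walk_chunks(data))
    return hashlib.sha256(array).hexdigest()


def string_pool_features(data, off):
    """STRING_BLOCK features taken from the string pool chunk at `off`."""
    (_, hsize, size, count, _styles, _flags,
     strings_start, _styles_start) = struct.unpack_from("<HHIIIIII", data, off)
    offsets = struct.unpack_from("<%dI" % count, data, off + hsize)
    body = data[off + strings_start: off + size]
    return {
        "count": count,
        "total_size": len(body),
        "offsets_hash": hashlib.sha256(struct.pack("<%dI" % count, *offsets)).hexdigest(),
        "strings_hash": hashlib.sha256(body).hexdigest(),
    }


# --- constructed sample tables ----------------------------------------------
def build_string_pool(strings):
    """UTF-8 string pool: each entry is u8 char count, u8 byte count, bytes, NUL."""
    body, offsets = b"", []
    for s in strings:
        raw = s.encode("utf-8")
        offsets.append(len(body))
        body += bytes([len(s), len(raw)]) + raw + b"\0"
    body += b"\0" * (-len(body) % 4)  # keep the chunk 4-byte aligned
    strings_start = 28 + 4 * len(strings)
    header = struct.pack("<HHIIIIII", RES_STRING_POOL_TYPE, 28,
                         strings_start + len(body), len(strings), 0,
                         UTF8_FLAG, strings_start, 0)
    return header + struct.pack("<%dI" % len(strings), *offsets) + body


def build_package(pkg_id, name):
    """Header-only package chunk: id, 128 UTF-16 chars of name, four zeroed
    string pool offsets."""
    size = 8 + 4 + 256 + 16
    return (struct.pack("<HHII", RES_TABLE_PACKAGE_TYPE, size, size, pkg_id)
            + name.encode("utf-16-le").ljust(256, b"\0") + b"\0" * 16)


def build_table(strings, package_name):
    children = build_string_pool(strings) + build_package(0x7F, package_name)
    return struct.pack("<HHII", RES_TABLE_TYPE, 12, 12 + len(children), 1) + children


ORIGINAL = build_table(["app_name", "Log in"], "com.sample.a")
# Variant: repackaged under another name with one UI string reworded, same layout.
VARIANT = build_table(["app_name", "Log On"], "net.other.x")
# Different build with an extra string: shape and string count both change.
EXTENDED = build_table(["app_name", "Log in", "Cancel"], "com.sample.a")

if __name__ == "__main__":
    for name, table in [("original", ORIGINAL), ("variant", VARIANT),
                        ("extended", EXTENDED)]:
        print(name, structure_hash(table)[:16], string_pool_features(table, 12)["count"])
```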
- the information collecting unit 110 collects the information according to the diagnostic rule and provides it to the diagnosis determining unit 120; the diagnosis determining unit 120 compares the signature data previously stored in the signature storage unit 140 with the information collected by the information collecting unit 110 (S206), and diagnoses and determines whether the application executable file is malicious according to the comparison result (S207).
- the result providing unit 160 performs malicious application processing, such as providing the result of the diagnosis and determination of whether the application executable file is malicious to the outside (S208).
- Each block of the accompanying block diagram and each step of the flowchart, and combinations thereof, may be performed by computer program instructions.
- These computer program instructions may be loaded onto a processor of a general purpose computer, special purpose computer, or other programmable data processing equipment, such that the instructions executed through the processor of the computer or other programmable data processing equipment create means for performing the functions described in each block of the block diagram or each step of the flowchart.
- These computer program instructions may also be stored in a computer usable or computer readable memory that can direct a computer or other programmable data processing equipment to implement functionality in a particular manner, such that the instructions stored in the computer usable or computer readable memory produce an article of manufacture containing instruction means for performing the functions described in each block of the block diagram or each step of the flowchart.
- The computer program instructions may also be loaded onto a computer or other programmable data processing equipment, such that a series of operating steps is performed on the computer or other programmable data processing equipment to produce a computer-implemented process, so that the instructions executed on the computer or other programmable data processing equipment provide steps for performing the functions described in each block of the block diagram and each step of the flowchart.
- Each block or step may represent a portion of a module, segment, or code that includes one or more executable instructions for executing the specified logical function(s).
- The functions noted in the blocks or steps may also occur out of the order shown.
- For example, two blocks or steps shown in succession may in fact be executed substantially concurrently, or the blocks or steps may sometimes be performed in the reverse order, depending on the functionality involved.
Claims (21)
- A malicious application diagnosis apparatus comprising: a signature storage unit that stores, as signature data for diagnosing maliciousness, feature information common to a malicious application executable file capable of running in a mobile operating system environment and a variant file derived from that malicious application executable file; an information collecting unit that collects, from an application executable file subject to diagnosis, information corresponding to the common feature information; a diagnosis determining unit that compares the collected corresponding information with the common feature information stored in the signature storage unit to determine whether the application executable file subject to diagnosis is malicious; and a result providing unit that provides the result of determining whether the application executable file subject to diagnosis is malicious.
- The malicious application diagnosis apparatus of claim 1, further comprising a diagnostic rule storage unit that stores a diagnostic rule for determining whether the application executable file subject to diagnosis is malicious by combining a plurality of pieces of common feature information, wherein the information collecting unit collects the common feature information according to the diagnostic rule.
- The malicious application diagnosis apparatus of claim 1, further comprising a setting unit capable of requesting that the diagnostic rule be set, wherein the diagnostic rule set according to the request from the setting unit is stored in the diagnostic rule storage unit.
- The malicious application diagnosis apparatus of claim 1, wherein the application executable file subject to diagnosis is an APK (Android package) file, and the information collecting unit comprises an APK information collecting unit that collects file path information or certificate information from within the APK file.
- The malicious application diagnosis apparatus of claim 4, wherein the APK information collecting unit comprises a file tree structure extracting unit that extracts the tree structure of the files making up the APK file and extracts a hash value corresponding to the paths of those files.
- The malicious application diagnosis apparatus of claim 4, wherein the APK information collecting unit comprises a file path extracting unit that extracts the path of a specific file present within the APK file and extracts a hash value corresponding to that file's path.
- The malicious application diagnosis apparatus of claim 4, wherein the APK information collecting unit comprises a certificate information extracting unit that extracts the self-signature information of the RSA file present in the META-INF folder within the APK file.
- The malicious application diagnosis apparatus of claim 7, wherein the certificate information extracting unit extracts at least one of the Serial Number, Issuer DN, or Validity from the self-signature information.
- The malicious application diagnosis apparatus of claim 1, wherein the information collecting unit comprises a DEX information collecting unit that analyzes the DEX file within the application executable file subject to diagnosis and extracts features of the JAVA class files.
- The malicious application diagnosis apparatus of claim 9, wherein the DEX information collecting unit comprises an import class extracting unit that computes a CRC over the list of external class information imported by the JAVA files contained in the DEX file.
- The malicious application diagnosis apparatus of claim 9, wherein the DEX information collecting unit comprises a prototype extracting unit that gathers the list of prototypes defined in the DEX file and computes a CRC over it.
- The malicious application diagnosis apparatus of claim 9, wherein the DEX information collecting unit comprises a class list extracting unit that enumerates the names of the JAVA class files contained in the DEX file and computes a CRC over them.
- The malicious application diagnosis apparatus of claim 9, wherein the DEX information collecting unit comprises a class hash extracting unit that extracts, for the classes contained in the DEX file, the attribute values inside each class or the JAVA code instruction syntax.
- The malicious application diagnosis apparatus of claim 1, wherein the information collecting unit comprises a manifest information collecting unit that collects internal information from the androidManifest.xml file within the application executable file subject to diagnosis.
- The malicious application diagnosis apparatus of claim 14, wherein the manifest information collecting unit comprises an application information extracting unit that extracts information about the application from the androidManifest.xml file.
- The malicious application diagnosis apparatus of claim 14, wherein the manifest information collecting unit comprises an XML tree structure extracting unit that extracts the XML tree structure information of the androidManifest.xml file as a hash value.
- The malicious application diagnosis apparatus of claim 1, wherein the information collecting unit comprises a resource information collecting unit that extracts, as a hash value, the structural configuration information of the resource structures within the resources.arsc file.
- A malicious application diagnosis method comprising: storing, as signature data for diagnosing maliciousness, feature information common to a malicious application executable file capable of running in a mobile operating system environment and a variant file derived from that malicious application executable file; collecting, from an application executable file subject to diagnosis, information corresponding to the common feature information; comparing the collected corresponding information with the common feature information stored as the signature data to determine whether the application executable file subject to diagnosis is malicious; and providing the result of determining whether the application executable file subject to diagnosis is malicious.
- The malicious application diagnosis method of claim 18, further comprising storing a diagnostic rule for determining whether the application executable file subject to diagnosis is malicious by combining a plurality of pieces of common feature information, wherein the collecting step collects the common feature information according to the diagnostic rule.
- The malicious application diagnosis method of claim 19, further comprising receiving a request to set the diagnostic rule, wherein the diagnostic rule is stored according to the setting request.
- A computer-readable recording medium on which is recorded a program comprising instructions for performing each step of a malicious application diagnosis method, the method comprising: storing, as signature data for diagnosing maliciousness, feature information common to a malicious application executable file capable of running in a mobile operating system environment and a variant file derived from that malicious application executable file; collecting, from an application executable file subject to diagnosis, information corresponding to the common feature information; comparing the collected corresponding information with the common feature information stored as the signature data to determine whether the application executable file subject to diagnosis is malicious; and providing the result of determining whether the application executable file subject to diagnosis is malicious.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2015529660A JP5992622B2 (ja) | 2012-09-03 | 2013-07-09 | 悪意あるアプリケーション診断装置及び方法 |
US14/425,358 US9525706B2 (en) | 2012-09-03 | 2013-07-09 | Apparatus and method for diagnosing malicious applications |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR10-2012-0097262 | 2012-09-03 | ||
KR20120097262A KR101246623B1 (ko) | 2012-09-03 | 2012-09-03 | 악성 애플리케이션 진단 장치 및 방법 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2014035043A1 true WO2014035043A1 (ko) | 2014-03-06 |
Family
ID=48182424
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/KR2013/006095 WO2014035043A1 (ko) | 2012-09-03 | 2013-07-09 | 악성 애플리케이션 진단 장치 및 방법 |
Country Status (4)
Country | Link |
---|---|
US (1) | US9525706B2 (ko) |
JP (1) | JP5992622B2 (ko) |
KR (1) | KR101246623B1 (ko) |
WO (1) | WO2014035043A1 (ko) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2017021777A (ja) * | 2015-06-30 | 2017-01-26 | エーオー カスペルスキー ラボAO Kaspersky Lab | 仮想スタックマシンで実行可能な有害なファイルを検出するためのシステムおよび方法 |
KR20180137117A (ko) * | 2017-06-16 | 2018-12-27 | 라인 가부시키가이샤 | 치팅 어플리케이션 식별 방법 및 시스템 |
Families Citing this family (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101416717B1 (ko) * | 2013-03-28 | 2014-07-09 | (주)엠더블유스토리 | 스마트 기기 기반 악성코드의 침입을 차단하기 위한 시스템 및 그 방법 |
KR20150044490A (ko) * | 2013-10-16 | 2015-04-27 | (주)이스트소프트 | 안드로이드 악성 애플리케이션의 탐지장치 및 탐지방법 |
US9313219B1 (en) * | 2014-09-03 | 2016-04-12 | Trend Micro Incorporated | Detection of repackaged mobile applications |
KR101628837B1 (ko) * | 2014-12-10 | 2016-06-10 | 고려대학교 산학협력단 | 악성 어플리케이션 또는 악성 웹사이트 탐지 방법 및 시스템 |
US9519780B1 (en) * | 2014-12-15 | 2016-12-13 | Symantec Corporation | Systems and methods for identifying malware |
KR101581262B1 (ko) * | 2014-12-30 | 2016-01-04 | 주식회사 안랩 | 모바일 단말기의 악성 코드 검사 방법 및 장치 |
TWI541669B (zh) * | 2015-01-05 | 2016-07-11 | Rangecloud Information Technology Co Ltd | Detection systems and methods for static detection applications, and computer program products |
KR101564999B1 (ko) | 2015-01-26 | 2015-11-03 | 주식회사 안랩 | 스크립트진단장치 및 스크립트 진단 방법 |
KR101718923B1 (ko) | 2015-08-04 | 2017-03-23 | 주식회사 안랩 | 다중 코어 프로세서에 기반한 악성 코드 탐지 장치 및 방법 |
US10505982B2 (en) * | 2015-10-23 | 2019-12-10 | Oracle International Corporation | Managing security agents in a distributed environment |
KR101842263B1 (ko) | 2016-08-26 | 2018-05-14 | 단국대학교 산학협력단 | 어플리케이션에 대한 역공학 차단 방법 및 장치 |
GB2555859B (en) * | 2016-11-15 | 2020-08-05 | F Secure Corp | Remote malware scanning |
KR101857001B1 (ko) * | 2017-03-03 | 2018-05-14 | 숭실대학교산학협력단 | 안드로이드 동적 로딩 파일 추출 방법, 이를 수행하기 위한 기록 매체 및 시스템 |
CN109558732A (zh) * | 2017-09-27 | 2019-04-02 | 武汉斗鱼网络科技有限公司 | 一种防止应用程序文件被篡改的方法及服务器 |
KR102011725B1 (ko) | 2017-12-28 | 2019-08-19 | 숭실대학교산학협력단 | 악성코드 검출을 위한 화이트리스트 구축 방법 및 이를 수행하기 위한 기록매체 및 장치 |
US10671370B2 (en) * | 2018-05-30 | 2020-06-02 | Red Hat, Inc. | Distributing file system states |
WO2020046463A1 (en) * | 2018-08-28 | 2020-03-05 | Symantec Corporation | Software supply chain hardening via two-factor application integrity certification and monitoring |
CN111045686B (zh) * | 2019-12-16 | 2023-05-30 | 北京智游网安科技有限公司 | 一种提高应用反编译速度的方法、智能终端及存储介质 |
US11436331B2 (en) | 2020-01-16 | 2022-09-06 | AVAST Software s.r.o. | Similarity hash for android executables |
KR102345016B1 (ko) * | 2020-02-26 | 2021-12-29 | 아주대학교 산학협력단 | 랜섬웨어 감지 방법 및 장치 |
WO2022025650A1 (ko) * | 2020-07-29 | 2022-02-03 | 시큐차트 비.브이. | 어플리케이션 검증 시스템 및 검증방법 |
EP4095727A1 (en) * | 2021-05-28 | 2022-11-30 | AO Kaspersky Lab | System and method for detecting potentially malicious changes in applications |
US11886584B2 (en) | 2021-05-28 | 2024-01-30 | AO Kaspersky Lab | System and method for detecting potentially malicious changes in applications |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20080074271A (ko) * | 2007-02-08 | 2008-08-13 | 삼성전자주식회사 | 휴대단말 악성코드 처리장치 및 그 처리 방법 |
KR20100005518A (ko) * | 2008-07-07 | 2010-01-15 | 주식회사 안철수연구소 | 확장자를 위장한 파일을 탐지하는 방법 및 그 장치 |
KR101161493B1 (ko) * | 2010-01-18 | 2012-06-29 | (주)쉬프트웍스 | 안드로이드 단말 플랫폼에서의 악성 코드와 위험 파일의 진단 방법 |
KR20120093564A (ko) * | 2011-02-15 | 2012-08-23 | 주식회사 안랩 | 벡터량 산출을 이용한 악성코드의 분류 및 진단 방법과 장치 |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7210168B2 (en) * | 2001-10-15 | 2007-04-24 | Mcafee, Inc. | Updating malware definition data for mobile data processing devices |
JP3992136B2 (ja) * | 2001-12-17 | 2007-10-17 | 学校法人金沢工業大学 | ウイルス検出方法および装置 |
JP2008192122A (ja) * | 2007-01-09 | 2008-08-21 | Nec Corp | 悪意メール検出装置、検出方法およびプログラム |
US9235704B2 (en) * | 2008-10-21 | 2016-01-12 | Lookout, Inc. | System and method for a scanning API |
US9781148B2 (en) * | 2008-10-21 | 2017-10-03 | Lookout, Inc. | Methods and systems for sharing risk responses between collections of mobile communications devices |
US20110154495A1 (en) * | 2009-12-21 | 2011-06-23 | Stranne Odd Wandenor | Malware identification and scanning |
GB2531514B (en) * | 2014-10-17 | 2019-10-30 | F Secure Corp | Malware detection method |
2012
- 2012-09-03 KR KR20120097262A patent/KR101246623B1/ko active IP Right Grant
2013
- 2013-07-09 JP JP2015529660A patent/JP5992622B2/ja active Active
- 2013-07-09 WO PCT/KR2013/006095 patent/WO2014035043A1/ko active Application Filing
- 2013-07-09 US US14/425,358 patent/US9525706B2/en active Active
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2017021777A (ja) * | 2015-06-30 | 2017-01-26 | エーオー カスペルスキー ラボAO Kaspersky Lab | 仮想スタックマシンで実行可能な有害なファイルを検出するためのシステムおよび方法 |
KR20180137117A (ko) * | 2017-06-16 | 2018-12-27 | 라인 가부시키가이샤 | 치팅 어플리케이션 식별 방법 및 시스템 |
KR101992698B1 (ko) | 2017-06-16 | 2019-06-25 | 라인 가부시키가이샤 | 치팅 어플리케이션 식별 방법 및 시스템 |
Also Published As
Publication number | Publication date |
---|---|
JP2015526824A (ja) | 2015-09-10 |
US20150229673A1 (en) | 2015-08-13 |
KR101246623B1 (ko) | 2013-03-25 |
US9525706B2 (en) | 2016-12-20 |
JP5992622B2 (ja) | 2016-09-14 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 13832282 Country of ref document: EP Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 2015529660 Country of ref document: JP Kind code of ref document: A |
| NENP | Non-entry into the national phase | Ref country code: DE |
| WWE | Wipo information: entry into national phase | Ref document number: 14425358 Country of ref document: US |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 13832282 Country of ref document: EP Kind code of ref document: A1 |