WO2017135249A1 - Icon diagnosis device, icon diagnosis method and icon diagnosis program - Google Patents

Icon diagnosis device, icon diagnosis method and icon diagnosis program

Info

Publication number
WO2017135249A1
Authority
WO
WIPO (PCT)
Prior art keywords
icon
file
unit
diagnosis
risk
Prior art date
Application number
PCT/JP2017/003410
Other languages
English (en)
Japanese (ja)
Inventor
法道 内田
Original Assignee
株式会社ラック
Priority claimed from JP2016020955A external-priority patent/JP5954915B1/ja
Priority claimed from JP2016116611A external-priority patent/JP6068711B1/ja
Application filed by 株式会社ラック filed Critical 株式会社ラック
Publication of WO2017135249A1 publication Critical patent/WO2017135249A1/fr

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/01 Input arrangements or combined input and output arrangements for interaction between user and computer
    • G06F3/048 Interaction techniques based on graphical user interfaces [GUI]
    • G06F3/0481 Interaction techniques based on graphical user interfaces [GUI] based on specific properties of the displayed interaction object or a metaphor-based environment, e.g. interaction with desktop elements like windows or icons, or assisted by a cursor's changing behaviour or appearance
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Definitions

  • the present invention relates to an icon diagnosis apparatus, an icon diagnosis method, and a program.
  • This application claims priority based on Japanese Patent Application No. 2016-20955 filed in Japan on February 5, 2016 and Japanese Patent Application No. 2016-116611 filed in Japan on June 10, 2016, the contents of which are hereby incorporated by reference.
  • a malware icon is disguised as a document icon or an archive icon.
  • document icons include, for example, those of Microsoft Office (registered trademark) or Adobe Acrobat (registered trademark).
  • archive icons include, for example, those of the zip format or the lzh format.
  • when the compressed file is decompressed by the user, a file with a disguised icon is created, and the user may be prompted to click the icon.
  • the user may also be prompted to click an icon when a large number of spaces have been inserted in the file name so that the extension (a character string that identifies the type of file) is hidden from view.
  • the extension is a character string that identifies the type of file.
  • when an icon is camouflaged, it is possible to determine whether or not the file is malware by looking at the file's extension.
  • because the extension is hidden under the default settings of Windows (registered trademark), in some cases it was difficult to distinguish. Even when the extension is set to be displayed, the icon is more prominent than the extension, so many people recognize only the icon and take it for the file format or content; there were cases where it was difficult to notice the disguise.
  • the extension is easily misread, or a control character called RLO (Right-to-Left Override) is used to disguise the extension of the file. In many cases, it is difficult to identify malware just by visually checking the extension.
  • RLO stands for Right-to-Left Override.
  • the embodiment of the present invention provides an icon diagnosis apparatus, an icon diagnosis method, and a program capable of diagnosing whether or not an icon is disguised malware.
  • an icon diagnosis apparatus includes an icon extraction unit that extracts an icon of a diagnosis target file, a file format determination unit that determines the format of the diagnosis target file, and an icon comparison unit that compares the icon extracted by the icon extraction unit with a first reference icon, which is the reference icon corresponding to the format determined by the file format determination unit, and also compares the icon extracted by the icon extraction unit with a second reference icon other than the first reference icon.
  • the icon comparison unit compares the icon extracted by the icon extraction unit with the first reference icon and acquires the degree of divergence between the icons.
  • the icon comparison unit compares the icon extracted by the icon extraction unit with the second reference icon and acquires the degree of similarity between the icons.
  • the icon diagnosis apparatus according to an aspect of the present invention further includes a risk determination unit that performs a risk determination based on the result of the comparison by the icon comparison unit.
  • the risk determination unit performs a determination regarding the degree of risk.
  • the determination regarding the degree of risk is either whether or not there is a risk, or a classification into two or more stages of risk.
  • the risk determination unit may determine the risk based on a determination result regarding a signature attached to the diagnosis target file together with the comparison result by the icon comparison unit.
  • in an icon diagnosis method, the icon diagnosis apparatus extracts an icon of a diagnosis target file, determines the format of the diagnosis target file, compares the extracted icon with a first reference icon that is the reference icon corresponding to the determined format, and compares the extracted icon with a second reference icon other than the first reference icon.
  • a program causes a computer to execute a step of extracting an icon of a diagnosis target file, a step of determining the format of the diagnosis target file, a step of comparing the extracted icon with a first reference icon that is the reference icon corresponding to the determined format, and a step of comparing the extracted icon with a second reference icon other than the first reference icon.
  • according to the icon diagnosis apparatus, the icon diagnosis method, and the program of the embodiment of the present invention described above, it is possible to diagnose whether or not an icon is disguised malware.
  • FIG. 1 is a diagram illustrating a schematic configuration example of an icon processing apparatus 11 according to an embodiment of the present invention.
  • the icon processing apparatus 11 according to the present embodiment includes an input unit 31, an output unit 32, a storage unit 33, and a control unit 34.
  • the input unit 31 inputs information from outside.
  • the input unit 31 may include an interface for inputting information output from an external recording medium or another device.
  • the input unit 31 may include an operation unit that inputs information corresponding to an operation performed by the user, for example.
  • the output unit 32 outputs information to the outside.
  • the output unit 32 includes, for example, a display unit 71 that displays and outputs information.
  • the display unit 71 is, for example, a display screen.
  • the icon processing device 11 may include the display unit 71, or the display unit 71 may be provided separately from the icon processing device 11 and communicably connected to it.
  • the output unit 32 may include an interface that outputs information to an external recording medium or another device.
  • the storage unit 33 stores information.
  • the storage unit 33 stores file information 91, for example.
  • the file information 91 includes information on one or more files.
  • the storage unit 33 stores a file format list 92, for example.
  • the file format list 92 includes information on various file formats.
  • the file format list 92 includes, for example, extension information and characteristic information in the file, and holds correspondence between such information and file formats.
  • the file format list 92 may hold correspondences between various file information and file formats.
  • the file format list 92 may be updated as needed, for example, by the icon processing device 11 or the user.
  • the storage unit 33 stores a reference icon list 93, for example.
  • the reference icon list 93 holds correspondences between various file formats and reference icon information.
  • the reference icon list 93 may be updated as needed by, for example, the icon processing device 11 or the user.
  • the control unit 34 controls various processes in the icon processing apparatus 11.
  • the control unit 34 includes an icon diagnosis unit 111 and a diagnosis result output unit 112.
  • the icon diagnosis unit 111 includes a file format determination unit 131, an icon extraction unit 132, an icon comparison unit 133, and a risk determination unit 134.
  • the diagnosis result output unit 112 includes a display control unit 151.
  • the various functions of the control unit 34 are divided here into a plurality of parts, but these functions may be provided in other ways.
  • the various functions may be combined into one program, or may be divided into two or more programs in any way.
  • FIG. 2 is a flowchart showing an example of icon diagnosis processing performed by the icon processing apparatus 11 according to an embodiment of the present invention. The process of the flowchart shown in FIG. 2 will be described. This process determines (diagnoses) the risk related to a file whose icon is camouflaged. It is performed by the icon diagnosis unit 111 of the control unit 34 of the icon processing apparatus 11.
  • the icon diagnosis unit 111 acquires information on a diagnosis target file from the file information 91 stored in the storage unit 33.
  • the icon diagnosis unit 111 may set a file specified by an operation performed by the user as the diagnosis target, or may search for a file matching a predetermined condition according to a predetermined processing procedure and set it as the diagnosis target.
  • the file format determination unit 131 refers to the contents of the file format list 92 stored in the storage unit 33. Then, the file format determination unit 131 determines the format of the file based on the contents of the file format list 92 and the information on the diagnosis target file.
  • the file format determination unit 131 compares the correspondence held in the file format list 92 (the correspondence between file information and file formats) with the information on the diagnosis target file, identifies the file format corresponding to the information on the file, and acquires the identified file format as the determination result.
  • Step S2 the file format determination unit 131 determines whether or not the file includes icon data based on the result of determining the format of the diagnosis target file. As a result of this determination, if it is determined that the file contains icon data (step S2: YES), the process proceeds to steps S3 to S6. On the other hand, as a result of this determination, if it is determined that the file does not contain icon data (step S2: NO), the process proceeds to step S8.
  • Step S3 When it is determined in step S2 that the diagnosis target file includes icon data, the icon extraction unit 132 extracts the icon data.
  • Step S4 the icon comparison unit 133 refers to the contents of the reference icon list 93 stored in the storage unit 33. Then, the icon comparison unit 133 acquires the reference icon data of the diagnosis target file based on the contents of the reference icon list 93 and the file format determined by the file format determination unit 131. For example, the icon comparison unit 133 compares the correspondence held in the reference icon list 93 (the correspondence between file formats and reference icon information) with the format of the diagnosis target file, identifies the reference icon corresponding to the format of the file, and acquires the data of that reference icon. The icon comparison unit 133 then compares the icon data extracted by the icon extraction unit 132 with the acquired reference icon data, and calculates the degree of divergence between the icon and the reference icon.
  • the degree of divergence between the icon and the reference icon is calculated using, for example, a predetermined mathematical formula.
  • a value indicating the magnitude of the difference between the icon image and the reference icon image is used.
  • as the degree of divergence, for example, a value based on one or more of a hash value, a color ratio, a contour shape, and the like may be used.
  • a value of 0 [%] or more and 100 [%] or less representing the degree of difference may be used.
  • alternatively, either a value indicating that there is a difference or a value indicating that there is no difference may be used.
  • the degree of divergence may be, for example, a value indicating that there is a difference when a value of 0 [%] or more and 100 [%] or less representing the degree of difference exceeds a predetermined threshold, and a value indicating that there is no difference when that value is equal to or less than the predetermined threshold.
  • Step S5 the icon comparison unit 133 acquires data of reference icons other than the reference icon of the diagnosis target file based on the content of the reference icon list 93 and the file format determined by the file format determination unit 131.
  • the icon comparison unit 133 compares the icon data extracted by the icon extraction unit 132 with the acquired reference icon data, and calculates the similarity between the icon and the reference icon.
  • the icon comparison unit 133 calculates the similarity for each acquired reference icon. Note that the order of the process of step S4 and the process of step S5 may be reversed.
  • the similarity between the icon and the reference icon is calculated using, for example, a predetermined mathematical formula.
  • a value representing the magnitude of the similarity between the icon image and the reference icon image is used.
  • a value based on one or more of a hash value, a color ratio, a contour shape, and the like may be used.
  • a value of 0 [%] to 100 [%] representing the degree of similarity may be used.
  • alternatively, either a value indicating similarity or a value indicating dissimilarity may be used.
  • the similarity may be, for example, a value indicating that the icons are similar when a value of 0 [%] or more and 100 [%] or less representing the degree of similarity exceeds a predetermined threshold, and a value indicating that they are not similar when that value is equal to or less than the predetermined threshold.
  • different formulas may be used for the mathematical formula that calculates the degree of divergence between the icon and the reference icon and the mathematical formula that calculates the similarity between the icon and the reference icon.
  • alternatively, the same or substantially the same formula may be used.
  • a substantially same formula is, for example, one in which the degree of divergence and the similarity between the icon and the reference icon have a relationship such that their sum is a constant value (for example, 100 [%], or 1).
  • Step S6 the risk determination unit 134 calculates the risk based on the calculated degree of divergence between the icon of the diagnosis target file and its reference icon and the calculated similarity between the icon of the file and the other reference icons. Then, the risk determination unit 134 determines whether or not the calculated risk exceeds a predetermined threshold value.
  • the predetermined threshold value may be stored in advance in the storage unit 33, or may be designated at an arbitrary timing from an external device or a user.
  • if the risk exceeds the threshold (step S6: YES), the process proceeds to step S7; if it does not (step S6: NO), the process proceeds to step S8.
  • the risk level of the icon is calculated using, for example, a predetermined mathematical formula.
  • a value based on the degree of deviation between the icon and the reference icon and the degree of similarity between the icon and another reference icon is used as the risk level of the icon.
  • the degree of risk is used such that it is large when the degree of divergence is large and small when the degree of divergence is small.
  • the greater the similarity between the icon of the file to be diagnosed and a reference icon that does not correspond to the format of the file (an icon that is not originally expected for that file), the greater the degree of risk; the smaller that similarity, the smaller the degree of risk.
  • the similarities to all of the other reference icons may be used, or only the similarity to the one other reference icon having the largest similarity may be used.
  • Step S7 When it is determined that the degree of risk calculated in the process of step S6 exceeds the threshold, the risk determination unit 134 determines that there is a risk. Then, the process of this flow ends.
  • Step S8 When it is determined that the degree of risk calculated in the process of step S6 does not exceed the threshold, the risk determination unit 134 determines that there is no risk. Then, the process of this flow ends. Even when it is determined in the process of step S2 that the diagnosis target file does not include icon data, the risk determination unit 134 determines that there is no risk. Then, the process of this flow ends.
  • the risk determination unit 134 determines the presence or absence of risk for the file to be diagnosed. As another configuration example, when the file to be diagnosed is found to carry a risk, the risk determination unit 134 may determine the degree of risk in more detail.
  • the data of each icon may be identified based on predetermined information (hereinafter also referred to as “icon identification information”).
  • the predetermined information may be, for example, the icon size (image size), a name attached to the icon, a number attached to the icon, or other information.
  • the size of the icon may be, for example, the amount of data.
  • the file format determination unit 131 determines, for example, that the file includes icon data if the diagnosis target file includes the data of one or more icons.
  • the icon extraction unit 132 extracts data of one or more predetermined icons when the diagnosis target file includes data of two or more icons.
  • the predetermined one or more icon data includes at least icon data used for the comparison performed by the icon comparison unit 133.
  • where K is an integer equal to or greater than 1, the icon extraction unit 132 extracts at least the data of K icons.
  • the icon data used for the comparison performed by the icon comparison unit 133 may be identified by, for example, icon identification information.
  • the icon data used for the comparison performed by the icon comparison unit 133 may be the data of the K largest icons.
  • the icon extraction unit 132 extracts the data of the K largest icons from a diagnosis target file that includes the data of K or more icons. In this case, for example, when the diagnosis target file includes the data of fewer than K icons, the icon extraction unit 132 may extract the data of all of those icons.
  • the icon extraction unit 132 selects (identifies) and extracts icon data used for the comparison performed by the icon comparison unit 133.
  • alternatively, the icon extraction unit 132 extracts the data of all icons included in the diagnosis target file, and the icon comparison unit 133 selects (identifies) the icon data to be used for comparison from the extracted data of all icons.
  • the icon comparison unit 133 uses part of the data of two or more icons included in the file to be diagnosed for comparison.
  • the icon comparison unit 133 may be configured to use data of all icons included in the diagnosis target file for comparison regardless of the number of icon data included in the diagnosis target file.
  • the icon extraction unit 132 extracts data of all icons included in the diagnosis target file.
  • the icon comparison unit 133 compares, for each of the one or more icon data determined in advance to be used for comparison, the icon data extracted by the icon extraction unit 132 with the acquired reference icon data, and calculates the degree of divergence between the icon and the reference icon.
  • when the icon comparison unit 133 compares the data of two or more icons included in the diagnosis target file, as one example, a total value that takes into account the comparison results for all of those icons may be adopted as the final degree of divergence.
  • the total value may be, for example, the average or the sum of the divergence degrees calculated for each of the data of these two or more icons, or another value.
  • when the icon comparison unit 133 compares the data of two or more icons included in the diagnosis target file, as another example, the divergence degree calculated for the data of one of those icons may be adopted as the final degree of divergence.
  • the final degree of divergence may be, for example, the largest of the divergence degrees calculated for each of the data of the two or more icons.
  • the icon comparison unit 133 likewise compares, for each of the one or more icon data determined in advance to be used for comparison, the icon data extracted by the icon extraction unit 132 with the acquired reference icon data, and calculates the similarity between the icon and the reference icon.
  • when the icon comparison unit 133 compares the data of two or more icons included in the diagnosis target file, as one example, a total value that takes into account the comparison results for all of those icons may be adopted as the final similarity.
  • the total value may be, for example, the average or the sum of the similarities calculated for each of the data of these two or more icons, or another value.
  • when the icon comparison unit 133 compares the data of two or more icons included in the diagnosis target file, as another example, the similarity calculated for the data of one of those icons may be adopted as the final similarity.
  • the final similarity may be, for example, the largest of the similarities calculated for each of the data of the two or more icons.
  • among the data of two or more icons included in the diagnosis target file, the icon whose divergence degree calculated by the icon comparison unit 133 is adopted as the final degree of divergence (herein referred to as “icon A1”) and the icon whose similarity is adopted as the final similarity (herein referred to as “icon A2”) may be different icons; an example of this is given.
  • the icon comparison unit 133 may calculate both the degree of divergence and the degree of similarity for each of the data of two or more icons included in the diagnosis target file, and finally determine, based on both calculation results, the data of the one icon to be adopted for the final degree of divergence and the final similarity.
  • the data of the one icon may be, for example, icon data that is determined to have the highest degree of risk when the calculated degree of divergence and the calculated degree of similarity are comprehensively determined.
  • the risk level may be calculated by the same calculation method as the risk level calculated by the risk determination unit 134, for example.
  • the reference icon list 93 relates to a file format including data of a plurality of icons, for example, and holds information on the reference icons for each of the plurality of icons.
  • the reference icon corresponding to each icon may be identified using, for example, the same information (for example, icon identification information) as the information for identifying the data of each icon.
  • the icon comparison unit 133 compares, for example, one icon data to be compared with the one reference icon data corresponding to that icon data, and calculates the degree of divergence.
  • when the file to be diagnosed includes the data of two or more icons, the icon comparison unit 133 compares, for example, one icon data to be compared with reference icon data other than the one reference icon corresponding to that icon data, and calculates the similarity.
  • the reference icon data other than the one reference icon corresponding to the icon data may or may not include the reference icon data corresponding to the other icon data included in the diagnosis target file (that is, other reference icon data of the same file format); if that data is excluded, only the reference icon data of other file formats is included.
  • the icon comparison unit 133 can compare the data of all icons extracted by the icon extraction unit 132 and determine one or both of the degree of divergence and the degree of similarity as a total value. As another example, the icon comparison unit 133 can compare the data of all icons extracted by the icon extraction unit 132 and determine one or both of the degree of divergence and the degree of similarity from the icon that yields the highest risk level. As another example, the icon comparison unit 133 may compare only the data of the one icon having the largest size among the data of all icons extracted by the icon extraction unit 132. In general, an icon having a larger size (a larger image) is considered to allow a more accurate comparison and to give a more accurate result.
  • FIG. 3 is a flowchart illustrating an example of icon display processing performed by the icon processing apparatus 11 according to an embodiment of the present invention. The process of the flowchart shown in FIG. 3 will be described. This process displays the risk associated with a file whose icon is disguised. It is performed by the diagnosis result output unit 112 of the control unit 34 of the icon processing apparatus 11.
  • This flow shows a case where the risk determination unit 134 of the icon diagnosis unit 111 of the control unit 34 determines the degree of risk for a diagnosis target file.
  • the risk determination unit 134 determines that the file to be diagnosed has no risk, a low risk, a medium risk, or a high risk.
  • the risk determination unit 134 compares the degree of risk with two or more different thresholds to determine the degree of risk. As a specific example, the risk determination unit 134 determines that there is no risk when the risk level is equal to or lower than the first threshold, that the risk is low when the risk level exceeds the first threshold and is equal to or lower than the second threshold, that the risk is medium when the risk level exceeds the second threshold and is equal to or lower than the third threshold, and that the risk is high when the risk level exceeds the third threshold.
  • here, the first threshold < the second threshold < the third threshold. In this flow, when the degree of risk is low, the same processing as when there is no risk is performed.
  • Step S21 The display control unit 151 determines whether or not there is no risk for the display target file based on the determination result regarding the risk.
  • the display control unit 151 may display, for example, a file designated by an operation performed by the user, or may display a file matching a predetermined condition according to a predetermined processing procedure.
  • the display control unit 151 displays the reference icon of the file to be displayed based on the content of the reference icon list 93 stored in the storage unit 33 and the format of the file.
  • if it is determined in step S21 that the file to be displayed is not free of risk (that is, there is a risk) (step S21: NO), the process proceeds to step S22.
  • information on the result of determination regarding the risk made by the risk determination unit 134 is stored in the storage unit 33.
  • the display control unit 151 refers to the information.
  • Step S22 If it is determined in step S21 that the display target file is not free of risk, the display control unit 151 determines, based on the determination result regarding the risk, whether or not the display target file has a medium risk (“Danger (medium)” in FIG. 3). As a result of this determination, if it is determined that the file to be displayed has a medium risk (step S22: YES), the process proceeds to step S24. On the other hand, if it is determined that the file to be displayed does not have a medium risk (step S22: NO), the process proceeds to step S23.
  • Step S23 When it is determined in the process of step S22 that the file to be displayed does not have a medium risk, the display control unit 151 determines, based on the determination result regarding the risk, whether or not the display target file has a high risk (“Danger (High)” in FIG. 3). As a result of this determination, if it is determined that the file to be displayed has a high risk (step S23: YES), the process proceeds to step S25. On the other hand, if it is determined that the file to be displayed does not have a high risk (step S23: NO), the processing of this flow ends.
  • the display control unit 151 displays the reference icon of the file to be displayed based on the content of the reference icon list 93 stored in the storage unit 33 and the format of the file.
  • this case includes, for example, a case where there is a low degree of danger for the file to be displayed.
  • Step S24 When it is determined in the process of step S22 that the file to be displayed has a medium risk, the display control unit 151 displays the contents of the reference icon list 93 stored in the storage unit 33 and the relevant file for the display target file. Based on the file format, the reference icon of the file is displayed. Further, the display control unit 151 displays a mark indicating a medium danger for the reference icon. In the present embodiment, the display control unit 151 displays the mark so as to overlap the reference icon. Then, the process of this flow ends.
  • Step S25 When it is determined in the process of step S23 that the file to be displayed has a high degree of risk, the display control unit 151 displays the contents of the reference icon list 93 stored in the storage unit 33 and the relevant file for the display target file. Based on the file format, the reference icon of the file is displayed. Further, the display control unit 151 displays a mark indicating a high degree of danger for the reference icon. In the present embodiment, the display control unit 151 displays the mark so as to overlap the reference icon. Then, the process of this flow ends.
  • the display control unit 151 may store a correspondence between a file and information (icon information) for displaying a reference icon and a mark in a memory such as a cache memory. Then, the display control unit 151 may display icon information corresponding to the file to be displayed based on the correspondence stored in the memory.
  • The icon information stored in the memory may be, for example, only the icon information in which a mark regarding danger is displayed, or it may be all of the icon information.
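The display flow of steps S23 to S25, together with the icon comparison that produces the risk level it acts on and the icon-information cache described just above, as an added example in Python. This is not the patent's code: the 8x8 bilevel icons standing in for the reference icon list 93, the divergence and similarity thresholds, the mark glyphs and the cache design are all assumptions made for the example.

```python
"""Added example: icon-based risk determination with marked icon display.

Not the patent's code. Icons are constructed 8x8 bilevel bitmaps ('#' lit,
'.' dark); the reference icon list, thresholds and mark glyphs are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Stand-in for the reference icon list 93: declared file format -> reference icon.
REFERENCE_ICONS: Dict[str, List[str]] = {
    "exe": ["########", "#......#", "#.####.#", "#.#..#.#",
            "#.#..#.#", "#.####.#", "#......#", "########"],
    "pdf": ["######..", "#....#..", "#....##.", "#.....#.",
            "#..#..#.", "#.###.#.", "#.....#.", "#######."],
    "txt": ["........", ".######.", "..#.....", "..#.....",
            "..#.....", "..#.....", "..#.....", "........"],
}

# Marks drawn over the bottom-right 3x3 corner of the reference icon (assumed shapes).
MARKS: Dict[str, dict] = {
    "medium": {"glyph": [".#.", "###", ".#."], "color": "yellow", "caption": "open attention!"},
    "high":   {"glyph": ["###", "#.#", "###"], "color": "red",    "caption": "open danger"},
}

DIVERGENCE_THRESHOLD = 0.2   # assumed: above this, the icon is not the declared format's own icon
SIMILARITY_THRESHOLD = 0.8   # assumed: above this, the icon imitates another format's icon


def divergence(icon_a: List[str], icon_b: List[str]) -> float:
    """Fraction of differing pixels (normalised Hamming distance); 0.0 means identical."""
    total = sum(len(row) for row in icon_a)
    differing = sum(pa != pb for ra, rb in zip(icon_a, icon_b) for pa, pb in zip(ra, rb))
    return differing / total


def determine_risk(extracted: List[str], declared_format: str) -> str:
    """Three-stage risk ('low', 'medium', 'high') from the two icon comparisons."""
    own_ref = REFERENCE_ICONS[declared_format]
    if divergence(extracted, own_ref) <= DIVERGENCE_THRESHOLD:
        return "low"                       # icon is the declared format's own icon
    others = (1.0 - divergence(extracted, ref)
              for fmt, ref in REFERENCE_ICONS.items() if fmt != declared_format)
    if max(others) >= SIMILARITY_THRESHOLD:
        return "high"                      # diverges from own icon AND mimics another format
    return "medium"                        # diverges from own icon but mimics nothing known


def overlay(reference: List[str], glyph: List[str]) -> List[str]:
    """Draw the mark so that it overlaps the bottom-right corner of the reference icon."""
    rows = list(reference)
    top = len(rows) - len(glyph)
    for i, glyph_row in enumerate(glyph):
        left = len(rows[top + i]) - len(glyph_row)
        rows[top + i] = rows[top + i][:left] + glyph_row
    return rows


@dataclass
class IconInfo:
    risk: str
    rows: List[str]
    mark_color: Optional[str]
    caption: Optional[str]


class IconDisplayController:
    """Display control unit analogue: decides what to draw and caches the result per file."""

    def __init__(self) -> None:
        self._cache: Dict[Tuple[str, str], IconInfo] = {}
        self.computations = 0   # how many times the diagnosis actually ran (cache misses)

    def display(self, file_id: str, declared_format: str, extracted: List[str]) -> IconInfo:
        key = (file_id, declared_format)
        if key in self._cache:
            return self._cache[key]
        self.computations += 1
        risk = determine_risk(extracted, declared_format)
        reference = REFERENCE_ICONS[declared_format]
        if risk == "low":
            info = IconInfo(risk, list(reference), None, None)   # no mark for low risk
        else:
            mark = MARKS[risk]
            info = IconInfo(risk, overlay(reference, mark["glyph"]), mark["color"], mark["caption"])
        self._cache[key] = info
        return info
```

A file whose declared format is EXE but whose embedded icon is the PDF reference icon is the camouflage case: it diverges from its own reference icon and closely resembles another format's icon, so it receives the high-risk mark; an icon that diverges from the EXE reference but resembles no known format gets the medium mark; and a file with its own icon (or a slightly noisy copy of it) is shown with the plain reference icon.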
  • FIGS. 4 to 8 are diagrams each showing an example of icon display according to an embodiment of the present invention.
  • FIG. 4 is a diagram illustrating an example of icon information (icon information 211) of a file determined to have no risk.
  • the icon information 211 is the same as the information of the reference icon 212 of the file.
  • FIG. 5 is a diagram illustrating an example of icon information (icon information 221) of a file determined to have a medium risk.
  • the icon information 221 is information in which a mark 223 indicating a medium danger is superimposed on the reference icon 222 of the file.
  • FIG. 6 is a diagram illustrating an example of icon information (icon information 231) of a file determined to have a medium risk.
  • the icon information 231 is information in which a mark 233 indicating a medium danger is superimposed on the reference icon 232 of the file.
  • the mark 223 according to the example of FIG. 5 and the mark 233 according to the example of FIG. 6 are different marks.
  • the mark 233 according to the example of FIG. 6 includes character information that calls attention to the user (in the example of FIG. 6, “open attention!”).
  • FIG. 7 is a diagram illustrating an example of icon information (icon information 241) of a file determined to have a high degree of risk.
  • the icon information 241 is information in which a mark 243 indicating a high degree of danger is superimposed on the reference icon 242 of the file.
  • FIG. 8 is a diagram illustrating an example of icon information (icon information 251) of a file determined to have a high degree of risk.
  • the icon information 251 is information in which a mark 253 indicating a high degree of danger is superimposed on the reference icon 252 of the file.
  • the mark 243 according to the example of FIG. 7 and the mark 253 according to the example of FIG. 8 are different marks.
  • the mark 253 according to the example of FIG. 8 includes character information that calls attention to the user (“open danger” in the example of FIG. 8).
  • each of the marks 223, 233, 243, 253 may have any color.
  • the color of the mark may be different depending on the degree of danger.
  • For example, the marks 223 and 233 indicating a medium risk may have a yellow color in a large portion, and the marks 243 and 253 indicating a high risk may have a red color in a large portion.
  • In the examples above, a configuration is shown in which no mark indicating a low level of danger is displayed for a file having a low level of risk.
  • a configuration that displays a mark indicating a low degree of danger may be used.
  • FIGS. 3 to 8 show a configuration in which three levels of risk, low, medium, and high, are determined, and display is performed according to the determination result.
  • Alternatively, a configuration may be used in which a one-stage determination of whether there is a risk (presence/absence of danger) is made and display is performed according to the determination result.
  • a configuration may be used in which a two-stage risk is determined and display is performed according to the determination result.
  • a configuration may be used in which the risk in four or more stages is determined and display is performed according to the determination result.
  • the display control unit 151 is configured to display the marks 223, 233, 243, and 253 so as to overlap the reference icons 222, 232, 242, and 252.
  • Other arrangements of the mark may be used.
  • a configuration in which the display control unit 151 displays the mark at a position where a part of the reference icon and a part of the mark overlap may be used.
  • the position may be one of up, down, left, right, or diagonal positions with respect to the reference icon.
  • a configuration in which the display control unit 151 displays a mark at a position adjacent to and in contact with the reference icon may be used.
  • the position may be one of up, down, left, right, or diagonal positions with respect to the reference icon.
  • a configuration may be used in which the display control unit 151 displays a mark at a position near a predetermined distance from the reference icon.
  • the position may be one of up, down, left, right, or diagonal positions with respect to the reference icon.
  • As a mark indicating danger, a mark including various figures or characters may be used. Various colors may also be used for marks indicating danger.
  • A configuration is shown in which the diagnosis result output unit 112 of the control unit 34 displays the mark indicating danger through the display control unit 151.
  • Alternatively, a configuration may be used in which the diagnosis result output unit 112 of the control unit 34 displays, through the display control unit 151, a dialog indicating information such as a warning or a caution regarding danger.
  • A configuration in which the diagnosis result output unit 112 of the control unit 34 outputs a sound (including voice) indicating danger may also be used.
  • the display control unit 151 may display the mark indicating the danger on the reference icon. That is, for example, any configuration may be used as long as a mark indicating danger is seen when the user visually looks at the icon.
  • the display control unit 151 may display a mark indicating the danger on the reference icon by rewriting (or replacing) the icon data included in the file to be displayed.
  • Alternatively, the display control unit 151 may use a configuration in which a mark indicating danger is displayed over the reference icon without rewriting (or replacing) the icon data included in the display target file.
  • A configuration may also be used in which a mark indicating danger is displayed over the reference icon by control performed by the application displaying the icon.
  • For example, the application displaying the icon may be configured to have the function of the display control unit 151, and the icon data may be rewritten (or replaced) by control performed by that application.
  • That is, the icon data may be rewritten (or replaced) under the control of the application displaying the icon.
  • the application that displays the icon may be various applications, such as Explorer (registered trademark).
  • the method for determining whether or not the file includes icon data by the file format determination unit 131 and the method for extracting icon data included in the file by the icon extraction unit 132 are not particularly limited.
  • For example, the file format determination unit 131 can determine whether the file includes icon data based on the structure of the executable file. Further, based on the structure of the executable file, the icon extraction unit 132 can extract the icon data included in the file.
  • FIG. 9 is a diagram showing an example of an executable file structure according to an embodiment of the present invention.
  • The example of FIG. 9 is an example of the structure of a general executable file (EXE file).
  • The executable file is, for example, binary information.
  • The executable file includes a calling header structure 311 and a stub program 312, a PE header 313, and section data.
  • Section data includes a section header 314, a text section 315, a data section 316, a resource section 317, and the like.
  • the icon data is considered to be included in, for example, the resource section 317.
  • Processing by the file format determination unit 131 and processing by the icon extraction unit 132 may be performed based on the contents of the resource section 317.
  • an MZ signature (a character string “MZ”) exists at the top of the executable file, and whether or not the file is an executable file may be determined according to the presence or absence of the MZ signature.
  • Alternatively, the icon extraction unit 132 may extract the icon data included in the file based on the icon image. In this case, for example, the icon extraction unit 132 may perform image recognition processing to extract data corresponding to the icon image.
  • At present, the file format that holds its own icon is the executable file format only; for files of other formats, Windows (registered trademark) displays the icon associated with the file's extension.
  • If a new file format that holds its own icon appears, the embodiment of the present invention may be applied to such a new file format as well.
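The structural checks described above (MZ signature at the top of the file, PE header, section table, resource section) as an added example in Python. This is not the patent's code: it follows the documented PE file layout, and the minimal PE image it parses is constructed inline as sample data; the raw bytes placed in its .rsrc section are placeholders, not a real icon resource.

```python
"""Added example: locating the resource section of a PE executable.

Not the patent's code. Follows the documented PE layout (MZ header, e_lfanew,
PE signature, COFF header, section table); the sample file is constructed inline.
"""
import struct
from typing import Dict, List, Optional

COFF_HEADER_FMT = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def has_mz_signature(data: bytes) -> bool:
    """The MZ signature at offset 0 is the first check for an executable file."""
    return len(data) >= 2 and data[:2] == b"MZ"


def parse_section_headers(data: bytes) -> List[Dict[str, int]]:
    """Walk MZ header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if not has_mz_signature(data) or len(data) < 0x40:
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    coff_size = struct.calcsize(COFF_HEADER_FMT)
    if e_lfanew + 4 + coff_size > len(data):
        raise ValueError("e_lfanew points outside the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (_machine, n_sections, _stamp, _symtab, _nsyms,
     opt_size, _flags) = struct.unpack_from(COFF_HEADER_FMT, data, e_lfanew + 4)
    table = e_lfanew + 4 + coff_size + opt_size   # section table follows the optional header
    entry_size = struct.calcsize(SECTION_HEADER_FMT)
    sections = []
    for i in range(n_sections):
        off = table + i * entry_size
        if off + entry_size > len(data):
            raise ValueError("section table truncated")
        (name, vsize, vaddr, raw_size, raw_ptr, _reloc, _lines,
         _nreloc, _nlines, chars) = struct.unpack_from(SECTION_HEADER_FMT, data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "virtual_size": vsize,
                         "raw_ptr": raw_ptr, "raw_size": raw_size, "characteristics": chars})
    return sections


def resource_section_bytes(data: bytes) -> Optional[bytes]:
    """Return the raw bytes of the .rsrc section (where icon data is expected), or None."""
    for sec in parse_section_headers(data):
        if sec["name"] == ".rsrc":
            end = sec["raw_ptr"] + sec["raw_size"]
            if end > len(data):
                raise ValueError(".rsrc raw data extends past end of file")
            return data[sec["raw_ptr"]:end]
    return None


def build_sample_pe() -> bytes:
    """Constructed minimal PE image with a .text and a .rsrc section (sample data only)."""
    e_lfanew = 0x80
    opt_size = 0xF0                       # size of a PE32+ optional header; contents zeroed here
    dos = bytearray(e_lfanew)             # DOS header plus a zeroed stub area
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack(COFF_HEADER_FMT, 0x8664, 2, 0, 0, 0, opt_size, 0x22)
    optional = bytes(opt_size)
    text = struct.pack(SECTION_HEADER_FMT, b".text", 0x100, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)
    rsrc = struct.pack(SECTION_HEADER_FMT, b".rsrc", 0x100, 0x2000, 0x100, 0x400,
                       0, 0, 0, 0, 0x40000040)
    headers = bytes(dos) + b"PE\0\0" + coff + optional + text + rsrc
    image = bytearray(0x500)
    image[:len(headers)] = headers
    image[0x200:0x204] = b"\xCC\xCC\xCC\xCC"            # placeholder code bytes
    image[0x400:0x410] = b"RSRC-SAMPLE-DATA"            # placeholder resource bytes
    return bytes(image)
```

Every offset read from the file is bounds-checked before use, because a file crafted to look like an executable can carry an e_lfanew, section count or raw-data pointer that lies outside the file; a diagnosis component that trusts those fields would crash or misread, which is exactly what a disguised file benefits from.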
  • Arbitrary timings may be used as the timing at which the icon diagnosis unit 111 performs icon diagnosis processing.
  • any timing may be used as the timing for performing the icon display processing by the diagnosis result output unit 112.
  • the icon diagnosis process and the icon display process may be performed at independent timings.
  • an icon display process related to the diagnosis result may be performed at a timing when the icon diagnosis process is completed.
  • The following are examples of timing that can be used as the timing for performing the icon diagnosis processing or the icon display processing.
  • one or both of icon diagnosis processing and icon display processing may be performed at a timing when a file is opened by double-clicking or the like by an operation performed by a user in a computer.
  • the danger display may be performed before the file is opened.
  • When a target such as a desktop or a folder is opened by an operation performed by a user on the computer, one or both of the icon diagnosis processing and the icon display processing may be performed on a file existing on that target, and a display regarding danger may be performed.
  • a file of a program resident in the computer may be used as the file existing in the target.
  • When a check of a file stored in a memory is executed periodically or in a timely manner on the computer, one or both of the icon diagnosis processing and the icon display processing may be performed for the file at the execution timing.
  • One or both of the icon diagnosis process and the icon display process may be performed for the corresponding file at one or more of the following timings: when a file attached to an e-mail is received, when a file attached to an e-mail is expanded, when a file is displayed by a web browser, or when a file is downloaded by a web browser.
  • one or both of icon diagnosis processing and icon display processing may be performed on the identified file at the timing when the file is identified from communication packets transmitted over the network in the computer.
  • the control unit 34 may block transmission of a file that is determined to be dangerous or a file that is determined to have a risk exceeding a predetermined threshold.
  • the computer may be, for example, a personal computer (PC) or a computer such as a router or a switch in a network.
  • the icon diagnosis unit 111 performs diagnosis processing using a signature. For example, the icon diagnosis unit 111 verifies the signature attached to the file to be diagnosed, and determines whether or not the certificate related to the signature is issued by a legitimate organization. If the icon diagnosis unit 111 determines that the certificate is issued by a legitimate organization, the icon diagnosis unit 111 determines that there is no risk of the file with respect to the signature. On the other hand, when the icon diagnosis unit 111 determines that the certificate is not issued from a legitimate organization, the icon diagnosis unit 111 determines that the file has a risk regarding the signature. Note that, for example, information for identifying a legitimate institution may be stored in the storage unit 33 in advance or at any time, and the icon diagnosis unit 111 may make a determination with reference to the information.
  • the icon diagnosis unit 111 may determine the degree of risk when there is a risk of the file to be diagnosed. For example, if the icon diagnosis unit 111 determines that a certificate is not given to the file, the icon diagnosis unit 111 may determine that there is a high degree of risk regarding the signature. For example, when the icon diagnosis unit 111 determines that a self-certificate is given to the file, the icon diagnosis unit 111 may determine that there is a medium risk regarding the signature.
  • the degree of these dangers is an example, and arbitrary degrees of danger may be used.
  • The icon diagnosis unit 111 may perform the diagnosis process using a signature together with the diagnosis process using an icon for a diagnosis target file, and, based on the results of the individual diagnosis processes, determine whether there is an overall risk or the overall degree of risk. Note that, for example, the correspondence between each diagnosis processing result and the overall presence of risk or the overall degree of risk may be stored in the storage unit 33 in advance or at any time, and the icon diagnosis unit 111 may make the determination with reference to that correspondence.
  • Diagnosis processing using icons has been described, but the icon diagnosis unit 111 may also be configured to perform diagnosis processing using a white list.
  • the white list is stored in the storage unit 33.
  • the white list includes information regarding a file to be determined as having no risk.
  • The information related to the file may include, for example, one or more of the file name, the file size, the file icon, and the like. Even when the icon diagnosis unit 111 determines in the diagnosis process using the icon that the file to be diagnosed is dangerous, if the information on the file is included in the white list, the icon diagnosis unit 111 determines that there is no risk.
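The combination of the signature determination, the icon diagnosis result and the white list into an overall risk, together with the threshold-based blocking mentioned earlier for files transmitted over the network, as an added example in Python. This is not the patent's code. Verifying the signature itself (parsing the signed file, building the certificate chain) is outside this example: the issuer name and self-signed flag are taken as already-verified inputs. The set of legitimate issuers, the correspondence table mapping signature outcomes to risk stages (including treating an unknown issuer as medium risk, which the text does not specify), the max-combination rule and the white list entries are all assumptions.

```python
"""Added example: overall risk from icon diagnosis, signature determination and white list.

Not the patent's code. Signature verification is assumed to have been done already;
the legitimate-issuer set, correspondence table and white list entries are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

RISK_ORDER = {"low": 0, "medium": 1, "high": 2}

# Assumed correspondence table from the signature determination to a risk stage.
# 'unknown_issuer' (certificate present but not from a legitimate organisation) is an
# assumption; the text only fixes 'no certificate' -> high and 'self-certificate' -> medium.
SIGNATURE_RISK = {"trusted": "low", "self_signed": "medium",
                  "unknown_issuer": "medium", "unsigned": "high"}


def icon_digest(rows: Iterable[str]) -> str:
    """Stable identifier for an extracted icon, so the white list can refer to the icon."""
    return hashlib.sha256("\n".join(rows).encode()).hexdigest()


@dataclass(frozen=True)
class FileFacts:
    name: str
    size: int
    icon_hash: str             # icon_digest() of the extracted icon
    signer: Optional[str]      # issuer organisation of the signing certificate, or None
    self_signed: bool = False


@dataclass(frozen=True)
class WhitelistEntry:
    """One white list record; a None field means 'any value' for that attribute."""
    name: Optional[str] = None
    size: Optional[int] = None
    icon_hash: Optional[str] = None

    def matches(self, facts: FileFacts) -> bool:
        checks = (("name", self.name), ("size", self.size), ("icon_hash", self.icon_hash))
        return all(want is None or want == getattr(facts, field) for field, want in checks)


def signature_classification(facts: FileFacts, legitimate_issuers: Set[str]) -> str:
    if facts.signer is None:
        return "unsigned"
    if facts.self_signed:
        return "self_signed"
    if facts.signer not in legitimate_issuers:
        return "unknown_issuer"
    return "trusted"


def signature_risk(facts: FileFacts, legitimate_issuers: Set[str]) -> str:
    return SIGNATURE_RISK[signature_classification(facts, legitimate_issuers)]


def overall_risk(icon_risk: str, facts: FileFacts, legitimate_issuers: Set[str],
                 whitelist: List[WhitelistEntry]) -> str:
    """White list wins outright; otherwise take the worse of the icon and signature results."""
    if any(entry.matches(facts) for entry in whitelist):
        return "low"
    sig = signature_risk(facts, legitimate_issuers)
    return max((icon_risk, sig), key=RISK_ORDER.__getitem__)


def should_block(risk: str, threshold: str = "low") -> bool:
    """Block transmission when the risk exceeds the predetermined threshold (assumed strict)."""
    return RISK_ORDER[risk] > RISK_ORDER[threshold]
```

The white list check runs before the combination step so that a known-good file with an unusual icon is never marked, which is the behaviour the text describes; a practitioner would keep such entries narrow (name plus size plus icon hash rather than name alone), since a name-only entry lets any file carrying that name bypass the icon diagnosis.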
  • The icon processing apparatus 11 can detect malware whose icon is camouflaged by performing the icon diagnosis processing on a diagnosis target file. Thereby, the icon processing apparatus 11 can, for example, easily find malware that is difficult for a user to identify as malware. Thus, the icon processing apparatus 11 according to the present embodiment can accurately diagnose whether or not a file is malware with a camouflaged icon.
  • In the icon processing apparatus 11, whether there is a danger, or the more detailed degree of danger, can be shown in the icon itself by performing the icon display process using a mark indicating danger for the display target file.
  • With the icon processing apparatus 11, the user can recognize at a glance from the appearance of the icon that there is a danger. For example, even a user with little knowledge of computers or malware can grasp whether the file whose icon is displayed is dangerous, or its more detailed degree of danger, and can take measures such as not opening the dangerous file.
  • Thus, the icon processing apparatus 11 according to the present embodiment can display that a file is malware with a camouflaged icon in a manner that is easy for the user to distinguish.
  • An icon diagnosis device (icon processing device 11 in the example of FIG. 1) comprising: a file format determination unit (file format determination unit 131 in the example of FIG. 1) that determines the format of a diagnosis target file; an icon extraction unit (icon extraction unit 132 in the example of FIG. 1) that extracts an icon of the diagnosis target file; an icon comparison unit (icon comparison unit 133 in the example of FIG. 1) that compares the icon extracted by the icon extraction unit with the reference icon corresponding to the format determined by the file format determination unit, and compares the icon extracted by the icon extraction unit with a reference icon other than the reference icon corresponding to the format determined by the file format determination unit; and a risk determination unit that makes a determination regarding risk based on the comparison result by the icon comparison unit.
  • In the icon diagnosis apparatus, the icon comparison unit compares the icon extracted by the icon extraction unit with the reference icon corresponding to the format determined by the file format determination unit, and obtains the degree of divergence between the two.
  • The icon comparison unit compares the icon extracted by the icon extraction unit with a reference icon other than the reference icon corresponding to the format determined by the file format determination unit, and obtains the degree of similarity between the two.
  • The risk determination unit performs a determination regarding the degree of risk.
  • The determination regarding the degree of risk is a determination of whether there is a risk, or a determination of the degree of risk in two or more stages.
  • the risk determination unit performs the risk determination based on the determination result regarding the signature attached to the diagnosis target file and the comparison result by the icon comparison unit.
  • An icon diagnosis method (in the example of FIG. 1, a method of processing performed by the icon processing device 11) in which the icon diagnosis apparatus determines the format of the diagnosis target file, extracts the icon of the diagnosis target file, compares the extracted icon with the reference icon corresponding to the determined format, compares the extracted icon with a reference icon other than the reference icon corresponding to the determined format, and makes a determination regarding risk based on the comparison results.
  • A program (in the example of FIG. 1, a program executed by the icon processing device 11) for causing a computer to execute a step of determining the format of the file to be diagnosed, a step of extracting the icon of the file to be diagnosed, a step of comparing the extracted icon with a reference icon corresponding to the determined format, a step of comparing the extracted icon with a reference icon other than the reference icon corresponding to the determined format, and a step of making a determination regarding danger based on the results of the comparisons.
  • An icon diagnosis apparatus comprising: an icon extraction unit that extracts an icon of a diagnosis target file; and an icon comparison unit that compares the icon extracted by the icon extraction unit with a first reference icon, and compares the icon extracted by the icon extraction unit with a second reference icon other than the first reference icon.
  • the icon diagnosis apparatus includes a risk determination unit that performs a risk determination based on a result of comparison by the icon comparison unit.
  • The icon diagnosis apparatus includes a file format determination unit that determines the format of the file to be diagnosed, and the icon comparison unit compares the icon extracted by the icon extraction unit with the first reference icon, which corresponds to the format determined by the file format determination unit, and compares the icon extracted by the icon extraction unit with the second reference icon.
  • An icon diagnosis method in which the icon diagnosis device extracts an icon of a file to be diagnosed, compares the extracted icon with a first reference icon, and compares the extracted icon with a second reference icon other than the first reference icon.
  • A program for causing a computer to execute a step of extracting an icon of a file to be diagnosed, a step of comparing the extracted icon with a first reference icon, and a step of comparing the extracted icon with a second reference icon other than the first reference icon.
  • An icon diagnosis apparatus comprising: an icon extraction unit that extracts an icon of a diagnosis target file; a file format determination unit that determines the format of the diagnosis target file; and an icon comparison unit that compares the icon extracted by the icon extraction unit with a first reference icon, which is the reference icon corresponding to the format determined by the file format determination unit, and compares the icon extracted by the icon extraction unit with a second reference icon other than the first reference icon.
  • An icon diagnosis method in which an icon diagnosis device extracts an icon of a diagnosis target file, the icon diagnosis device determines the format of the diagnosis target file, and the icon diagnosis device compares the extracted icon with a first reference icon that is the reference icon corresponding to the determined format.
  • A program for causing a computer to execute a step of extracting an icon of a diagnosis target file, a step of determining the format of the diagnosis target file, and a step of comparing the extracted icon with a first reference icon that is the reference icon corresponding to the determined format
  • a program for realizing the function of the device (for example, the icon processing device 11) according to the above-described embodiment is recorded (stored) in a computer-readable recording medium (storage medium).
  • the processing may be performed by causing the computer system to read and execute the program recorded on the recording medium.
  • the “computer system” may include an operating system (OS) or hardware such as a peripheral device.
  • The “computer-readable recording medium” means a portable medium such as a flexible disk, a magneto-optical disk, a ROM (Read Only Memory), a writable nonvolatile memory such as a flash memory, or a DVD (Digital Versatile Disk), or a storage device such as a hard disk built into a computer system.
  • The “computer-readable recording medium” also includes a medium that holds a program for a certain period of time, such as a volatile memory (for example, a DRAM (Dynamic Random Access Memory)) inside a computer system that becomes a server or a client when the program is transmitted via a network such as the Internet or a communication line such as a telephone line.
  • the program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium.
  • the “transmission medium” for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line.
  • the above program may be for realizing a part of the functions described above.
  • the above program may be a so-called difference file (difference program) that can realize the above-described functions in combination with a program already recorded in the computer system.

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • Human Computer Interaction (AREA)
  • User Interface Of Digital Computer (AREA)

Abstract

The present invention relates to an icon diagnosis device comprising: an icon extraction unit that extracts the icon of a file to be diagnosed; a file format determination unit that determines the format of the file to be diagnosed; and an icon comparison unit that compares the icon extracted by the icon extraction unit with a first reference icon, which is a reference icon corresponding to the format determined by the file format determination unit, and compares the above-mentioned icon extracted by the icon extraction unit with a second reference icon other than the above-mentioned first reference icon.
PCT/JP2017/003410 2016-02-05 2017-01-31 Dispositif de diagnostic d'icône, procédé et programme de diagnostic d'icône WO2017135249A1 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
JP2016-020955 2016-02-05
JP2016020955A JP5954915B1 (ja) 2016-02-05 2016-02-05 アイコン診断装置、アイコン診断方法およびプログラム
JP2016116611A JP6068711B1 (ja) 2016-06-10 2016-06-10 アイコン診断装置、アイコン診断方法およびプログラム
JP2016-116611 2016-06-10

Publications (1)

Publication Number Publication Date
WO2017135249A1 true WO2017135249A1 (fr) 2017-08-10

Family

ID=59499640

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2017/003410 WO2017135249A1 (fr) 2016-02-05 2017-01-31 Dispositif de diagnostic d'icône, procédé et programme de diagnostic d'icône

Country Status (2)

Country Link
TW (1) TWI622932B (fr)
WO (1) WO2017135249A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102017120209A1 (de) 2017-09-01 2019-03-07 SCi Kontor GmbH Gerät zum Zerkleinern von Lebensmitteln sowie dessen Verwendung

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2010198565A (ja) * 2009-02-27 2010-09-09 Hitachi Ltd 不正プログラム検知方法、不正プログラム検知プログラム、および情報処理装置
US8256000B1 (en) * 2009-11-04 2012-08-28 Symantec Corporation Method and system for identifying icons
JP2015191458A (ja) * 2014-03-28 2015-11-02 エヌ・ティ・ティ・ソフトウェア株式会社 ファイル危険性判定装置、ファイル危険性判定方法、及びプログラム

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070056035A1 (en) * 2005-08-16 2007-03-08 Drew Copley Methods and systems for detection of forged computer files
JP4733509B2 (ja) * 2005-11-28 2011-07-27 株式会社野村総合研究所 情報処理装置、情報処理方法およびプログラム
CN103078864B (zh) * 2010-08-18 2015-11-25 北京奇虎科技有限公司 一种基于云安全的主动防御文件修复方法
CN102395128B (zh) * 2011-06-30 2015-12-09 北京邮电大学 一种移动智能终端的恶意信息发送防御方法及其系统
US8869274B2 (en) * 2012-09-28 2014-10-21 International Business Machines Corporation Identifying whether an application is malicious
TWI461952B (zh) * 2012-12-26 2014-11-21 Univ Nat Taiwan Science Tech 惡意程式偵測方法與系統
CN103077353B (zh) * 2013-01-24 2015-12-02 北京奇虎科技有限公司 主动防御恶意程序的方法和装置
CN103729593B (zh) * 2013-12-31 2017-04-12 安一恒通(北京)科技有限公司 一种文件安全性的识别方法和系统
CN104504335B (zh) * 2014-12-24 2017-12-05 中国科学院深圳先进技术研究院 基于页面特征和url特征的钓鱼app检测方法及系统

Also Published As

Publication number Publication date
TW201734774A (zh) 2017-10-01
TWI622932B (zh) 2018-05-01

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17747405

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17747405

Country of ref document: EP

Kind code of ref document: A1