WO2018043885A1 - System and method for detecting malicious code - Google Patents

System and method for detecting malicious code

Info

Publication number
WO2018043885A1
Authority
WO
WIPO (PCT)
Prior art keywords
file
path
target file
virtual
malicious code
Prior art date
Application number
PCT/KR2017/006466
Other languages
English (en)
Korean (ko)
Inventor
강경완
김유현
Original Assignee
주식회사 안랩
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 주식회사 안랩
Publication of WO2018043885A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/54 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by adding security routines or objects to programs
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems

Definitions

  • The present invention relates to a technique for protecting files from malicious code.
  • More specifically, it relates to a malicious code detection technique that detects malicious code before the code causes actual damage, while being exposed only to the process under examination and not to the user or to the author of the malicious code.
  • Malicious code attacks in various forms: it may arbitrarily tamper with information (files) so that they become unusable, leak information (files) to the outside, or delete information (files). Many such variants exist.
  • Malicious code that arbitrarily tampers with information (files) and renders it unusable, for example by encrypting or compressing the files, exploits the fact that the user may never be able to see that information again.
  • Such malicious code is used not to destroy information (files) but to make it unusable: the user is informed of the attack on the information (files) and money is extorted in return for restoring it.
  • Existing malicious code detection techniques detect malicious code on the basis of indirect behaviour such as its distribution or infection method, not on the basis of the direct malicious behaviour of the code, that is, the attack itself.
  • Because existing detection methods rely on indirect behaviour such as distribution and infection methods, the malicious code is detected only after the malicious damage or a characteristic behaviour has already been caused by the malicious activity, and detection may fail altogether.
  • The present invention therefore proposes a new malicious code detection technique that detects malicious code before the code causes actual damage, and that is exposed only to the process under examination, not to the user or to the author of the malicious code.
  • An object of the present invention is to realize a new malicious code detection technique that detects malicious code before it causes actual damage, while being exposed only to the process under examination and not to the user or to the author of the malicious code.
  • The malicious code detection method comprises: a step of creating a separate arbitrary file for malicious code detection and defining the path of a virtual file associated with that arbitrary file; a step of discriminating, when a process attempting to search for a target file in order to perform an action is identified, whether that process is a normal process or a suspicious process; a first providing step of providing the path of the searched target file to the process as the search result when it is discriminated as a normal process; and a second providing step of providing, when it is discriminated as a suspicious process, the path of the virtual file together with the path of the target file as the search result, so that only a process discriminated as suspicious is able to recognise the existence of the arbitrary file associated with the path of the virtual file.
  • The malicious code detection system comprises a file generation and path definition unit that generates a separate arbitrary file for malicious code detection and defines the path of the virtual file associated with that arbitrary file;
  • a process discrimination unit that discriminates, when a process attempting to search for a target file in order to perform an action is identified, whether that process is a normal process or a suspicious process; and
  • a control unit that provides the path of the target file found by the search to the process as the search result if it is classified as a normal process, and that, if it is classified as a suspicious process, provides the path of the virtual file together with the path of the target file as the search result.
  • Accordingly, malicious code is detected before it causes actual damage, through a detection technique that is limited to the process under examination, and the effect of effectively detecting malicious code without it being easily exposed to the user or to the author of the malicious code is obtained.
  • FIG. 1 is a block diagram showing the configuration of a malicious code detection system according to an embodiment of the present invention.
  • FIG. 2 is a flowchart illustrating a malicious code detection method according to an embodiment of the present invention.
  • The terms first and second may be used to describe various components, but the components should not be limited by these terms, which serve only to distinguish one component from another.
  • For example, a first component may be referred to as a second component and, similarly, a second component may be referred to as a first component.
  • FIG. 1 shows the configuration of a malicious code detection system according to an embodiment of the present invention.
  • The malicious code detection system 100 is preferably mounted on an independent user device 500 such as a computer.
  • For example, the malicious code detection system 100 of the present invention may take the form of an application installed in the user device 500.
  • For convenience of description, FIG. 1 also illustrates a process 300 that attempts to access a storage unit 400 storing information (files) in the user device 500, and a file system 200 that controls the I/O of information (files) between the process 300 and the storage unit 400.
  • The malicious code detection system 100 includes a file generation and path definition unit 110 that generates a separate arbitrary file for malicious code detection and defines the path of a virtual file associated with that arbitrary file;
  • a process discrimination unit 120 that distinguishes whether the process is a normal process or a suspicious process; and
  • a control unit 130 that, if the process is classified as normal, provides the path of the target file found by the search to the process as the search result, and, if the process is classified as suspicious, provides the path of the virtual file together with the path of the target file as the search result.
  • In generating the arbitrary file, it is important that it has the form of a file type that the malicious code targets for its attack (for example a document or media file), so that the malicious code recognises the arbitrary file as a target file to attack.
  • The arbitrary file does not actually store meaningful data; its only purpose is to receive the malicious behaviour (attack) of the malicious code in place of the file that is the actual target.
  • Accordingly, the file generation and path definition unit 110 creates the arbitrary file, in the form of a file type that the malicious code targets (for example a document or media file), in a directory (path) of the storage unit 400 storing information (files), so that it is exposed to malicious code.
  • When the file generation and path definition unit 110 generates the arbitrary file as described above, it also defines the path of the virtual file associated with the arbitrary file.
  • Unlike the arbitrary file, which is actually created and exists, the virtual file is a file that does not actually exist. Accordingly, the path of the virtual file is merely information associated with the arbitrary file and is not an actually accessible directory (path).
  • In other words, when the file generation and path definition unit 110 generates the arbitrary file, it defines the path of the virtual file as information associated with that arbitrary file.
  • The process discrimination unit 120 distinguishes whether the process 300 is a normal process or a suspicious process.
  • It may do so according to a predefined discrimination policy.
  • For example, the discrimination policy may classify a process that belongs to a whitelist, built from accumulated malicious code detection results, as a normal process, and a process that does not belong to the whitelist as a suspicious process.
  • In that case the process discrimination unit 120 classifies the process 300 as normal if it belongs to the whitelist, and as suspicious if it does not.
  • As another example, the discrimination policy may classify a process as normal only if it belongs to the whitelist built from accumulated detection results and none of its loaded modules is unknown,
  • and classify a process that has an unknown module among its loaded modules as suspicious.
  • In that case the process discrimination unit 120 classifies the process 300 as normal only if it belongs to the whitelist and every loaded module is known; if it does not belong to the whitelist, or if any loaded module is unknown even though it does, it is classified as suspicious.
  • When the process 300 is classified as a normal process, the control unit 130 provides the process 300 with the path of the target file found by the search as the result of its target file search attempt.
  • Hereinafter, a process 300 classified as a normal process is referred to as a normal process 300,
  • and a process 300 classified as a suspicious process is referred to as a suspicious process 300.
  • That is, the control unit 130 provides the normal process 300 that attempts to search for a target file in order to perform an action with the path of the target file found by that search, as the search result.
  • When the process 300 is classified as a suspicious process, the control unit 130 provides the path of the previously defined virtual file together with the path of the target file as the search result.
  • That is, the control unit 130 provides the suspicious process 300 that attempts to search for a target file in order to perform an action with the path of the target file found by that search and, in addition, with the path of the virtual file, as the search result.
  • Unlike the normal process 300, which receives only the path (directory) of the target file as the result of its search, the suspicious process 300 receives both the path (directory) of the target file and the path of the virtual file as the search result.
  • Since the suspicious process 300 receives the path of the target file and the path of the virtual file as the search result, only the suspicious process 300 can recognise the existence of the arbitrary file associated with the path of the virtual file.
  • The normal process 300 does not know the path of the virtual file and therefore cannot recognise the existence of the arbitrary file associated with it; the detection technique of the present invention, which is based on the arbitrary file, is thus not exposed to the normal process 300.
  • The process that may be the malicious code to be detected, that is, the suspicious process 300, knows the path of the virtual file and therefore recognises the existence of the arbitrary file associated with it; the detection technique of the present invention, which is based on the arbitrary file, is thus limited to the suspicious process 300.
  • The malicious code to be detected in the present invention may be malicious code that attacks by arbitrarily tampering with information (files), malicious code that attacks by leaking information (files) to the outside, or malicious code that attacks by deleting information (files).
  • The control unit 130 detects the suspicious process 300 as malicious code on the basis of the action that the suspicious process 300 performs on the arbitrary file after accessing the path of the virtual file.
  • That is, when the suspicious process 300 accesses the path of the virtual file, which is merely information associated with the arbitrary file and does not actually exist, the suspicious process 300 in fact accesses the arbitrary file associated with that path.
  • The control unit 130 therefore judges, from the action that the suspicious process 300 performs on the arbitrary file after reaching it through the path of the virtual file, whether that action corresponds to the malicious behaviour (attack) to be detected in the present invention, and if so detects the suspicious process 300 as malicious code.
  • When the suspicious process 300 is detected as malicious code, the control unit 130 may block the suspicious process 300 from accessing any further file.
  • If the suspicious process 300 accesses the path of the virtual file first, out of the path of the target file and the path of the virtual file provided as the search result, then, if the suspicious process 300 is malicious code, it can be detected as such before any actual damage occurs.
  • If, on the other hand, the suspicious process 300 accesses the path of the target file before the path of the virtual file and performs its malicious behaviour (attack) on the target file, that is, on the actual target of the attack, a situation may arise in which the malicious code cannot be detected before the actual damage occurs.
  • The present invention therefore proposes a function that causes the suspicious process 300 to access the path of the virtual file preferentially, among the path of the target file and the path of the virtual file provided as the search result.
  • To this end, the control unit 130 may apply to the path of the virtual file a specific factor that causes the suspicious process 300 to access the path of the virtual file before the path of the target file when it accesses files on the basis of the search result, and provide the path in that form.
  • That is, when the control unit 130 provides the suspicious process 300 that attempts to search for a target file in order to perform an action with the path of the target file and the path of the virtual file as the search result, it provides the path of the virtual file with the specific factor applied.
  • The specific factor is defined as a factor that causes the suspicious process 300 to attempt to access the path of the virtual file before the path of the target file when it accesses files on the basis of the search result.
  • Such a specific factor may be defined from the result of analysing the file access pattern of the malicious code to be detected, that is, in which order it accesses the files returned to it.
  • For example, when the control unit 130 provides the suspicious process 300 with the path of the target file and the path of the virtual file as the search result, it may place the specific factor "!" at the beginning of the path of the virtual file.
  • In that case the suspicious process 300 attempts to access the path of the virtual file beginning with "!" before the path of the target file, so that, if the suspicious process 300 is malicious code, it can be detected as such before the actual damage occurs.
  • In addition, the control unit 130 may provide a path of the virtual file paired with each path of the target file, in units of the target file paths found by the search, so that even if the suspicious process 300 accesses files in a random order on the basis of the search result, it attempts to access the path of the virtual file before the path of the target file.
  • That is, when the control unit 130 provides the suspicious process 300 with the paths of the target file and the virtual file as the search result, it provides, for each path of the target file, a paired path of the virtual file with the specific factor (for example "!") applied.
  • For example, assuming that five paths of the target file (paths 1, 2, 3, 4 and 5) are found by the target file search attempt, the control unit 130 pairs a path of the virtual file with the specific factor (for example "!") applied with each of target file paths 1, 2, 3, 4 and 5,
  • and provides the search result in the form: path of the virtual file and path 1 of the target file, path of the virtual file and path 2 of the target file, path of the virtual file and path 3 of the target file, path of the virtual file and path 4 of the target file, path of the virtual file and path 5 of the target file.
  • Then, even if the suspicious process 300 attempts to access a target file path selected at random from the search result (for example path 2), it attempts to access the path of the virtual file beginning with "!" before path 2 of the target file, because that path of the virtual file is paired with path 2.
  • Thus, through the method of applying a specific factor (for example "!") to the path of the virtual file and/or providing the path of the virtual file paired with the path of the target file, the suspicious process 300 attempts to access the path of the virtual file first when it accesses files on the basis of the search result, so that the arbitrary file is accessed preferentially, and if the suspicious process 300 is malicious code it can be detected before the actual damage occurs.
  • In addition, if a process 300 is identified that attempts to perform an action on the arbitrary file by directly accessing the path of the arbitrary file, the malicious code detection system 100 blocks that access regardless of whether the process 300 is a normal process or a suspicious process.
  • As described above, the malicious code detection system 100 implements a new malicious code detection technique that detects malicious code before the malicious code causes actual damage.
  • Moreover, the detection technique of the present invention is exposed only to the process under examination, the suspicious process 300, because the path of the virtual file is unknown to the normal process 300 and known only to the suspicious process 300.
  • This also prevents the key element of the detection, that is, the arbitrary file, from being easily exposed before the actual damage occurs, which could otherwise lead a user to mistake the arbitrary file for malicious code and delete it, or allow the file to be used with impure intentions.
  • Hereinafter, the malicious code detection method according to an exemplary embodiment of the present invention is described in more detail with reference to FIG. 2.
  • For convenience, the configuration shown in FIG. 1 is referred to by the corresponding reference numerals.
  • The malicious code detection method according to an embodiment of the present invention is described as the operating method of the malicious code detection system 100 shown in FIG. 1.
  • In the operating method of the malicious code detection system 100, an arbitrary file in the form of a file type that the malicious code targets for its malicious behaviour (for example a document or media file)
  • is created in a directory (path) of the storage unit 400 storing information (files), so that it is exposed to malicious code (S100).
  • When the arbitrary file is generated as described above, the operating method of the malicious code detection system 100 also defines the path of the virtual file associated with the arbitrary file (S100).
  • The arbitrary file does not actually store meaningful data; its only purpose is to receive the malicious behaviour (attack) of the malicious code in place of the file that is the actual target of the attack.
  • Unlike the arbitrary file, which is actually created and exists, the virtual file is a file that does not exist. Accordingly, the path of the virtual file is merely information associated with the arbitrary file and is not an actually accessible directory (path).
  • In other words, the path of the virtual file is defined as information associated with the arbitrary file.
  • When a process 300 that attempts to search for a target file in order to perform an action is identified (S110),
  • the operating method of the malicious code detection system 100 distinguishes whether the process 300 is a normal process or a suspicious process (S120).
  • This may be done according to a predefined discrimination policy.
  • For example, the discrimination policy may classify a process that belongs to a whitelist, built from accumulated malicious code detection results, as a normal process, and a process that does not belong to the whitelist as a suspicious process.
  • In that case the operating method of the malicious code detection system 100 classifies the process 300 as normal if it belongs to the whitelist according to the discrimination policy, and as suspicious if it does not.
  • As another example, the discrimination policy may classify a process as normal only if it belongs to the whitelist built from accumulated detection results and none of its loaded modules is unknown,
  • and classify a process that has an unknown module among its loaded modules as suspicious.
  • In that case the operating method of the malicious code detection system 100 classifies the process 300 as normal only if, according to the discrimination policy, it belongs to the whitelist and none of its loaded modules is unknown; if it does not belong to the whitelist, or if any loaded module is unknown, it is classified as suspicious.
  • When the process 300 is classified as a normal process, the path of the target file found by the target file search attempt is provided to the process 300 as the search result (S160).
  • Hereinafter, a process 300 classified as a normal process is referred to as a normal process 300,
  • and a process 300 classified as a suspicious process is referred to as a suspicious process 300.
  • That is, the operating method of the malicious code detection system 100 provides the normal process 300 that attempts to search for a target file in order to perform an action with the path of the target file found by that search, as the search result.
  • When the process 300 is classified as a suspicious process (S120 Yes), the operating method of the malicious code detection system 100 provides the path of the previously defined virtual file together with the path of the target file to the process 300 as the search result (S130).
  • That is, the operating method of the malicious code detection system 100 provides the suspicious process 300 that attempts to search for a target file in order to perform an action with the path of the target file found by that search
  • and, in addition, with the path of the previously defined virtual file, as the search result.
  • Unlike the normal process 300, which receives only the path (directory) of the target file as the result of its search, the suspicious process 300 receives both the path (directory) of the target file and the path of the virtual file as the search result, so only the suspicious process 300 can recognise the existence of the arbitrary file associated with the path of the virtual file.
  • The normal process 300 does not know the path of the virtual file and therefore cannot recognise the existence of the arbitrary file associated with it; the detection technique of the present invention, which is based on the arbitrary file, is thus not exposed to the normal process 300.
  • The process that may be the malicious code to be detected, that is, the suspicious process 300, knows the path of the virtual file and therefore recognises the existence of the arbitrary file associated with it;
  • the detection technique of the present invention, which is based on the arbitrary file, is thus limited to the suspicious process 300.
  • If the suspicious process 300 accesses the path of the target file before the path of the virtual file, out of the paths of the target file and the virtual file provided as the search result, and performs its malicious behaviour (attack) on the target file, that is, on the file that is the actual target of the attack,
  • the malicious code cannot be detected before the actual damage it causes occurs.
  • The present invention therefore provides a method of applying a specific factor (for example "!") to the path of the virtual file, and/or a method of pairing the path of the virtual file with the path of the target file.
  • First, the specific factor applied to the path of the virtual file causes the suspicious process 300 to attempt to access the path of the virtual file before the path of the target file.
  • That is, when the operating method of the malicious code detection system 100 provides the suspicious process 300 that attempts to search for a target file in order to perform an action with the path of the target file and the path of the virtual file as the search result (S130),
  • it provides the path of the virtual file with the specific factor applied.
  • The specific factor is defined as a factor that causes the suspicious process 300 to attempt to access the path of the virtual file before the path of the target file when it accesses files on the basis of the search result.
  • Such a specific factor may be defined from the result of analysing the file access pattern of the malicious code to be detected, that is, in which order it accesses the files returned to it.
  • For example, when the operating method of the malicious code detection system 100 provides the suspicious process 300 that attempts to search for a target file in order to perform an action with the paths of the target file and the virtual file as the search result,
  • it places the specific factor "!" at the beginning of the path of the virtual file.
  • In that case the suspicious process 300 attempts to access the path of the virtual file beginning with "!" before the path of the target file, so that, if the suspicious process 300 is malicious code, it can be detected as such before the actual damage occurs.
  • In addition, the operating method of the malicious code detection system 100 provides a path of the virtual file paired with each path of the target file, in units of the target file paths found by the target file search attempt,
  • so that even if the suspicious process 300 accesses files in a random order on the basis of the search result, it attempts to access the path of the virtual file before the path of the target file.
  • That is, when the operating method of the malicious code detection system 100 provides the suspicious process 300 that attempts to search for a target file in order to perform an action with the paths of the target file and the virtual file as the search result,
  • it provides, for each path of the target file, a paired path of the virtual file with the specific factor (for example "!") applied.
  • For example, assuming that five paths of the target file (paths 1, 2, 3, 4 and 5) are found by the target file search attempt, the malicious code detection system 100 according to an embodiment of the present invention pairs a path of the virtual file with the specific factor (for example "!") applied with each of target file paths 1, 2, 3, 4 and 5, and provides the search result in the form: path of the virtual file and path 1 of the target file, path of the virtual file and path 2 of the target file, path of the virtual file and path 3 of the target file, path of the virtual file and path 4 of the target file, path of the virtual file and path 5 of the target file.
  • Then, even if the suspicious process 300 attempts to access a target file path selected at random from the search result (for example path 2), it attempts to access the path of the virtual file beginning with "!" before path 2 of the target file, because that path of the virtual file is paired with path 2.
  • Thus, through the method of applying a specific factor (for example "!") to the path of the virtual file and/or providing the path of the virtual file paired with the path of the target file, the suspicious process 300 attempts to access the path of the virtual file first when it accesses files on the basis of the search result, so that the arbitrary file is accessed preferentially, and if the suspicious process 300 is malicious code it can be detected before the actual damage occurs.
  • the operation method of the malware detection system 100 if the suspicious process 300 performs an action performed on an arbitrary file by accessing the path of the virtual file (S140 Yes), The suspicious process 300 is detected as malware based on the behavior (S150).
  • the suspicious process 300 accesses a path of a virtual file that is only information associated with an arbitrary file and does not actually exist, the suspicious process 300 accesses an arbitrary file associated with a path of the virtual file. .
  • the suspicious process 300 accesses the path of the virtual file based on the action performed on the arbitrary file after accessing the arbitrary file.
  • the suspicious process 300 may be detected as the malicious code.
  • the suspicious process 300 when the malicious code detection system 100 operates according to an embodiment of the present invention, when the suspicious process 300 is detected as malicious code, the suspicious process 300 may block access to another file. Can be.
  • the operation method of the malicious code detection system 100 that is, the malicious code detection method according to an embodiment of the present invention, detects malicious code before actual damage caused by the malicious code, but is limited to only the process to be detected.
  • New malware detection techniques are exposed, which can effectively detect malware without being easily exposed to users or malware authors.
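As an added worked example (not code from the patent or from its applicant), the following Python sketch models the scheme described above: each real target path in a search result is paired with a preceding decoy path carrying the "!" factor, and a process that acts on a decoy is flagged and then denied access to the remaining files. The names VIRTUAL_PREFIX, build_search_result, Detector and simulate, and the set of actions treated as malicious, are assumptions.

```python
"""Decoy ("virtual file") pairing and detection, modelled on the scheme above.
Added illustration, not code from the patent; all names are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field

VIRTUAL_PREFIX = "!"  # the "specific factor" that sorts the decoy before its target
# Which actions on a decoy count as the malicious behaviour (assumption).
SUSPICIOUS_ACTIONS = {"write", "rename", "delete"}


def virtual_path_for(target_path: str) -> str:
    """Decoy path paired with a real target path: same directory, '!' + name."""
    head, sep, name = target_path.rpartition("/")
    return f"{head}{sep}{VIRTUAL_PREFIX}{name}"


def build_search_result(target_paths: list[str]) -> list[str]:
    """Search result handed to the suspicious process: each real path is
    preceded by its paired virtual path, so the decoy is reached first."""
    result: list[str] = []
    for path in target_paths:
        result.extend([virtual_path_for(path), path])
    return result


@dataclass
class Detector:
    """Knows which paths are decoys and which processes have been flagged."""
    virtual_paths: set[str] = field(default_factory=set)
    blocked: set[int] = field(default_factory=set)  # pids denied further access
    events: list[tuple[int, str, str]] = field(default_factory=list)

    def register(self, target_paths: list[str]) -> None:
        """Record the decoy paired with every protected target path."""
        self.virtual_paths.update(virtual_path_for(p) for p in target_paths)

    def on_access(self, pid: int, path: str, action: str) -> str:
        """One file operation; returns 'blocked', 'malicious' or 'allowed'."""
        if pid in self.blocked:
            return "blocked"                  # access to other files denied
        self.events.append((pid, path, action))
        if path in self.virtual_paths and action in SUSPICIOUS_ACTIONS:
            self.blocked.add(pid)             # S140 yes -> S150: flag and block
            return "malicious"
        return "allowed"


def simulate(detector: Detector, pid: int, search_result: list[str], action: str) -> list[str]:
    """Walk the search result in order, as a process acting on every file it
    found would, and return the verdict for each operation."""
    return [detector.on_access(pid, p, action) for p in search_result]
```

Walking a constructed two-file search result with a writing process yields one "malicious" verdict on the first decoy and "blocked" for everything after it, so no real target file is ever modified.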
  • Implementations of the subject matter described in this specification may be implemented in digital electronic circuitry, in computer software, firmware or hardware including the structures disclosed herein and their structural equivalents, or in a combination of one or more of them. Implementations of the subject matter described herein may be implemented as one or more computer program products, that is, one or more modules of computer program instructions encoded on a tangible program storage medium for execution by, or to control the operation of, a processing system.
  • The computer readable medium may be a machine readable storage device, a machine readable storage substrate, a memory device, a composition of matter effecting a machine readable propagated signal, or a combination of one or more thereof.
  • The term "system" encompasses all instruments, devices and machines for processing data, including, for example, a programmable processor, a computer, or multiple processors or computers.
  • The processing system may include, in addition to hardware, code that creates an execution environment for the computer program in question, such as code constituting processor firmware, a protocol stack, a database management system, an operating system, or a combination of one or more thereof.
  • A computer program may be written in any form of programming language, including compiled or interpreted languages, or declarative or procedural languages, and it can be deployed in any form, including as a stand-alone program or as a module, component, subroutine or other unit suitable for use in a computing environment. A computer program does not necessarily correspond to a file in a file system.
  • A program may be stored in a portion of a file that holds other programs or data (for example, one or more scripts stored in a markup language document), in a single file dedicated to the program in question, or in multiple coordinated files (for example, files that store one or more modules, subprograms or portions of code).
  • The computer program may be deployed to run on a single computer or on multiple computers located at one site or distributed across multiple sites and interconnected by a communication network.
  • Computer readable media suitable for storing computer program instructions and data include all forms of nonvolatile memory, media and memory devices, including, for example, semiconductor memory devices such as EPROM, EEPROM and flash memory devices; magnetic disks such as internal hard disks or external disks; magneto-optical disks; and CD-ROM and DVD-ROM disks.
  • The processor and the memory can be supplemented by, or incorporated in, special purpose logic circuitry.
  • Implementations of the subject matter described herein may be implemented in a computing system that includes a back end component, for example a data server, or that includes a middleware component, for example an application server, or that includes a front end component, for example a client computer having a web browser or graphical user interface through which a user can interact with an implementation of the subject matter described herein, or any combination of one or more such back end, middleware or front end components. The components of the system may be interconnected by any form or medium of digital data communication, for example a communication network.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Bioethics (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

The invention implements a malicious code detection technique that detects malicious code before actual damage is caused by it, the technique being exposed only to a process to be detected without being exposed to a user or to a creator of malicious code.
PCT/KR2017/006466 | 2016-09-02 | 2017-06-20 | System and method for detecting malicious code | WO2018043885A1 (fr)

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
KR1020160113127A (KR101857575B1, ko) | 2016-09-02 | 2016-09-02 | Malicious code detection system and malicious code detection method
KR10-2016-0113127 | 2016-09-02 | |

Publications (1)

Publication Number | Publication Date
WO2018043885A1 (fr) | 2018-03-08

Family

ID=61301219

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
PCT/KR2017/006466 (WO2018043885A1, fr) | System and method for detecting malicious code | 2016-09-02 | 2017-06-20

Country Status (2)

Country Link
KR (1) KR101857575B1 (fr)
WO (1) WO2018043885A1 (fr)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
WO2022211511A1 (fr) * | 2021-03-31 | 2022-10-06 | 계명대학교 산학협력단 | Ransomware detection method, restoration method, and computing device for implementing such methods
KR102494454B1 (ko) * | 2021-03-31 | 2023-02-06 | 계명대학교 산학협력단 | Method for detecting and recovering from ransomware, and computing device performing the method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US20110083180A1 (en) * | 2009-10-01 | 2011-04-07 | Kaspersky Lab, Zao | Method and system for detection of previously unknown malware
KR20110119918A (ko) * | 2010-04-28 | 2011-11-03 | 한국전자통신연구원 | Apparatus, system and method for detecting malicious code disguised and inserted into a normal process
KR101086203B1 (ko) * | 2011-07-15 | 2011-11-23 | 에스지에이 주식회사 | System and method for pre-blocking a malicious process by judging its behavior and blocking it in advance
KR20120073020A (ko) * | 2010-12-24 | 2012-07-04 | 한국인터넷진흥원 | System and method for monitoring the behavior of malicious code that creates child processes
KR101625643B1 (ko) * | 2016-04-26 | 2016-05-30 | 주식회사 이노티움 | Apparatus and method for detecting malicious code based on volatile virtual files


Also Published As

Publication number | Publication date
KR20180026139A (ko) | 2018-03-12
KR101857575B1 (ko) | 2018-05-14


Legal Events

Date | Code | Title | Description
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 17846810; Country of ref document: EP; Kind code of ref document: A1
| NENP | Non-entry into the national phase | Ref country code: DE
| 122 | Ep: pct application non-entry in european phase | Ref document number: 17846810; Country of ref document: EP; Kind code of ref document: A1