WO2020189822A1 - Diagnosis apparatus, diagnosis method, and diagnosis system for malicious code in cloud environment - Google Patents
- Publication number: WO2020189822A1 (application PCT/KR2019/003218)
- Authority: WIPO (PCT)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
Definitions
- the present invention relates to a malicious code diagnosis apparatus, a diagnosis method, and a diagnosis system for diagnosing whether a computer file is infected with malicious code.
- More specifically, the present invention relates to a malicious code diagnosis apparatus, diagnosis method, and diagnosis system in a cloud environment in which the user computer first separates normal files from files suspected of malicious code infection and transmits only the signatures of the suspected files to a cloud server, which then diagnoses whether they are infected.
- Diagnosis of malicious code is usually carried out by a diagnosis engine that holds signature data for determining whether a file is infected. As the number and variety of malicious codes has grown exponentially, the volume of diagnosis signature data has grown with it, and a user computer with limited resources can no longer diagnose every file by itself. Cloud-based malicious code diagnosis has been proposed as an alternative.
- However, requesting diagnosis by transmitting the signatures of every file on the user computer to the cloud server inevitably increases the amount of data exchanged between the two, which delays diagnosis, loads the network, and raises cost.
- Patent Document 1 addresses these problems by installing a pre-diagnosis filter such as a bloom filter on the user computer (specifically, a portable terminal). The pre-diagnosis filter classifies each application to be diagnosed as either suspected or not suspected of malicious code infection, and only the suspected applications are sent to the cloud server for diagnosis, which improves diagnosis speed and reduces network resource consumption.
- In Patent Document 1 the pre-diagnosis filter probabilistically filters files that may be malicious code on the basis of a blacklist, that is, a list of malicious codes generated in compressed form from the hash value information of known malicious codes.
- Patent Document 1 checks whether every file to be diagnosed is suspicious with a single pre-diagnosis filter consisting of one bloom filter built from the hash values of previously discovered malicious codes. As the blacklist that compresses this hash value information grows, the check takes longer.
- The number of files on a single user computer reaches into the thousands, and to scan all of them the scan time per file must be kept as short as possible. Extracting a hash value from each file, comparing it with the blacklist and deciding whether the file is suspected of infection already takes too long, and as the blacklist data grows over time the delay grows with it.
- It is therefore important to reduce the scan time for suspicious files on the user computer to a minimum, while also minimizing both false positives (a file wrongly judged suspicious although it is not) and missed detections (a file judged not suspicious although it is).
- Patent Document 1: Registered Patent No. 10-1473658 (published December 18, 2014)
- The present invention was made in view of these problems of the prior art. The check performed on the user computer for whether a file to be diagnosed is suspected of malicious code infection starts with a relatively simple method and proceeds in stages to progressively more complex methods.
- The object of the present invention is to provide a malicious code diagnosis apparatus, diagnosis method, and diagnosis system in a cloud environment that minimize the time needed to scan for files suspected of malicious code infection while minimizing the possibility of false positives and missed detections.
- To solve the above problem, the malicious code diagnosis apparatus of the present invention checks whether a diagnosis target file is a normal file, that is, a file not suspected of malicious code infection, before the user computer requests the cloud server to diagnose malicious code infection.
- The malicious code diagnosis apparatus includes: a diagnostic cache that checks whether the diagnosis target file is a normal file from the file key information and file information extracted from it; a pre-processing white filter that checks whether a file the diagnostic cache did not determine to be normal is a normal file from its file path, file size, and file hash value; and a pre-processing bloom filter that checks whether a file the pre-processing white filter did not determine to be normal is a normal file from its partial CRC32 values, file size information, and file hash value.
- To solve the above problem, the malicious code diagnosis method of the present invention determines whether a file to be diagnosed is a normal file not suspected of malicious code infection before the user computer requests the cloud server to diagnose malicious code infection.
- To solve the above problems, the malicious code diagnosis system of the present invention includes a user computer having the malicious code diagnosis apparatus and a cloud server connected to the user computer through a communication network, the cloud server diagnosing malicious code infection for the files whose diagnosis the user computer requests.
- Because the check performed on the user computer for whether a file to be diagnosed is suspected of malicious code infection starts with a relatively simple method and proceeds in stages to more complex methods, the time needed to scan for files suspected of malicious code infection is reduced to a minimum while the possibility of false positives and missed detections is minimized.
- FIG. 1 is a system block diagram showing a schematic configuration of a malware diagnosis system according to a preferred embodiment of the present invention.
- FIG. 2 is a diagram showing an example of the configuration of a bloom filter database.
- FIG. 3 is a flowchart showing the flow of a method for diagnosing a malicious code according to a preferred embodiment of the present invention.
- FIG. 1 is a system block diagram showing a schematic configuration of a malware diagnosis system according to a preferred embodiment of the present invention.
- The user computer 130 and the cloud server 170 are connected so as to communicate via the communication network 150, and the cloud server 170 may also be connected to an external diagnosis pattern update server 190.
- the user computer 130 may be a personal computer such as a desktop or laptop, a general purpose computer used for purposes such as office or science or control, or, for example, a portable communication terminal such as a smartphone.
- At least one diagnosis target file 110, which is a target for diagnosis of malicious code infection, is stored in an internal storage device of the user computer 130.
- The diagnosis target file 110 is not limited to files stored in the internal storage device of the user computer 130; it includes, for example, files that enter the user computer 130 from outside, such as by e-mail. Every file processed by the user computer 130 becomes a diagnosis target file.
- The diagnosis of whether a diagnosis target file is actually infected with malicious code (hereinafter simply "malicious code infection diagnosis") is the responsibility of the cloud server 170, and the user computer 130 requests the cloud server 170 to diagnose whether the diagnosis target file is infected with malicious code.
- The cloud server 170 performs malicious code infection diagnosis only for files suspected of being infected with malicious code (hereinafter simply "malicious code infection suspicious files").
- the user computer 130 includes a diagnostic cache 131, a preprocessed white filter 133, a preprocessed bloom filter 135, and a diagnosis request unit 137.
- the diagnostic cache 131, the preprocessed white filter 133, and the preprocessed bloom filter 135 have a cache database 131a, a white pattern database 133a, and a bloom filter database 135a, respectively.
- The diagnostic cache 131 extracts file key information and file information from the diagnosis target file 110 and checks whether the extracted file key information is stored in the cache database 131a, that is, whether the file is one whose malicious code infection has already been diagnosed. If it is, the diagnostic cache 131 then checks whether the file information has been altered.
- Alteration is checked by comparing the file information extracted from the diagnosis target file 110 with the file information stored for that file in the cache database 131a at the time of the previous diagnosis. If the file information is unaltered, the file is determined to be a normal file and the inspection ends.
- Otherwise the inspection proceeds to the pre-processing white filter 133.
- The cache database 131a stores the file key information and file information of previously diagnosed files.
- The file key information is information unique to each individual file (a value distinct from the hash value), for example a value composed of a file ID and a partition ID.
- The file information is information used to confirm whether the file has been changed.
- It includes time information consisting of the file's creation time, modification time, and access time, and file size information indicating the size of the file, but is not limited to these; in the present embodiment, of the time information, the modification time is held in the cache database 131a.
- The pre-processing white filter 133 diagnoses whether a file the diagnostic cache 131 did not determine to be normal is suspected of malicious code infection. It extracts the file path, file size, and hash value from the diagnosis target file 110 and checks whether identical file path, file size, and hash value information is stored in the white pattern database 133a.
- The white pattern database 133a stores the file path, file size, and hash value of files that a previous malicious code diagnosis found not to be infected. If a file with the file path, file size, and hash value extracted from the diagnosis target file 110 is in the white pattern database 133a, the file is determined to be a white file not suspected of malicious code infection, that is, a normal file, and the inspection ends.
- The file size information may be extracted directly from the diagnosis target file 110 by the pre-processing white filter 133, or the file size contained in the file information extracted by the diagnostic cache 131 may be reused.
- Otherwise the inspection proceeds to the pre-processing bloom filter 135.
- When the inspection by the pre-processing white filter 133 finds that the diagnosis target file 110 is not a file stored in the white pattern database 133a as a normal file, the pre-processing bloom filter 135 extracts the partial CRC32 values and file size information of the diagnosis target file 110 and checks whether information corresponding to these partial CRC32 values exists in the bloom filter database 135a.
- The bloom filter database 135a holds malicious code information (BM) in bitmap form obtained from the results of previous malicious code infection diagnoses. By comparing the partial CRC32 values, file size information, and total hash value extracted from the diagnosis target file 110 with the malicious code information stored in the bloom filter database 135a, the pre-processing bloom filter 135 can check whether the diagnosis target file 110 is a file suspected of malicious code infection.
- In FIG. 2, BM denotes the malicious code information, CM the CRC map, and HM the hash map.
- The CRC map (CM) is built from files determined to be infected with malicious code in previous diagnoses. From each such file, a 4-byte CRC32 value is extracted over 512 bytes of data consisting of the first 256 bytes and the last 256 bytes of the file. The CRC map consists of two 8 megabyte bitmaps: one obtained by mapping the 4-byte CRC32 value with MurmurHash3 using a seed value of 0, and one obtained by mapping the same CRC32 value with MurmurHash3 using the file size as the seed value.
- The hash map (HM) is built by extracting the hash value of each file diagnosed as infected with malicious code in previous diagnoses with MD5 (Message Digest Algorithm 5), dividing the 16-byte MD5 hash into four 4-byte units, and mapping each of the four units with MurmurHash3 using a seed value of 0. The result is four 8 megabyte bitmaps.
- Checking whether a file corresponding to the partial CRC32 values extracted from the diagnosis target file 110 exists in the bloom filter database 135a is done by bitmapping the partial CRC32 values and file size information extracted from the diagnosis target file 110 in the same way as in the CRC map (CM) creation process and comparing the result with the CRC map (CM) held as part of the malicious code information (BM) in the bloom filter database 135a.
- If information corresponding to the partial CRC32 values is found, the pre-processing bloom filter 135 extracts the total hash value of the diagnosis target file 110 and checks whether information corresponding to the total hash value exists in the bloom filter database 135a. If the total hash value does not exist in the bloom filter database 135a, the file is determined to be a normal file and the inspection ends.
- If the total hash value does exist in the bloom filter database 135a, the pre-processing bloom filter 135 determines that the diagnosis target file is a malicious code infection suspicious file that requires malicious code infection diagnosis by the cloud server 170, and the diagnosis request unit 137 of the user computer 130 transmits the total hash value of that file to the cloud server 170 and requests malicious code infection diagnosis.
- The check of the total hash value is performed by bitmapping the total hash value extracted from the diagnosis target file 110 in the same way as in the creation of the hash map (HM) described above and comparing the result with the hash map (HM).
- The file size information used by the pre-processing bloom filter 135 may be extracted directly from the diagnosis target file 110 by the pre-processing bloom filter 135, or the file size contained in the file information extracted by the diagnostic cache 131 may be reused.
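The CRC map and hash map described above, as an added example that is not code from the patent or its applicant: it builds the two bitmap families from a constructed "infected" sample and runs the pre-processing bloom filter check over constructed files, following the description (CRC32 over the first and last 256 bytes, MurmurHash3 with seed 0 and with the file size as seed into 8 megabyte bitmaps, MD5 split into four 4-byte units each mapped with seed 0). The 32-bit x86 MurmurHash3 variant, the little-endian packing of the CRC32, and all function names and sample data are my assumptions, since the description does not fix them.

```python
import hashlib
import struct
import zlib

BITMAP_BYTES = 8 * 1024 * 1024  # each bitmap is 8 megabytes, as in the description
PARTIAL_LEN = 256                # bytes taken from the head and from the tail of the file
MASK32 = 0xFFFFFFFF

def murmurhash3_x86_32(data: bytes, seed: int = 0) -> int:
    """Pure-Python MurmurHash3 (x86, 32-bit variant); included because mmh3 is not stdlib."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK32
    nblocks = len(data) // 4
    for i in range(nblocks):
        k = (struct.unpack_from("<I", data, i * 4)[0] * c1) & MASK32
        k = (((k << 15) | (k >> 17)) * c2) & MASK32
        h ^= k
        h = ((h << 13) | (h >> 19)) & MASK32
        h = (h * 5 + 0xE6546B64) & MASK32
    tail, k = data[nblocks * 4:], 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if tail:
        k = ((k ^ tail[0]) * c1) & MASK32
        h ^= (((k << 15) | (k >> 17)) * c2) & MASK32
    h ^= len(data)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    return h ^ (h >> 16)

def partial_crc32(data: bytes) -> bytes:
    """4-byte CRC32 over the first and last PARTIAL_LEN bytes joined together (512 bytes for a file
    of at least 512 bytes; for shorter files the two ranges overlap, a case the description leaves open)."""
    return struct.pack("<I", zlib.crc32(data[:PARTIAL_LEN] + data[-PARTIAL_LEN:]) & MASK32)

def bitmap_index(bitmap: bytearray, key: bytes, seed: int):
    # One key maps to exactly one bit, chosen by MurmurHash3 under the given seed.
    idx = murmurhash3_x86_32(key, seed) % (len(bitmap) * 8)
    return idx >> 3, 1 << (idx & 7)

def bitmap_set(bitmap: bytearray, key: bytes, seed: int) -> None:
    byte, mask = bitmap_index(bitmap, key, seed)
    bitmap[byte] |= mask

def bitmap_test(bitmap: bytearray, key: bytes, seed: int) -> bool:
    byte, mask = bitmap_index(bitmap, key, seed)
    return bool(bitmap[byte] & mask)

def md5_words(data: bytes) -> list:
    """The 16-byte MD5 digest split into four 4-byte units, one per hash-map bitmap."""
    digest = hashlib.md5(data).digest()
    return [digest[i:i + 4] for i in range(0, 16, 4)]

class BloomFilterDatabase:
    """Malicious code information (BM): the CRC map (CM) is two bitmaps keyed by the partial CRC32,
    one with seed 0 and one with the file size as seed; the hash map (HM) is four bitmaps, one per
    MD5 word, each with seed 0. Only files the cloud server diagnosed as infected are recorded."""
    def __init__(self, nbytes: int = BITMAP_BYTES):
        self.crc_seed_zero = bytearray(nbytes)
        self.crc_seed_size = bytearray(nbytes)
        self.hash_maps = [bytearray(nbytes) for _ in range(4)]
    def add_infected(self, data: bytes) -> None:
        crc = partial_crc32(data)
        bitmap_set(self.crc_seed_zero, crc, 0)
        bitmap_set(self.crc_seed_size, crc, len(data))
        for bitmap, word in zip(self.hash_maps, md5_words(data)):
            bitmap_set(bitmap, word, 0)
    def crc_map_hit(self, data: bytes) -> bool:
        crc = partial_crc32(data)
        return bitmap_test(self.crc_seed_zero, crc, 0) and bitmap_test(self.crc_seed_size, crc, len(data))
    def hash_map_hit(self, data: bytes) -> bool:
        return all(bitmap_test(bm, w, 0) for bm, w in zip(self.hash_maps, md5_words(data)))

def preprocess_bloom_filter(db: BloomFilterDatabase, data: bytes) -> tuple:
    """Steps S6 to S11 for one diagnosis target file; returns (verdict, deciding_stage).
    A miss in any bitmap is definitive, because a recorded infected file always finds its own bits,
    so 'normal' is safe; a hit in every bitmap only makes the file suspicious, and the actual
    diagnosis is left to the cloud server."""
    if not db.crc_map_hit(data):
        return ("normal", "crc_map")
    if not db.hash_map_hit(data):
        return ("normal", "hash_map")
    return ("request_cloud_diagnosis", "hash_map")

# Constructed byte strings standing in for files; no real malware content is involved.
KNOWN_INFECTED = b"MZ" + b"\x90" * 600 + b"constructed-known-infected-sample" + b"\x00" * 300
BENIGN = b"%PDF-1.4 constructed benign document " * 40
# Same head, tail and size as KNOWN_INFECTED but a different middle: it passes the CRC map
# (identical partial CRC32 and size seed) and is cleared only by the full-hash stage.
LOOKALIKE = (KNOWN_INFECTED[:PARTIAL_LEN] + b"\xAA" * (len(KNOWN_INFECTED) - 2 * PARTIAL_LEN)
             + KNOWN_INFECTED[-PARTIAL_LEN:])

def build_database() -> BloomFilterDatabase:
    db = BloomFilterDatabase()
    db.add_infected(KNOWN_INFECTED)
    return db
```

The LOOKALIKE case is the point of the two-stage design: it shares the known sample's head, tail and size, so only the full-hash stage clears it, while BENIGN is already cleared at the CRC map and never costs a full MD5.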
- The communication network 150 may be a wired or a wireless network, as long as it connects the user computer 130 and the cloud server 170 to each other.
- The cloud server 170 is a known cloud server and may be a public cloud server shared by many users, but in the present embodiment a private cloud server is preferred for reasons such as security.
- The cloud server 170 includes a malicious code diagnosis unit 171 and a database synchronization unit 173, and the malicious code diagnosis unit 171 includes a diagnosis pattern database 171a. Since the cloud server 170 of the present embodiment functions substantially the same as the cloud server of Patent Document 1, a detailed description is omitted here.
- The cache database 131a, the white pattern database 133a, and the bloom filter database 135a hold the "information on malicious code infected files" referred to above. The database synchronization unit 173 distributes this information to the cache database 131a, the white pattern database 133a, and the bloom filter database 135a through the communication network 150, so that the three databases are updated whenever the cloud server 170 determines that a diagnosis target file 110 is infected with malicious code, or periodically.
- The diagnosis pattern update server 190 is a server separate from the cloud server 170 of the malicious code diagnosis system 100 of the present embodiment. The malicious code information that the cloud server 170 obtains while diagnosing malicious code infection is accumulated in the diagnosis pattern database 171a as diagnosis patterns, and the update server 190 may provide these patterns to the cloud servers of other malicious code diagnosis systems or receive patterns from other servers through a communication network.
- the diagnosis pattern update server 190 is not essential and may be included as necessary.
- FIG. 3 is a flowchart showing the flow of a method for diagnosing a malicious code according to a preferred embodiment of the present invention.
- the diagnosis cache 131 extracts file key information and file information from the diagnosis target file 110 (step S1).
- Diagnosis for suspected malicious code infection may be started in several ways: at a set scan time if a scheduled scan is configured on the user computer 130; at an arbitrary time when the user starts a scan; or, when an unknown file enters the user computer 130 from outside, before that file is executed.
- In steps S2 and S3, the diagnostic cache 131 checks whether the extracted file key information is stored in the cache database 131a and, for a file that is, whether its file information has been altered; the method of checking for alteration is the same as described above. A file whose file information is unaltered is determined to be a normal file; otherwise the process proceeds to step S4.
- If the file is not found in the white pattern database 133a by the pre-processing white filter 133 (step S5: NO), it is not a white file and the process proceeds to step S6.
- In step S6, the pre-processing bloom filter 135 extracts the partial CRC32 values and file size information of the file the pre-processing white filter 133 did not determine to be normal, and in step S7 checks whether information corresponding to the extracted partial CRC32 values of the diagnosis target file 110 exists in the bloom filter database 135a.
- If the total hash value checked in step S9 does not exist in the bloom filter database 135a, the process proceeds to step S10, the file is determined to be a normal file, and the diagnosis ends.
- Otherwise the pre-processing bloom filter 135 determines that the file is a malicious code infection suspicious file requiring malicious code infection diagnosis, and the process proceeds to step S11, in which the diagnosis request unit 137 of the user computer 130 transmits the total hash value of the file so determined to the cloud server 170 and requests malicious code infection diagnosis.
- In the above embodiment the partial CRC32 value is a 4-byte CRC32 value extracted from the 256 bytes at the front and the 256 bytes at the end of the diagnosis target file 110, but it is not limited to this. As long as it consists of a CRC32 value extracted from data at two or more locations in the diagnosis target file 110, the data may be taken from any location, and the size is not necessarily limited to 256 bytes each.
- Likewise, in the above embodiment the hash map (HM) consists of four 8 megabyte bitmaps obtained by applying MurmurHash3 with a seed value of 0 to each of the four 4-byte units of the MD5 hash.
- The extraction and mapping of the hash value are not necessarily limited to MD5 and MurmurHash3, and other known methods may be used.
- The file key information and file information of a file determined to be a normal file may be added to the cache database 131a; this applies equally to a file that the pre-processing bloom filter 135 of the above embodiment determines to be a normal file not suspected of malicious code infection.
Claims (13)
- 1. A malicious code diagnosis apparatus installed on a user computer, which checks whether a diagnosis target file is a normal file not suspected of malicious code infection before the user computer requests a cloud server to diagnose malicious code infection, the apparatus comprising: a diagnostic cache that checks whether the diagnosis target file is the normal file from file key information and file information extracted from the diagnosis target file; a pre-processing white filter that checks whether a file among the diagnosis target files that the diagnostic cache determined not to be a normal file is the normal file from a file path, a file size, and a file hash value extracted from that file; and a pre-processing bloom filter that checks whether a file among the diagnosis target files that the pre-processing white filter determined not to be a normal file is the normal file from partial CRC32 values, file size information, and a file hash value extracted from that file.
- 2. The malicious code diagnosis apparatus according to claim 1, wherein the malicious code diagnosis apparatus holds in a cache database the file key information of files not infected with malicious code together with the file information of files for which malicious code infection diagnosis was previously performed, and the diagnostic cache checks, if the file key information extracted from the diagnosis target file is in the cache database, whether the file information of that diagnosis target file has been altered, and determines the file to be a normal file if the file information has not been altered.
- 3. The malicious code diagnosis apparatus according to claim 1, wherein the malicious code diagnosis apparatus holds in a white pattern database information on the file path, file size, and total hash value of files diagnosed as not infected with malicious code in previously performed malicious code infection diagnoses, and the pre-processing white filter determines a file among the diagnosis target files that the diagnostic cache determined not to be a normal file to be a normal file if a file corresponding to the file path, file size, and total hash value extracted from it is in the white pattern database.
- 4. The malicious code diagnosis apparatus according to claim 1, wherein the malicious code diagnosis apparatus holds in a bloom filter database malicious code information consisting of a CRC map in bitmap form created from partial CRC32 values and file size information of files diagnosed as infected with malicious code in previously performed malicious code infection diagnoses, and a hash map in bitmap form created from the total hash values of those files, and the pre-processing bloom filter determines a file among the diagnosis target files that the pre-processing white filter determined not to be a normal file to be a normal file if the value obtained by bitmapping the partial CRC32 values and file size information extracted from it is not in the CRC map, and, where the value obtained by bitmapping the partial CRC32 values and file size information extracted from a file that the pre-processing white filter determined not to be a normal file is in the CRC map so that the file is determined not to be a normal file, determines that file to be a normal file if the value obtained by bitmapping its total hash value is not in the hash map.
- 5. The malicious code diagnosis apparatus according to claim 4, wherein the partial CRC32 value is a CRC32 value extracted from the combined data of some data at the very front and some data at the very end of the diagnosis target file, and the CRC map consists of a bitmap created by applying MurmurHash3 with a seed value of 0 to the CRC32 value extracted from files diagnosed as infected with malicious code in the previous diagnosis process, and a bitmap created by the MurmurHash3 method with the file size information applied as the seed value to that CRC32 value.
- 6. The malicious code diagnosis apparatus according to claim 4, wherein the hash map is a bitmap created by the MurmurHash3 method by applying a seed value of 0 to each of the four MD5 segments extracted by the MD5 method from files diagnosed as infected with malicious code in the previous diagnosis process.
- 7. The malicious code diagnosis apparatus according to claim 1, wherein the malicious code diagnosis apparatus transmits a file that the pre-processing bloom filter determined not to be a normal file to the cloud server and requests diagnosis of malicious code infection.
- 8. A malicious code diagnosis method performed by a malicious code diagnosis apparatus installed on a user computer, which checks whether a diagnosis target file is a normal file not suspected of malicious code infection before the user computer requests a cloud server to diagnose malicious code infection, the method comprising: step a) of checking whether the diagnosis target file is the normal file from file key information and file information extracted from the diagnosis target file; step b) of checking whether a file determined in step a) not to be a normal file is the normal file from a file path,  a file size, and a file hash value extracted from that file; and step c) of checking whether a file determined in step b) not to be a normal file is the normal file from partial CRC32 values, file size information, and a file hash value extracted from that file.
- 9. The malicious code diagnosis method according to claim 8, wherein the user computer holds in a cache database the file key information of files not infected with malicious code together with the file information of files for which malicious code infection diagnosis was previously performed, and in step a), if the file key information extracted from the diagnosis target file is in the cache database, it is checked whether the file information of that diagnosis target file has been altered, and the file is determined to be a normal file if the file information has not been altered.
- 10. The malicious code diagnosis method according to claim 8, wherein the user computer holds in a white pattern database information on the file path, file size, and total hash value of files diagnosed as not infected with malicious code in previously performed malicious code infection diagnoses, and in step b), a file among the diagnosis target files determined in step a) not to be a normal file is determined to be a normal file if a file corresponding to the file path, file size, and total hash value extracted from it is in the white pattern database.
- 청구항 8에 있어서,The method of claim 8,상기 사용자 컴퓨터는 이전에 이루어진 악성코드 감염 여부 진단결과 악성코드에 감염된 것으로 진단된 파일의 일부 CRC32 값과 파일 크기정보로부터 작성된 비트맵 형태의 CRC 맵과 파일의 전체 해시 값으로부터 작성된 비트맵 형태의 해시 맵으로 이루어지는 악성코드정보를 블룸필터 데이터베이스에 보유하고 있고,The user computer is a bitmap-type hash created from a bitmap-type CRC map created from some CRC32 values and file size information of a file diagnosed as infected with a malicious code as a result of a previously performed malware infection diagnosis result, and a bitmap-type hash created from the entire hash value of the file. Malicious code information consisting of maps is held in the Bloom Filter database,상기 단계 c)에서는,In step c),상기 진단대상 파일 중 상기 단계 b)에서 정상파일이 아닌 것으로 판정한 파일에서 추출한 일부 CRC32 값과 파일 크기정보를 이용하여 비트맵화 한 값이 상기 CRC 맵에 없으면 그 파일을 정상 파일로 판정하고,If a bitmapped value using some CRC32 values and file size information extracted from the files determined to be non-normal in step b) among the diagnosis target files is not in the CRC map, the file is determined as a normal file,상기 단계 b)에서 정상파일이 아닌 것으로 판정한 파일에서 추출한 일부 CRC32 값과 파일 크기정보를 이용하여 비트맵화 한 값이 상기 CRC 맵에 있어서 정상 파일이 아닌 것으로 판정된 경우, 당해 정상 파일이 아닌 것으로 판정된 파일의 전체 해시 값을 이용하여 비트맵화 한 값이 상기 해시 맵에 없으면 그 파일을 정상 파일로 판정하는 악성코드 진단방법.If it is determined that the bitmapped value using the partial CRC32 value and file size information extracted from the file determined to be not a normal file in step b) is not a normal file in the CRC map, it is determined that the file is not a normal file. A method for diagnosing malicious code in which if a bitmapped value by using the entire hash value of the determined file is not in the hash map, the file is determined as a normal file.
- 청구항 8에 있어서,The method of claim 8,진단대상 파일 중 상기 단계 c)에서 정상파일이 아닌 것으로 판정한 파일을 상기 클라우드 서버로 전송하여 악성코드 감염 여부 진단을 의뢰하는 단계 d)를 더 포함하는 악성코드 진단방법.A method for diagnosing malicious code, further comprising step d) of requesting diagnosis of malicious code infection by transmitting a file determined to be non-normal in step c) among the files to be diagnosed to the cloud server.
- 청구항 1 내지 7 중 어느 한 항의 악성코드 진단장치를 구비하는 사용자 컴퓨터와,A user computer provided with the malicious code diagnostic device of any one of claims 1 to 7,상기 사용자 컴퓨터와 통신망을 통해서 통신 가능하게 접속되며, 상기 사용자 컴퓨터로부터 의뢰된 파일의 악성코드 감염 여부를 진단하는 클라우드 서버를 포함하는 악성코드 진단시스템.A malicious code diagnosis system comprising a cloud server that is connected to the user computer and communicates through a communication network and diagnoses whether a file requested from the user computer is infected with a malicious code.
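As an added example (this is not code from the patent or its applicant), the Python sketch below runs steps a) to d) of claims 8 to 12 over a few constructed files and reports which stage decided each one. Everything the claims leave open is a hypothetical choice here: the file key is the absolute path, the file information is the pair (size, mtime in nanoseconds), the full hash is SHA-256, the partial CRC32 covers the first 4 KiB, the two bitmap maps are plain Bloom filters with blake2b-derived bit positions, and the cloud server is stood in for by a set of known-bad SHA-256 values that receives the file's hash rather than the file. File names, file contents and the malicious sample are all constructed.

```python
import hashlib
import os
import tempfile
import zlib
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, Set, Tuple

PARTIAL_LEN = 4096  # assumption: the "partial CRC32" covers the first 4 KiB

class Bloom:  # bitmap membership map standing in for claim 11's CRC map / hash map
    def __init__(self, m_bits: int = 1 << 16, k: int = 4):
        self.m, self.k, self.bits = m_bits, k, bytearray(m_bits // 8)

    def _positions(self, item: bytes):
        for i in range(self.k):  # k bit positions per item, from salted blake2b
            d = hashlib.blake2b(item, digest_size=8, salt=bytes([i])).digest()
            yield int.from_bytes(d, "little") % self.m

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: bytes) -> bool:  # absence is certain, presence is not
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

def file_info(path: str) -> Tuple[int, int]:
    st = os.stat(path)  # assumption: "file information" is size and mtime only
    return st.st_size, st.st_mtime_ns

def full_hash(data: bytes) -> str:  # assumption: the full hash is SHA-256
    return hashlib.sha256(data).hexdigest()

def crc_item(data: bytes) -> bytes:  # partial CRC32 joined with the file size
    return f"{zlib.crc32(data[:PARTIAL_LEN]):08x}:{len(data)}".encode()

@dataclass
class LocalDBs:
    cache: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # step a), keyed by path
    white: Set[Tuple[str, int, str]] = field(default_factory=set)    # step b)
    crc_map: Bloom = field(default_factory=Bloom)                     # step c)
    hash_map: Bloom = field(default_factory=Bloom)                    # step c)

    def learn_clean(self, path: str) -> None:  # record a clean verdict for a) and b)
        data = Path(path).read_bytes()
        self.cache[os.path.abspath(path)] = file_info(path)
        self.white.add((os.path.abspath(path), len(data), full_hash(data)))

def prefilter(path: str, db: LocalDBs) -> Tuple[str, str]:  # steps a)-c): (verdict, stage)
    key = os.path.abspath(path)
    if db.cache.get(key) == file_info(path):  # a) cache hit, file information unaltered
        return "normal", "a"
    data = Path(path).read_bytes()
    if (key, len(data), full_hash(data)) in db.white:  # b) white pattern match
        return "normal", "b"
    if crc_item(data) not in db.crc_map:  # c) cheap CRC map first ...
        return "normal", "c-crc"
    if bytes.fromhex(full_hash(data)) not in db.hash_map:  # ... hash map only on a CRC hit
        return "normal", "c-hash"
    return "suspect", "c"

def diagnose(path: str, db: LocalDBs, cloud_blocklist: Set[str]) -> Tuple[str, str]:
    verdict, stage = prefilter(path, db)
    if verdict == "normal":
        return verdict, stage
    if full_hash(Path(path).read_bytes()) in cloud_blocklist:  # d) the cloud sees the hash
        return "infected", "d"
    db.learn_clean(path)  # Bloom false positive: remember the clean verdict
    return "normal", "d"

def demo() -> Dict[str, Tuple[str, str]]:  # constructed files hitting every exit
    db, out = LocalDBs(), {}
    bad = b"MZ" + b"\x90" * 5000 + b"evil"  # constructed sample, longer than PARTIAL_LEN
    cloud = {full_hash(bad)}
    db.crc_map.add(crc_item(bad))  # the signature side of step c)
    db.hash_map.add(bytes.fromhex(full_hash(bad)))
    with tempfile.TemporaryDirectory() as d:
        def put(name: str, data: bytes) -> str:
            Path(d, name).write_bytes(data)
            return os.path.join(d, name)
        p = put("a.dll", b"MZ" + b"\x00" * 64)
        db.learn_clean(p)
        out["cached"] = diagnose(p, db, cloud)
        mtime = db.cache[os.path.abspath(p)][1]
        os.utime(p, ns=(mtime + 10**9, mtime + 10**9))  # touch: mtime moves, bytes do not
        out["touched"] = diagnose(p, db, cloud)
        # caveat: a same-size rewrite plus a restored mtime (timestomping) re-enters step a)
        Path(p).write_bytes(b"MZ" + b"\xcc" * 64)
        os.utime(p, ns=(mtime, mtime))
        out["timestomped"] = diagnose(p, db, cloud)
        out["unknown"] = diagnose(put("b.exe", b"MZ" + b"\x01" * 64), db, cloud)
        out["crc_twin"] = diagnose(put("c.exe", bad[:-1] + b"X"), db, cloud)
        out["known_bad"] = diagnose(put("d.exe", bad), db, cloud)
    return out

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} -> {verdict}")
```

Three things the run makes visible that the claims only imply. First, the funnel is ordered by cost: step a) touches metadata only, step b) pays for one full hash, and step c) pays for a CRC over a prefix and consults the hash map only on a CRC hit; the `crc_twin` file (same size and same first 4 KiB as the sample, different tail) is why the second map exists, since a prefix CRC32 is not collision resistant. Second, a Bloom filter hit is only "known-bad candidate": the cost of a false positive is one cloud query, after which the clean verdict is cached, but as claim 11 is written a file absent from both maps is declared normal without the cloud ever seeing it, so the local Bloom database has to be refreshed as often as the cloud's signature set or a new sample leaves step c) as normal. Third, the `timestomped` result is the reason to be precise about what "file information" contains: under this example's metadata-only assumption, a same-size rewrite with the recorded mtime restored is indistinguishable from the cached copy, so the cache entry should be bound to something a user-mode writer cannot restore, such as the inode change time, which utime cannot set, or the hash itself.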
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/KR2019/003218 WO2020189822A1 (en) | 2019-03-20 | 2019-03-20 | Diagnosis apparatus, diagnosis method, and diagnosis system for malicious code in cloud environment |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2020189822A1 (en) | 2020-09-24 |
Family
ID=72520949
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2020189822A1 (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20100116392A (en) | 2009-04-22 | 2010-11-01 | AhnLab, Inc. | Method and apparatus for longtime-maintaining reexamination protecting information for malicious code, and computer readable recording medium containing program thereof |
KR101256461B1 (en) | 2012-09-03 | 2013-04-19 | AhnLab, Inc. | Apparatus and method for detecting start point of process |
KR101473658B1 (en) | 2013-05-31 | 2014-12-18 | AhnLab, Inc. | Apparatus and system for detecting malicious code using filter and method thereof |
KR20170087007A (en) | 2016-01-19 | 2017-07-27 | Samsung Electronics Co., Ltd. | Electronic Apparatus for detecting Malware and Method thereof |
KR20190020998A (en) | 2017-08-22 | 2019-03-05 | Hauri, Inc. | Apparatus, method and system for detecting malicious code |
Events
- 2019-03-20: WO PCT/KR2019/003218 (WO2020189822A1), application filing (active)
Similar Documents
Publication | Title |
---|---|
WO2012091400A1 (en) | System and method for detecting malware in file based on genetic map of file |
WO2013089340A1 (en) | Apparatus and method for detecting similarity between applications |
WO2015056885A1 (en) | Detection device and detection method for malicious android application |
WO2016088937A1 (en) | Apparatus, system and method for detecting and preventing malicious scripts using code pattern-based static analysis and api flow-based dynamic analysis |
WO2014035043A1 (en) | Apparatus and method for diagnosing malicious applications |
WO2018182126A1 (en) | System and method for authenticating safe software |
WO2013077538A1 (en) | Device and method for analyzing api-based application |
WO2018056601A1 (en) | Device and method for blocking ransomware using contents file access control |
WO2011090329A2 (en) | Apparatus, system, and method for preventing infection by malicious code |
WO2019231122A1 (en) | Electronic device detecting software vulnerability and method for operating same |
WO2014088262A1 (en) | Apparatus and method for detecting fraudulent/altered applications |
WO2013100320A1 (en) | System, user terminal, method, and apparatus for protecting and recovering system file |
WO2010123261A2 (en) | Network-based malicious code diagnosis method and diagnosis server |
KR102042045B1 (en) | Apparatus, method and system for detecting malicious code |
WO2024071451A1 (en) | Method for detecting malicious macro in non-executable file by using ocr technology, and apparatus therefor |
WO2022107964A1 (en) | Adjacent-matrix-based malicious code detection and classification apparatus and malicious code detection and classification method |
WO2017131355A1 (en) | Device for self-defense security based on system environment and user behavior analysis, and operating method therefor |
WO2021125517A1 (en) | Dedicated artificial intelligence system |
WO2012091341A1 (en) | Method and apparatus for detecting a malware in files |
WO2014010847A1 (en) | Apparatus and method for diagnosing malicious applications |
WO2020096262A1 (en) | Electronic device, method for providing personal information using same, and computer-readable recording medium for recording same |
WO2019225849A1 (en) | Security device and method for providing security service through control of file input/output and integrity of guest operating system |
WO2014077615A1 (en) | Anti-malware system, method of processing packet in the same, and computing device |
WO2020189822A1 (en) | Diagnosis apparatus, diagnosis method, and diagnosis system for malicious code in cloud environment |
WO2019093755A1 (en) | System and method for font copyright protection |
Legal Events
Code | Title | Description |
---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 19919726; Country of ref document: EP; Kind code of ref document: A1 |
NENP | Non-entry into the national phase | Ref country code: DE |
122 | Ep: pct application non-entry in european phase | Ref document number: 19919726; Country of ref document: EP; Kind code of ref document: A1 |
32PN | Ep: public notification in the ep bulletin as address of the addressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 19.04.2022) |