WO2020189823A1 - Malicious program processing apparatus and processing method using a redirection file validity verification technique
- Publication number: WO2020189823A1 (application PCT/KR2019/003223)
- Authority: WO (WIPO, PCT)
- Prior art keywords: file, redirection, program, malicious, monitoring target
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
Definitions
- The present invention relates to a malicious program processing apparatus and processing method. In particular, when a program accessing a computer system is a monitoring target program, that is, a program that needs monitoring because it is suspected of being infected with malicious code, the files modified by that program are managed in a separate redirection path and the redirection file is checked for validity, so that the system is safely protected from the malicious program.
- Patent Documents 1 and 2 describe behaviour-based detection methods that decide whether a program is malicious by analysing the behaviour of the program as it executes.
- Patent Document 1 analyses the APIs and parameters called when the analysed file (program) is executed, assigns a risk score to each action, sums the measured scores into a risk score for the file, and uses that score to decide whether the file is a malicious program.
- Patent Document 2 builds a feature vector from feature-factor information collected while a process (program) executes, and uses the generated feature vector to detect whether the process contains malicious code.
- Patent Document 1: Registered Patent No. 10-1404882 (announced June 11, 2014)
- Patent Document 2: Patent Publication No. 10-2017-81386 (published July 12, 2017)
- The present invention has been made in view of the above problems of the prior art. Its object is to provide a malicious program processing apparatus and processing method based on redirection file validation, which manages the system-resource manipulation actions of a suspected program separately from the original system resources and, when the program is identified as a malicious program, removes the separately managed resources, so that the system is kept in the state it was in before the malicious program was executed.
- To solve the above problem, the malicious program processing apparatus of the present invention includes a monitoring filter that checks whether a program accessing the computer system and requesting a file open is a program to be monitored as a possible malicious program, and a monitoring target item database holding the monitoring target items used for that determination. When the monitoring filter determines that the program requesting the file open matches one or more of the monitoring target items, it creates a redirection file by copying the original file that the monitoring target program requested to open, and stores the redirection file in a redirection path that is different from the file path of the original file.
- To solve the above problem, the malicious program processing method of the present invention includes: a) determining whether a program accessing the computer system and requesting a file open is a monitoring target program suspected of being a malicious program; b) if step a) finds that the program is a monitoring target program, creating a redirection file by copying the original file that the program requested to open; and c) storing the generated redirection file in a redirection path that is different from the path of the original file.
- The present invention stores files modified by normal programs and files modified by a monitoring target program suspected of being a malicious program separately, in different paths.
- The file modified by the suspected program and the file modified by the normal program can therefore be managed separately from each other, and when validation of the redirection file finds it invalid, the case is easily handled by deleting the invalid redirection file from the system.
- As a result, the system can be safely protected from malicious programs.
- FIG. 1 is a block diagram showing a malicious program processing apparatus according to a preferred embodiment of the present invention.
- FIG. 2 is a flowchart showing the flow of a malicious program processing method according to a preferred embodiment of the present invention.
- FIG. 3 is a flowchart showing the flow of the file validity verification method used to validate a redirection file.
- FIG. 1 is a block diagram showing a malicious program processing apparatus according to a preferred embodiment of the present invention.
- The malicious program processing apparatus 100 of this embodiment uses a redirection technique that separates and manages the resources used by normal programs from the resources used by a malicious program.
- The monitoring filter 130 is a filter that monitors the interaction between a program 110 running in user mode and the actual data in kernel mode, extended with a redirection function. Because the monitoring filter 130 keeps the actual data separate from the resources used by the malicious program, the resources in the computer system can be safely protected.
- The malicious program processing apparatus 100 of this embodiment, which performs the above functions, is installed in a computer system and, as shown in FIG. 1, comprises the monitoring filter 130, the monitoring target item database 140, the original data storage means 150, the redirection data storage means 160, and the redirection information memory 170.
- The monitoring filter 130 adds a redirection function to the minifilter provided by the Windows OS (Windows Operating System). For every program 110 that accesses the computer system and requests a file open in order to perform some task, it determines whether the program 110 is suspected of being infected with malicious code, that is, whether it is a monitoring target program. If it is, a redirection file copied from the original file is stored in a redirection path that is different from the path of the original file, and any modification of the file by the monitoring target program is performed only on the redirection file.
- A program 110 that accesses a resource in order to modify a file obtains, in kernel mode, a handle to the file to be modified, and the monitoring filter 130 intercepts that request. In this specification the term "program" covers all programs or threads that access the system in user mode for file modification and similar operations.
- The program 110 may be a malicious program infected with malicious code and therefore a program to be monitored. In this specification such a program is referred to as a "monitoring target program", and a program other than a monitoring target program is referred to as a "normal program".
- The malicious program processing apparatus 100 has a monitoring target item database 140 holding a plurality of monitoring target items. If a program 110 accessing the system in user mode matches one or more of the monitoring target items held in the monitoring target item database 140, the malicious program processing apparatus 100 sets that program as a monitoring target program. Examples of monitoring target items are:
- Injected thread: when a malicious program is not a stand-alone executable such as an EXE or COM file, it is typically loaded into another running process (so-called "DLL injection"). The apparatus monitors thread creation in programs 110 that access the system in user mode and checks whether a thread was injected; if so, the program is set as a monitoring target program.
- Script-type program: there are script execution programs such as VBScript, WScript, PowerShell and PHP, as well as malicious programs that run under an interpreter, such as Java programs, so any process or interpreter capable of executing a script is set as a monitoring target program.
- When the program requesting the file open is a monitoring target program, the monitoring filter 130 checks whether a redirection file previously redirected for that monitoring target program already exists in the redirection data storage means 160.
- If no such redirection file exists, the monitoring filter 130 generates a redirection file, that is, a copy of the existing original file stored in the original data storage means 150, stores it in the redirection data storage means 160, and stores the file information of the generated redirection file in the redirection information memory 170.
- The monitoring filter 130 then applies the file information of the newly created redirection file, obtains a handle to the redirection file from the kernel and returns it to the program, so that the file modification is made to the redirection file newly created and stored in the redirection data storage means 160.
- When the program requesting the file open is a normal program, the monitoring filter 130 obtains a handle to the original file stored in the original data storage means 150 and returns it to the program, so that the original file stored in the original data storage means 150 is modified directly.
- The monitoring target item database 140 holds the monitoring target items used to determine whether a program 110 accessing the system in user mode is a monitoring target program; the monitoring target items are as described above.
- The original data storage means 150 stores the original files created or modified by normal programs. Storage means of known configuration, for example a hard disk, a CD-ROM, or an electronic storage device such as RAM or ROM, can be used.
- The redirection data storage means 160 stores the redirection files that the monitoring filter 130 copies from the original files stored in the original data storage means 150. Storage means of known configuration, for example a hard disk, a CD-ROM, or an electronic storage device such as RAM or ROM, can be used.
- The redirection data storage means 160 may physically be the same storage means as the original data storage means 150 or a different one, but its access path must differ from that of the original data storage means 150, and a program that the monitoring filter 130 has determined to be a monitoring target program can modify files only in the redirection data storage means 160.
- The redirection information memory 170 stores the file information of a redirection file whenever the monitoring filter 130 creates one by copying an original file stored in the original data storage means 150.
- The file information of a redirection file comprises, for example, the file path of the original file, the date and time at which the file was first copied, and the name of the redirection file.
- FIG. 2 is a flowchart showing the flow of the malicious program processing method according to a preferred embodiment of the present invention.
- When a program 110 accesses the system in user mode and requests a file open, the monitoring filter 130 checks in step S12 whether the requesting program is a monitoring target program.
- If it is, the monitoring filter 130 checks in step S14 whether a redirection file previously redirected for the file that the monitoring target program requested to open already exists in the redirection data storage means 160.
- If no redirection file exists, the monitoring filter 130 creates a redirection file by copying the original file stored in the original data storage means 150, stores it in the redirection data storage means 160, and in step S16 stores the file information of that redirection file in the redirection information memory 170; it then proceeds to step S17.
- The file information of the redirection file includes the file path of the original file, the date and time at which the file was first copied, and the name of the redirection file.
- If step S14 finds that a redirection file already exists (YES), the existing redirection file is used and the process proceeds directly to step S17.
- In step S17 the monitoring filter 130 applies the file information of the redirection file, obtains a handle to the redirection file from the kernel, returns it to the program, and proceeds to step S18.
- In step S18 the file modification operation, such as editing, deleting or renaming the redirection file, is executed, and the process ends.
- In this way the monitoring filter 130 checks whether the program 110 that accesses the system in user mode and requests the file open is a monitoring target program. If it is not, the program may modify the original file held in the original data storage means 150 as usual. If it is, the monitoring filter 130 newly creates a redirection file, a copy of the original file stored in the original data storage means 150, stores it in a redirection path (the redirection data storage means 160) that is different from the path of the original file, and allows the monitoring target program to modify only the redirection file stored in that redirection path.
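The following is an added example, not code from the patent or its applicant, that models in user space the two pieces described above: the monitoring-target check (injected thread or script interpreter) and the copy-on-open redirection of FIG. 2, steps S12 to S18. The real monitoring filter 130 is a Windows minifilter working on kernel handles; here the "handle" is simply the path the program is allowed to write to. The directory layout, the `Program` fields, the interpreter list and the `RedirectionInfo` field names are assumptions chosen for the illustration.

```python
"""Added example: user-space model of the monitoring filter's copy-on-open redirection."""
import os
import shutil
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed list of script interpreters; the description names VBScript, WScript,
# PowerShell, PHP and Java as examples of script-type monitoring target items.
SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe", "powershell.exe", "php.exe", "java.exe"}


@dataclass
class Program:
    """A user-mode program requesting a file open (constructed stand-in for process state)."""
    name: str                      # image name, e.g. "notepad.exe"
    injected_thread: bool = False  # assumed flag: a thread was created in it by another process


@dataclass
class RedirectionInfo:
    """File information kept in the redirection information memory 170."""
    original_path: str     # file path of the original file
    copied_at: str         # date and time the file was first copied
    redirection_name: str  # name (here: full path) of the redirection file


class MonitoringFilter:
    def __init__(self, original_root, redirection_root):
        self.original_root = original_root        # original data storage means 150
        self.redirection_root = redirection_root  # redirection data storage means 160
        self.redirection_memory = {}              # redirection information memory 170

    def is_monitoring_target(self, program):
        """Monitoring target item database 140, reduced to the two items the text names."""
        return program.injected_thread or program.name.lower() in SCRIPT_INTERPRETERS

    def on_file_open(self, program, original_path):
        """Return the path the program is actually given a handle to (steps S12 to S17)."""
        if not self.is_monitoring_target(program):
            return original_path                  # normal program: handle to the original
        info = self.redirection_memory.get(original_path)
        if info is not None and os.path.exists(info.redirection_name):
            return info.redirection_name          # S14 YES: reuse the earlier redirection file
        rel = os.path.relpath(original_path, self.original_root)
        redirection_path = os.path.join(self.redirection_root, rel)
        os.makedirs(os.path.dirname(redirection_path), exist_ok=True)
        shutil.copy2(original_path, redirection_path)        # copy of the original file
        self.redirection_memory[original_path] = RedirectionInfo(   # S16: record file info
            original_path, datetime.now(timezone.utc).isoformat(), redirection_path)
        return redirection_path                   # S17: handle to the redirection file


def demo():
    """Constructed scenario: a script interpreter and a normal editor open the same file."""
    root = tempfile.mkdtemp()
    orig_root, redir_root = os.path.join(root, "orig"), os.path.join(root, "redir")
    os.makedirs(orig_root)
    target = os.path.join(orig_root, "report.txt")
    with open(target, "wb") as f:
        f.write(b"hello")
    flt = MonitoringFilter(orig_root, redir_root)

    suspect = Program("powershell.exe")
    p1 = flt.on_file_open(suspect, target)   # first open by a monitoring target: copy made
    with open(p1, "wb") as f:                # S18: the modification lands on the copy only
        f.write(b"pwned")
    p2 = flt.on_file_open(suspect, target)   # second open: same redirection file, no recopy

    editor = Program("notepad.exe")
    p3 = flt.on_file_open(editor, target)    # normal program: gets the original

    with open(target, "rb") as f:
        original_bytes = f.read()
    with open(p1, "rb") as f:
        redirected_bytes = f.read()
    result = {
        "redirected": p1 != target and p1.startswith(redir_root),
        "reused": p1 == p2,
        "normal_gets_original": p3 == target,
        "original_bytes": original_bytes,
        "redirected_bytes": redirected_bytes,
        "memory_entries": len(flt.redirection_memory),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the property the patent relies on: after the interpreter writes `pwned`, the original still reads `hello`, the second open returns the same redirection file instead of taking a fresh copy, and the editor is never redirected. One caveat a practitioner would raise against this model: the redirection is keyed on the original path, so a redirected program that can reach the redirection path by another name (a hard link, an alternate stream, a raw volume handle) steps outside the scheme; the kernel-mode filter has to canonicalise names before the lookup.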
- The redirection file is then validated. If it is found to be invalid, the malicious program processing apparatus 100 performs a process such as deleting the redirection file; conversely, if it is found to be a valid file, the redirection file is merged with the original file in the original data storage means 150.
- FIG. 3 is a flowchart showing the validity verification method for verifying the validity of a redirection file.
- In step S21 the file data of the redirection file is read, and the process proceeds to step S22.
- In step S22 the file header value of the read file data of the redirection file is verified.
- Files commonly used by application programs, for example files with the extensions jpg, exe, docx and so on, carry a value unique to that extension at the entry of the file, the file header value. Malicious programs usually tamper with this file header value, so the validity of a file can be verified by checking the header value.
- If the header value is found valid in step S22 (YES), the process proceeds to step S23 and executes instruction verification.
- If the verification result of step S23 is also valid, the process proceeds to step S24, merges the verified redirection file with the original file, and ends.
- Otherwise the process proceeds to step S25, deletes the invalid redirection file from the system, and ends.
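The following is an added example, not the patent's code, of the validation and merge/delete decision of FIG. 3 (steps S21 to S25). The magic-byte table for jpg, exe and docx is constructed for the illustration; treating "merge" as replacing the original with the validated copy is an assumption; and the instruction-verification step S23, which the description names but does not specify, is modelled as an optional caller-supplied check rather than invented.

```python
"""Added example: header-value validation of a redirection file and the S24/S25 decision."""
import os
import shutil
import tempfile

# Constructed table of file-header values for the extensions the description names
# (leading bytes of a JPEG, a DOS/PE executable, and a ZIP-based Office document).
FILE_HEADERS = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".exe": (b"MZ",),
    ".docx": (b"PK\x03\x04",),
}


def read_header(path, length):
    """S21: read the leading file data of the redirection file."""
    with open(path, "rb") as f:
        return f.read(length)


def header_is_valid(path):
    """S22: the entry bytes must match the header value expected for the extension."""
    ext = os.path.splitext(path)[1].lower()
    expected = FILE_HEADERS.get(ext)
    if expected is None:
        return False  # no known header for this extension: refuse to vouch for it
    head = read_header(path, max(len(m) for m in expected))
    return any(head.startswith(m) for m in expected)


def resolve_redirection(redirection_path, original_path, instruction_check=None):
    """Decide the fate of a redirection file: 'merged' (S24) or 'deleted' (S25)."""
    valid = header_is_valid(redirection_path)
    if valid and instruction_check is not None:
        valid = instruction_check(redirection_path)  # S23, assumed hook for the unspecified step
    if valid:
        os.makedirs(os.path.dirname(original_path), exist_ok=True)
        os.replace(redirection_path, original_path)  # merge: validated copy becomes the original
        return "merged"
    os.remove(redirection_path)  # invalid: discard the copy, the original is untouched
    return "deleted"


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: tampered, intact, and instruction-rejected redirection files."""
    root = tempfile.mkdtemp()
    orig_dir, redir_dir = os.path.join(root, "orig"), os.path.join(root, "redir")
    results = {}

    # Case 1: the suspect program overwrote the header of a .docx -> deleted, original kept.
    orig, redir = os.path.join(orig_dir, "a.docx"), os.path.join(redir_dir, "a.docx")
    _write(orig, b"PK\x03\x04original")
    _write(redir, b"MZ\x90\x00tampered")
    results["tampered"] = (resolve_redirection(redir, orig),
                           read_header(orig, 64), os.path.exists(redir))

    # Case 2: the header survived the edit -> merged into the original.
    orig, redir = os.path.join(orig_dir, "b.docx"), os.path.join(redir_dir, "b.docx")
    _write(orig, b"PK\x03\x04original")
    _write(redir, b"PK\x03\x04edited")
    results["intact"] = (resolve_redirection(redir, orig),
                         read_header(orig, 64), os.path.exists(redir))

    # Case 3: header fine but the assumed instruction check rejects it -> deleted.
    orig, redir = os.path.join(orig_dir, "c.exe"), os.path.join(redir_dir, "c.exe")
    _write(orig, b"MZ\x90\x00original")
    _write(redir, b"MZ\x90\x00patched")
    results["rejected"] = (resolve_redirection(redir, orig, instruction_check=lambda p: False),
                           read_header(orig, 64), os.path.exists(redir))

    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner would attach to step S22: a header check only catches modifications that destroy the magic bytes. A ransomware that re-emits the original header in front of its ciphertext, or a macro planted inside a docx archive, passes it unchanged, so the unspecified instruction verification of step S23 is where any real content-level check has to live; the example keeps that step as a hook precisely so it cannot be mistaken for a complete validator. Unknown extensions are treated as invalid here, which is the conservative choice for a copy that is about to be written back over the original.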
- As described above, a file modified by a normal program and a file modified by a monitoring target program suspected of being a malicious program are stored separately in different paths. The file modified by the suspected program can therefore be managed separately from the file modified by the normal program, and when validation of the redirection file finds it invalid, the case is easily handled by deleting the invalid redirection file from the system, so the system can be safely protected from malicious programs.
- In the above embodiment, whether a program is a monitoring target program is determined by checking whether the program 110 accessing the system in user mode matches one or more of the monitoring target items held in the monitoring target item database 140.
- As a modification, programs known in advance to be safe (also called "normal programs" here, a term distinct from the "normal program" designated above by the monitoring target check) may be managed in a separate database or the like, and if the program 110 accessing the system in user mode is in that database, the program may be determined to be a normal program.
- Likewise, a program determined to be a malicious program by the above process may be managed in a malicious program database, and if the program 110 accessing the system in user mode is in the malicious program database, the program may be determined to be a monitoring target program.
- The above embodiment and the above modifications may be implemented separately or in combination with each other.
Bibliographic data
Application Number | Priority Date | Filing Date | Publication Number | Publication Date | Family ID | Title
---|---|---|---|---|---|---
PCT/KR2019/003223 | 2019-03-20 | 2019-03-20 | WO2020189823A1 (fr) | 2020-09-24 | 72520952 | Malicious program processing apparatus and processing method using a redirection file validity verification technique
Country status: WO (WO2020189823A1, published in French)
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
KR20100089245A (ko) * | 2009-02-03 | 2010-08-12 | AhnLab, Inc. | Apparatus and method for pre-emptive response to malicious code through level-based classification and isolated execution of suspicious behaviour, and computer-readable recording medium storing a program for executing the method
KR20100089968A (ko) * | 2009-02-05 | 2010-08-13 | AhnLab, Inc. | Apparatus and method for pre-emptively blocking malicious code using selective virtualization, and computer-readable recording medium storing a program for executing the method
KR20160099173A (ko) * | 2015-02-11 | 2016-08-22 | SSR Co., Ltd. | Method and apparatus for monitoring the operation of an executing program, computer program therefor, and recording medium
KR101710928B1 (ko) * | 2015-09-04 | 2017-03-13 | Foundation of Soongsil University-Industry Cooperation | Method for preventing malicious code on the OS platform of a mobile terminal, and recording medium and system for performing the same
KR20190020999A (ko) * | 2017-08-22 | 2019-03-05 | Hauri Inc. | Malicious program processing apparatus and processing method
Legal Events
Date | Code | Title | Description
---|---|---|---
| 121 | Ep: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 19920172; country of ref document: EP; kind code of ref document: A1
| NENP | Non-entry into the national phase | Ref country code: DE
| 122 | Ep: PCT application non-entry in European phase | Ref document number: 19920172; country of ref document: EP; kind code of ref document: A1
| 32PN | Ep: public notification in the EP bulletin as address of the addressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 21.04.2022)