This application claims the benefit of Korean Patent Application No. 10-2014-0012280, filed on Feb. 3, 2014, entitled “Apparatus and method for detecting a malicious code based on collected event information”, which is hereby incorporated by reference in its entirety into this application.
1. Technical Field
The present invention relates to an apparatus and method for detecting a process that executes a malicious code and, more particularly, to an apparatus and method for detecting a malicious code which collect various event information from a user's computing device, reconstruct all activities from the start point to the end point of each process corresponding to the collected unit events, and detect whether a malicious code is present, by each process or by each file, based on the collected event information.
2. Description of the Related Art
A representative conventional malicious code detection and processing technology is binary pattern-based malicious code detection, which determines a file or process subject to malicious code inspection to be a malicious code when a predefined binary pattern exists in that file or process. Whenever a malicious code is detected, a specific binary pattern of the detected malicious code is registered in order to manage the binary pattern data of malicious codes. Thus, malicious code detection based on binary patterns shows a high detection rate and a fast detection time for malicious codes whose binary patterns are managed and present. However, detection of unknown and/or variant malicious codes is not possible.
In addition to binary pattern-based detection of malicious codes, there is behavior-based detection of malicious codes. Behavior-based detection first defines behavior rules and then determines a file or process to be a malicious code when it corresponds to the rules. Behavior-based detection collects the related information from a user's PC or network in order to apply the predefined rules. Thus, whenever a new rule is created, additional related information must be collected. Furthermore, correlations between running processes or stored files cannot be determined. Therefore, there is a demand for data collection methods that allow even unknown and variant malicious codes to be detected, and for detecting malicious codes based on the collected data.
An object of the present invention is to collect various event information obtainable from a user's computing device in order to detect a malicious code and then detect a malicious code by processes or files based on reconstructed data.
Another object of the present invention is to apply data reconstructed by processes or files to a variety of malicious code detection methods by collecting the data regardless of malicious code detection methods.
According to an embodiment of the present invention, there is provided an apparatus for detecting a malicious code using collected event information. The apparatus for detecting a malicious code comprises a feature factor collecting module that collects information of feature factor events from a computing device based on the defined feature factors; a feature factor specification module that converts the collected information of feature factor events into feature factor specification data in a form available for analysis; and a malicious code detection module that analyzes whether a malicious code is present by using the specification data.
The defined feature factor comprises information related to a computer process, information related to a file system, and information related to a registry available to detect a malicious code.
The feature factor collecting module collects, when an event corresponding to the defined feature factor occurs, information relating to the feature factor event.
The information of the feature factor event comprises host ID, user ID (login ID), collecting time, operating system, process name, process ID, feature factor ID, and additional information relating to the feature factor, etc.
The feature factor specification module reconstructs the collected information of the feature factor event into feature factor specification data by processes.
The feature factor specification module updates the information of the process in which the feature factor event occurred and also updates the information of the parent process of the process in which the event occurred.
The feature factor specification module further reconstructs, by executable files, the feature factor specification data that was reconstructed by processes.
The feature factor specification data comprises specification representing the number of occurrences of the feature factor events.
The malicious code detection module determines whether the updated executable process or file is a malicious code based on the specification data.
According to another embodiment of the present invention, there is provided a method for detecting a malicious code. The method for detecting a malicious code comprises: feature factor defining, to define features that may occur in a computing device in order to detect malicious codes; feature factor event collecting, to collect information of feature factor events from the computing device based on the defined feature factors; feature factor specification, to convert the collected information of feature factor events into feature factor specification data in a form available for analysis; and malicious code detecting, to analyze whether a malicious code is present by using the specification data.
The defined feature factor comprises information related to a computer process, information related to a file system, information related to a registry, and the like, available to detect a malicious code.
The feature factor event collecting comprises collecting, when an event corresponding to the defined feature factor occurs in a system, information relating to the feature factor event.
The feature factor event information comprises host ID, user ID, collecting time, operating system, process name, process ID, feature factor ID, and additional information relating to the feature factor, etc.
The feature factor specification comprises reconstructing the collected information of the feature factor event into feature factor specification data by processes.
The feature factor specification comprises updating the information of the process in which the feature factor event occurred and also updating the information of the parent process of the process in which the event occurred.
The feature factor specification comprises further reconstructing, by executable files, the feature factor specification data that was reconstructed by processes.
The feature factor specification comprises specification representing the number of occurrences of the feature factor events.
The malicious code detecting comprises determining whether the updated executable process or file is a malicious code based on the specification data.
According to the present invention, the malicious code detection can be applied to any method for detecting a malicious code, since various event information obtainable from a user's computing device is first collected to detect a malicious code and the collected events are reconstructed into data representing all activities from the start point to the end point of each process.
Furthermore, the apparatus and method for detecting a malicious code of the present invention can detect unknown and/or variant malicious codes since various event information is collected from a user's computing device regardless of kinds of malicious codes.
While the present invention has been described with reference to particular embodiments, it is to be appreciated that various changes and modifications may be made by those skilled in the art without departing from the spirit and scope of the present invention, as defined by the appended claims and their equivalents.
Throughout the description of the present invention, when a detailed description of a certain technology is determined to obscure the point of the present invention, the pertinent detailed description will be omitted.
Unless clearly used otherwise, expressions in the singular used in the present invention include a plural meaning.
The terms module, unit, interface and the like used in the description mean general objects relating to a computer, such as hardware, software, and a combination thereof.
As shown in
The feature factor collecting module 101 collects, whenever one of the various feature factor events defined in a computing device occurs, information relating thereto in order to detect a malicious code. Here, the feature factor event includes information relating to a process of the user's computing device, information related to a file system, information related to a registry, and the like. Feature factors can be added if necessary. Whenever a feature factor event occurs, the feature factor collecting module collects information relating thereto. The information to be collected when a feature factor event occurs includes host ID, user ID, collecting time, operating system, process name, process ID, feature factor ID, additional information relating to the feature factor, and the like. The additional information for the corresponding feature factor can vary with the feature factor. For example, when an event in which the process generates another process occurs, the information may include the ID of the child process.
The feature factor specification module 102 is a module that reconstructs, by processes, each of the feature factor events collected by the feature factor collecting module 101. The feature factor specification module 102 does not define unit events, but reconstructs all activities of a specific process from its start point to its end point, and so provides, as the feature factor specification, information from which it is possible to determine whether the feature process is a normal code or a malicious code. Furthermore, the feature factor specification module can further aggregate the data by the executable files which generate the processes.
Whenever the process specification information reconstructed by the feature factor specification module 102 is updated, which happens whenever an event occurs, the malicious code detection module 103 determines whether it is a normal code or a malicious code from the inputted process information of the updated feature factor events. The malicious code detection module 103 may determine a malicious code by applying the information to a model generated by a mining algorithm or to behavior-based rules for the detection of malicious codes.
The feature factor information storing module 104 stores the collected event information, feature factor specification data reconstructed by processes or executable files, and information about malicious codes.
The visualizing module 105 visualizes information to be provided to a user. The visualizing module 105 visualizes and outputs the information relating to the events collected through the feature factor collecting module 101, the feature factor specification information reconstructed by processes or executable files by the feature factor specification module 102, and the malicious code information from the malicious code detection module 103, so that a user can recognize them easily. The visualizing module 105 may include a graphical user interface (GUI) for a user to understand the information relating to the events, the feature factor specification information, and the malicious code information.
The control module 106 may control the overall operations and workings of the apparatus for detecting a malicious code 100.
A method for detecting a malicious code according to an embodiment of the present invention to protect a computing device against a malicious attack will be described hereinafter.
The apparatus for detecting a malicious code 100 detects a malicious code by a method comprising feature factor defining, to define features that may occur in a computing device in order to detect malicious codes, in S201; feature factor event collecting, to collect information of feature factor events from the computing device based on the defined feature factors, in S202; feature factor specification, to convert the collected information of feature factor events into feature factor specification data in a form available for analysis, in S203; and malicious code detecting, to analyze whether a malicious code is present by using the specification data, in S204.
As shown in
The step of collecting feature factors comprises collecting information, in chronological order, whenever a feature factor event defined for a computing device occurs, through the feature factor collecting module 101 and based on the defined feature factors, as shown in
As shown in
The step of feature factor specification of S203 comprises reconstructing each of the feature factor events collected in the step of collecting feature factors by processes or by executable files.
Since it is not easy to detect whether a feature process is normal or malicious from the unit events collected in the step of collecting feature factors of S202, the detection of a malicious code can be facilitated by utilizing the feature factor specification, which is the result of reconstructing all activity of a feature process from its start point to its end point. A feature factor specification list as shown in
As shown in
The feature factor specification information in the step of feature factor specification includes a process name, a process ID, a feature factor specification ID value and the like. The feature factor specification information is updated based on the process ID in chronological order of log numbers for the collected events in
a) is the feature factor specification information of 401 of the log No. 1 in
b) is the feature factor specification information of 402 of the log No. 2 in
c) is the feature factor specification information of 403 of the log No. 3 in
d) is the feature factor specification information of 404 of the log No. 4 in
e) is the feature factor specification information of 405 of the log No. 5 in
As in
As in
In the step of detecting a malicious code of S204, which analyzes whether a malicious code is present, the feature factor specification list is updated whenever a feature factor event is collected, and the information of the processes affected by the updated feature factor event is inputted to the malicious code detection module 103 to determine whether it is normal or malicious. The feature factor specification information of the present invention is applicable to various malicious code detection methods, so the malicious code detection module 103 can apply the feature factor specification information to a model generated by a mining algorithm such as an SVM (support vector machine) or to a behavior-based rule in order to detect a malicious code.
When a new event is collected in the step of detecting a malicious code of S204, the process of transmitting the updated information to the malicious code detection module 103 will be explained only with
e) illustrates a case in which 4 feature factor events have already been collected and an event in which the process nateon.exe (PID:2336) generates an executable file occurs as the 5th feature factor event. This event corresponds to feature factor specification ID No. 3 of the process (PID:2336), so the value of feature factor specification ID No. 3 is increased by 1, resulting in 2, and the value of feature factor specification ID No. 4 of explorer.exe (PID:1664), which is the parent process of nateon.exe (PID:2336), is also increased by 1, resulting in 2. Since only the feature factor specification information of the 2 processes nateon.exe (PID:2336) and explorer.exe (PID:1664) is updated, only the updated specification information of these 2 processes is transmitted to the malicious code detection module to determine whether it is normal or malicious.
An embodiment of the present invention may be implemented in a computer system, e.g., as a computer readable medium. As shown in
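The following is an added illustration, not code from the patent, of the per-process specification update and parent-process update described above (and of the per-executable aggregation of the specification step). The feature factor names, the mapping of feature factors to specification IDs other than the 3/4 pair, and the `ppid`/`parent_name` additional-information keys are assumptions; the five-event log is constructed to reproduce the nateon.exe/explorer.exe scenario.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Assumed mapping (the text names only the 3/4 pair): feature factor ID ->
# (spec ID counted on the acting process, spec ID counted on its parent)
SPEC_IDS = {"PROC_CREATE": (1, 2), "FILE_CREATE_EXE": (3, 4), "REG_SET": (5, 6)}

@dataclass
class Event:  # one collected feature factor event (host/user/time/OS fields omitted)
    log_no: int
    process_name: str
    pid: int
    feature_factor: str
    extra: dict = field(default_factory=dict)  # assumed keys: ppid, parent_name

@dataclass
class ProcSpec:  # feature factor specification of one process
    process_name: str
    pid: int
    ppid: "int | None" = None
    counts: Counter = field(default_factory=Counter)  # spec ID -> occurrences

class SpecificationModule:
    def __init__(self):
        self.specs = {}  # process ID -> ProcSpec: the specification list

    def update(self, ev):
        """Fold one event into the list; return only the specs that changed,
        which is what gets forwarded to the detection module."""
        self_id, parent_id = SPEC_IDS[ev.feature_factor]
        proc = self.specs.setdefault(ev.pid, ProcSpec(ev.process_name, ev.pid))
        proc.ppid = ev.extra.get("ppid", proc.ppid)
        proc.counts[self_id] += 1
        updated = [proc]
        if proc.ppid is not None:  # the parent process is updated as well
            parent = self.specs.setdefault(
                proc.ppid, ProcSpec(ev.extra.get("parent_name", "?"), proc.ppid))
            parent.counts[parent_id] += 1
            updated.append(parent)
        return updated

    def by_executable(self):
        """Reconstruct per executable file by summing the specs of its processes."""
        out = defaultdict(Counter)
        for s in self.specs.values():
            out[s.process_name].update(s.counts)
        return dict(out)

def run_example():
    """Constructed five-event log reproducing the text's fifth-event scenario."""
    child = {"ppid": 1664, "parent_name": "explorer.exe"}
    log = [("explorer.exe", 1664, "PROC_CREATE", {"child_pid": 2336})] + [
        ("nateon.exe", 2336, ff, child) for ff in
        ("REG_SET", "FILE_CREATE_EXE", "REG_SET", "FILE_CREATE_EXE")]
    module = SpecificationModule()
    for n, (name, pid, ff, extra) in enumerate(log, 1):
        updated = module.update(Event(n, name, pid, ff, extra))
    return module, updated  # 'updated' is what the fifth event forwarded
```

After the fifth event, `run_example()` returns specs in which nateon.exe has ID 3 at 2 and explorer.exe has ID 4 at 2, and the forwarded list contains exactly those two processes.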
Accordingly, an embodiment of the invention may be implemented as a computer implemented method or as a non-transitory computer readable medium with computer executable instructions stored thereon. In an embodiment, when executed by the processor, the computer readable instructions may perform a method according to at least one aspect of the invention.
The computer readable medium may include a program instruction, a data file and a data structure or a combination of one or more of these.
The program instruction recorded in the computer readable medium may be specially designed for the present invention or generally known in the art to be available for use. Examples of the computer readable recording medium include a hardware device constructed to store and execute a program instruction, for example, magnetic media such as hard disks, floppy disks, and magnetic tapes, optical media such as CD-ROMs, and DVDs, and magneto-optical media such as floptical disks, read-only memories (ROMs), random access memories (RAMs), and flash memories. In addition, the above described medium may be a transmission medium such as light including a carrier wave transmitting a signal specifying a program instruction and a data structure, a metal line and a wave guide. The program instruction may include a machine code made by a compiler, and a high-level language executable by a computer through an interpreter.
The above described hardware device may be constructed to operate as one or more software modules to perform the operation of the present invention, and vice versa.
While it has been described with reference to particular embodiments, it is to be appreciated that various changes and modifications may be made by those skilled in the art without departing from the spirit and scope of the embodiments herein, as defined by the appended claims and their equivalents. Accordingly, the examples described herein are only for explanation, and there is no intention to limit the invention. The scope of the present invention should be interpreted by the following claims, and all equivalents of the following claims should be interpreted as falling within the scope of the present invention.
Number | Date | Country | Kind |
---|---|---|---|
10-2014-0012280 | Feb 2014 | KR | national |