KR101726360B1 - Method and server for generating suffix tree, method and server for detecting malicious code with using suffix tree - Google Patents
- Publication number
- KR101726360B1 (application number KR1020150092118A; also listed as KR20150092118A)
- Authority
- KR
- South Korea
- Prior art keywords
- function call
- malicious code
- call sequence
- suffix tree
- unit
- Prior art date
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis

- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
Abstract
The present invention relates to a method for generating a suffix tree, a suffix tree generation server, a malicious code detection method using the suffix tree, and a malicious code detection server using the suffix tree. According to the present invention, there is provided a malicious code detection method comprising: loading a suffix tree generated based on a malicious code sample file; receiving a function call sequence of a target sample file from a client; processing the received function call sequence; searching the suffix tree for subsequences of the processed function call sequence; and determining whether the target sample file is malicious code based on the search result for the suffix tree. According to the present invention, it is possible to detect PC-based or mobile-based malicious code.
Description
The present invention relates to a method for generating a suffix tree and a suffix tree generation server, a malicious code detection method using the suffix tree, and a malicious code detection server using the suffix tree.
Dynamic analysis means executing a program in order to detect malicious behaviour and extracting and analysing information about the actions it performs. Signature-based analysis means analysis using the characteristics of known malicious code.
There are many ways to analyse a sequence of function calls. In many cases an arbitrary program is judged to be malicious code when its similarity to known malicious code is calculated and that similarity exceeds a certain threshold value.
The algorithm used for the similarity comparison can vary widely.
Most of the time this incurs an analysis-time overhead, because most approaches perform the full analysis rather than using a time-efficient algorithm.
The present invention aims at solving all of the above problems.
The present invention has another purpose to utilize in PC or mobile based malware detection.
Another object of the present invention is to utilize it in malicious code analysis and classification.
In order to accomplish the objects of the present invention as described above and achieve the characteristic effects of the present invention described below, the characteristic structure of the present invention is as follows.
According to an embodiment, there is provided a method for generating a suffix tree, the method comprising: executing a malicious code sample file including malicious code and a normal sample file; extracting a first function call sequence for the malicious code sample file and a second function call sequence for the normal sample file; processing the extracted first function call sequence and second function call sequence; and generating a suffix tree using the processed first function call sequence and second function call sequence.
According to another embodiment, in the method of generating a suffix tree, the processing step includes processing the first function call sequence and the second function call sequence by merging successively repeated elements in each of the extracted sequences.
According to yet another embodiment, generating the suffix tree comprises generating a temporary suffix tree based on the processed first function call sequence and second function call sequence, and determining a final suffix tree by removing from the temporary suffix tree the nodes corresponding to subsequences of the second (normal sample) function call sequence together with the edges connecting those nodes.
According to an embodiment, a malicious code detection method includes: loading a suffix tree generated based on a malicious code sample file; receiving a function call sequence of a target sample file from a client; processing the received function call sequence; searching the suffix tree for subsequences of the processed function call sequence; and determining whether the target sample file is malicious code based on the search result for the suffix tree.
In the malicious code detection method according to another embodiment, the suffix tree is a final suffix tree generated by processing a function call sequence extracted from a normal sample file and a function call sequence extracted from a malicious code sample file including malicious code, deriving a temporary suffix tree from the processed sequences, and removing from the temporary suffix tree the nodes for the function call sequence extracted from the normal sample file.
According to yet another embodiment, in the malicious code detection method, the processing may include processing the function call sequence by merging successively repeated elements in the function call sequence received from the client.
According to another embodiment of the present invention, the searching comprises: extracting subsequences by applying a sliding window to the processed function call sequence; and determining whether each extracted subsequence matches a sequence derived from the nodes and edges of the suffix tree.
In the malicious code detection method according to another embodiment, extracting the subsequences may include extracting overlapping subsequences by advancing a sliding window of a predetermined number of elements along the function call sequence.
According to another embodiment, the malicious code detection method may further include transmitting, when the target sample file is determined to be malicious code, information indicating that malicious code exists in the target sample file to the client.
According to one embodiment, the suffix tree generation server includes: a sample file execution unit that executes a malicious code sample file including malicious code and a normal sample file; a function call sequence extraction unit that extracts a first function call sequence for the malicious code sample file and a second function call sequence for the normal sample file; a function call sequence processing unit that processes the extracted first function call sequence and second function call sequence; and a suffix tree generation unit that generates a suffix tree using the processed first function call sequence and second function call sequence.
According to another embodiment, in the suffix tree generation server, the function call sequence processing unit may process the first function call sequence and the second function call sequence by merging successively repeated elements in each of the extracted sequences.
According to another embodiment of the present invention, in the suffix tree generation server, the suffix tree generation unit generates a temporary suffix tree based on the processed first function call sequence and second function call sequence, and determines the final suffix tree by removing from the temporary suffix tree the nodes corresponding to subsequences of the second (normal sample) function call sequence and the edges connecting those nodes.
According to one embodiment, the malicious code detection server comprises: a suffix tree loading unit that loads a suffix tree generated based on a malicious code sample file; a function call sequence receiving unit that receives a function call sequence of a target sample file from a client; a function call sequence processing unit that processes the received function call sequence; a suffix tree search unit that searches the suffix tree for subsequences of the processed function call sequence; and a malicious code determination unit that determines whether the target sample file is malicious code based on the search result for the suffix tree.
In the malicious code detection server according to another embodiment, the suffix tree is a final suffix tree generated by processing a function call sequence extracted from a normal sample file and a function call sequence extracted from a malicious code sample file including malicious code, deriving a temporary suffix tree from the processed sequences, and removing from the temporary suffix tree the nodes for the function call sequence extracted from the normal sample file.
In a malicious code detection server according to another embodiment, the function call sequence processing unit may process the function call sequence by merging successively repeated elements in the function call sequence received from the client.
In the malicious code detection server according to another embodiment, the suffix tree search unit may include a subsequence extraction unit that extracts subsequences by applying a sliding window to the processed function call sequence, and a subsequence matching unit that determines whether each extracted subsequence matches a sequence derived from the nodes and edges of the suffix tree.
In the malicious code detection server according to another embodiment, the subsequence extraction unit may extract overlapping subsequences by advancing a sliding window of a predetermined number of elements along the function call sequence.
In the malicious code detection server according to another embodiment, the malicious code detection server may further include a malicious code information transmission unit that transmits to the client information indicating that malicious code exists in the target sample file.
The present invention can be utilized for PC or mobile based malware detection. Therefore, the present invention has an effect that can be utilized in malicious code analysis and classification.
FIG. 1A is a flowchart illustrating a method for generating a suffix tree according to an embodiment of the present invention.
FIG. 1B is a flowchart illustrating the suffix tree generation step of the method of FIG. 1A according to an embodiment of the present invention.
FIG. 2A is a flowchart illustrating a malicious code detection method according to an embodiment of the present invention.
FIG. 2B is a flowchart illustrating the search step of the malicious code detection method according to an embodiment of the present invention.
FIG. 3A is a conceptual diagram illustrating a malicious code detection method according to an embodiment of the present invention.
FIG. 3B is a flowchart illustrating a malicious code detection method according to an exemplary embodiment of the present invention, performed by a client and a server.
FIG. 4A illustrates the flow of an operation procedure of a client according to an exemplary embodiment of the present invention.
FIG. 4B illustrates the flow of an operation procedure of a server according to an embodiment of the present invention.
FIG. 5A shows the state before processing of a function call sequence according to an embodiment of the present invention.
FIG. 5B shows function call sequence processing according to an embodiment of the present invention.
FIG. 5C shows a sliding window scan according to an embodiment of the present invention.
FIG. 6 illustrates a process of generating a suffix tree according to an embodiment of the present invention.
FIG. 7A shows the state before the removal of a function call sequence according to an embodiment of the present invention.
FIG. 7B illustrates the procedure for removing a function call sequence according to an embodiment of the present invention.
FIG. 7C illustrates the removal of a function call sequence according to an embodiment of the present invention.
FIG. 8 is a block diagram illustrating a suffix tree generation server according to an embodiment of the present invention.
FIG. 9 is a block diagram illustrating a malicious code detection server according to an embodiment of the present invention.
FIG. 10 is a block diagram illustrating a suffix tree search unit according to an embodiment of the present invention.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.
1A is a flowchart illustrating a method for generating a suffix tree according to an embodiment of the present invention.
Referring to FIG. 1A, the method of generating a suffix tree performed by the suffix tree generation server may include the following steps.
In step S110, the suffix tree generation server executes a malicious code sample file including malicious code and a normal sample file. There may be several malicious code sample files and several normal sample files, but the method is not limited thereto.
In step S120, the suffix tree generation server extracts a first function call sequence for the malicious code sample file and a second function call sequence for the normal sample file.
In step S130, the suffix tree generation server processes the extracted first function call sequence and second function call sequence.
Specifically, the suffix tree generation server processes the first function call sequence and the second function call sequence by merging successively repeated elements in each of the extracted sequences.
In step S140, the suffix tree generation server generates the suffix tree using the processed first function call sequence and second function call sequence. Specifically, it generates a temporary suffix tree based on the processed first function call sequence and second function call sequence, and then determines the final suffix tree by removing from the temporary suffix tree the nodes corresponding to subsequences of the second (normal sample) function call sequence and the edges connecting those nodes.
FIG. 1B is a flowchart illustrating step S140 in more detail according to an embodiment of the present invention.
Referring to FIG. 1B, generating the suffix tree from the processed first function call sequence and second function call sequence may include the following steps.
In step S141, the suffix tree generation server generates a temporary suffix tree based on the processed first function call sequence and second function call sequence.
In step S142, the suffix tree generation server determines the final suffix tree by removing from the temporary suffix tree the nodes corresponding to subsequences of the second (normal sample) function call sequence and the edges connecting those nodes.
FIG. 2A is a flowchart illustrating a malicious code detection method according to an embodiment of the present invention.
Referring to FIG. 2A, the malicious code detection method performed by the malicious code detection server may include the following steps.
In step S210, the malicious code detection server loads the suffix tree generated based on the malicious code sample file. This suffix tree is the final suffix tree obtained by processing the function call sequences extracted from the normal sample file and from the malicious code sample file including malicious code, deriving a temporary suffix tree from the processed sequences, and removing from that temporary suffix tree the nodes for the function call sequence extracted from the normal sample file.
In step S220, the malicious code detection server receives the function call sequence of the target sample file from the client.
In step S230, the malicious code detection server processes the received function call sequence. Specifically, it merges successively repeated elements in the function call sequence received from the client.
In step S240, the malicious code detection server searches the suffix tree for subsequences of the processed function call sequence. Specifically, it extracts subsequences by applying a sliding window of a predetermined number of elements (the element unit) to the processed function call sequence, advancing the window one element at a time so that consecutive windows overlap, and determines whether each extracted subsequence matches a sequence derived from the nodes and edges of the suffix tree.
For example, suppose the preset element unit is 4 and the processed function call sequence is 10, 30, 32, 54, 23, 54, .... The malicious code detection server first extracts 10, 30, 32, 54 as a subsequence, then 30, 32, 54, 23 as the next subsequence, and so on along the sequence. The predetermined element unit may of course be increased or decreased as the case requires and is not limited to this value.
In step S250, the malicious code detection server determines whether the target sample file is malicious code based on the search result for the suffix tree.
In step S260, if the target sample file is determined to be malicious code, the malicious code detection server transmits to the client information indicating that malicious code exists in the target sample file.
2B is a flowchart illustrating a malicious code detection method according to an embodiment of the present invention.
According to one embodiment, the malicious code detection server searches the suffix tree for subsequences of the processed function call sequence as follows.
In step S241, the malicious code detection server extracts subsequences by applying a sliding window to the processed function call sequence.
In step S242, the malicious code detection server determines whether each extracted subsequence matches a sequence derived from the nodes and edges of the suffix tree.
3A is a conceptual diagram illustrating a malicious code detection method according to an embodiment of the present invention.
Referring to FIG. 3A, the entire system includes a
According to one embodiment, the malicious
In addition, according to one embodiment, the
FIG. 3B is a flowchart illustrating a malicious code detection method according to an exemplary embodiment of the present invention, performed by a client and a malicious code detection server.
According to one embodiment, the malware detection framework may be configured with a server-client architecture. The server may be a malicious code detection server or a suffix tree generation server, and the client may be, but is not limited to, a user terminal such as a smart phone or a tablet. The client records (1-1) the functions called during execution of an arbitrary program and periodically transmits (a) the sequence of function calls, arranged in chronological order, to the malicious code detection server. The malicious code detection server loads (2-1) a suffix tree, which is a signature model generated in advance, and searches (2-2, 2-3, 2-4) the loaded suffix tree for the transmitted function call sequence. If the search finds a subsequence that matches a function call sequence of malicious code, the program executed on the client can be determined to be malicious code, and the malicious code detection server may transmit the search result to the client (b).
FIG. 4A illustrates the flow of an operation procedure of a client according to an exemplary embodiment of the present invention.
Referring to FIG. 4A, the malicious code detection operation of the client can be seen. Because the client is more likely to be limited in performance than the malicious code detection server, the work it does for the detection analysis is kept to a minimum.
According to one embodiment, the client is responsible only for recording the sequence of function calls and periodically sending it to the malicious code detection server.
The malicious code detection operation of the client may include the following steps.
In step S401, the client executes an arbitrary program and records the function calls made by that program.
In step S402, the client periodically transmits the function call sequence to the malicious code detection server; this transmission may be repeated.
FIG. 4B is a flowchart illustrating the operation of the malicious code detection server according to an embodiment of the present invention.
Referring to FIG. 4B, the malicious code detection process of the malicious code detection server can be seen. The malicious code detection server does more of the analysis work than the client. Before analysing a function call sequence transmitted from the client, it loads into memory a signature model, the suffix tree, which represents the function call sequences of known malicious code. When a function call sequence arrives from the client, the server processes it.
The malicious code detection operation of the malicious code detection server may include the following steps.
In step S411, the malicious code detection server loads the suffix tree as the signature model. In step S412, it receives the function call sequence from the client.
In step S413, the malicious code detection server processes the received function call sequence. In step S414, it creates a sliding window, and in step S415 it searches the suffix tree for the subsequences of the processed function call sequence obtained with the sliding window.
In step S416, the malicious code detection server transmits the search result to the client.
FIG. 5A shows the state before processing of a function call sequence according to an embodiment of the present invention.
Referring to FIG. 5A, the processing of a function call sequence can be seen.
According to one embodiment, when each element constituting the
FIG. 5B shows function call sequence processing according to an embodiment of the present invention.
Referring to FIG. 5B, the function call sequence processing step is shown.
According to one embodiment, upon completion of the function call sequence, the malicious code detection server may scan the processed
The malicious code detection server can also search the suffix tree for the sliding window subsequence being scanned.
FIG. 5C shows a sliding window scan according to an embodiment of the present invention.
Referring to FIG. 5C, subsequence extraction and search using a sliding window can be seen.
According to one embodiment, the malicious code detection server may determine that the
According to one embodiment, the malicious code detection server can use a signature tree, a
FIG. 6 illustrates a process of generating a suffix tree according to an embodiment of the present invention.
Referring to FIG. 6, the process by which the suffix tree generation server creates the suffix tree can be seen. It may include the following steps.
In step S610, the suffix tree generation server can execute the programs of the
In step S620, the suffix tree generation server extracts the function call sequences. In step S630, it processes the extracted function call sequences.
In step S640, the suffix tree generation server generates the suffix tree by adding the processed sequences to it. In step S650, it removes the function call sequences of the normal sample files from the tree.
According to one embodiment, the suffix tree generation server executes the known malicious code sample files and the normal sample files in turn and extracts a function call sequence from each sample file while it runs. As the processing step, it first merges the successively repeated elements of each function call sequence. Once the function call sequences of both the malicious code sample files and the normal sample files have been processed, it generates the suffix tree from the processed sequences.
According to one embodiment, after all function call sequences of the malicious code sample files and normal sample files have been added, the suffix tree generation server traverses every node of the suffix tree looking for function call subsequences of the normal sample files, and removes the nodes and edges that represent them. Here each suffix is itself a function call subsequence. The reason for this removal is that malicious code may perform actions similar to those of normal programs; if the function call sequence denoting such behaviour remained in the suffix tree, a normal file could be classified as malicious. Removing the function call sequences found in the normal sample files prevents normal files from being classified as malicious.
FIG. 7A shows the state before the removal of a function call sequence of a normal sample file according to an embodiment of the present invention.
Referring to FIG. 7A, the state before the function call sequences of the normal sample files are removed can be seen. A suffix tree is a structure that represents the suffixes contained in several sequences. The edges that make up the tree are labelled with the subsequence consumed when moving from one node to the next, and each node indicates which of the input sequences contains, as a subsequence, the concatenation of the edge labels on the path from the root to that node.
FIG. 7B illustrates the procedure for removing a function call sequence of a normal sample file according to an embodiment of the present invention.
Referring to FIG. 7B, the procedure for removing a function call sequence of a normal sample file can be seen.
For example, when tx = {2,3,4,5} is looked up in the suffix tree of FIG. 7A, it is consumed by the edge labelled {2,3,4} followed by the edge labelled {5}, and the node reached at the end carries the label mt.1; tx is therefore a subsequence of mt.1. By inspecting the node labels one can tell, for any input sequence, which of the sequences used at creation time it is a subsequence of, and in particular whether it is a subsequence of a malicious code sample file or of a normal sample file.
According to one embodiment, to remove the sequences of the normal sample files the suffix tree generation server traverses the nodes, checks each label, and removes the node and its associated edges if the label set includes a normal sample file.
FIG. 7C illustrates the removal of a function call sequence according to an embodiment of the present invention.
Referring to FIG. 7C, the normal sequences have been removed from the suffix tree generated from two malicious sequences (mt.1, mt.2) and two normal sequences (bt.1, bt.2). As a result, all nodes and edges associated with every suffix contained in bt.1 or bt.2 have been removed. The suffix tree generation server may use depth-first search (DFS) as the node traversal for this removal.
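The pipeline of FIG. 6 and FIG. 7 (merge repeated calls, insert every suffix of every sample into one tree with node labels, remove what the normal samples reach) together with the sliding-window search of step S240 and FIG. 5C, put together as one runnable Python example. This is an added illustration, not the patent's own code: the call identifiers, the sample sequences and the function names are constructed here, and only the labels mt.1, mt.2, bt.1, bt.2 follow FIG. 7C. The tree is an uncompressed suffix tree (every edge carries one call identifier), which keeps the code short and changes nothing about which windows match. One design decision is made explicit because the text leaves it open: a node that a normal sample reaches is never allowed to match, but if it still leads to a descendant reached only by malicious samples it is kept as a pass-through instead of being deleted with its subtree. Deleting the subtree literally would discard every malicious window whose first call also occurs anywhere in a normal program, which for real API traces is almost all of them.

```python
"""Suffix-tree signature model over function-call sequences (added example).
Sample names mt.1/mt.2 (malicious) and bt.1/bt.2 (benign) follow FIG. 7C; the
call identifiers and the sequences themselves are constructed for this demo."""


def merge_repeats(seq):
    """Step S130/S230: collapse runs of the same call id, [1, 1, 2, 2, 3] -> [1, 2, 3]."""
    out = []
    for call in seq:
        if not out or out[-1] != call:
            out.append(call)
    return out


class Node:
    """One node of the (uncompressed) suffix tree. 'labels' records which sample
    sequences contain the root-to-node path as a subsequence (the node label of
    FIG. 7A); 'clean' is set by prune_benign and means the node may match."""

    __slots__ = ("children", "labels", "clean")

    def __init__(self):
        self.children = {}   # next call id -> Node
        self.labels = set()
        self.clean = False


def add_sequence(root, label, seq):
    """Step S640: insert every suffix of seq, tagging each node it passes."""
    for start in range(len(seq)):
        node = root
        for call in seq[start:]:
            node = node.children.setdefault(call, Node())
            node.labels.add(label)


def prune_benign(node, benign):
    """Step S650 / FIG. 7C as a post-order DFS. A node is clean when no benign
    sample reaches it. Subtrees holding no clean node are deleted; a shared node
    that still leads to a clean descendant is kept only as a pass-through (it can
    never be a match itself). Returns True if the subtree survives."""
    for call, child in list(node.children.items()):
        if not prune_benign(child, benign):
            del node.children[call]
    node.clean = bool(node.labels) and not (node.labels & benign)
    return node.clean or bool(node.children)


def build_signature_tree(malicious, benign):
    """Steps S610-S650: both sample sets go into one temporary tree, then the
    benign-reachable part is removed to give the final signature model."""
    root = Node()
    for label, seq in {**malicious, **benign}.items():
        add_sequence(root, label, merge_repeats(seq))
    prune_benign(root, set(benign))
    return root


def sliding_windows(seq, size):
    """Step S241: overlapping windows of 'size' elements, advanced one element at a time."""
    return [tuple(seq[i:i + size]) for i in range(len(seq) - size + 1)]


def find_in_tree(root, window):
    """Step S242: walk the window from the root; a hit needs a clean end node."""
    node = root
    for call in window:
        node = node.children.get(call)
        if node is None:
            return False
    return node.clean


def detect(root, raw_sequence, size):
    """Steps S230-S250 on the server: returns the matching windows; a non-empty
    result marks the target sample as malicious."""
    windows = sliding_windows(merge_repeats(raw_sequence), size)
    return [w for w in windows if find_in_tree(root, w)]


# Constructed samples; call ids are arbitrary integers, like the page's 10, 30, 32, 54.
MALICIOUS = {"mt.1": [1, 2, 3, 4, 5], "mt.2": [7, 2, 3, 4, 8, 8, 8, 9]}
BENIGN = {"bt.1": [1, 1, 2, 9], "bt.2": [7, 2, 3]}

if __name__ == "__main__":
    tree = build_signature_tree(MALICIOUS, BENIGN)
    print(find_in_tree(tree, (2, 3, 4, 5)))           # True: the tx of FIG. 7B, only in mt.1
    print(find_in_tree(tree, (7, 2, 3)))              # False: also in bt.2, so removed
    print(detect(tree, [1, 1, 2, 2, 3, 4, 5, 5], 4))  # [(1, 2, 3, 4), (2, 3, 4, 5)]
    print(detect(tree, [7, 2, 3, 4, 8, 8], 4))        # [(7, 2, 3, 4), (2, 3, 4, 8)]
```

Two properties of the model are visible in the second and fourth results. A window shared with any normal sample, such as 7, 2, 3, is suppressed even though it also occurs in mt.2, so coverage of the normal sample set directly controls false positives and, conversely, every benign program added to the training set removes signal. And a target whose merged sequence is shorter than the element unit yields no windows at all and is never flagged, so the unit must be chosen against the length of the traces the client actually sends.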
8 is a block diagram illustrating a suffix tree generation server according to an embodiment of the present invention.
8, the suffix
The sample
The function call
The function call
The suffix
9 is a block diagram illustrating a malicious code detection server according to an embodiment of the present invention.
9, the malicious
The suffix
The suffix tree may be the final suffix tree generated by processing the function call sequences extracted from the normal sample file and from the malicious code sample file including malicious code, deriving a temporary suffix tree from the processed sequences, and removing from that temporary suffix tree the nodes for the function call sequence extracted from the normal sample file.
The function call
The function call
The function call
The search
The malicious
The malicious code information transmitting unit 960 can transmit to the client information indicating that a malicious code exists in the target sample file when the target sample file is determined to be malicious code.
10 is a block diagram illustrating a suffix tree search unit according to an embodiment of the present invention.
10, the suffix
The
The
The subsequence matching unit 1120 can determine whether or not the extracted subsequence matches a sequence derived from nodes and edges of the suffix tree.
According to one embodiment, the suffix
According to one embodiment, the malicious
According to one embodiment, malicious
According to one embodiment, the suffix tree generation method and the malicious code detection method performed by the malicious
In addition, the malicious
According to one embodiment, the suffix tree generation method and the malicious code detection method can be applied to a general user PC and a mobile environment for determining whether a malicious program exists or not.
In addition, the suffix tree generation method and malicious code detection method can be utilized for PC or mobile based malicious code detection, and furthermore, malicious code analysis and classification can be utilized.
The methods according to embodiments of the present invention may be implemented in the form of program instructions that can be executed through various computer means and recorded in a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, and the like, alone or in combination. The program instructions recorded on the medium may be those specially designed and configured for the present invention or may be available to those skilled in the art of computer software.
While the invention has been shown and described with reference to certain preferred embodiments thereof, it will be understood by those of ordinary skill in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.
Therefore, the scope of the present invention should not be limited by the illustrated embodiments, but should be determined by the claims that follow and their equivalents.
Claims (18)
The sample file execution unit executing the malicious code sample file including the malicious code and the normal sample file;
The function call sequence extracting unit extracting a first function call sequence for the malicious code sample file and a second function call sequence for the normal sample file;
The function call sequence processing unit processing the extracted first function call sequence and the second function call sequence; And
Wherein the suffix tree generating unit generates the suffix tree using the processed first function call sequence and the second function call sequence
The processing step comprises:
Wherein the function call sequence processing unit processes the first function call sequence and the second function call sequence by merging successively repeated elements in the extracted first function call sequence and the second function call sequence.
Wherein the generating the suffix tree comprises:
The suffix tree generating unit generating a temporary suffix tree based on the processed first function call sequence and the second function call sequence;
Wherein the suffix tree generator removes a node corresponding to a subsequence of a first function call sequence and an edge connecting the node in the temporary suffix tree to determine a final suffix tree
Loading the generated suffix tree based on the malicious code sample file;
The function call sequence receiving unit receiving a function call sequence of a target sample file from a client;
The function call sequence processing unit processing the received function call sequence;
The suffix tree search unit searching the suffix tree for a subsequence of the processed function call sequence; And
Wherein the malicious code determination unit determines whether the target sample file is a malicious code based on a search result for the suffix tree
A malicious code detection method.
The suffix tree includes:
A function call sequence extracted from a normal sample file and a function call sequence extracted from a malicious code sample file containing malicious code are processed,
A malicious code detection method, which is a final suffix tree generated by removing nodes for a function call sequence extracted from a normal sample file in a temporary suffix tree derived from a processed function call sequence.
The processing step comprises:
Wherein the function call sequence processing unit processes the function call sequence by merging successively repeated elements in a function call sequence received from the client.
Wherein the suffix tree searching unit includes a subsequence extracting unit and a subsequence matching unit,
Wherein the searching comprises:
The subsequence extracting unit extracting a subsequence by applying a sliding window to the processed function call sequence;
Wherein the subsequence matching unit determines whether the extracted subsequence matches a sequence derived from a node and an edge of the suffix tree
A malicious code detection method.
Wherein the extracting the subsequence comprises:
Wherein the subsequence extracting unit extracts the subsequence by sliding the window over the function call sequence by a predetermined number of elements.
Wherein the malicious code detection server further includes a malicious code information transmitting unit, and the malicious code detection method further comprises:
The malicious code information transmitting unit transmitting, when the target sample file is determined to be a malicious code, information indicating that the malicious code exists in the target sample file to the client.
A sample file execution unit for executing a malicious code sample file containing malicious code and a normal sample file;
A function call sequence extracting unit for extracting a first function call sequence for the malicious code sample file and a second function call sequence for the normal sample file;
A function call sequence processing unit for processing the extracted first function call sequence and the second function call sequence; And
A suffix tree generating unit for generating a suffix tree using the processed first function call sequence and the second function call sequence,
A suffix tree generation server comprising
The function call sequence processing unit,
And processing the first function call sequence and the second function call sequence by merging successively repeated elements in the extracted first function call sequence and the second function call sequence.
Wherein the suffix tree generating unit comprises:
Generating a temporary suffix tree based on the processed first function call sequence and the processed second function call sequence, and removing a node corresponding to a subsequence of the first function call sequence in the temporary suffix tree and an edge connecting the node, to determine the final suffix tree.
A suffix tree loading unit for loading the generated suffix tree based on the malicious code sample file;
A function call sequence receiving unit for receiving a function call sequence of a target sample file from a client;
A function call sequence processing unit for processing the received function call sequence;
A suffix tree search unit for searching a suffix tree for a subsequence of the processed function call sequence; And
A malicious code determination unit for determining whether the target sample file is a malicious code based on a search result for the suffix tree;
A malicious code detection server.
The suffix tree includes:
A function call sequence extracted from a normal sample file and a function call sequence extracted from a malicious code sample file containing malicious code are processed,
A malicious code detection server, which is a final suffix tree generated by removing nodes for a function call sequence extracted from a normal sample file from a temporary suffix tree derived from a processed function call sequence.
The function call sequence processing unit,
And processing the function call sequence by merging successively repeated elements in a function call sequence received from the client.
Wherein the suffix tree search unit comprises:
A subsequence extracting unit for extracting a subsequence by applying a sliding window to the processed function call sequence;
A subsequence matching unit for determining whether the extracted subsequence matches a sequence derived from a node and an edge of a suffix tree,
A malicious code detection server.
Wherein the subsequence extracting unit comprises:
Wherein the sliding window moves over the function call sequence by a predetermined number of elements, with successive windows overlapping, thereby extracting the subsequence.
The malicious code detection server further comprising:
A malicious code information transmitting unit for transmitting to the client information indicating that a malicious code exists in the target sample file when the target sample file is determined to be a malicious code.
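As an added example that is not part of the patent, the claimed pipeline end to end in Python: the merge step, a temporary suffix tree over both processed sequences, removal of the normal-sample nodes to obtain the final tree, and the sliding-window search of a target sequence. The call names and traces are constructed, and the tree is represented as an uncompressed suffix trie keyed by call name, which is an assumption; the patent does not fix the representation.

```python
# Added example, not the patent's own code; the call names below are constructed sample data.
class Node:  # suffix-trie node; each edge carries one call name (an uncompressed suffix tree)
    def __init__(self):
        self.kids = {}
        self.benign = False  # True when the path to this node also occurs in the normal sample

def merge_repeats(seq):
    """Processing step: merge successively repeated calls, e.g. A,B,B,B,C -> A,B,C."""
    out = []
    for call in seq:
        if not out or out[-1] != call:
            out.append(call)
    return out

def add_suffixes(root, seq, benign):  # insert every suffix of seq into the trie
    for i in range(len(seq)):
        node = root
        for call in seq[i:]:
            node = node.kids.setdefault(call, Node())
            node.benign = node.benign or benign  # normal-sample paths get marked benign

def prune(node):
    """Final-tree step: drop each node (and its edge) whose whole subtree occurs in the normal sample."""
    for call in list(node.kids):
        prune(node.kids[call])
        if node.kids[call].benign and not node.kids[call].kids:
            del node.kids[call]

def build_final_tree(malicious_seq, normal_seq):  # temporary tree from both sequences, then prune
    root = Node()
    add_suffixes(root, merge_repeats(malicious_seq), benign=False)
    add_suffixes(root, merge_repeats(normal_seq), benign=True)
    prune(root)
    return root

def find_hits(root, target_seq, window=2, step=1):
    """Search step: slide a window of `window` calls by `step`; a hit is a path ending on a non-benign node."""
    seq, hits = merge_repeats(target_seq), []
    for i in range(0, len(seq) - window + 1, step):
        node, sub = root, tuple(seq[i:i + window])
        for call in sub:
            node = node.kids.get(call)
            if node is None:
                break
        if node is not None and not node.benign:
            hits.append(sub)
    return hits

MALICIOUS = ["CreateFile", "WriteFile", "WriteFile", "RegSetValue", "CreateProcess"]
NORMAL = ["CreateFile", "WriteFile", "CloseHandle", "CreateFile", "ReadFile"]
TREE = build_final_tree(MALICIOUS, NORMAL)  # find_hits(TREE, trace) lists malicious-only windows
```

A window that spells a path shared with the normal sample (such as CreateFile, WriteFile above) is deliberately not a hit, which is what the node removal in the claims buys over a plain substring match.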
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150092118A KR101726360B1 (en) | 2015-06-29 | 2015-06-29 | Method and server for generating suffix tree, method and server for detecting malicious code with using suffix tree |
Publications (2)
Publication Number | Publication Date |
---|---|
KR20170002115A KR20170002115A (en) | 2017-01-06 |
KR101726360B1 true KR101726360B1 (en) | 2017-04-13 |
Family ID: 57832240
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101726360B1 (en) |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101472321B1 (en) * | 2013-06-11 | 2014-12-12 | 고려대학교 산학협력단 | Malignant code detect method and system for application in the mobile |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101091204B1 (en) * | 2010-02-26 | 2011-12-09 | 인하대학교 산학협력단 | A method for intrusion detection by pattern search |
KR101230271B1 (en) * | 2010-12-24 | 2013-02-06 | 고려대학교 산학협력단 | System and method for detecting malicious code |
KR101329037B1 (en) * | 2011-12-21 | 2013-11-14 | 한국인터넷진흥원 | System and method for detecting variety malicious code |
- 2015-06-29: KR KR1020150092118A patent/KR101726360B1/en active IP Right Grant
Legal Events
Date | Code | Title | Description |
---|---|---|---|
A201 | Request for examination | ||
E902 | Notification of reason for refusal | ||
GRNT | Written decision to grant |