JP2010134536A - Pattern file update system, pattern file update method, and pattern file update program - Google Patents

Abstract

Disclosed is an early distribution of additional pattern files.
A virus scanning unit 110 detects a virus in the inspection target 10 by comparing the pattern file 11 and the inspection target 10, and an abnormality detection unit 120 detects that the software behavior is abnormal, When an abnormality is detected by the abnormality detection unit 120, the information collection unit 130 collects the abnormality occurrence information 16 as information necessary for virus analysis, and the virus analysis unit 300 is collected by the information collection unit 130. An additional pattern file 18 is created by performing virus analysis using the abnormality occurrence information 16, and the pattern file distribution unit 400 distributes the additional pattern file 18 created by the virus analysis unit 300 to the device.
[Selection] Figure 1

Description

The present invention relates to a pattern file update system, a pattern file update method, and a pattern file update program.

  Computer equipment such as a personal computer (PC) is exposed to a virus attack. The damage caused by viruses on PCs is increasing year by year, and it is becoming more malicious. For example, viruses for the purpose of mischief were the mainstream before, but viruses for money have increased recently. With regard to mobile phones, mobile phones generally contain more personal information than PCs, and mobile phones with higher functionality contain more valuable information such as electronic money. Currently, no virus targeting mobile phones has occurred in Japan, but anti-virus technology for mobile phones will be improved due to the background of higher functionality of mobile phones, the use of general-purpose OSs for mobile phones, and advanced attacks. It is necessary.

  At present, virus scanning is the mainstream virus countermeasure technology for PCs. In this method, virus feature points are recorded in advance as pattern data, and it is checked whether there is anything matching this pattern at the time of inspection. Therefore, an unknown virus such as a new virus whose pattern is not defined cannot be detected, and there is a problem that damage is expanded until a new pattern is added.

As a method for determining the occurrence of a computer virus at an early stage and preventing the spread of infection damage in advance, for example, there is a method described in Patent Document 1 below.
JP 2007-233831 A

  However, in the above-mentioned document, it is not considered to extract and analyze information on new viruses in a comprehensive and rapid manner and to distribute the results, so that additional pattern files as a result of extraction and analysis cannot be distributed early. There was a problem.

  In view of the above-described problems, an object of the present invention is to provide a pattern file update system, a pattern file update method, and a pattern file update program that can distribute an additional pattern file at an early stage.

  In order to solve the above-described problems, a pattern file update system according to the present invention includes a virus scanning unit that detects a virus in the inspection target software file by comparing the pattern file and the inspection target software file, and execution of the inspection target software. An abnormality detecting means for detecting that the software behavior is abnormal, and an information collecting means for collecting information at the time of occurrence of abnormality as information necessary for virus analysis when an abnormality is detected by the abnormality detecting means, Virus analysis means for creating an additional pattern file by performing virus analysis using information on occurrence of anomaly collected by the information collection means, and pattern file distribution means for delivering the additional pattern file created by the virus analysis means, It is characterized by providing.

  With this configuration, the virus scanning unit detects a virus in the inspection target software file by comparing the pattern file with the inspection target software file, and the abnormality detection unit detects that the software behavior is abnormal during execution of the inspection target software. When an abnormality is detected by the abnormality detection means, the information collection means collects information on the occurrence of an abnormality as information necessary for virus analysis, and the virus analysis means is collected by the information collection means. An additional pattern file is created by performing virus analysis using the information at the time of abnormal occurrence, and the pattern file distribution means distributes the additional pattern file created by the virus analysis means. It becomes possible to deliver.

  Moreover, it is preferable that the pattern file update system of the present invention further includes an abnormality novelty confirmation unit that confirms whether or not the abnormality is a known abnormality when an abnormality is detected by the abnormality detection unit. .

  With this configuration, since the abnormality novelty confirmation unit confirms whether or not the abnormality is a known abnormality, it is possible to prevent acquiring unnecessary information.

  In the pattern file update system according to the present invention, when the abnormality novelty confirmation unit uses a return address that the software loads on the call stack as an element of the software behavior used by the abnormality detection unit, It is preferable to check whether the abnormality detected by the abnormality detection means is an existing abnormality by using the return address string on the call or the change of the return address string on the call stack between certain timings .

  With this configuration, the abnormality novelty confirmation unit can more accurately confirm whether or not the abnormality is a known abnormality.

  In the pattern file update system according to the present invention, when the abnormality novelty confirmation unit is a unit for evaluating the degree of abnormality with respect to the software behavior, the abnormality novelty confirmation unit uses the transition of the abnormality degree, It is preferable to confirm whether or not the abnormality detected by the detection means is an existing abnormality.

  With this configuration, the abnormality novelty confirmation unit can more accurately confirm whether or not the abnormality is a known abnormality.

  In order to solve the above problems, a pattern file update method of the present invention includes a virus scanning step for detecting a virus in the inspection target software file by comparing the pattern file and the inspection target software file, and execution of the inspection target software. An abnormality detection step for detecting that the software behavior is abnormal, and an information collection step for collecting information when an abnormality occurs as information necessary for virus analysis when an abnormality is detected in the abnormality detection step, A virus analysis step for creating an additional pattern file by performing virus analysis using the information at the time of occurrence of anomaly collected in the information collection step, and a pattern file distribution step for distributing the additional pattern file created in the virus analysis step And The features.

  With this configuration, in the virus scanning step, the virus in the inspection target software file is detected by comparing the pattern file with the inspection target software file. In the abnormality detection step, the software behavior is abnormal during the execution of the inspection target software. When an abnormality is detected in the abnormality detection step, information at the time of occurrence of abnormality as information necessary for virus analysis is collected in the information collection step, and collected in the information collection step in the virus analysis step. An additional pattern file is created by performing virus analysis using the information at the time of the abnormal occurrence, and the additional pattern file created in the virus analysis step is distributed in the pattern file distribution step. It is possible to deliver at an early stage.

  The pattern file update system according to the present invention described above can be understood as an invention according to a pattern file update program as follows.

  That is, the terminal control program according to the present invention includes a virus scanning unit that detects a virus in the inspection target software file by comparing the pattern file with the inspection target software file, and the execution of the inspection target software. An anomaly detecting means for detecting that the software behavior is abnormal, an information collecting means for collecting information at the time of occurrence of an abnormality as information necessary for virus analysis when an abnormality is detected by the anomaly detecting means, and an information collecting means The virus analysis means that creates an additional pattern file by performing virus analysis using the information at the time of occurrence of anomaly collected by, and the pattern file distribution means that delivers the additional pattern file created by the virus analysis means It is characterized by that. That is, as shown in FIG. 7, the pattern file update program includes a virus scanning module that detects viruses in the inspection target software file by comparing the pattern file with the inspection target software file, and the inspection target software. An abnormality detection module that detects that the software behavior is abnormal during execution, and an information collection module that collects information when an abnormality occurs as information necessary for virus analysis when an abnormality is detected by the abnormality detection means. A virus analysis module that creates an additional pattern file by performing virus analysis using the error occurrence information collected by the information collection module, and a pattern file distribution module that delivers an additional pattern file created by virus analysis means And Obtain.

  In order to solve the above problems, a pattern file update system according to the present invention includes a virus scanning unit that operates on an inspection target device and detects a virus in the inspection target software file by comparing the pattern file with the inspection target software file. During the execution of the software to be inspected, an abnormality detection unit that detects that the software behavior is abnormal, and when an abnormality is detected by the abnormality detection unit, information on the occurrence of the abnormality is collected as information necessary for virus analysis Information collection means that operates on the device to be inspected or the server, virus analysis means that creates an additional pattern file by performing virus analysis using information at the time of occurrence of abnormality collected by the information collection means, and a server An additional pattern file created by the virus analysis means that operates. Characterized in that it comprises a pattern file delivery means for signal, a.

  In order to solve the above problems, the pattern file update method of the present invention includes a virus scanning step in which the inspection target device detects a virus in the inspection target software file by comparing the pattern file and the inspection target software file, An abnormality detection step that detects that the software behavior is abnormal while the target device is running software, and an abnormality occurs as information necessary for virus analysis when an abnormality is detected in the abnormality detection step of the inspection target device An information collection step for collecting time information; a virus analysis step for creating an additional pattern file by performing virus analysis using the abnormality occurrence information collected in the information collection step by the inspection target device or server; The server is created during the virus analysis step Characterized in that it comprises a pattern file distribution step of distributing the additional pattern file, a.

  According to these inventions, the additional pattern file can be distributed at an early stage.

  According to the present invention, it is possible to distribute an additional pattern file at an early stage.

[First embodiment]
Hereinafter, embodiments of the present invention will be described with reference to the drawings.

  FIG. 1 shows a functional configuration diagram of a pattern file update system in the present embodiment. This is an example, and the configuration is not limited to this. The pattern file update system according to the present embodiment includes an inspection target device 100 (inspection target), a data mining unit 200, a virus analysis unit 300 (virus analysis unit), and a pattern file distribution unit 400 (pattern file distribution unit). Composed.

  The inspection target device 100 is a device to be inspected, and in this embodiment, a mobile phone is used as an example for explanation. However, the present invention is not limited thereto, and may be a simple mobile phone (PHS: Personal Handy-phone System), a portable information terminal (PDA: Personal Digital Assistant) having a communication function, or a personal computer (PC). good. Specifically, the inspection target device 100 includes a virus scanning unit 110 (virus scanning unit), an abnormality detection unit 120 (abnormality detection unit), and an information collection unit 130 (information collection unit). The inspection target device 100 uses the inspection target 10 (inspection target software file), the pattern file 11 (pattern file), and the in-system information 15 as input values, and outputs the abnormality occurrence information 16.

  In the example used for the description in the present embodiment, the data mining unit 200 and the virus analysis unit 300 are described as functions included in the server, but may be included in the inspection target device 100. When the data mining unit 200 is included in the inspection target device 100, the inspection target device 100 outputs the extraction information 17. If the virus analysis unit 300 is included in the test target device 100 in addition to the data mining unit 200, the test target device 100 outputs the additional pattern file 18.

  The virus scanning unit 110 receives the pattern file 11 in which a pattern from which a characteristic code of a virus is extracted and the inspection target 10 used on the inspection target device 100 are received and recorded in the pattern file 11 in the inspection target 10. It has a function to check whether a pattern is included. The virus scanning unit 110 determines that a virus exists in the inspection object 10 when the inspection object 10 includes the pattern recorded in the pattern file 11. In that case, the inspection target device 100 may perform processing such as execution stop and file deletion. When the virus scanning unit 110 determines that no virus exists in the inspection target 10, the virus scanning unit 110 notifies the abnormality detection unit 120 of a scan result 12 as information indicating that no virus exists.

  The abnormality detection unit 120 notifies the information collection unit 130 of the detection result 14 when a function for detecting an abnormality by inspecting the behavior of software executed on the inspection target device 100 and an abnormality are detected. It has a function.

  Specifically, the abnormality detection unit 120 receives the inspection object 10 and the scan result 12. The abnormality detection unit 120 detects an abnormality by comparing at least one of the black list and the white list included in the abnormality detection unit 120 with the received inspection object 10. Hereinafter, the abnormality detection method in the abnormality detection unit 120 will be described in detail.

  There are two types of inspection methods: normal behavior is recorded in advance, a white list format that detects a different behavior as abnormal, and abnormal behavior is recorded in advance, and the behavior that matches this is regarded as abnormal. It is a blacklist format to detect. Here, either may be used or used in combination.

  Behaviors that represent the characteristics of software operations can be used, such as resource usage, file access, system call calls, function call calls, etc., and whitelists and blacklists are created using these. can do. FIG. 2 shows an example of a white list when the four types are behaviors. One or more types of these behaviors may be used.

  Here, a case where system call calling and function call calling are used will be described as an example of using a plurality of functions. When certain software calls a function, it pushes the return address of the function called on the call stack. This return address is popped when the function returns and disappears from the call stack. In other words, by examining the return address loaded on the call stack at a certain point in time, it is possible to know the functions that have been called by the software and have not been returned so far. This can be used as a feature of software behavior.

  Each time the return address is pushed and popped, the call stack data may be acquired as a behavior. Moreover, you may acquire only within a certain timing. By adopting a configuration limited to a certain timing, the amount of data can be suppressed. In this case, a system call can be used as a certain timing. Generally, when a virus performs a malicious operation, it is necessary to use the function of the OS, and there is a high possibility that a system call will be used. In this case, the efficiency can be improved by examining the call stack triggered by the system call. Can be improved.

  When investigating the call stack when a system call is issued, the system call type and the return address on the call stack at that time may be defined as behavior. An example of this case is shown in FIG.

  When investigating the call stack when a system call is issued, a change in the return address on the call stack between system calls may be defined as a behavior. An example of this case is shown in FIG. In the example of FIG. 4, when the return addresses of (A) and (B) in FIG. 4 are compared from the bottom, the matching part is (C) and the mismatching part is (D). This mismatched part (D) is used for the behavior. In this example, q and p are popped and f is pushed between the system calls open and read, but it can be seen that these functions have changed from the mismatched portion. In this example, it is not possible to determine whether it has been popped or pushed, but it is also possible to add this information as a behavior. When these are implemented, the system call hook may use a ptrace system call or the like, or the system call call flow may be rewritten, and control may be transferred to the hook function for each system call call. A frame pointer can be used to obtain the return address of the call stack. In addition to the return address, variables and other register values are recorded in the call stack, and it is necessary to know which address in the call stack is recorded, but by using the frame pointer, This information can be obtained. Also, the frame pointer may not be used in a special environment such as an ARM architecture. In this case, the address where the return address is recorded by using Debug information or by disassembling and analyzing the binary. Can know. This may be used in an environment where a system call for acquiring a return address is prepared. For example, Windows (registered trademark) GetThreadCallStack is applicable.

  The abnormality detection unit 120 may detect an abnormality when a behavior that is not in the white list or a behavior that is in the black list is acquired even once. Or you may detect abnormality in the stage acquired several times. Further, the degree of abnormality of each behavior may be accumulated, and it may be determined that an abnormality has occurred when a certain threshold value is exceeded.

  When the detection result 14 is notified from the abnormality detection unit 120, the information collection unit 130 has a function of collecting abnormality occurrence information 16 as information necessary for virus analysis based on the in-system information 15. The information collection unit 130 has a function of transmitting the collected abnormality occurrence information 16 to the data mining unit 200. The data mining unit 200 may be omitted. In that case, the information collection unit 130 transmits the collected abnormality occurrence information 16 to the virus analysis unit 300.

  Examples of the abnormality occurrence information 16 include URLs and files accessed during a certain period, system calls and functions called during a certain period, memory dump, operation history, and the like. Furthermore, information on the software execution environment such as an OS (operating system) type, software name, and version can also be used.

  The data mining unit 200 has a function of receiving the abnormality occurrence information 16 collected by the information collection unit 130 and creating the extraction information 17 as information useful for virus analysis based on the received abnormality occurrence information 16. . Hereinafter, a method in which the data mining unit 200 creates the extracted information 17 from the abnormality occurrence time information 16 will be described in detail.

  There are two extraction points. The first is to consolidate information from the same virus into one, and the second is to remove unnecessary information from the abnormality occurrence information 16. The former can be realized by storing the sent information in a database and identifying it by comparing it. The content of the data depends on the information sent from the information collecting unit 130. Also, depending on the type of virus or the technique of the abnormality detection unit 120, it may be difficult to specify information necessary for virus analysis. In that case, all the information that may be necessary for the analysis is sent. By limiting this information as much as possible, it is possible to reduce the amount of data and speed up virus analysis in the next stage. Even when it is impossible to limit, it is possible to rank the degree of association with the occurrence of abnormality. For this purpose, a method of comparing information from a plurality of devices at the time of occurrence of the same abnormality and searching for a similar point or comparing with information from correct software and searching for a difference can be considered.

  In FIG. 1, the data mining unit 200 is connected to one inspection target device 100, but may be connected to a plurality of inspection target devices 100. In this case, the data mining unit 200 receives the abnormality occurrence information 16 from the plurality of information collecting units 130, and can collect information on new viruses more comprehensively. In FIG. 1, the data mining unit 200 is placed outside the inspection target device 100, but may be included in the inspection target device 100. With this configuration, the extracted information 17 having a smaller data amount than the abnormality occurrence information 16 is transmitted from the inspection target device 100 to an external server, so that the communication amount can be reduced. Moreover, a part of the function of the data mining unit 200 may be included in the inspection target device 100. Furthermore, the data mining unit 200 can be omitted.

  The virus analysis unit 300 detects the cause of the abnormality based on the extracted information 17 created by the data mining unit 200, and creates an additional pattern file 18 if the cause is not included in the pattern file 11. It has a function. When the data mining unit 200 is omitted, the virus analysis unit 300 receives the abnormality occurrence time information 16 from the information collection unit 130 and uses the received abnormality occurrence time information 16 to cause the abnormality. Is detected. Even in this case, the virus analysis unit 300 determines whether or not the cause is not included in the pattern file 11, and if the cause is a new virus, creates the additional pattern file 18 as described above. .

  The detection of the cause of the abnormality based on the extracted information 17 by the virus analysis unit 300 can be performed in the same manner as the virus scan currently used. Even if the abnormality detection unit 120 is not a virus, for example, irregular behavior due to a bug is regarded as abnormal. Further, it is determined that an abnormality has occurred even though the virus detection unit 120 is not infected by a defect in the white list or black list of the abnormality detection unit 120. These are first discovered at the stage of virus analysis. If the cause of the abnormality is a bug or deficiency in the list, you may request a bug or list correction.

  The pattern file distribution unit 400 has a function of distributing the additional pattern file 18 created by the virus analysis unit 300 to all devices or devices that require it. If the virus can be infected only in a specific environment (for example, OS type, software version), the virus may be distributed only to devices having the corresponding environment.

  FIG. 5 shows a hardware configuration of the inspection target device 100. As illustrated in FIG. 5, the inspection target device 100 physically includes a CPU 21, a main storage unit 22, an auxiliary storage unit 23 such as a hard disk, a communication control unit 24 that controls communication, and a display unit such as an LCD or an organic EL display. 25 and an operation unit 26 such as a keyboard. Each function of the pattern file update system 1 has a communication control unit 24, a display unit 25, and an operation unit under the control of the CPU 21 by reading predetermined software on hardware such as the CPU 21 and the main storage unit 22. 26, and reading and writing of data in the main storage unit 22 and the auxiliary storage unit 23 are realized.

  The correspondence between the hardware configuration and the functional configuration is shown below. Regarding the device to be inspected 100, the functions of the virus scanning unit 110, the abnormality detection unit 120, the information collection unit 130, the data mining unit 200, and the virus analysis unit 300 are executed by the CPU 21 as a physical component. Is realized.

  Next, the flow of processing in the pattern file update system 1 of this embodiment will be described with reference to FIG. The process of FIG. 6 starts when the execution of software is started.

  The virus scanning unit 110 acquires a file necessary for executing the software on the inspection target device 100 as the inspection target 10 (step S101), and compares the acquired inspection target 10 with the pattern file 11. It is confirmed whether or not a virus exists in the inspection object 10 (step S102). If a virus exists ("YES" in step S102), the inspection target device 100 performs virus blocking or removal measures such as stopping or deleting the use of the corresponding file (step S103). When step S103 is performed, the process ends. However, the inspection target device 100 may execute the software after the process of S103 and proceed to S104. If no virus exists ("NO" in step S102), execution of the software is started.

  The abnormality detection unit 120 acquires the inspection object 10 as the behavior of the software being executed at any time (step S104), and inspects whether an abnormality has occurred based on the acquired inspection object 10 (step S105). . When the abnormality detection unit 120 detects an abnormality ("YES" in step S105), the abnormality detection unit 120 notifies the information collection unit 130 of the detection result 14. When the information collection unit 130 receives the detection result 14 indicating that an abnormality has occurred, the information collection unit 130 collects the abnormality occurrence information 16 as information that may be necessary for virus analysis (step S106). The data mining unit 200 extracts information effective for virus analysis from the abnormality occurrence information 16 collected by the information collecting unit 130 (step S107). The virus analysis unit 300 performs virus analysis using the information extracted by the data mining unit 200, and creates an additional pattern file 18 (step S108). The pattern file distribution unit 400 distributes the additional pattern file 18 created by the virus analysis unit 300 to a device that needs it (step S109). When step S109 is performed, the process ends. However, after S109, the application may be resumed on the inspection target device to continue execution and monitoring. Note that step S107 may be omitted. In this case, in step S108, the virus analysis unit performs virus analysis using the abnormality occurrence information 16 collected by the information collection unit 130, and creates an additional pattern file 18.

  When a new file is used as an input value during software execution, or when another program is called, S101 and S102 are executed as needed even during a loop. If the abnormality detection unit 120 detects the occurrence of an abnormality in S105, the execution of the software is stopped. The use of the software may be interrupted as it is, or the execution of the software and the processing from step S106 to step S109 in FIG. 6 may be performed in parallel as separate processing.

  Next, the effect of the pattern file update system 1 of this embodiment is demonstrated.

  The virus scanning unit 110 of the pattern file update system 1 in this embodiment detects a virus in the inspection target 10 by comparing the pattern file 11 and the inspection target 10, and the abnormality detection unit 120 executes the software of the inspection target 10. When the software behavior is detected to be abnormal, and the abnormality detection unit 120 detects the abnormality, the information collection unit 130 collects the abnormality occurrence information 16 as information necessary for virus analysis, and The analysis unit 300 creates an additional pattern file 18 by performing virus analysis using the abnormality occurrence information 16 created by the information collection unit 130, and the pattern file distribution unit 400 is created by the virus analysis unit 300. In order to distribute the additional pattern file 18 to the device, the additional pattern file 18 is distributed at an early stage. It is possible to become.

  In addition, by distributing the additional pattern file 18 at an early stage, the number of victims infected with the new virus can be reduced. That is, according to the present invention, the security vendor can comprehensively and quickly collect information on the new virus, and as a result, the number of victims infected with the new virus can be reduced.

  Generally, a period until a new pattern is added is (1) a period until a new virus is discovered by a security vendor, (2) a security vendor analyzes the new virus, and adds an additional pattern file 18 It is divided into a period until it is created and (3) a period until the additional pattern file 18 is distributed to each virus scan. The present invention mainly focused on shortening the period of (1).

  In order to discover new viruses, security vendors mainly (A) investigate Internet sites such as writing by virus creators, and (B) honey that captures viruses by preparing an environment that is intentionally susceptible to viruses. Use of pots, (C) notifications from users who were actually damaged. However, in (A), information about all viruses is not written on the Internet site, and there are also problems such as time lag until writing and trouble of site investigation. Further, in (B), there is a problem that it takes time for the virus to reach the honeypot, and it is difficult to detect a virus that spreads (external media, Bluetooth, etc.) without going through the Internet. In (C), not all of the users who match the damage give notifications, and there are some viruses that are not noticed by the users, so the information is not sufficient. By using the pattern file update system 1 of the present invention, it is possible to overcome the above-mentioned problems and promptly inform the security vendor of information relating to the new virus.

[Second Embodiment]
Next, a second embodiment according to the present invention will be described with reference to FIG. 8, FIG. 9, and FIG. The description of the same parts as those in the first embodiment will be omitted here, and different parts from the first embodiment will be mainly described.

  FIG. 8 shows a functional configuration diagram of the pattern file update system 1 in the present embodiment. As shown in FIG. 8, the pattern file update system 1 according to this embodiment includes a test target device 100, a data mining unit 200, a virus analysis unit 300, and a pattern file distribution unit 400. The difference from the first embodiment is that the inspection target device 100 further includes an abnormality novelty confirmation unit 125.

  The abnormality novelty confirmation unit 125 has a function of receiving the detection result 14 from the abnormality detection unit 120, a function of confirming whether the abnormality detected by the abnormality detection unit 120 is a known one when the detection result 14 is received, And a function of outputting the detection result 14 according to the confirmed result. Hereinafter, a method in which the abnormality novelty confirmation unit 125 confirms whether or not the abnormality detected by the abnormality detection unit 120 is known will be described.

  The inspection target device 100 holds past data in a holding unit (not shown), and the abnormality novelty confirmation unit 125 compares the recorded past data with the detection result 14 received from the abnormality detection unit 120. Also good. Or you may compare with the past data recorded on the database cooperated with the virus analysis part 300. FIG. This database classifies abnormalities that were actually caused by viruses, abnormalities due to bugs, abnormalities due to incomplete lists, etc., and when they were found to be known abnormalities by comparison, they were adjusted accordingly. It is preferable to take measures. With this configuration, it is possible to efficiently deal with abnormalities.

  Database elements are defined as behavior. In addition to this, data associated with the behavior, for example, a score indicating the degree of abnormality may be registered in the database. Furthermore, exact matching may be used for matching with database behavior. Analogy may be used for matching with the behavior of the database. The following effects can be obtained by using the analogy. That is, for example, when the behavior shown in FIG. 3 is adopted, it is assumed that a function Z that performs a malicious operation by a virus is called as shown in FIG. In FIGS. 9A and 9B, since the third function from the bottom is different between x and y, it is determined that they are different when the exact matching is performed. However, it is thought that it is different only because it happened to be a different branch in the conditional branch. In this case, it is highly likely that it is correct that the virus has been infected with the same virus, but by using analogy, it can be detected that the virus has been infected with the same virus.

  In this case, the similarity may be determined by comparing only the top of the call stack, or the degree of abnormality may be expressed as a score, and if the degree of accumulation is accumulated, the similarity may be found depending on how the score changes.

  Next, the flow of processing in the pattern file update system 1 of this embodiment will be described with reference to FIG.

  The difference between the first embodiment and this embodiment is that step S206 is newly added. Since others are the same as those in the first embodiment, description thereof is omitted here. Note that steps S201 to S205 correspond to steps S101 to S105 in FIG. 6, and steps S207 to S210 correspond to steps S106 to S109 in FIG.

  When the abnormality detection unit 120 detects an abnormality ("YES" in step S205), the abnormality detection unit 120 notifies the abnormality novelty confirmation unit 125 of the detection result 14 (step S205). When receiving the notification of the detection result 14 from the abnormality detection unit 120, the abnormality novelty confirmation unit 125 checks whether the abnormality detected by the abnormality detection unit 120 is a known abnormality (step S206). When the abnormality novelty confirmation unit 125 does not confirm that the abnormality detected by the abnormality detection unit 120 is a known abnormality (“NO” in step S206), the abnormality novelty confirmation unit 125 performs the information collection unit 130. The information collection unit 130 collects information that may be necessary for virus analysis (step S207). When the abnormality novelty confirmation unit 125 confirms that the abnormality detected by the abnormality detection unit 120 is a known abnormality (“YES” in step S206), the abnormality novelty confirmation unit 125 includes the information collection unit 130. The process of step S204 is performed without notifying the detection result 14. If “YES” is determined in the step S206, the execution of the software may be terminated.

  Next, the effect of the pattern file update system 1 in this embodiment is demonstrated.

  In the pattern file update system 1 according to the present embodiment, the virus scanning unit 110 detects a virus in the inspection target 10 by comparing the pattern file 11 and the inspection target 10, and the abnormality detection unit 120 detects software of the inspection target 10. When it is detected that the software behavior is abnormal during the execution, and the abnormality detection unit 120 detects the abnormality, the abnormality novelty confirmation unit 125 confirms whether the abnormality is a known abnormality. When the novelty confirmation unit 125 does not confirm that the abnormality is known, the information collection unit 130 collects the abnormality occurrence information 16 as information necessary for virus analysis, and the virus analysis unit 300 An additional pattern file 18 is created by performing virus analysis using the abnormality occurrence information 16 collected by the collection unit 130. Pattern file delivery unit 400 becomes able to deliver additional pattern file 18 created by the virus analysis unit 300 in the device, it is possible to prevent acquiring the unnecessary information.

It is a figure which shows the function structure of the pattern file update system in 1st embodiment. It is a figure which shows the example of the white list | wrist for abnormality detection. It is a schematic diagram which shows an example of behavior. It is a schematic diagram which shows an example of behavior. It is a hardware block diagram of the test object apparatus shown in FIG. It is a figure which shows the flow of a process in the pattern file update system in 1st embodiment. It is a figure which shows the function structure of the pattern file update program in 1st embodiment. It is a figure which shows the function structure of the pattern file update system in 2nd embodiment. It is a schematic diagram which shows an example of behavior. It is a figure which shows the flow of a process in the pattern file update system in 2nd embodiment.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 1 ... Pattern file update system, 10 ... Inspection object, 11 ... Pattern file, 12 ... Scan result, 14 ... Detection result, 16 ... Information at the time of abnormality occurrence, 17 ... Extraction information, 18 ... Additional pattern file, 100 ... Inspection object apparatus , 110 ... virus scanning unit, 120 ... abnormality detection unit, 125 ... abnormality novelty confirmation unit, 130 ... information collection unit, 200 ... data mining unit, 300 ... virus analysis unit, 400 ... pattern file distribution unit.

Claims (8)

Virus scanning means for detecting a virus in the inspection target software file by comparing the pattern file and the inspection target software file;
An abnormality detection means for detecting that the software behavior is abnormal during execution of the software to be inspected,
When an abnormality is detected by the abnormality detection means, information collection means for collecting information on occurrence of abnormality as information necessary for virus analysis;
Virus analysis means for creating an additional pattern file by performing virus analysis using information on occurrence of anomaly collected by the information collection means;
Pattern file delivery means for delivering an additional pattern file created by the virus analysis means;
A pattern file update system.   The pattern file update system according to claim 1, further comprising: an abnormality novelty confirmation unit that confirms whether or not the abnormality is a known abnormality when an abnormality is detected by the abnormality detection unit. .   When the abnormality novelty confirmation unit uses a return address that the software loads on the call stack as an element of the software behavior used by the abnormality detection unit, a return address string on the call stack at a certain timing, or 3. The pattern according to claim 2, wherein whether or not the abnormality detected by the abnormality detection means is an existing abnormality is determined by using a change in the return address string on the call stack between timings. File update system.   When the abnormality detection means is a means for evaluating the degree of abnormality with respect to the software behavior, the abnormality novelty confirmation means uses the transition of the abnormality degree to detect that the abnormality detected by the abnormality detection means is an existing one. 3. The pattern file update system according to claim 2, wherein it is confirmed whether or not there is an abnormality. A virus scanning step of detecting a virus in the inspection target software file by comparing the pattern file and the inspection target software file;
An abnormality detection step for detecting that the software behavior is abnormal during execution of the software to be inspected,
When an abnormality is detected in the abnormality detection step, an information collection step for collecting information on occurrence of abnormality as information necessary for virus analysis;
A virus analysis step of creating an additional pattern file by performing virus analysis using the abnormality occurrence information collected in the information collection step;
A pattern file distribution step for distributing the additional pattern file created in the virus analysis step;
A pattern file update method comprising: Computer
Virus scanning means for detecting a virus in the inspection target software file by comparing the pattern file and the inspection target software file;
An abnormality detection means for detecting that the software behavior is abnormal during execution of the software to be inspected,
When an abnormality is detected by the abnormality detection means, information collection means for collecting information on occurrence of abnormality as information necessary for virus analysis;
Virus analysis means for creating an additional pattern file by performing virus analysis using information on occurrence of anomaly collected by the information collection means;
Pattern file delivery means for delivering an additional pattern file created by the virus analysis means;
Pattern file update program to function as Operates on the device to be inspected,
Virus scanning means for detecting a virus in the inspection target software by comparing the pattern file and the inspection target software file;
An abnormality detection means for detecting that the software behavior is abnormal during execution of the software to be inspected,
When an abnormality is detected by the abnormality detection means, information collection means for collecting information on occurrence of abnormality as information necessary for virus analysis;
Operates on the inspection target device or server,
Virus analysis means for creating an additional pattern file by performing virus analysis using abnormality occurrence information collected by the information collection means;
A pattern file distribution unit that operates on the server and distributes an additional pattern file created by the virus analysis unit;
A pattern file update system. A virus scanning step in which the inspection target device detects a virus in the inspection target software file by comparing the pattern file and the inspection target software file;
An abnormality detection step of detecting that the software behavior is abnormal while the inspection target device is executing software,
When the abnormality is detected in the abnormality detection step, the inspection target device collects information on occurrence of abnormality as information necessary for virus analysis, and
The virus analysis step of creating an additional pattern file by performing virus analysis using the abnormality occurrence information collected in the information collection step, by the inspection target device or the server,
A pattern file distribution step in which the server distributes the additional pattern file created in the virus analysis step;
A pattern file update method comprising:

Images