KR102045772B1 - Electronic system and method for detecting malicious code - Google Patents

Abstract

The present invention provides a classification information storage for storing classification information regarding a classification to which each of the system calls occurring in a user device belongs, one or more normal call models generated based on system calls each occurring when a normal code is executed; Model-informed storage, each of which stores information about one or more malicious invocation models generated based on system calls that occur when malicious code is executed, and a detection target call that includes system calls made by an application executed on a user device. A data receiver receiving the data of the pattern, an application feature extractor extracting a feature on system calls included in the detected call pattern by referring to classification information, and extracted with at least one of normal call models and malicious call models Compare the characteristics of the application An electronic system is provided that includes a code detector for detecting whether a row code is malicious. According to the present invention, not only known malicious code but also variant malicious code or unknown malicious code can be detected.

Description

Electronic systems and methods for detecting malware {ELECTRONIC SYSTEM AND METHOD FOR DETECTING MALICIOUS CODE}

The present invention relates to the detection of malicious code, and more particularly to an electronic system and method for detecting malicious code.

Malicious code is used to attack specific or unspecific targets. An attack by malicious code is initiated, for example, by executing a file infected with malicious code. Users of electronic systems unknowingly run files infected with malware or download files infected with malware over the Internet. Malicious code causes various problems such as personal information leakage, system destruction, denial of service, and so on. Therefore, detecting malicious code has been highlighted as an important issue in recent years.

In order to detect malicious code, static analysis and dynamic analysis are performed. Static analysis is used to reversely analyze the code of files suspected of being infected with malicious code. Static analysis predicts the behavior of files suspected of being infected with malicious code. Dynamic analysis is used to directly check the behavior of files suspected of being infected with malicious code by executing files suspected of being infected with malware.

Through static and dynamic analysis, files suspected of being infected with malicious code can be analyzed and malicious code can be detected. Static and dynamic analysis can accurately detect known malicious code. However, Mutant malware or unknown malware is difficult to detect.

To complement static and dynamic analysis, heuristic techniques are used. Heuristic techniques are used to detect variant or unknown malicious code that includes code patterns similar to known malicious code. For example, to detect variant malware or unknown malware, the behavior of the process may be monitored based on known scenarios. However, abnormal behavior not included in the scenario is difficult to detect. In addition, if a file suspected of being infected with malicious code has been executed for a long time, it is difficult to track suspicious activity.

Malicious code penetrates into attack targets through various routes and hides for a long time. In addition, malicious code attack patterns are becoming more diverse and evolving. For this reason, it is difficult to detect malicious code in advance and prepare for attack in advance. Therefore, there is a need for a method for accurately detecting not only known malicious code but also variant malicious code or unknown malicious code.

In addition to known malware, electronic systems and methods are provided for detecting variant or unknown malware. In an embodiment of the present invention, the electronic system may extract a feature regarding system calls generated by an application and generate a call model to detect malicious code. have. In particular, the electronic system according to an embodiment of the present invention generates not only a malicious call model generated based on system calls generated when malicious code is executed, but also based on system calls generated when normal code is executed. Can refer to the normal call model.

According to an embodiment of the present disclosure, an electronic system includes: classification information storage configured to store classification information regarding a classification to which each of system calls occurring in a user device belongs; One or more normal call models, each generated based on system calls that occur when the normal code executes on the user device, and one or more generated based on system calls, each generated when the malicious code executes on the user device. Model information storage configured to store information regarding malicious call models; A data receiver configured to be provided with data of a detection target call pattern including system calls made by an application executed on a user device; An application feature extractor configured to extract a feature relating to system calls included in the detected call pattern by referring to the provided data and classification information; And a code detector configured to detect whether the executable code of the application is malicious by comparing the extracted characteristic with at least one of the one or more normal calling models and the one or more malicious calling models.

In one embodiment of the invention, the categorization information includes information about a correspondence between at least one of a process, thread, memory, file, registry, network, service, and other categorizations and system calls occurring in the user device. can do.

According to an embodiment of the present disclosure, the electronic system may further include a model generator configured to generate one or more normal call models and one or more malicious call models with reference to classification information in advance before data of the detected call pattern is provided. Can be.

In one embodiment of the present invention, the model generator may update at least one of one or more normal call models and one or more malicious call models based on the extracted feature and the detection result of the code detector.

In one embodiment of the invention, each of the one or more normal call models is a classification of each of the system calls that occur when normal code is executed, and the location of memory accessed when normal code is executed, the system accessed when normal code is executed. The file may be generated based on at least one of a kind of a file, a kind of a registry accessed when the normal code is executed, a characteristic of a network accessed when the normal code is executed, and a type of a service operating when the normal code is executed. Furthermore, each of the one or more malicious calling models may be classified into a class of each of the system calls occurring when the malicious code is executed, the location of the memory accessed when the malicious code is executed, the type of system file accessed when the malicious code is executed, and the malicious code. May be generated based on at least one of a kind of a registry accessed when the program is executed, a characteristic of a network accessed when the malicious code is executed, and a type of a service that operates when the malicious code is executed.

In an embodiment of the present invention, the application feature extractor includes classifications to which system calls included in the detected call pattern belong, order of occurrence of system calls included in the detected call pattern, and system calls included in the detected call pattern. At least one of each call count may be extracted.

According to another embodiment of the present invention, an electronic system includes an event hooker, each configured to execute an application, and configured to hook system calls occurring when the application is executed, and generate an event log regarding the hooked system calls. A plurality of computing devices configured to; A classification information storage configured to store classification information regarding a classification to which each of the system calls occurring in the plurality of computing devices belongs; One or more normal call models, each generated based on system calls that occur when normal code is executed on a plurality of computing devices, and each based on system calls that occur when malicious code is executed on a plurality of computing devices. Model information storage configured to store information about the generated one or more malicious invocation models; An application feature extractor configured to extract a feature about hooked system calls with reference to the event log and classification information; And comparing the extracted characteristic with at least one of the one or more normal calling models and the one or more malicious calling models to detect whether the executable code of the application includes at least one of malicious code, variant malicious code, and suspicious code. It may include a code detector.

In another embodiment of the present invention, a characteristic relating to hooked system calls may include at least one of the categories to which the hooked system calls belong, the order in which the hooked system calls occur, and the number of calls of each of the hooked system calls. Can be.

According to another embodiment of the present invention, an electronic system is configured to store information on at least one of malicious code, variant malicious code, and suspect code included in an execution code of an application based on a detection result of a code detector in a database. It may further include a result processor.

According to another embodiment of the present invention, a method for detecting malicious code using an electronic system includes: normal call pattern information about system calls occurring when normal code is executed on a computing device, and malicious code to be executed on a computing device. Collecting malicious call pattern information regarding system calls that occur when; Generating one or more normal call models and one or more malicious call models based on the normal call pattern information and the malicious call pattern information, respectively; Receiving data of a detection target call pattern including system calls made by an application executed on one or more user devices; Extracting a characteristic about system calls included in a call pattern to be detected by referring to classification information regarding a classification to which each of the system calls occurring in the computing device belongs; And comparing the extracted characteristic with at least one of one or more normal call models and one or more malicious call models to detect whether the execution code of the application is malicious.

In another embodiment of the invention, the detecting step comprises: comparing the extracted characteristic with at least one of the one or more normal call models; And when the similarity between the target normal call model compared with the extracted feature and the extracted feature among the one or more normal call models is equal to or greater than the first reference value, determining that the execution code of the application is normal.

According to another embodiment of the present invention, if the similarity between the target normal call model and the extracted feature is greater than or equal to the first reference value and the difference between the target normal call model and the extracted feature is greater than or equal to the second reference value, the extracted method is extracted. The method may further include updating the target normal call model by referring to the property.

In another embodiment of the present invention, the detecting step comprises: when the similarity between each of the one or more normal call models and the extracted feature is less than the first reference value, at least one of the one or more malicious call models and the extracted feature Comparing the; And when the similarity between at least one of the one or more malicious calling models and the extracted characteristic is equal to or greater than a third reference value, determining that the execution code of the application includes malicious code.

In another embodiment of the invention, the detecting step comprises: if the similarity between the extracted characteristic and at least one of the one or more malicious invocation models is less than the third reference value and is greater than or equal to the fourth reference value, the executable code of the application is modified. The method may further include determining that the malicious code is included.

In another embodiment of the invention, the detecting step further comprises: managing the executable code of the application as suspect code when the similarity between each of the one or more malicious invocation models and the extracted characteristic is less than the fourth reference value. It may include.

In another embodiment of the present invention, the managing step may include: determining that the executable code of the application includes new malicious code when the similarity between each of the one or more normal call models and the extracted feature is equal to or less than a fifth reference value; step; And generating a new malicious calling model corresponding to the new malicious code with reference to the extracted characteristic.

In another embodiment of the present invention, the managing includes: storing the execution code of the application as the interest code when the similarity between the extracted characteristic and at least one of the one or more normal call models is greater than the fifth reference value ; And when another executable code including the code of interest is detected, generating a new malicious calling model corresponding to the code of interest with reference to the extracted feature.

According to an embodiment of the present invention, not only the known malicious code but also the modified malicious code or unknown malicious code may be detected. Furthermore, if there is a history of attack patterns similar to the detection results, the detection results can be used to find the attack path and source. Thus, new types of attacks can be prepared. In addition, according to an embodiment of the present invention, an application may be efficiently classified based on a call model.

1 is a block diagram illustrating an electronic system according to an exemplary embodiment of the present disclosure.
FIG. 2 is a block diagram illustrating a computing device included in the electronic system of FIG. 1.
3 is a table showing examples of classifications to which system calls occurring in the computing device of FIG. 2 belong.
4 is a block diagram illustrating a malicious code detection system included in the electronic system of FIG. 1 and an event hooker included in the computing device of FIG. 2.
5 is a conceptual diagram illustrating a process of detecting malicious code by using the malicious code detection system of FIG. 4.
6 is a block diagram illustrating a malicious code detection system included in the electronic system of FIG. 1.
7 is a block diagram illustrating a malicious code detection system included in the electronic system of FIG. 1.
8A and 8B are flowcharts illustrating an operation of a malicious code detection system according to an embodiment of the present invention.
9 is a flow chart that describes in more detail the step of detecting malicious code of FIG. 8B.
10 is a flow chart that describes in more detail the steps of managing the suspicious code of FIG.

The foregoing characteristics and the following detailed description are all illustrative for ease of explanation and understanding of the invention. That is, the present invention is not limited to this embodiment and may be embodied in other forms. The following embodiments are merely examples to fully disclose the present invention, and are descriptions for conveying the present invention to those skilled in the art to which the present invention pertains. Thus, where there are several methods for implementing the components of the present invention, it is necessary to clarify that the implementation of the present invention is possible in any of these methods or any of the same.

In the present specification, when there is a statement that a configuration includes specific elements, or when a process includes specific steps, it means that other elements or other steps may be further included. That is, the terms used in the present specification are only for describing specific embodiments and are not intended to limit the concept of the present invention. Furthermore, the described examples to aid the understanding of the invention also include their complementary embodiments.

The terms used herein have the meanings that are commonly understood by those skilled in the art. Terms commonly used should be interpreted in a consistent sense in the context of the present specification. In addition, terms used in the present specification should not be interpreted in an idealistic or formal sense unless the meaning is clearly defined. Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings.

1 is a block diagram illustrating an electronic system according to an exemplary embodiment of the present disclosure. The electronic system 1000 may include a malicious code detection system 100, one or more computing devices 210, 220, 230, a wired network 310, and a wireless network 320.

For example, the malicious code detection system 100 may be implemented in the form of a server system. To this end, the malware detection system 100 may include one or more computing devices. For example, the computing device included in the malicious code detection system 100 may be an electronic device such as a general purpose computer, a workstation, or the like. For example, the computing device included in the malware detection system 100 may include one or more processors.

The malicious code detection system 100 may perform a unique function according to the operation of one or more processors. The malicious code detection system 100 may detect malicious code that attacks the computing devices 210, 220, and 230. The configuration and operation of the malware detection system 100 is described with reference to FIGS. 4-10.

By way of example, each of the computing devices 210, 220, 230 may be a user device. For example, each of the computing devices 210, 220, 230 may be an electronic device such as a personal computer, a notebook, a smartphone, a tablet, a wearable device, or the like, but the present invention is not limited to this example. Each of the computing devices 210, 220, 230 may include one or more processors. For example, each of the computing devices 210, 220, 230 may include a processor such as a general purpose processor, a workstation processor, an application processor, or the like.

The computing devices 210, 220, and 230 may perform unique functions according to the operation of the processor. For example, the computing devices 210, 220, 230 may execute an application and provide a service to a user. In some cases, the execution code of the application executed by the computing devices 210, 220, 230 may include malicious code. Alternatively, the execution code of the application executed by the computing devices 210, 220, and 230 may include Mutant malicious code or unknown malicious code. The electronic system 1000 according to an embodiment of the present invention may detect malicious code, variant malicious code, or unknown malicious code included in the execution code of the application.

The computing devices 210, 220, 230 may perform unique functions alone. Alternatively, the computing devices 210, 220, 230 may perform unique functions by communicating with other computing devices via a network. By way of example, computing devices 210, 220, 230 may communicate with other computing devices via at least one of wired network 310 and wireless network 320.

For example, the wired network 310 may support interface protocols such as Universal Serial Bus (USB), Peripheral Component Interconnect Express (PCIe), Serial Advanced Technology Attachment (SATA), or the like, or may use Transmission Control Protocol / Internet Protocol (TCP / IP). Support communication protocols such as For example, wireless network 320 may include Long Term Evolution (LTE), Worldwide Interoperability for Microwave Access (WiMax), Global System for Mobile Communication (GSM), Code Division Multiple Access (CDMA), Bluetooth, Near Field Communication (NFC). , Communication protocols such as WiFi (Wireless Fidelity), and Radio Frequency Identification (RFID) can be supported. However, the above examples are intended to aid the understanding of the present invention and are not intended to limit the present invention.

The computing devices 210, 220, 230 may communicate with the malware detection system 100 through at least one of the wired network 310 and the wireless network 320. The computing devices 210, 220, 230 may transmit data to the malicious code detection system 100 through at least one of the wired network 310 and the wireless network 320. The configuration and operation of computing device 210 are described with reference to FIG. 2.

In FIG. 1, the electronic system 1000 is shown to include three computing devices 210, 220, 230. However, the number of computing devices 210, 220, 230 is not limited by FIG. 1. The electronic system 1000 may include one, two, or four or more computing devices. The number of computing devices included in the electronic system 1000 may be changed or modified in various ways.

FIG. 2 is a block diagram illustrating a computing device included in the electronic system of FIG. 1. As an example, FIG. 2 shows the computing device 210 of FIG. 1. Each of the other computing devices 220, 230 included in the electronic system 1000 of FIG. 1 may be configured and operate similarly to the computing device 210. Therefore, overlapping descriptions of other computing devices 220 and 230 included in the electronic system 1000 of FIG. 1 are omitted for convenience of description.

For example, the computing device 210 may include a processor 211, a memory 213, a storage 215, an event hooker 217, and a bus 219. However, the configuration of the computing device 210 shown in FIG. 2 is merely an example to help understand the present invention. The computing device 210 may further include other components not shown in FIG. 2 (eg, a communication module, a user interface, etc.). Alternatively, computing device 210 may not include one or more of the components shown in FIG. 2. The present invention is not limited by the configuration shown in FIG.

The processor 211 may process operations performed by the computing device 210. By way of example, processor 211 may include one or more processor cores. By way of example, processor 211 may be a general purpose processor, workstation processor, or application processor.

 The memory 213 may temporarily store data processed or to be processed by the processor 211. For example, the memory 213 may be a volatile memory such as a static random access memory (SRAM), a dynamic RAM (DRAM), a synchronous DRAM (SDRAM), or a flash memory, a phase-change RAM (PRAM), or an MRAM (Magneto). non-volatile memory, such as -resistive RAM (REST), resistive RAM (ReRAM), ferro-electric RAM (FRAM), or the like.

The storage 215 can store data regardless of power supply. For example, the storage 215 may store files used to drive an operating system, executable files of an application, and user data. For example, the storage 215 may be a device including a nonvolatile memory such as a hard disk drive (HDD), a solid state drive (SSD), a secure digital (SD) card, or the like.

The computing device 210 can run an application. By way of example, executable files of an application may be stored in storage 215. When an execution request of an application is provided from a user of the computing device 210, the processor 211 may load data necessary for executing the application from the storage 215 to the memory 213. The processor 211 may process operations necessary for executing an application by using the data loaded in the memory 213.

When an application is run on computing device 210, various types of system calls may occur and system calls may be handled by an operating system. Accordingly, the application may provide a service to the user of the computing device 210 using the resources of the computing device 210. System calls occurring at computing device 210 are described with reference to FIG. 3.

The event hooker 217 may hook system calls that occur when an application is executed. Hooking refers to the act of intercepting function calls, system messages, or events. According to the operation of the event hooker 217, system calls occurring when an application is executed in the computing device 210 may be identified.

In an embodiment, computing device 210 may generate an Event Log regarding system calls hooked by event hooker 217. That is, computing device 210 may generate data about system calls that occur when an application is executed. In an embodiment, the event log may be stored in the memory 213 or the storage 215. The stored event log may be transmitted to the malicious code detection system 100 of FIG. 1 through the wired network 310 or the wireless network 320 of FIG. 1. The malicious code detection system 100 may detect whether the execution code of the application is malicious by referring to the event log. Detection of malicious code is described with reference to FIGS. 4-10.

As an example, the stored event log may be sent to the malware detection system 100 periodically (eg, every minute). Alternatively, the stored event log may be transmitted to the malicious code detection system 100 when a specific condition is met (eg, when a transmission request occurs). However, the present invention is not limited by the above embodiments and examples. As another example, data regarding system calls hooked by the event hooker 217 may be sent to the malware detection system 100 in real time. Embodiments of the invention may be variously changed or modified as necessary.

The bus 219 may provide a communication path between the components of the computing device 210. By way of example, the processor 211, memory 213, storage 215, and event hooker 217 may exchange data with each other via a bus 219. The bus 219 may be configured to support various types of communication formats used in the computing device 210.

3 is a table showing examples of classifications to which system calls occurring in the computing device of FIG. 2 belong.

As an example, each of the system calls that occur when an application is executed may be associated with one of a process, a thread, a memory, a file, a registry, a network, a service, and other classifications. Can be. For example, the "CreateProcess" system call may belong to a process classification, and the "ReadFile" system call may belong to a file classification. For example, when a "ReadFile" system call occurs when an application is executed, processing (eg, a read operation) on a system file may be performed. As an example, the "NtOpenThread" API function call of the Windows operating system may correspond to the "OpenThread" system call of the thread classification.

When an application runs, one or more system calls may occur to provide a service to a user. The event hooker 217 shown in FIG. 2 may hook system calls that occur when an application is executed. Thus, according to the operation of the event hooker 217, system calls that occur when an application is executed may be identified.

However, system calls that occur when the application's normal execution code is executed may be different from system calls that occur when the malicious code is executed. For example, if an application is infected with malicious code, system calls may occur that are different from system calls that occur when normal executable code is executed. Thus, by examining system calls that occur when a particular application is executed, it may be detected whether the executable code of that particular application is malicious. Detection of malicious code is described with reference to FIGS. 4-10.

3 is an example to help understanding of the present invention. 3 shows a process, thread, memory, file, registry, network, service, and other classifications as a classification to which each of the system calls belongs. However, the classifications to which the system calls belong can be variously changed or modified as necessary. For example, depending on the type of operating system used in the computing device 210 of FIG. 2, the classifications to which the system calls belong may be changed or modified.

Furthermore, the type and number of system calls belonging to each category may also be variously changed or modified. In Figure 3, the numbers assigned to the system calls, respectively, are provided for convenience of explanation.

By way of example, the classifications to which the system calls belong may be designed in more detail or schematically than shown in FIG. 3. That is, the number of classifications to which system calls belong may be more than eight or less than eight. As an example, the classes to which the system calls belong may be uniquely selected. Alternatively, the classifications to which the system calls belong may be designed to change dynamically depending on the environment. Embodiments of the invention may be variously changed or modified as necessary.

4 is a block diagram illustrating a malicious code detection system included in the electronic system of FIG. 1 and an event hooker included in the computing device of FIG. 2. In an embodiment, the malicious code detection system 100 includes a classification information storage 110, a data receiver 120, an application feature extractor 130, a model information storage 140, and a code detector 150. can do.

The classification information storage 110 may store classification information. The classification information is information about the classifications to which the system calls originating from the computing device (eg, user device) belong. For example, the classification information storage 110 may store classification information corresponding to the table shown in FIG. 3. That is, the classification information storage 110 may store information regarding a corresponding relationship between at least one of a process, thread, memory, file, registry, network, service, and other classifications and system calls occurring in the computing device. .

As described with reference to FIGS. 2 and 3, event hooker 217 may hook system calls that occur when an application executes on a computing device. Depending on the operation of the event hooker 217, an event log may be generated regarding hooked system calls. In order to detect whether the executable code of the application is malicious, the event log may be consulted. The series of system calls generated by the execution of the application may be treated as being included in the "detected call pattern".

The data receiver 120 may receive data of a detection target call pattern. Data of the detection target call pattern may be generated based on the event log. That is, data receiver 120 may be provided with data regarding system calls hooked by event hooker 217 when the application is executed. For example, the data receiver 120 may be provided with data of a detection target call pattern through the wired network 310 or the wireless network 320 of FIG. 1.

The application feature extractor 130 may extract a feature about system calls included in the detected call pattern. That is, the application feature extractor 130 may extract a feature about system calls hooked by the event hooker 217 when the application is executed. The application feature extractor 130 may refer to the classification information stored in the data and classification information storage 110 provided through the data receiver 120 to extract the feature.

With reference to FIG. 3, the features extracted by the application feature extractor 130 are described. For convenience of explanation, the case where the Nth system call occurs T times will be denoted as "(N / T)". For example, five occurrences of the "ReadProcessMemory" system call of FIG. 3 may be indicated as "(15/5)".

For example, when the target application is executed, the "ExitThread" system call may occur once and the "TerminateThread" system call may occur once. According to the operation of the event hooker 217, an event log including information indicating that the "ExitThread" system call occurs once and the "TerminateThread" system call occurs once may be generated. The malicious code detection system 100 may receive data of a detection target call pattern generated based on the event log. The application feature extractor 130 may extract a feature of "(10/1) (11/1)" with reference to the provided data and classification information.

As mentioned above, by way of example, the application feature extractor 130 may include classifications to which system calls (i.e., system calls hooked by the event hooker 217) that are included in the detection target call pattern belong to the detection target call. At least one of an occurrence order of system calls included in the pattern and a number of calls of each of the system calls included in the detection target call pattern may be extracted. Each application can generate a unique system call pattern to provide a service. Accordingly, the features extracted by the application feature extractor 130 may be used to identify the type of application or to detect whether the executable code of the application is malicious.

Model information storage 140 may store information about one or more normal call models and one or more malicious call models. Each of the normal call models may be generated based on system calls that occur when normal code is executed at a computing device (eg, user device). By way of example, a normal call model may be generated based on system calls made by execution of an application that is not infected with malicious code. In contrast, each of the malicious call models may be generated based on system calls that occur when malicious code is executed on the computing device.

In an embodiment, before the event hooker 217 operates, the first application not infected with malicious code may be executed in advance. When system calls corresponding to the characteristic of "(10/1) (11/1)" are generated by the execution of the first application, the first application is based on the characteristic of "(10/1) (11/1)". A normal call model corresponding to may be generated. The normal call model corresponding to the first application not infected with the malicious code may be different from the normal call model corresponding to the second application not infected with the malicious code. Thus, based on normal call models, the first application can be distinguished from the second application.

Similarly, before the event hooker 217 operates, the first malicious code may be executed in advance. When system calls corresponding to the characteristics of "(10/1) (31/1)" occur according to the execution of the first malicious code, the first is based on the characteristics of "(10/1) (31/1)". A malicious call model corresponding to malicious code may be generated. The malicious calling model corresponding to the first malicious code may be different from the malicious calling model corresponding to the second malicious code. Furthermore, the malicious calling model may differ from the normal calling model. Thus, based on normal calling models and malicious calling models, malicious code can be detected.

In the above example, “before the event hooker 217 operates” may refer to a learning process of the malicious code detection system 100. The malicious code detection system 100 may pre-learn normal call models and malicious call models through a learning process before detecting malicious code according to the operation of the event hooker 217. The learning process of the malware detection system 100 is further described with reference to FIG. 8A.

The characteristic corresponding to the normal call model or the malicious call model may indicate information such as a classification to which the system call belongs, an order of occurrence of system calls, a call count of the system call, and the like. Thus, based on the characteristics corresponding to the normal calling model or the malicious calling model, the characteristics of the application or the malicious code can be identified. Hereinafter, unique characteristics such as "(10/1) (11/1)" and "(10/1) (31/1)" will be referred to as "feature chains".

Above, it has been described that a normal call model or a malicious call model is generated based on the characteristics of system calls. However, the normal call model or malicious call model is not only the characteristics of the system calls themselves, but also the location of the memory accessed by the system call, the type of system file accessed by the system call, the type of registry accessed by the system call. , The nature of the network accessed by the system call, the type of service operating by the system call, the meaning imposed by interpreting the nature of the system calls, and the like. The above examples are provided to aid the understanding of the present invention and for convenience of description, and are not intended to limit the present invention.

The code detector 150 may reference normal call models and malicious call models stored in the feature and model information storage 140 extracted by the application feature extractor 130. As an example, the code detector 150 may compare the extracted characteristic with at least one of normal call models and malicious call models.

The code detector 150 may detect whether the executable code of the application is malicious based on the comparison result. For example, the code detector 150 may detect whether the execution code of the application includes at least one of malicious code, variant malicious code, and suspicious code based on the comparison result. The code detector 150 may generate a detection result DR.

For example, if the extracted characteristic is the same as or similar to the normal calling model corresponding to the first application not infected with the malicious code, the execution code of the application may be determined to be normal. On the other hand, if the extracted characteristic is the same as or similar to the malicious calling model corresponding to the first malicious code, the execution code of the application may be determined to be malicious. Detection of malicious code is described in more detail with reference to FIGS. 8B-10.

5 is a conceptual diagram illustrating a process of detecting malicious code by using the malicious code detection system of FIG. 4. In FIG. 5, only the application feature extractor 130, the model information storage 140, and the code detector 150 included in the malicious code detection system 100 of FIG. 4 are shown. However, the configuration shown in FIG. 5 is for convenience of description and is not intended to limit the present invention. As mentioned above, the malware detection system 100 may further include other components not shown in FIG. 5.

The application characteristic extractor 130 may be provided with data of the detection target call pattern. The data of the detected call pattern may be generated based on an event log regarding system calls that occur when the target application is executed at the computing device (eg, user device). The application feature extractor 130 may receive data of a detection target call pattern generated by the target application to detect whether the execution code of the target application is malicious.

The application characteristic extractor 130 may refer to classification information (eg, information corresponding to the table of FIG. 3) stored in the classification information storage 110 of FIG. 4 to include system calls (ie, target applications) included in the detection target call pattern. This can occur when executed and extracts properties relating to system calls hooked by the event hooker 217 of FIG. 2. For example, the application characteristic extractor 130 may extract a characteristic of "(10/1) (11/1) (31/1) (29/1) (31/1) (15/5)". This extracted property consists of one 10th system call, one 11th system call, one 31st system call, one 29th system call, and one 31st system call. It may occur once again, and it may mean that the 15th system call has occurred 5 times.

The code detector 150 may compare at least one of normal call models and malicious call models stored in the model information storage 140 with a feature extracted by the application feature extractor 130. By way of example, the code detector 150 may be a property chain "(10/1) (11/1) (31/1) (29/1) (30/1) (31/1) stored in the model information storage 140. (15/5) (18/1) "and" (10/1) (11/1) (31/1) (29/1) (31/1) (31/1) (15) extracted by the application feature extractor 130 / 5) "can be compared.

In an embodiment of the present disclosure, a reference value for determining similarity may be set. For example, when the reference value is 80%, it may be determined whether the similarity between the stored feature chain and the extracted feature is 80% or more. If the similarity is 80% or more, it may be determined that the extracted feature is similar to the stored feature chain.

The code detector 150 may detect whether the execution code of the target application is malicious based on the comparison result. When the characteristic chain compared to the extracted characteristic corresponds to the normal invocation model, the execution code of the target application may be determined to be normal. On the other hand, if the feature chain compared to the extracted feature corresponds to the malicious invocation model, the execution code of the target application may be determined to be malicious. The code detector 150 may generate a detection result DR corresponding to the determination result.

The reference value for the similarity determination may be variously selected as necessary. In some embodiments, multiple reference values may be used. Processing of comparison and determination according to an embodiment of the present invention is described in more detail with reference to FIGS. 8B to 10.

6 is a block diagram illustrating a malicious code detection system included in the electronic system of FIG. 1. In an embodiment, the malicious code detection system 100 included in the electronic system 1000 of FIG. 1 may include the malicious code detection system 100a of FIG. 6. In an embodiment, the malware detection system 100a may include a classification information storage 110, a data receiver 120, an application feature extractor 130, a model information storage 140, a code detector 150, and a model generator 160. ) May be included.

The application characteristic extractor 130 may extract the characteristics of system calls that occur when an application is executed on the computing device (eg, user device). To this end, the application feature extractor 130 may refer to the classification information stored in the classification information storage 110 and the data DAT of the detection target call pattern provided through the data receiver 120.

The code detector 150 may detect whether the executable code of the application executed on the computing device is malicious. To this end, the code detector 150 may refer to the features extracted by the application feature extractor 130 and the feature chains stored in the model information storage 140.

The configurations and functions of the classification information storage 110, the data receiver 120, the application feature extractor 130, the model information storage 140, and the code detector 150 of FIG. 6 are each classified information storage ( 110, the data receiver 120, the application feature extractor 130, the model information storage 140, and the code detector 150. Duplicate descriptions of the classification information storage 110, the data receiver 120, the application feature extractor 130, the model information storage 140, and the code detector 150 are omitted below for convenience of description.

In an embodiment, before the data DAT of the detection target call pattern is provided, the computing device (eg, the user device) may execute normal code and malicious code in advance. The model generator 160 may collect information about system calls made by normal code and malicious code that are executed in advance. The model generator 160 may generate one or more normal call models and one or more malicious call models based on the classification information stored in the classification information storage 110 and the previously collected information. The normal call models and malicious call models previously generated by the model generator 160 may be used to detect whether the executable code of the application that generated the detection target call pattern is malicious.

In the above embodiment, "before the data DAT of the detection target call pattern is provided" may mean a learning process of the malicious code detection system 100a. The malicious code detection system 100 may learn the normal call models and the malicious call models in advance through a learning process before examining the data DAT of the detection target call pattern. The learning process of the malware detection system 100a is further described with reference to FIG. 8A.

In an embodiment, the model generator 160 may update normal call models and malicious call models. For example, when the version of an application is updated, the executable code of that application may change and the characteristics of system calls made by that application may change. In this case, the normal call model corresponding to the application needs to be updated. The model generator 160 may update at least one of normal call models and malicious call models based on the feature extracted by the application feature extractor 130 and the detection result DR of the code detector 150.

As mentioned above, the malicious code detection system 100a may previously learn normal call models and malicious call models through a learning process. Further, the malicious code detection system 100a may update the learned normal call models and the learned malicious call models. That is, the malicious code detection system 100a may perform repetitive learning based on the detection result DR. Through repeated learning, a normal calling model or a malicious calling model with the most appropriate property chain can be generated.

As mentioned above, each of the normal call models may be generated based on the nature of the system calls that occur when normal code is executed. For example, the normal call model may be generated based on at least one of the classifications to which the system calls belong, the order in which the system calls occur, and the number of calls of each of the system calls. Furthermore, the normal call model is characterized by the location of the memory accessed when the normal code is executed, the type of system file accessed when the normal code is executed, the type of registry accessed when the normal code is executed, and the characteristics of the network accessed when the normal code is executed. And based on at least one of a type of service operating when the normal code is executed.

And, each of the malicious call models may be generated based on the characteristics of system calls that occur when the malicious code is executed. For example, the malicious call model may be generated based on at least one of the classifications to which the system calls belong, the order in which the system calls occur, and the number of calls of each of the system calls. Furthermore, the malicious calling model is characterized by the location of the memory accessed when the malicious code is executed, the type of system file accessed when the malicious code is executed, the type of registry accessed when the malicious code is executed, and the characteristics of the network accessed when the malicious code is executed. , And may be generated based on at least one of the types of services operating when the malicious code is executed.

However, the examples and embodiments mentioned above are provided to help the understanding of the present invention. The invention is not limited by the examples and embodiments mentioned above. The present invention can be implemented in various forms as necessary.

7 is a block diagram illustrating a malicious code detection system included in the electronic system of FIG. 1. In an embodiment, the malicious code detection system 100 included in the electronic system 1000 of FIG. 1 may include the malicious code detection system 100b of FIG. 7. In an embodiment, the malicious code detection system 100b may include a classification information storage 110, a data receiver 120, an application feature extractor 130, a model information storage 140, a code detector 150, and a detection result processor 170. ), And a database 175.

The application characteristic extractor 130 may extract the characteristics of system calls that occur when an application is executed on the computing device (eg, user device). To this end, the application feature extractor 130 may refer to the classification information stored in the classification information storage 110 and the data DAT of the detection target call pattern provided through the data receiver 120.

The code detector 150 may detect whether the executable code of the application executed on the computing device is malicious. To this end, the code detector 150 may refer to the features extracted by the application feature extractor 130 and the feature chains stored in the model information storage 140.

The configurations and functions of the classification information storage 110, the data receiver 120, the application feature extractor 130, the model information storage 140, and the code detector 150 of FIG. 7 are each classified information storage ( 110, the data receiver 120, the application feature extractor 130, the model information storage 140, and the code detector 150. Duplicate descriptions of the classification information storage 110, the data receiver 120, the application feature extractor 130, the model information storage 140, and the code detector 150 are omitted below for convenience of description.

In an embodiment, the detection result processor 170 may be provided with the detection result of the code detector 150. The detection result processor 170 may store information corresponding to the detection result in the database 175. In particular, the detection result processor 170 stores information about at least one of malicious code, variant malicious code, and suspicious code included in executable code of an application executed on a computing device (eg, a user device) in the database 175. Can be.

For example, the database 175 may store various information such as a characteristic chain of malicious code, a kind of an application including malicious code, operations executed by the malicious code, and the like. Information stored in the database 175 may be used to detect malicious code and prepare for attack by malicious code. For example, based on the information stored in the database 175, the electronic system 1000 may manage an operation policy and perform a defense procedure for defending against the attack of malicious code.

8A and 8B are flowcharts illustrating an operation of a malicious code detection system according to an embodiment of the present invention. For example, the malicious code detection system according to an embodiment of the present invention may perform learning about normal call models and malicious call models according to the method described with reference to FIG. 8A. Furthermore, the malicious code detection system according to an embodiment of the present invention may detect malicious code according to the method described in FIG. 8B. To aid in the understanding of the present invention, FIGS. 8A and 8B are referred to together.

In operation S1100, normal call pattern information and malicious call pattern information may be collected. Normal call pattern information is information about system calls that occur when normal code is executed on a computing device (eg, a user device). Malicious call pattern information is information about system calls that occur when malicious code is executed on a computing device. For example, the model generator 160 of FIG. 6 may collect normal call pattern information and malicious call pattern information in advance. For example, the model generator 160 of FIG. 6 may operate the event hooker 217 of FIG. 2 to collect information, but the invention is not limited by this example.

In step S1200, one or more normal call models and one or more malicious call models may be generated. The normal call models may be generated based on the normal call pattern information collected in step S1100. The normal invocation model may include a characteristic chain of applications that are not infected with malicious code. The malicious call models may be generated based on the malicious call pattern information collected in step S1100. Malicious invocation models can include a characteristic chain of malicious code. For example, the model generator 160 of FIG. 6 may generate normal call models and malicious call models in advance based on the information collected in operation S1100.

The malicious code detection system according to an embodiment of the present invention may perform learning through steps S1100 and S1200. Steps S1100 and S1200 may be performed repeatedly. Thus, the malicious code detection system according to an embodiment of the present invention may generate and collect one or more normal call models and one or more malicious call models. The malicious code detection system according to an embodiment of the present invention may detect malicious code according to the method described in FIG. 8B based on the learning result.

In operation S1300, data of a detection target call pattern may be provided. As mentioned above, the detection target call pattern may include system calls made by an application executed on one or more user devices. As an example, system calls made by an application may be hooked by the event hooker 217 of FIG. For example, the application characteristic extractor 130 of FIG. 4 may be provided with data of a detection target call pattern through the data receiver 120 of FIG. 4. The detection target call pattern may be referenced to detect whether the executable code of the application is malicious.

In operation S1400, properties regarding system calls included in a detection target call pattern may be extracted. For example, the application characteristic extractor 130 of FIG. 4 may extract characteristics of system calls included in a detection target call pattern with reference to classification information. As mentioned above, the classification information is information about the classification to which each of the system calls occurring at the computing device belongs.

In step S1500, it may be detected whether the execution code of the application is malicious. For example, the code detector 150 of FIG. 4 may compare at least one of the normal call models and the malicious call models generated in operation S1200 with the extracted feature in operation S1400. The code detector 150 may detect whether the executable code of the application is malicious based on the comparison result. Step S1500 is described in more detail with reference to FIG. 9.

9 is a flow chart that describes in more detail the step of detecting malicious code of FIG. 8B. In an embodiment, step S1500 of FIG. 8B may include steps S1510 to S1580 of FIG. 9. For example, step S1500 may be processed by the code detector 150 of FIG. 4.

In operation S1510, the feature extracted in operation S1400 of FIG. 8B may be compared with at least one of the one or more normal call models generated in operation S1200 of FIG. 8A. For example, the code detector 150 may compare the feature extracted by the application feature extractor 130 of FIG. 4 with at least one of the normal call models to determine whether the execution code of the application is normal.

In step S1520, the similarity between the extracted feature and the normal call models may be determined. For example, when the similarity between the target normal call model and the extracted feature compared to the extracted feature among the normal call models is greater than or equal to the first reference value, it may be determined that the similarity is high. If it is determined that the similarity is high, step S1530 may be performed. On the other hand, when the similarity is smaller than the first reference value, it may be determined that the similarity is low. If it is determined that the similarity is low, step S1540 may be performed.

In operation S1530, the execution code of the application may be determined to be normal. If the similarity between the extracted feature and the target normal call model is equal to or greater than the first reference value, the code detector 150 may determine that the execution code of the application is normal.

In an embodiment, when the execution code of the application is normal, step S1535 may be performed. In operation S1535, the target normal call model may be updated. For example, when the version of the application is updated, the executable code of the application may change and the nature of system calls made by the application may change. In this case, the normal call model (that is, the target normal call model) corresponding to the application needs to be updated. For example, if the difference between the extracted feature and the target normal call model is greater than or equal to the second reference value, the model generator 160 of FIG. 6 may update the target normal call model with reference to the extracted feature. With repeated learning, the target normal call model with the most appropriate characteristic chain can be generated.

In operation S1540, the extracted characteristic may be compared with at least one of the one or more malicious calling models generated in operation S1200 of FIG. 8A. For example, the code detector 150 may compare the extracted characteristic with at least one of the malicious calling models to determine whether the executable code of the application is malicious.

In operation S1550, the similarity between the extracted feature and the malicious call model may be determined. For example, when the similarity between at least one of the malicious call models and the extracted characteristic is equal to or greater than a third reference value, it may be determined that the similarity is high. If it is determined that the similarity is high, step S1560 may be performed. Furthermore, when the similarity is smaller than the third reference value and is equal to or greater than the fourth reference value, it may be determined that the similarity is mid-high. If it is determined that the similarity is a serious injury, step S1570 may be performed. On the other hand, when the similarity is smaller than the fourth reference value, it may be determined that the similarity is low. If it is determined that the similarity is low, step S1580 may be performed.

In operation S1560, the execution code of the application may be determined to include malicious code. If the similarity between at least one of the malicious call models and the extracted feature is equal to or greater than a third reference value, the code detector 150 may determine that the execution code of the application includes malicious code.

In operation S1570, the execution code of the application may be determined to include variant malicious code. If the similarity between at least one of the malicious invocation models and the extracted characteristic is smaller than the third reference value and is greater than or equal to the fourth reference value, the code detector 150 may determine that the executable code of the application includes the modified malicious code. .

In operation S1580, it may be determined that the execution code of the application includes the suspect code. If the similarity between each of the malicious invocation models and the extracted characteristic is smaller than the fourth reference value, the execution code of the application may be managed as suspicious code. Step S1580 is described in more detail with reference to FIG. 10.

In an embodiment, the database 175 of FIG. 7 may store various information such as a characteristic chain of malicious code, a type of an application including malicious code, operations performed by the malicious code, and the like. Furthermore, the database 175 may further store tag information regarding whether the detected malicious code is a known malicious code, a modified malicious code, or a suspected code. Information stored in the database 175 may be used to detect malicious code and prepare for attack by malicious code.

10 is a flow chart that describes in more detail the steps of managing the suspicious code of FIG. In an embodiment, step S1580 of FIG. 9 may include steps S1581 to S1585 of FIG. 10. For example, step S1580 may be processed by the code detector 150 of FIG. 4.

As described with reference to FIG. 9, when the similarity between each of the malicious invocation models and the extracted feature is smaller than the fourth reference value, the execution code of the application may be managed as the suspect code in step S1580. That is, when the similarity between the extracted feature and the normal call model is low and the similarity between the extracted feature and the malicious call model is low, the execution code of the application may be managed as suspicious code.

In step S1581, the similarity between the extracted feature and the normal call models may be determined once more. Operation S1581 may be performed again separately from operation S1520 of FIG. 9. Alternatively, step S1581 may be performed by referring to the result obtained in step S1520.

For example, if the similarity between each of the normal call models and the extracted characteristic is equal to or less than the fifth reference value, it may be determined that the similarity is very low. If it is determined that the similarity is very low, step S1583 may be performed. On the other hand, when the similarity is greater than the fifth reference value, it may be determined that the similarity is not very low. If it is determined that the similarity is not very low, step S1585 may be performed.

In step S1583, a new malicious call model may be generated. Even if the similarity between the extracted feature and the malicious calling model is low, if the similarity between the extracted feature and the normal calling model is very low, the executable code of the application may include new malicious code that is not yet known. Therefore, when the similarity between each of the normal call models and the extracted feature is equal to or less than the fifth reference value, the code detector 150 may determine that the execution code of the application includes the new malicious code. Further, with reference to the extracted characteristic, a characteristic chain of new malicious code can be defined. The newly defined feature chain may be stored in the model information storage 140 of FIG. 4 as a new malicious call model.

In operation S1585, the execution code of the application may be stored as interest code. If the similarity between the extracted feature and the malicious invocation model is low and the similarity between the extracted feature and the normal invocation model is not very low, it is difficult to determine whether the application's executable code is malicious. Thus, if the similarity between at least one of the normal call models and the extracted feature is greater than the fifth reference value, the executable code of the application may be stored as the code of interest. As an example, the database 175 of FIG. 7 may store a code of interest.

The stored code of interest can be used to detect malicious code and prepare for attack by malicious code. For example, if other executable code is detected that includes a stored code of interest, the stored code of interest may be malicious. Thus, when other executable code containing a stored code of interest is detected, a new malicious invocation model corresponding to the stored code of interest may be generated. A new malicious call model can be created by defining a characteristic chain of new malicious code based on the extracted characteristics.

The construction shown in each conceptual diagram should only be understood from a conceptual point of view. In order to help the understanding of the present invention, the shape, structure, size, etc. of each component shown in the conceptual diagram are exaggerated or reduced. The actual implementation may have a different physical shape than shown in the respective conceptual diagrams. Each conceptual diagram is not intended to limit the physical shape of the components.

The device configuration shown in each block diagram is to assist in understanding the invention. Each block may be formed of smaller units of blocks depending on the function. Alternatively, the plurality of blocks may form a larger unit block according to a function. That is, the technical idea of the present invention is not limited by the configuration shown in the block diagram.

The present invention has been described above with reference to the embodiments of the present invention. However, in view of the characteristics of the technical field to which the present invention belongs, the object of the present invention may be achieved in a form different from the above embodiments while including the gist of the present invention. Therefore, the above embodiments are to be understood in terms of description rather than limitation. That is, the technical idea which can achieve the same objective as this invention, including the summary of this invention, should be interpreted as being included in the technical idea of this invention.

Therefore, modifications or variations of the technical spirit within the scope not departing from the essential characteristics of the present invention are included in the protection scope claimed by the present invention. In addition, the protection scope of the present invention is not limited to the above embodiments.

100, 100a, 100b: Malware Detection System
110: classification information storage 120: data receiver
130: application property extractor 140: model information storage
150: code detector 160: model generator
170: detection result handler 175: database
210, 220, 230: computing device 211: processor
213: Memory 215: Storage
217: Event Hooker 219: Bus
310: wired network 320: wireless network
1000: electronic system

Claims (17)

A classification information storage configured to store classification information regarding a classification to which each of the system calls occurring in the user device belongs;
One or more normal call models, each generated based on system calls that occur when normal code is executed on the user device, and each generated based on system calls that occur when malicious code is executed on the user device. Model information storage configured to store information about one or more malicious invocation models;
A data receiver configured to be provided with data of a detection target call pattern including system calls made by an application executed in the user device;
An application feature extractor configured to extract a feature relating to system calls included in the detected call pattern by referring to the provided data and the classification information;
Compare the extracted characteristic with at least one of the one or more normal calling models and the one or more malicious calling models to determine whether the executable code of the application includes at least one of malicious code, variant malicious code, and suspicious code. A code detector configured to detect; And
A database configured to store information regarding at least one of the malicious code, the modified malicious code, and the suspect code included in the executable code of the application based on a detection result of the code detector,
The code detector uses the information stored in the database to obtain the detection result. The method of claim 1,
The categorization information includes information regarding a correspondence between at least one of a process, thread, memory, file, registry, network, service, and other categorizations and system calls occurring in the user device. The method of claim 1,
Before the data of the detection target call pattern is provided, the one or more normal call models and the one or more malicious call models are generated with reference to the classification information in advance, and the extracted characteristics and the detection result of the code detector are generated. And a model generator configured to update at least one of the one or more normal call models and the one or more malicious call models based. The method of claim 1,
The code detector is:
If the similarity between each of the one or more normal call models and the extracted characteristic is equal to or greater than a first reference value, determine that the execution code of the application is normal,
If the similarity between at least one of the one or more malicious invocation models and the extracted feature is less than the first reference value and is greater than or equal to a third reference value, determine that the executable code of the application includes the malicious code,
If the similarity between at least one of the one or more malicious invocation models and the extracted feature is less than the third reference value and is greater than or equal to a fourth reference value, determine that the executable code of the application includes the variant malicious code; , And
If the similarity between each of the one or more malicious invocation models and the extracted characteristic is less than the fourth reference value, the execution code of the application is managed as the suspect code,
If the similarity between each of the one or more normal invocation models and the extracted feature is less than the fourth reference value and less than or equal to a fifth reference value, determine that the executable code of the application includes new malicious code, and
If the similarity between at least one of the one or more normal call models and the extracted characteristic is less than the fourth reference value and greater than the fifth reference value, store the executable code of the application as an interest code in the database. Electronic system further configured. The method of claim 1,
Each of the one or more normal call models includes a classification of each of the system calls that occur when the normal code is executed, a location of memory accessed when the normal code is executed, a type of system file accessed when the normal code is executed, Generated based on at least one of a type of a registry accessed when the normal code is executed, a characteristic of a network accessed when the normal code is executed, and a type of service operating when the normal code is executed,
Each of the one or more malicious calling models may include a classification of each of the system calls occurring when the malicious code is executed, a location of a memory accessed when the malicious code is executed, a type of system file accessed when the malicious code is executed, And an electronic system generated based on at least one of a type of a registry accessed when the malicious code is executed, a characteristic of a network accessed when the malicious code is executed, and a type of a service operating when the malicious code is executed. The method of claim 1,
The application feature extractor includes classifications to which system calls included in the detection target call pattern belongs, an order of occurrence of system calls included in the detection target call pattern, and a number of calls of each of the system calls included in the detection target call pattern. And to extract at least one of the electronic systems. A plurality of computing devices, each configured to execute an application, comprising an event hooker configured to hook system calls that occur when the application is executed, and configured to generate an event log regarding the hooked system calls;
A classification information storage configured to store classification information regarding a classification to which each of the system calls occurring in the plurality of computing devices belong;
One or more normal call models generated based on system calls that occur when normal code executes on the plurality of computing devices, and system calls that occur when malicious code executes on the plurality of computing devices, respectively. Model information storage configured to store information about one or more malicious invocation models generated based on the information;
An application feature extractor configured to extract a feature relating to the hooked system calls with reference to the event log and the classification information;
Compare the extracted characteristic with at least one of the one or more normal calling models and the one or more malicious calling models to determine whether the executable code of the application includes at least one of malicious code, variant malicious code, and suspicious code. A code detector configured to detect; And
A database configured to store information regarding at least one of the malicious code, the modified malicious code, and the suspect code included in the executable code of the application based on a detection result of the code detector,
The code detector uses the information stored in the database to obtain the detection result. The method of claim 7, wherein
And the characteristic with respect to the hooked system calls comprises at least one of a classification to which the hooked system calls belong, an order of occurrence of the hooked system calls, and a number of calls of each of the hooked system calls. The method of claim 7, wherein
The code detector is:
If the similarity between each of the one or more normal call models and the extracted characteristic is equal to or greater than a first reference value, determine that the execution code of the application is normal,
If the similarity between at least one of the one or more malicious invocation models and the extracted feature is less than the first reference value and is greater than or equal to a third reference value, determine that the executable code of the application includes the malicious code,
If the similarity between at least one of the one or more malicious invocation models and the extracted feature is less than the third reference value and is greater than or equal to a fourth reference value, determine that the executable code of the application includes the variant malicious code; , And
If the similarity between each of the one or more malicious invocation models and the extracted characteristic is less than the fourth reference value, the execution code of the application is managed as the suspect code,
If the similarity between each of the one or more normal invocation models and the extracted feature is less than the fourth reference value and less than or equal to a fifth reference value, determine that the executable code of the application includes new malicious code, and
If the similarity between at least one of the one or more normal call models and the extracted characteristic is less than the fourth reference value and greater than the fifth reference value, store the executable code of the application as an interest code in the database. Electronic system further configured. In a method for detecting malicious code using an electronic system,
Collecting normal call pattern information about system calls that occur when normal code is executed on a computing device, and malicious call pattern information about system calls that occur when malicious code is executed on the computing device;
Generating one or more normal call models and one or more malicious call models based on the normal call pattern information and the malicious call pattern information, respectively;
Receiving data of a detection target call pattern including system calls made by an application executed on one or more user devices;
Extracting a characteristic of system calls included in the detected call pattern by referring to classification information regarding a classification to which each of the system calls generated by the computing device belongs;
Compare the extracted characteristic with at least one of the one or more normal calling models and the one or more malicious calling models to determine whether the executable code of the application includes at least one of malicious code, variant malicious code, and suspicious code. Detecting; And
Storing information about at least one of the malicious code, the modified malicious code, and the suspected code included in the executable code of the application based on a detection result of a code detector, in a database;
The detection result is obtained using the information stored in the database. The method of claim 10,
The detecting step is:
Comparing the extracted feature with at least one of the one or more normal call models; And
Determining that the execution code of the application is normal when the similarity between the target normal call model compared with the extracted feature and the extracted feature among the one or more normal call models is equal to or greater than a first reference value; Way. The method of claim 11,
If the similarity between the target normal call model and the extracted feature is equal to or greater than the first reference value and the difference between the target normal call model and the extracted feature is equal to or greater than a second reference value, Updating the target normal invocation model. The method of claim 11,
The detecting step is:
Comparing the extracted feature with at least one of the one or more malicious call models when the similarity between each of the one or more normal call models and the extracted feature is less than the first reference value; And
If the similarity between at least one of the one or more malicious invocation models and the extracted feature is greater than or equal to a third reference value, determining that the executable code of the application includes the malicious code. The method of claim 13,
The detecting step is:
Determining that the executable code of the application includes the variant malicious code when the similarity between at least one of the one or more malicious invocation models and the extracted feature is less than the third reference value and equal to or greater than a fourth reference value The method further comprises a step. The method of claim 14,
The detecting step is:
If the similarity between each of the one or more malicious invocation models and the extracted feature is less than the fourth reference value, managing the executable code of the application as the suspect code. The method of claim 15,
The managing step is:
If the similarity between each of the one or more normal call models and the extracted feature is less than or equal to a fifth reference value, determining that the executable code of the application includes new malicious code; And
Generating a new malicious calling model corresponding to the new malicious code by referring to the extracted characteristic. The method of claim 16,
The managing step is:
If the similarity between at least one of the one or more normal call models and the extracted feature is greater than the fifth reference value, storing the executable code of the application as an interest code in the database; And
And when another executable code including the code of interest is detected, generating a new malicious calling model corresponding to the code of interest with reference to the extracted characteristic.

Images