
WO2017078222A1 - System and method for collecting malicious script behavior information based on HTML5 - Google Patents


Info

Publication number
WO2017078222A1
Authority
WO
WIPO (PCT)
Prior art keywords
behavior information
analysis target
event
web page
management unit
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/KR2016/000346
Other languages
English (en)
Inventor
Hwan Kuk Kim
Jong Hun Jung
Han Chul Bae
Hyun Rok Choo
Sang Hwan Oh
Soo Jin Yoon
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Korea Internet and Security Agency
Original Assignee
Korea Internet and Security Agency
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Korea Internet and Security Agency

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis

Definitions

  • the present inventive concept relates to a system and a method for collecting malicious script behavior information based on HTML5.
  • a malicious code refers to a code that is created for the purpose of an unusual operation or a system harm behavior, and is a concept that includes computer virus, worm and Trojan.
  • a malicious script refers to a malicious program that is written in a script language. Of the malicious scripts discovered to date, most are written in Visual Basic Script, mIRC script and JavaScript, and several are written in PHP script, Corel Draw script and the like.
  • a signature-based scanning method is commonly used, as with malicious code in binary form.
  • Because signature-based scanning can detect only malicious code whose signature has been extracted in advance through close analysis, heuristic scanning, static analysis, behavior monitoring techniques and the like are used to detect unknown new malicious scripts.
  • An aspect of the present inventive concept provides a system for collecting malicious script behavior information based on HTML5 that executes the malicious script in a virtual browser to collect the behavior information, and creates a behavior information node tree based on the collected behavior information to improve the malicious script discrimination speed and accuracy.
  • Another aspect of the present inventive concept provides a method for collecting malicious script behavior information based on HTML5 that executes the malicious script in a virtual browser to collect the behavior information, and creates a behavior information node tree based on the collected behavior information to improve the malicious script discrimination speed and accuracy.
  • a system for collecting malicious script behavior information based on HTML5 that includes a behavior information collection unit that receives provision of an analysis target URL, and executes an analysis target web page connected to the analysis target URL on a virtual browser to extract and store the behavior information; a system management unit that checks an operation status of the behavior information collection unit, determines the operation start and the operation end of the behavior information collection unit, and provides the analysis target URL to the behavior information collection unit; and a behavior information management unit that receives the provision of the behavior information node from the behavior information collection unit to add a third field, using a first field and a second field, and generates a behavior information node tree, using a correlation between a plurality of behavior information nodes.
  • a system for collecting malicious script behavior information based on HTML5 that includes an interface unit that receives the provision of an analysis request from an external system and provides an analysis result to the external system; a system management unit that receives the provision of an analysis target URL from the interface unit and checks the operation status of the virtual browser module; a behavior information collection unit that includes the virtual browser module, receives the provision of the analysis target URL from the system management unit, executes an analysis target web page connected to the analysis target URL on the virtual browser module to extract the behavior information, and stores a behavior information node that is an execution time of the behavior information; and a behavior information management unit that receives the provision of the behavior information node from the behavior information collection unit to add a third field, using a first field and a second field, and generates a behavior information node tree, using a correlation between a plurality of behavior information nodes.
  • a method for collecting malicious script behavior information based on HTML5 includes receiving the provision of an analysis request from an external system; providing an analysis target URL to a virtual browser module; executing an analysis target web page connected to the analysis target URL on the virtual browser module; extracting a first behavior information generated while loading the analysis target web page; executing an event after loading the analysis target web page to extract a second behavior information generated when executing the event; storing the first behavior information and the second behavior information; generating a plurality of behavior information nodes; and generating a behavior information node tree, using a correlation between the plurality of behavior information nodes.
  • Because the system and the method for collecting malicious script behavior information based on HTML5 execute the web browser in a virtualized environment and execute the analysis target web page on the virtual browser, it is possible to discriminate the malicious script without having an adverse effect on the system. Further, it is possible to discriminate attackable elements by forcibly generating the event along with the execution information of the analysis target web page, and to generate and manage the behavior information in the analysis target web page in a tree structure.
  • FIG. 1 is a diagram illustrating a process of collecting the malicious script behavior information according to the present inventive concept;
  • FIG. 2 is a schematic block diagram of a system for collecting the malicious script behavior information according to an embodiment of the present inventive concept;
  • FIG. 3 is a flow chart for explaining the operation of the system management unit of FIG. 2;
  • FIG. 4 is a block diagram illustrating a detailed module of the behavior information collection unit of FIG. 2;
  • FIG. 5 is a flow chart for explaining the operation of the behavior information collection unit of FIG. 4;
  • FIG. 6 illustrates a sample code including JavaScript;
  • FIG. 7 illustrates an example of a behavior information node recorded from FIG. 6;
  • FIG. 8 illustrates a sample code that contains an event;
  • FIGS. 9 and 10 illustrate examples of the behavior information node recorded from FIG. 8;
  • FIG. 11 illustrates an example of the recorded behavior information node;
  • FIG. 12 illustrates an example of the behavior information node added with a medium classification in FIG. 11;
  • FIG. 13 illustrates an example of a behavior information node tree;
  • FIG. 14 is a flowchart for explaining the operation of the behavior information management unit of FIG. 2;
  • FIG. 15 is a flowchart sequentially illustrating a method for collecting the malicious script behavior information according to an embodiment of the present inventive concept;
  • FIG. 16 is a flowchart sequentially illustrating a method for collecting the malicious script behavior information according to another embodiment of the present inventive concept.
  • Each block may indicate a part of a module, a segment or a code which includes one or more executable instructions for executing specified logical function(s).
  • the functions noted in the blocks may also occur out of order in some alternative execution examples. For example, two blocks illustrated one after another may in fact be performed substantially at the same time, or the blocks may be executed in the reverse order, depending on the corresponding functions.
  • a system 100 for collecting the malicious script behavior information includes a transceiver interface 110, a system management unit 120, a behavior information collection unit 130, a behavior information management unit 140, a malicious behavior determination unit 150, a database unit 160 and the like.
  • the system 100 for collecting the malicious script behavior information operates to collect malicious script behavior information based on Hyper Text Markup Language 5 (HTML5).
  • HTML5 is the latest standard of Hyper Text Markup Language (HTML) that is a basic programming language for creating web documents.
  • HTML5 may perform the same function even when ActiveX is not installed, and in particular, it may produce fancy graphic effects in the web browser even without using Flash, Silverlight and JavaFX.
  • the system 100 for collecting the malicious script behavior information according to the present inventive concept operates to collect and manage the behavior information in the analysis target web page in order to determine whether a malicious script is contained within the HTML5-based web pages.
  • the system 100 for collecting the malicious script behavior information is operated to receive the provision of the analysis requests from an external system 10 and to provide the analysis results to the external system 10.
  • the system 100 for collecting the malicious script behavior information is operated to drive (101) a virtual browser, record (102) the behavior information by executing the event on the virtual browser, three-dimensionalize (103) the behavior information recorded on the virtual browser, and determine (104) whether there is a malicious behavior as compared to the pre-stored malicious behavior information.
  • the transceiver interface 110 receives the provision of the analysis requests from the external system 10, and provides the analysis results to the external system 10.
  • the transceiver interface 110 may include an application programming interface (API).
  • the transceiver interface 110 may include a system authentication API, an information reception API, a system setting API, a result providing API and the like.
  • the system authentication API may output an API usage authentication key, using the registered ID and Password.
  • the information reception API may receive the provision of the analysis target URL from the outside and may output a page ID corresponding thereto.
  • the system setting API may manage accounts, classification criteria, detection records and the like.
  • the result providing API may provide an analysis result depending on the page ID.
  • the transceiver interface 110 may receive the analysis request in the form of HTTP POST, and may provide the analysis result in the form of XML.
  • the system management unit 120 receives the provision of an analysis target URL from the transceiver interface 110, and checks the operation status of the virtual browser module.
  • the system management unit 120 may manage the platform for driving the virtual browser module, and may perform management of the analysis target URL.
  • the system management unit 120 may queue and manage a plurality of analysis target URLs that are input as analysis targets. That is, it is possible to manage the plurality of analysis target URLs in the form of a queue. By managing the plurality of analysis target URLs in the form of a queue, the first requested URL is preferentially processed.
  • the system management unit 120 may check the status of the virtual platform, including the virtual browser module, and may transmit the analysis target URL to an analyzable virtual platform for execution.
  • the system management unit 120 records the information when an error is detected while checking the status of the virtual platform, and may forcibly terminate or restart the virtual platform in which the error occurs.
  • the system management unit 120 receives the provision of an analysis target URL, and adds the analysis target URL to the analysis target URL queue. This is for sequentially handling the requested analysis target URL.
  • the system management unit 120 checks whether an analyzable virtual browser exists.
  • the system management unit commands analysis of the front URL of the analysis target URL queue. If an analyzable virtual browser does not exist, the system management unit checks the status of the currently operating virtual browsers. When there is a virtual browser whose current status is not checked or in which an error occurs, it is checked whether the URL transmitted to that virtual browser has been analyzed. When the analysis is not completed, the analysis failure details are stored, and when the analysis is completed, the completed analysis details are stored.
  • the system management unit commands analysis of the front URL of the analysis target URL queue. Further, it is checked whether the analysis target URL queue is empty. When the analysis target URL queue is empty, it is checked whether all the virtual browsers are in an analysis completion status. If the analysis target URL queue is not empty or not all the virtual browsers are in the analysis completion status, the check for whether an analyzable virtual browser exists is performed again.
  • the behavior information collection unit 130 includes a virtual browser module, receives the provision of the analysis target URL from the system management unit 120, executes the analysis target web page connected to the analysis target URL on the virtual browser module to extract the behavior information, and stores the behavior information node that is the execution time of the behavior information. That is, the behavior information collection unit 130 collects dynamic behavior information for the dynamic analysis of the analysis target web page.
  • the behavior information collection unit 130 may include an event management unit 131 and a behavior information extraction unit 132.
  • the event management unit 131 may extract and execute an event in the analysis target web page, and the behavior information extraction unit 132 may extract the behavior information in the analysis target web page.
  • the behavior information extraction unit 132 may extract the behavior information that occurs while an analysis target web page is loaded on the virtual browser module.
  • the event management unit 131 may execute the event after the loading of the analysis target web page is completed, and the behavior information extraction unit 132 may extract the behavior information generated when an event is executed.
  • the virtual browser module included in the behavior information collection unit 130 may receive the provision of the analysis target URL, may execute the analysis target web page connected to the analysis target URL in a virtualized environment, and may collect and output the behavior information.
  • the event management unit 131 may search for events in the analysis target web page when the loading of the analysis target web page is finished.
  • the event management unit 131 may forcibly execute the event with a high possibility of being used for malicious behavior among the events searched in this way on the virtual browser module, and may generate the dynamic behavior in the web page.
  • the event management unit 131 may record the error.
  • the behavior information extraction unit 132 may extract and record the behavior information about a JS API, a DOM, an event, a storage, a network traffic or a browser error.
  • the behavior information extraction unit 132 may record the relevant information on the JS API, the DOM and the event in the form of behavior information node. That is, the behavior information extraction unit 132 may generate the behavior information node about the JS API, the DOM and the event.
  • the behavior information nodes mean an execution time of the behavior information contained in the analysis target web page.
  • the JS API is immediately recorded at the time when the JS API is executed.
  • the DOM and the event are recorded when the event is forcibly executed. However, the DOM is recorded only when it is relevant to the forcibly executing target event.
  • the storage, the network traffic and the browser error are recorded at one time, after the recording and analysis of the web page are finished.
  • the behavior information collection unit 130 may further include an external communication channel 133, and the external communication channel 133 may store the behavior information extracted from the analysis target web page. Moreover, the traffic generated during dynamic analysis and sent to the outside may be blocked by the external communication channel 133. This is to prevent a malicious behavior from being additionally generated.
  • the behavior information collection unit 130 receives the provision of the analysis target URL and the page ID to execute the virtual browser. Further, the behavior information collection unit 130 executes the analysis target URL via the virtual browser.
  • the JS API generated during execution of the analysis target URL is recorded in the form of behavior information node through the behavior information extraction unit 132. Such operations are continued until the loading of the analysis target URL is finished.
  • the execution target event is searched through the event management unit 131.
  • the execution target event may be preset in the system. Such an execution target event may be set around the event with a high possibility of being used for causing a malicious behavior.
  • the event is forcibly executed. Further, the JS API generated with the execution of the event is recorded. After completion of the recording operation of the JS API generated with the event execution, an operation of searching the execution target event that is not forcibly executed is repeatedly performed.
  • the storage information, the network traffic information and the browser error information generated with the execution of the web page are recorded.
  • the recorded behavior information is output and stored to the behavior information node, and the relevant records are output and stored.
  • the virtual browser is terminated, and when an error occurs in the virtual browser execution operation or the event execution operation, the error is recorded and the operation ends.
  • the execution target event is searched for and forcibly executed, and an example of the resulting recorded behavior information node can be seen.
  • In FIG. 9, the DOM element is recorded because it includes an onclick, which is an execution target event.
  • In FIG. 10, it can be seen that the object of the execution target event is recorded.
  • a run field is recorded as auto, and in the case of an event that is forcibly executed as an execution target event, the run field may be recorded as manual. In the case of an event that is not an execution target event and is not executed, the run field may be recorded as none.
  • the behavior information management unit 140 receives the provision of the behavior information nodes from the behavior information collection unit 130, analyzes the type of behaviors using a first field f1 and a second field f2, and adds a third field f3. Further, the behavior information management unit 140 generates a behavior information node tree, using a correlation between the plurality of behavior information nodes.
  • the first field f1 may be an object field
  • the second field f2 may be a detail field. It is possible to add a subtype field that is the third field f3, using the field values of the object field and the detail field.
  • the JS API may add the third field f3 using the object field and the detail field
  • the DOM and the event may add the third field f3 using detail (tag, event) field.
  • the behavior information management unit 140 adds the medium classification, depending on the type of behavior of the recorded behavior information node, and forms a plurality of behavior information nodes in a tree structure to allow a three-dimensional analysis.
  • the behavior information management unit 140 adds a medium classification to the behavior information nodes recorded in the virtual browser module.
  • the subtype field value may be added to the behavior information node as a medium classification as illustrated in FIG. 12.
  • the behavior information management unit 140 may generate a behavior information node tree, using a temporal context between the plurality of behavior information nodes. Specifically, referring to FIG. 13, an example of behavior information node tree structure is illustrated.
  • the behavior information management unit 140 connects the plurality of behavior information nodes, and in general, the behavior information nodes may be connected in the relation of pre-post in the recorded order.
  • the behavior information nodes may be connected to the last node of depth 1 in the relation of pre-post, rather than the pre-post relationship with the previous node.
  • the behavior information nodes may be connected in the relation of an ancestor-child. That is, as in the EVENT-JS connection relation of FIG. 13, a tree structure may be formed in a vertical direction.
  • the behavior information management unit 140 receives the provision of the behavior information node and places a pointer on the first behavior information node of the input behavior information node. Further, it is determined whether the node of the pointer is suitable for the classification criteria.
  • the JS API node refers to a JS API classification
  • the DOM node refers to a DOM classification
  • the event node refers to an EVENT classification.
  • the medium classification is added to the behavior information node. Further, the pointer is moved to the next behavior information node. When the pointer indicates a null value, all the behavior information nodes are regarded as having been checked.
  • the pointer is placed on the node after the first node to determine whether the behavior information node indicated by the pointer is a DOM node. If it is a DOM node, the nearest previous node of depth 1 is connected to the pre of the pointer, and the next node that subsequently appears is connected to the post of the pointer. That is, a pre-post relation is formed: the ID of the subsequent node is recorded in the post field of the previous node, and the ID of the previous node is recorded in the pre field of the subsequent node.
  • the behavior information node pointed to by the pointer is a JS API node. If it is a JS API node, it is determined whether the node before the pointer is an event node. When it is not a JS API node, or it is a JS API node but the previous node is not an event node, the pointer is connected to the post field of the previous node. Further, the previous node is connected to the pre field of the pointer. That is, a pre-post relation is formed.
  • the pointer forms an ancestor-child relation with the previous node.
  • the ancestor-child relation is formed by recording the ID of the subsequent node after the child field of the previous node, and by recording the ID of the previous node in the ancestor field of the subsequent node.
  • the pointer is moved to the next behavior information node in a recording order.
  • When the pointer indicates a null value, all the behavior information nodes are regarded as having been checked, and the behavior information node tree is output.
  • the malicious behavior determination unit 150 determines whether a previously known attack behavior is included, using the information node tree. In connection with the operation of the malicious behavior determination unit 150, various methods of operation may be used.
  • the database unit 160 may store the page analysis information, the behavior information node classification information and the management information.
  • the page analysis information is information that is generated based on the analysis of a web page.
  • the behavior information node classification information includes the criteria for classifying the JS API node, the DOM node and the event node.
  • the management information includes the detection information, the malicious type, and a Finite Status Machine (FSM) for malicious determination.
  • FIG. 15 is a flowchart sequentially illustrating the method for collecting the malicious script behavior information according to an embodiment of the present inventive concept.
  • the method for collecting the malicious script behavior information receives (S100) the provision of an analysis request from the external system 10. Further, it is possible to receive the provision of the analysis request, along with the reception of provision of the system authentication ID.
  • the analysis target URL is provided (S110) to a virtual browser module, and the analysis target web page connected to the analysis target URL on the virtual browser module is executed (S120).
  • the analysis target web page may be a web page that is programmed based on HTML5.
  • the first behavior information generated during loading of the analysis target web page is extracted (S130), and the execution target event is executed after the end of loading of the analysis target web page to extract (S140) the second behavior information generated when executing the event.
  • the second behavior information includes behavior information about the JS API, the DOM, the event, the storage, the network traffic or the browser error.
  • the behavior information node includes the behavior information nodes on the JS API, the DOM or the event.
  • the behavior information node tree is generated (S170), using the correlation between the plurality of behavior information nodes. Specifically, it is possible to generate the behavior information node tree, using the temporal context between the plurality of behavior information nodes.
  • FIG. 16 is a flowchart sequentially illustrating a method for collecting the malicious script behavior information according to another embodiment of the present inventive concept. For convenience of explanation, descriptions of portions substantially the same as the description of the method for collecting the malicious script behavior information according to an embodiment of the present inventive concept will not be provided.
  • a method for collecting the malicious script behavior information receives (S100) the provision of an analysis request from the external system 10, provides (S110) the analysis target URL to the virtual browser module, and executes (S120) the analysis target web page connected to the analysis target URL on the virtual browser module.
  • the first behavior information generated during loading of the analysis target web page is extracted (S130), and the execution target event is executed after the end of loading of the execution target web page to extract (S140) the second behavior information generated when executing the event.
  • the first behavior information and the second behavior information are stored (S150), and a plurality of behavior information nodes is generated (S160).
  • the behavior information node tree is stored, and the error information on the module execution or the event execution of the virtual browser is stored (S180).
  • The steps of the method or algorithm described in connection with the embodiments of the present inventive concept may be implemented directly by a hardware module, by a software module executed by the processor, or by a combination of the two.
  • The software module may reside in a RAM memory, a flash memory, a ROM memory, an EPROM memory, an EEPROM memory, a register, a hard disk, a removable disk, a CD-ROM or any other form of computer-readable recording medium well known in the art to which the present inventive concept pertains.
  • An exemplary storage medium is coupled to the processor, and the processor may read information from the recording medium and may write information to the recording medium.
  • The recording medium may also be integrated with the processor.
  • The processor and the storage medium may also reside in an application specific integrated circuit (ASIC).
  • The ASIC may also reside in a user terminal.
  • The processor and the storage medium may reside as discrete components in a user terminal.
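
Steps S150 to S180 above, sketched as an added example (this is not code from the patent): stored behavior records are filtered into JS API, DOM and event nodes and linked into a tree by time order. The record fields, the `LOAD` grouping node and the rule that an event owns the nodes that follow it are assumptions, since the text only states that the tree uses the temporal context between nodes.

```javascript
// Added illustration: field names, kinds and the nesting rule are assumptions.
const NODE_KINDS = new Set(["JS_API", "DOM", "EVENT"]); // kinds that become nodes

// Constructed sample records: phase 1 = page load (S130), phase 2 = event execution (S140).
const SAMPLE_RECORDS = [
  { t: 5,  phase: 1, kind: "DOM",     name: "createElement(script)" },
  { t: 9,  phase: 1, kind: "NETWORK", name: "GET /lib.js" },
  { t: 12, phase: 1, kind: "JS_API",  name: "localStorage.getItem" },
  { t: 40, phase: 2, kind: "EVENT",   name: "click#btn" },
  { t: 41, phase: 2, kind: "JS_API",  name: "new WebSocket" },
  { t: 43, phase: 2, kind: "DOM",     name: "appendChild(iframe)" },
  { t: 60, phase: 2, kind: "EVENT",   name: "mouseover#ad" },
  { t: 61, phase: 2, kind: "JS_API",  name: "navigator.geolocation" },
  { t: 62, phase: 2, kind: "ERROR",   name: "TypeError" },
];

// S160: turn stored records into behavior information nodes, ordered by time.
function toNodes(records) {
  return records
    .filter((r) => NODE_KINDS.has(r.kind))
    .map((r) => ({ ...r, children: [] }))
    .sort((a, b) => a.t - b.t);
}

// S170: link nodes by temporal context. Load-phase nodes hang under a
// LOAD node; each event node owns the nodes that follow it in time
// until the next event fires.
function buildTree(url, records) {
  const load = { kind: "LOAD", name: "page load", children: [] };
  const root = { kind: "ROOT", name: url, children: [load] };
  let current = load; // phase-2 nodes seen before any event stay under LOAD
  for (const node of toNodes(records)) {
    if (node.kind === "EVENT") {
      root.children.push(node);
      current = node;
      continue;
    }
    (node.phase === 1 ? load : current).children.push(node);
  }
  return root;
}

// Flatten the tree to "parent > child" paths, one way to store it (S180).
function paths(node, prefix = "") {
  const here = prefix ? `${prefix} > ${node.name}` : node.name;
  if (node.children.length === 0) return [here];
  return node.children.flatMap((c) => paths(c, here));
}
```

Storage, network and error records are kept out of the tree here because the text lists only JS API, DOM and event nodes; they would be stored alongside it.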

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention relates to a system and a method for collecting malicious script behavior information based on HTML5. The HTML5-based malicious script behavior information collection system comprises a behavior information collection unit, a system management unit and a behavior information management unit.
PCT/KR2016/000346 2015-11-03 2016-01-13 System and method for collecting malicious script behavior information based on HTML5 Ceased WO2017078222A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020150153688A KR101619256B1 (ko) 2015-11-03 2015-11-03 System and method for collecting HTML5-based malicious script behavior information
KR10-2015-0153688 2015-11-03

Publications (1)

Publication Number Publication Date
WO2017078222A1 (fr) 2017-05-11

Family

ID=56021174

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2016/000346 Ceased WO2017078222A1 (fr) 2015-11-03 2016-01-13 System and method for collecting malicious script behavior information based on HTML5

Country Status (2)

Country Link
KR (1) KR101619256B1 (fr)
WO (1) WO2017078222A1 (fr)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20060035680A (ko) * 2006-03-30 2006-04-26 지니네트웍스(주) Virtual inline network security method
JP2009223375A (ja) * 2008-03-13 2009-10-01 Ntt Communications Kk Malicious website determination device, malicious website determination system, and method and program therefor
KR20130071621A (ko) * 2011-12-21 2013-07-01 한국인터넷진흥원 System and method for detecting variant malicious code
KR101400680B1 (ko) * 2013-03-12 2014-05-29 주식회사 윈스 Automatic malicious code collection system
KR101537088B1 (ko) * 2014-09-02 2015-07-15 인포섹(주) System and method for detecting malicious code based on API call flow

Also Published As

Publication number Publication date
KR101619256B1 (ko) 2016-05-10

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application. Ref document number: 16862241; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase. Ref country code: DE
122 EP: PCT application non-entry in European phase. Ref document number: 16862241; Country of ref document: EP; Kind code of ref document: A1