SYSTEM AND METHOD OF DETECTING ANOMALY MALICIOUS CODE BY USING PROCESS BEHAVIOR PREDICTION TECHNIQUE

US 20080127346A1
Filed: 11/21/2007
Published: 05/29/2008
Est. Priority Date: 11/23/2006
Status: Active Grant

First Claim

Patent Images

1. An anomaly malicious code detection system using a process behavior prediction technique, comprising:

a DB filtering module performing primary malicious code filtering with respect to execution codes executed in a system;

a system resource monitor module monitoring a system resource to collect each event information generated by the execution codes executed in the system;

a reprocessing module reprocessing each event information collected in the system resource monitor module to reconstruct it into one integrated log representing a related behavior feature value of the execution codes;

a behavior prediction information processing module inputting the integrated log reconstructed in the reprocessing module into a learning algorithm to extract an anomaly malicious behavior feature value (a prediction pattern); and

an anomaly malicious behavior detection module comparing the anomaly malicious behavior feature value extracted from the behavior prediction information pressing module with the behavior feature value data constructed in the reprocessing module to detect a malicious behavior.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are a pattern analyzing/detecting method and a system using the same that are capable of detecting and effectively preventing an unknown malicious code attack. To detect such an attack, the method monitors the system to combine all behaviors exhibited within the system due to corresponding malicious codes, reprocess and learn the behaviors, analyze existing malicious behavior feature values (prediction patterns), and compare them with a behavior pattern exhibited by an execution code.

58 Citations

View as Search Results

8 Claims

1. An anomaly malicious code detection system using a process behavior prediction technique, comprising:
- a DB filtering module performing primary malicious code filtering with respect to execution codes executed in a system;
  
  a system resource monitor module monitoring a system resource to collect each event information generated by the execution codes executed in the system;
  
  a reprocessing module reprocessing each event information collected in the system resource monitor module to reconstruct it into one integrated log representing a related behavior feature value of the execution codes;
  
  a behavior prediction information processing module inputting the integrated log reconstructed in the reprocessing module into a learning algorithm to extract an anomaly malicious behavior feature value (a prediction pattern); and
  
  an anomaly malicious behavior detection module comparing the anomaly malicious behavior feature value extracted from the behavior prediction information pressing module with the behavior feature value data constructed in the reprocessing module to detect a malicious behavior.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, wherein the system resource monitor module collects respective event information with respect to file system, process, registry, service, and network items.
  - 3. The system of claim 2, wherein the system resource monitor module comprises:
    - a file monitor extracting information, including a detection time, a packet identification (PID), a path, and whether a system directory exists or not;
      
      an IM monitor extracting information by each packet unit, including a detection time, a PID, a S/D-IP, and a packet length;
      
      a process monitor extracting information, including a process detection time, a PID, and the number of threads;
      
      a registry monitor extracting information, including a detection time, a PID, a registry path, a current state, and a size;
      
      a TDI_P monitor extracting information, including a network information-detection time, a PID, a local IP address, a remote IP address, an average length of a packet, protocol, the number of pieces, a transmission size, and a reception size, which are expressed in a process unit through a TDI driver; and
      
      a TDI_S monitor extracting information, including a network information-detection time, a PID, a local IP address, a remote IP address, a protocol, a transmission size, and a reception size, which are expressed in a session unit through the TDI driver.
  - 4. The system of claim 1, wherein the reprocessing module constructs the related behavior feature value data of the execution codes into one record with respect to an event occurrence time while reconstructing the integrated log.

5. A method of detecting an anomaly malicious code by using a process behavior prediction technique, comprising the steps of:
- performing primary malicious code filtering on execution codes executed in a system;
  
  performing system resource monitoring to collect each event information generated by the execution codes executed in the system;
  
  reprocessing each of the event information collected during the performing of the system resource monitoring to reconstruct one integrated log representing a related behavior feature value of the execution codes;
  
  inputting the integrated log reconstructed during the reprocessing of each of the event information into a learning algorithm to extract an anomaly malicious behavior feature value (a prediction pattern); and
  
  comparing the anomaly malicious behavior feature value extracted during the inputting of the reconstructed integrated log with the behavior feature value data constructed during the reprocessing of the event information to detect malicious behaviors.
- View Dependent Claims (6, 7, 8)
- - 6. The method of claim 5, wherein the performing of the system resource monitoring comprises the step of collecting each event information about file system, process, registry, service, and network items.
  - 7. The method of claim 5, wherein the reprocessing of each of the event information further comprises the step of constructing the related behavior feature value data of the execution codes into one record with respect to an event occurrence time while reconstructing the integrated log.
  - 8. The method of claim 7, wherein the constructing of the one record further comprises the step of inserting a value within a recent event effective time range into a record field with no event and inserting a null into a record field when deviant from the recent event effective time range.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
F1 Security, Inc.
Original Assignee
Electronics and Telecommunications Research Institute
Inventors
LEE, Cheolho, PAEK, Seung-Hyun, OH, HyungGeun, LEE, DoHoon

Granted Patent

US 8,181,248 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/552 involving long-term monitor...

G06F 21/56 Computer malware detection ...

SYSTEM AND METHOD OF DETECTING ANOMALY MALICIOUS CODE BY USING PROCESS BEHAVIOR PREDICTION TECHNIQUE

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

58 Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD OF DETECTING ANOMALY MALICIOUS CODE BY USING PROCESS BEHAVIOR PREDICTION TECHNIQUE

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links