APPARATUS AND METHOD FOR DETECTING MALICIOUS PROCESS

US 20090070876A1
Filed: 04/16/2008
Published: 03/12/2009
Est. Priority Date: 09/07/2007
Status: Active Grant

First Claim

Patent Images

1. An apparatus for detecting a malicious process, comprising:

a process monitoring unit for monitoring a process generated in a computing environment;

a target process setting unit for previously setting a test target process among the processes confirmed by the process monitoring unit;

a file generation time change monitoring unit for monitoring if the target process set by the target process setting unit requests to change a file generation time;

a file generation time change preventing unit for preventing a change in the file generation time of the target process when the target process requests to change the file generation time; and

a malicious process detecting unit for determining that a child process of the target process set by the target process setting unit is a malicious process if the child process generates a file within a predetermined reference time.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are an apparatus and method for detecting a malicious process. The apparatus includes: a process monitoring unit for monitoring a process generated in a computing environment; a target process setting unit for previously setting a test target process among the processes confirmed by the process monitoring unit; a process generation time change monitoring unit for monitoring if the target process set by the target process setting unit requests to change a generation time; a generation time change preventing unit for preventing a change in the generation time of the target process when the target process requests to change the generation time; and a malicious process detecting unit for determining that a child process of the target process set by the target process setting unit is a malicious process if the child process is generated within a predetermined reference time.

27 Citations

View as Search Results

13 Claims

1. An apparatus for detecting a malicious process, comprising:
- a process monitoring unit for monitoring a process generated in a computing environment;
  
  a target process setting unit for previously setting a test target process among the processes confirmed by the process monitoring unit;
  
  a file generation time change monitoring unit for monitoring if the target process set by the target process setting unit requests to change a file generation time;
  
  a file generation time change preventing unit for preventing a change in the file generation time of the target process when the target process requests to change the file generation time; and
  
  a malicious process detecting unit for determining that a child process of the target process set by the target process setting unit is a malicious process if the child process generates a file within a predetermined reference time.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus according to claim 1, further comprising:
    - a forced termination unit for forcibly terminating the child process determined as the malicious process by the malicious process detecting unit; and
      
      a result output unit for outputting a determination result of the malicious process detecting unit.
  - 3. The apparatus according to claim 1, wherein the target process set by the target process setting unit executes a previously monitored target file.
  - 4. The apparatus according to claim 1, wherein the file generation time change monitoring unit monitors if the target process calls an Application Program Interface (API) required for changing the file generation time.
  - 5. The apparatus according to claim 1, wherein the file generation time change preventing unit provides a substitution function stored therein instead of the API called by the target process to prevent the change in the file generation time of the target process.
  - 6. The apparatus according to claim 1, wherein the child process is generated by the target process set by the target process setting unit.
  - 7. The apparatus according to claim 1, wherein when the malicious process detecting unit determines that the child process is not a malicious process, the target process setting unit sets the child process as a target process.

8. A method for detecting a malicious process, comprising:
- monitoring if a process generated in a computing environment is a child process of a preset target process; and
  
  recognizing the generated process as a malicious process when the process monitored to be the child process generates a file within a predetermined reference time.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method according to claim 8, wherein the preset target process executes a previously monitored targeted file.
  - 10. The method according to claim 8, wherein the child process is generated by the preset target process.
  - 11. The method according to claim 8, further comprising monitoring if the generated process calls an Application Program Interface (API) required for changing a file generation time and providing a substitution function instead of the API when the generated process is the preset target process.
  - 12. The method according to claim 8, further comprising registering the generated process as a target process when the process monitored to be the child process generates the file longer than the predetermined reference file
  - 13. The method according to claim 8, further comprising forcibly terminating the process recognized as the malicious process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Electronics and Telecommunications Research Institute
Original Assignee
Electronics and Telecommunications Research Institute
Inventors
KIM, Yun Ju, YUN, Young Tae

Granted Patent

US 8,091,133 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/56 Computer malware detection ...

APPARATUS AND METHOD FOR DETECTING MALICIOUS PROCESS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

27 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

APPARATUS AND METHOD FOR DETECTING MALICIOUS PROCESS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links