METHOD AND APPARATUS FOR MALWARE DETECTION

US 20090133125A1
Filed: 09/12/2008
Published: 05/21/2009
Est. Priority Date: 11/21/2007
Status: Abandoned Application

First Claim

Patent Images

1. A method for detecting malware, comprising:

determining whether an input file is an executable file or not by analyzing a header of the input file;

determining whether the input file is malware or not through a plurality of predetermined conditions by analyzing the header of the input file if the input file is an executable file; and

outputting a signal corresponding to presence of malware if the input file is determined as malware.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to an apparatus and method for detecting malware. The malware detection apparatus and method of the present invention determines whether a file is malware or not by analyzing the header of an executable file. Since the malware detection apparatus and method can quickly detect presence of malware, it can shorten detection time considerably. The malware detection apparatus and method can also detect even unknown malware as well as known malware to thereby estimate and determine presence of malware. Therefore, it is possible to cope with malware in advance, protect a system with a program, and increase security level remarkably.

293 Citations

15 Claims

1. A method for detecting malware, comprising:
- determining whether an input file is an executable file or not by analyzing a header of the input file;
  
  determining whether the input file is malware or not through a plurality of predetermined conditions by analyzing the header of the input file if the input file is an executable file; and
  
  outputting a signal corresponding to presence of malware if the input file is determined as malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the determining whether an input file is an executable file or not includes:
    - determining whether the header of the input file starts with a first signature; and
      
      determining that the input file is an executable file if the header of the input file starts with the first signature and a second signature of the input file is present at a designated position.
  - 3. The method of claim 2, wherein in the determining whether an input file is an executable file or not,if the header of the input file does not start with the first signature or if the second signature of the input file is not present at a designated position, the input file is determined as an non-executable file and malware detection is terminated.
  - 4. The method of claim 2, wherein the determining whether an input file is an executable file or not further includes:
    - when the header of the input file starts with the first signature and the second signature of the input file is present at a designated position, extracting a field for a system type from the header of the input file, comparing the field with predetermined data, and determining whether the input file is an executable file based on a comparison result.
  - 5. The method of claim 1, wherein the determining whether the input executable file is malware further includes:
    - giving weights to the multiple conditions; and
      
      finally determining whether the input file is malware by summing up the weight for the satisfied condition if the input file satisfies at least one of the conditions.
  - 6. The method of claim 1, wherein in the determining whether the input executable file is malware,if there is a section including both executable attribute and write attribute among sections included in the header of the input file, the input file is determined as malware.
  - 7. The method of claim 1, wherein in the determining whether the input executable file is malware,if there is a section including any one between executable attribute and code attribute among sections included in the header of the input file, the input file is determined as malware.
  - 8. The method of claim 1, wherein in the determining whether the input executable file is malware,if there is no executable section among sections included in the header of the input file, the input file is determined as malware.
  - 9. The method of claim 1, wherein in the determining whether the input executable file is malware,if there is a section including a value that cannot be printed among sections included in the header of the input file, the input file is determined as malware.
  - 10. The method of claim 1, wherein in the determining whether the input executable file is malware,if a total sum of the sizes of sections included in the input file is greater than the entire size of the file, the input file is determined as malware.
  - 11. The method of claim 1, wherein in the determining whether the input executable file is malware,if a value directing an end of a first header and a start of a second header among a plurality of headers included in the input file is smaller than the size of the first header, the input file is determined as malware.
  - 12. The method of claim 1, wherein in the determining whether the input executable file is malware,if a value designating a position of the second signature is greater than a predetermined reference value, the input file is determined as malware.

13. An apparatus for detecting malware, comprising:
- a header extractor for extracting a header of an input file;
  
  a file determiner for determining whether the input file is an executable file or not;
  
  a header analyzer for analyzing the extracted header of the file and deciding a probability that the input file is malware based on a determination result of the file determiner; and
  
  a malware determiner for collecting determination results of the header analyzer, finally determining whether the input file is malware, and outputting a final determination result.
- View Dependent Claims (14, 15)
- - 14. The apparatus of claim 13, wherein the file determiner determines whether the header of the input file starts with a first signature and a second signature of the input file is present at a designated position to thereby determine whether the input file is an executable file of a Portable Executable (PE) format.
  - 15. The apparatus of claim 13, wherein the header analyzer checks whether there is a section including both executable attribute and write attribute in the header of the input file, whether there is a section including any one between executable attribute and code attribute, whether there is no executable section, whether there is a section including a value that cannot be printed, whether a total sum of the sizes of sections included in the input file is greater than the entire size of the file, whether a value directing an end of a first header and a start of a second header is smaller than the size of the first header, and whether a first field value of the first header is greater than a predetermined reference value;
    - andif any one of the above conditions is satisfied, the input file is determined as malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Electronics and Telecommunications Research Institute
Original Assignee
Electronics and Telecommunications Research Institute
Inventors
Choi, Yang Seo, Kim, Dae Won, Jang, Jong Soo, Oh, Jin Tae, Kim, Byoung Koo, Yoon, Seung Yong, Kim, Ik Kyun

Application Number

US12/209,249
Publication Number

US 20090133125A1
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/56 Computer malware detection ...

G06F 21/562 Static detection

METHOD AND APPARATUS FOR MALWARE DETECTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

293 Citations

15 Claims

Specification

Use Cases

Quick Links

Others

METHOD AND APPARATUS FOR MALWARE DETECTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

293 Citations

15 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others