Mobile device having self-defense function against virus and network-based attacks and self-defense method using the same

US 20090165137A1
Filed: 03/20/2008
Published: 06/25/2009
Est. Priority Date: 12/20/2007
Status: Active Grant

First Claim

Patent Images

1. A mobile device for wireless communication comprising:

a virus checking module, which receives information on files required for virus checking on a basis of input/output (I/O) information created from a file system of an operating system, and determines whether or not the files are infected with a virus using distribution of similarity between data;

a malicious packet determination module, which examines information on an Internet protocol (IP) packet created from a network to interrupt a denial-of-service attack (DoS attack); and

a control module, which receives the I/O information created from the file system of the operating system, selects the files required for the virus checking, and transmits the selected files to the virus checking module, or receives information on the IP packet created from the network to transmit the received information to the malicious packet determination module.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are a mobile device having a self-defense function against virus and network-based attacks and a self-defense method using the same. The mobile device includes a virus checking module, which receives information on files required for virus checking on a basis of input/output (I/O) information created from a file system of an operating system, and determines whether or not the files are infected with a virus using distribution of similarity between data; a malicious packet determination module, which examines information on an Internet protocol (IP) packet created from a network to interrupt a denial-of-service attack (DoS attack); and a control module, which receives the I/O information created from the file system of the operating system, selects the files required for the virus checking, and transmits the selected files to the virus checking module, or receives information on the IP packet created from the network to transmit the received information to the malicious packet determination module, thereby preventing damage caused by the virus in advance, and effectively preventing a denial-of-service attack (DoS attack) caused by wireless network resource depletion and battery consumption that may occur in a wireless environment.

Citations

31 Claims

1. A mobile device for wireless communication comprising:
- a virus checking module, which receives information on files required for virus checking on a basis of input/output (I/O) information created from a file system of an operating system, and determines whether or not the files are infected with a virus using distribution of similarity between data;
  
  a malicious packet determination module, which examines information on an Internet protocol (IP) packet created from a network to interrupt a denial-of-service attack (DoS attack); and
  
  a control module, which receives the I/O information created from the file system of the operating system, selects the files required for the virus checking, and transmits the selected files to the virus checking module, or receives information on the IP packet created from the network to transmit the received information to the malicious packet determination module.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The mobile device as set forth in claim 1, further comprising a file system monitoring module, which is registered in the operating system beforehand, monitors all pieces of I/O information created from a file system driver, and transmits the monitored information to the control module.
  - 3. The mobile device as set forth in claim 1, further comprising a network packet monitoring module, which is registered in the operating system beforehand, monitors IP packets created from the network, and transmits the monitored information to the control module.
  - 4. The mobile device as set forth in claim 1, wherein the mobile device includes one selected from a desktop computer, a laptop computer, a personal digital assistant (PDA), a mobile phone, a WebPDA, and a transmission control protocol (TCP) networking assisted wireless mobile device.
  - 5. The mobile device as set forth in claim 1, wherein the virus checking module copies an original file based on the provided file information, converts and simplifies data of the copied file, normalizes the simplified file data, acquires distribution of similarity between data using the normalized file data, analyzes the acquired distribution of similarity between data, and determines that the file is virus-infected when a preset dense distribution pattern exists.
  - 6. The mobile device as set forth in claim 5, wherein the distribution of similarity between data is acquired by constituting a code map optimized for the normalized file data using a typical Self-Organizing Map (SOM) learning algorithm, and forming a new matrix on a basis of average values of surrounding values.
  - 7. The mobile device as set forth in claim 5, wherein the original file includes one of a general file and an executable file.
  - 8. The mobile device as set forth in claim 5, wherein the original file already exists in the mobile device or is introduced from an outside source through a specific path.
  - 9. The mobile device as set forth in claim 8, wherein the specific path includes one selected from Internet, e-mail, Bluetooth, and ActiveSync.
  - 10. The mobile device as set forth in claim 1, wherein the malicious packet determination module:
    - causes a base station to transmit a connection request packet (SYN packet) for transmission control protocol (TCP) connection to the mobile device, and causes the mobile device to transmit a connection request acknowledgement packet (SYN/ACK_—1 packet) to the base station when the mobile device receives the transmitted SYN packet;
      
      causes the base station to transmit an acknowledgement packet (ACK_—2 packet) to the mobile device in response to the SYN/ACK_—1 packet when the base station receives the transmitted SYN/ACK_—1 packet, and completes the TCP connection when the mobile device receives the transmitted ACK_—2 packet; and
      
      releases the completed TCP connection when the mobile device receives a packet, to which a reset or connection request flag (RST or SYN flag) is set, from the base station after the TCP connection is completed.
  - 11. The mobile device as set forth in claim 10, wherein the malicious packet determination module determines that the TCP connection is abnormally released when the mobile device receives no packet for a preset timeout time after the TCP connection is completed, and safely releases the TCP connection.
  - 12. The mobile device as set forth in claim 1, wherein the malicious packet determination module:
    - causes a base station to transmit a SYN packet for TCP connection to the mobile device, and causes the mobile device to transmit a SYN/ACK_—1 packet to the base station when the mobile device receives the transmitted SYN packet;
      
      causes the base station to transmit a disconnection packet (FIN packet) to the mobile device when the base station receives the transmitted SYN/ACK_—1 packet; and
      
      interrupts the TCP connection when the mobile device receives the transmitted FIN packet.
  - 13. The mobile device as set forth in claim 1, wherein the malicious packet determination module:
    - causes a base station to transmit a connection request packet (SYN packet) for transmission control protocol (TCP) connection to the mobile device, and causes the mobile device to transmit a connection request acknowledgement packet (SYN/ACK_—1 packet) to the base station when the mobile device receives the transmitted SYN packet;
      
      causes the base station to transmit an acknowledgement disconnection packet (ACK_—2/FIN packet), to which a FIN flag is set, to the mobile device together with acknowledgement (ACK_—2) in response to the SYN/ACK_—1 packet when the base station receives the transmitted SYN/ACK_—1 packet; and
      
      interrupts the TCP connection when the mobile device receives the transmitted ACK_—2/FIN packet.
  - 14. The mobile device as set forth in claim 1, wherein the malicious packet determination module:
    - causes a base station to transmit a connection request packet (SYN packet) for transmission control protocol (TCP) connection to the mobile device, and causes the mobile device to transmit a connection request acknowledgement packet (SYN/ACK_—1 packet) to the base station when the mobile device receives the transmitted SYN packet;
      
      causes the base station to transmit the SYN packet to the mobile device again when the base station receives the transmitted SYN/ACK_—1 packet; and
      
      interrupts the TCP connection when the mobile device receives the re-transmitted SYN packet.
  - 15. The mobile device as set forth in any one of claims 12 to 14, wherein the malicious packet determination module determines that the TCP connection is abnormally released when the mobile device receives no packet for a preset timeout time after the SYN/ACK_—
    - 1 packet is transmitted to the base station, and safely releases the TCP connection.
  - 16. The mobile device as set forth in claim 1, wherein the malicious packet determination module safely releases the TCP connection when the mobile device does not receive an acknowledgement packet (ACK_—
    - 3 packet) from the base station for a preset timeout time after transmitting a disconnection acknowledgement packet (FIN/ACK packet) for normally releasing the TCP connection to the base station in a state where the TCP connection is completed between the base station and the mobile device.

17. A method of performing a self-defense function against virus and network-based attacks on a mobile device having a virus checking module and a malicious packet determination module, the method comprising the steps of:
- a) monitoring all pieces of input/output (I/O) information created from a file system driver of an operating system;
  
  b) selecting files required for virus checking on a basis of the monitored I/O information;
  
  c) receiving information on the selected files through the virus checking module to determine whether or not the files are infected with a virus using distribution of similarity between data;
  
  d) monitoring an Internet protocol (IP) packet created from a network; and
  
  e) examining information on the monitored IP packet through the malicious packet determination module to interrupt a denial-of-service attack (DoS attack).
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 18. The method as set forth in claim 17, wherein step c) comprises the sub-steps of:
    - c-1) copying an original file, and converting and simplifying data of the copied file;
      
      c-2) normalizing the simplified file data;
      
      c-3) acquiring distribution of similarity between data using the normalized file data; and
      
      c-4) analyzing the acquired distribution of similarity between data, and determining that the file is virus-infected when a preset dense distribution pattern exists.
  - 19. The method as set forth in claim 18, wherein sub-step c-1) includes checking according to a format of the copied file whether or not a file header is deliberately changed prior to converting and simplifying the data of the copied file.
  - 20. The method as set forth in claim 18, wherein sub-step c-1) includes checking a format of the copied file prior to converting and simplifying the data of the copied file, and determining that the file is virus-infected when a part deliberately changed by the virus exists.
  - 21. The method as set forth in claim 18, wherein the original file includes one of a general file and an executable file.
  - 22. The method as set forth in claim 18, wherein in sub-step c-3), the distribution of similarity between data is acquired by constituting a code map optimized for the normalized file data using a typical Self-Organizing Map (SOM) learning algorithm, and forming a new matrix on a basis of average values of surrounding values.
  - 23. The method as set forth in claim 18, wherein sub-step c-3) includes the sub-steps of:
    - c-3-1) acquiring median values and eigenvectors of the normalized file data, and constituting a code map using the acquired median values and eigenvectors;
      
      c-3-2) calculating difference values with the normalized file data using the constituted code map, and acquiring best match data vectors;
      
      c-3-3) shifting the code map to another code map in order to calculate whole data once again using the acquired best match data vectors, recalculating difference values with the normalized file data using the shifted another code map, and storing values corresponding to best matched values; and
      
      c-3-4) rearranging the data on a basis of the average values of the surrounding values, and forming a new matrix.
  - 24. The method as set forth in claim 18, wherein step e) includes the sub-steps of:
    - transmitting, by a base station, a connection request packet (SYN packet) for transmission control protocol (TCP) connection to the mobile device, and transmitting, by the mobile device, a connection request acknowledgement packet (SYN/ACK_—1 packet) to the base station when the mobile device receives the transmitted SYN packet;
      
      transmitting, by the base station, an acknowledgement packet (ACK_—2 packet) to the mobile device in response to the SYN/ACK_—1 packet when the base station receives the transmitted SYN/ACK_—1 packet;
      
      completing the TCP connection when the mobile device receives the transmitted ACK_—2 packet; and
      
      releasing the completed TCP connection when the mobile device receives a packet, to which a reset or connection request flag (RST or SYN flag) is set, from the base station after the TCP connection is completed.
  - 25. The method as set forth in claim 24, wherein it is determined that the TCP connection is abnormally released when the mobile device receives no packet for a preset timeout time after the TCP connection is completed, and the TCP connection is safely released.
  - 26. The method as set forth in claim 18, wherein step e) includes the sub-steps of:
    - transmitting, by a base station, a SYN packet for TCP connection to the mobile device, and transmitting, by the mobile device, a SYN/ACK_—1 packet to the base station when the mobile device receives the transmitted SYN packet;
      
      transmitting, by the base station, a disconnection packet (FIN packet) to the mobile device when the base station receives the transmitted SYN/ACK_—1 packet; and
      
      interrupting the TCP connection when the mobile device receives the transmitted FIN packet.
  - 27. The method as set forth in claim 18, wherein step e) includes the sub-steps of:
    - transmitting, by a base station, a connection request packet (SYN packet) for transmission control protocol (TCP) connection to the mobile device, and transmitting, by the mobile device, a connection request acknowledgement packet (SYN/ACK_—1 packet) to the base station when the mobile device receives the transmitted SYN packet;
      
      transmitting, by the base station, an acknowledgement disconnection packet (ACK_—2/FIN packet), to which a FIN flag is set, to the mobile device together with acknowledgement (ACK_—2) in response to the SYN/ACK_—1 packet when the base station receives the transmitted SYN/ACK_—1 packet; and
      
      interrupting the TCP connection when the mobile device receives the transmitted ACK_—2/FIN packet.
  - 28. The method as set forth in claim 18, wherein step e) includes the sub-steps of:
    - transmitting, by a base station, a connection request packet (SYN packet) for transmission control protocol (TCP) connection to the mobile device, and transmitting, by the mobile device, a connection request acknowledgement packet (SYN/ACK_—1 packet) to the base station when the mobile device receives the transmitted SYN packet;
      
      transmitting, by the base station, the SYN packet to the mobile device again when the base station receives the transmitted SYN/ACK_—1 packet; and
      
      interrupting the TCP connection when the mobile device receives the re-transmitted SYN packet.
  - 29. The method as set forth in one of claims 26, 27 and 28, wherein it is determined that the TCP connection is abnormally released when the mobile device receives no packet for a preset timeout time after the SYN/ACK_—
    - 1 packet is transmitted to the base station, and the TCP connection is safely released.
  - 30. The method as set forth in claim 18, wherein step e) includes safely releasing the TCP connection when the mobile device does not receive an acknowledgement packet (ACK_—
    - 3 packet) for a preset timeout time after transmitting a disconnection acknowledgement packet (FIN/ACK packet) for normally releasing the TCP connection to the base station in a state where the TCP connection is completed between the base station and the mobile device.
  - 31. A computer readable medium recording a program that can execute the method as set forth in any one of claims 17 through 30 using a computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Samsung SDS (China) Co., Ltd. (Samsung Group)
Original Assignee
Samsung SDS (China) Co., Ltd. (Samsung Group)
Inventors
Yoo, In Seon, Kim, Mu Hang

Granted Patent

US 8,789,184 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/564   by virus signature recognition

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Mobile device having self-defense function against virus and network-based attacks and self-defense method using the same

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Mobile device having self-defense function against virus and network-based attacks and self-defense method using the same

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links