System, Method, Program, and Recording Medium for Detecting and Blocking Unwanted Programs in Real Time Based on Process Behavior Analysis and Recording Medium for Storing Program

US 20120324575A1
Filed: 04/27/2010
Published: 12/20/2012
Est. Priority Date: 02/23/2010
Status: Abandoned Application

First Claim

Patent Images

1. A method of detecting and blocking unwanted programs in real time based on process behavior analysis, comprising:

a security server defining a list of unwanted program scenarios in advance; and

matching a program, executed on a user terminal based on an agent program, with the unwanted program scenarios, thus detecting and blocking an unwanted process.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and program for detecting and blocking unwanted programs in real time based on process behavior analysis and a recording medium for storing the program. In particular, the invention relates to a system, method and program for detecting and blocking unwanted programs in real time based on process behavior analysis and a recording medium for storing the program, in which a security server defines lists of unwanted abnormal actions of a process in advance, detects the number of abnormal actions that have occurred, collects the abnormal actions, and detects and blocks an unwanted process by matching a program executed on a user terminal with the lists of abnormal actions.

63 Citations

View as Search Results

12 Claims

1. A method of detecting and blocking unwanted programs in real time based on process behavior analysis, comprising:
- a security server defining a list of unwanted program scenarios in advance; and
  
  matching a program, executed on a user terminal based on an agent program, with the unwanted program scenarios, thus detecting and blocking an unwanted process.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 11, 12)
- - 2. The method according to claim 1, wherein the list of unwanted program scenarios comprises lists of abnormal actions such as occurrence of a session, transmission of packets to multiple Internet Protocol (IP) addresses, occurrence of spoofing, transmission/reception of packets, opening and generation of files, Interrupt Descriptor Table (IDT) hook detection, generation and opening of a service, access to physical memory, generation of processes, access to a different process, invasion of principal function tables of an operating system, behavior of concealing a relevant program'"'"'s actions, registration of program auto start-up, an attempt at keyboard hacking, registry concealment, access to other processes, behavior of invading address space of other processes, nameless processes, parentless processes, generation of execution files, writing mode of execution files, loading of device drivers, and behavior of compulsorily terminating other processes.
  - 3. The method according to claim 2, wherein the list of unwanted program scenarios is configured such that one or more lists of abnormal actions are combined to form each singular scenario, and one or more singular scenarios are combined to form a composite scenario.
  - 4. The method according to claim 2, wherein each of the lists of abnormal actions further comprises at least one dummy abnormal action which ignores any actions.
  - 5. The method according to claim 1, wherein the user terminal is connected to the security server while accessing the security server over the network until the agent program is terminated.
  - 6. The method according to claim 1, wherein a method of detecting the unwanted process is implemented using any one selected from among a method of detecting, as an unwanted process, an process running under a name identical to that of an operating system when the unwanted process is running, a method of simultaneously tracking actions of a network and a process when an unwanted process is running, and then detecting actions of the unwanted process using a combination of scenarios, a method of detecting checksums and then detecting an unwanted process running while being parasitic on a normal process, a method of tracking a parent process and a child process generated thereby in real time via process tracking, and then eliminating an initially generated unwanted process and detecting a child process which is generated by the initially generated unwanted process and is running under a name of another process of the operating system, and a method of detecting an unwanted process, which is running by injecting code into a normal process, using a hooking detection and restoration technique.
  - 7. The method according to claim 1, wherein a method of blocking the unwanted process is implemented, in a case of network packets, using a method of blocking all packets of a relevant process, and is implemented, in a case of process packets, using any one selected from among, a method of compulsorily terminating a relevant process, a method of blocking packets of the relevant process for a specific time period, and a method of providing a simple alert.
  - 8. The method according to claim 1, further comprising:
    - the security server establishing detection and blocking scenario policies related to abnormal actions, analyzing the scenario policies for individual types, and distributing the scenario policies to the user terminal; and
      
      the user terminal applying the abnormal action-related detection and blocking scenario policies received from the security server to a kernel stage.
  - 11. A program for detecting and blocking unwanted programs in real time based on process behavior analysis according to claim 1.
  - 12. A recording medium for storing the program according to claim 11 in computer-readable form.

9. A system for detecting and blocking unwanted programs in real time based on process behavior analysis, the system comprising a plurality of user terminals and a security server individually connected to the user terminals over a network, wherein:
- each of the user terminals comprises an action monitoring module for monitoring actions of a process, a process tracking and Process Identification (PID) detection module for tracking actions of a process, abnormal actions of which have been detected, and detecting Process Identification (PID) of the process, a scenario blocking module for combining lists of actions taken by a relevant process for a given time period and blocking the relevant process when the actions match those of a composite scenario, a checksum blocking module for blocking a relevant process when a checksum of an execution program thereof matches a previously obtained checksum, a hooking detection and restoration module for, when an unwanted program is operating by injecting code into another process so as to conceal itself, detecting the unwanted program and restoring an original program, and an exceptional process database (DB) for examining a relevant process for an exception to action-based monitoring and then processing the relevant process as the exception to action-based monitoring; and
  
  the security server comprises an analysis module for analyzing statistical information received from the user terminals, a security measure module for collecting information about abnormal actions occurring in the user terminals and blocking of unwanted programs in the user terminals, thus taking security measures, and an overall DB for storing information about blocking conditions, occurrence of abnormal actions on each of the user terminals, and unwanted programs.
- View Dependent Claims (10)
- - 10. The system according to claim 9, wherein the security server further comprises:
    - an exceptional process DB transferred to each of the user terminals and used to determine an exception to action-based monitoring; and
      
      a blocking scenario DB transferred to the user terminal and used to perform process action-based matching and blocking

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ISE Information Company Limited
Original Assignee
ISE Information Company Limited
Inventors
Choi, Byeong Ho, Im, Chol Su

Application Number

US13/580,958
Publication Number

US 20120324575A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/52 during program execution, e...

G06F 21/554 involving event detection a...

System, Method, Program, and Recording Medium for Detecting and Blocking Unwanted Programs in Real Time Based on Process Behavior Analysis and Recording Medium for Storing Program

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

63 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

System, Method, Program, and Recording Medium for Detecting and Blocking Unwanted Programs in Real Time Based on Process Behavior Analysis and Recording Medium for Storing Program

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links