APPARATUS AND METHOD FOR DETECTING MALICIOUS FILES

US 20130305366A1
Filed: 02/26/2013
Published: 11/14/2013
Est. Priority Date: 05/11/2012
Status: Active Grant

First Claim

Patent Images

1. An apparatus for detecting a malicious file, comprising:

a program driving unit configured to output an execution address of a command executed by driving a program corresponding to a non-executable file;

an address storage unit configured to store normal address range information in accordance with the driving of the program; and

a maliciousness determination unit configured to determine whether the non-executable file is malicious depending on whether the execution address is not within the normal address range information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus for detecting a malicious file, includes a program driving unit configured to output an execution address of a command executed by driving a program corresponding to a non-executable file; and an address storage unit configured to store normal address range information in accordance with the driving of the program.

Further, the apparatus includes a maliciousness determination unit configured to determine whether the non-executable file is malicious depending on whether the execution address is not within the normal address range information.

35 Citations

View as Search Results

20 Claims

1. An apparatus for detecting a malicious file, comprising:
- a program driving unit configured to output an execution address of a command executed by driving a program corresponding to a non-executable file;
  
  an address storage unit configured to store normal address range information in accordance with the driving of the program; and
  
  a maliciousness determination unit configured to determine whether the non-executable file is malicious depending on whether the execution address is not within the normal address range information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The apparatus claim 1, wherein the program driving unit determines a file format of the non-executable file, and selects and drives a program for executing the non-executable file based on the determined file format.
  - 3. The apparatus of claim 1, wherein the maliciousness determination unit determines, when the execution address is not within the normal address range information, whether or not a memory region indicated by the execution address has execution properties, and determines whether the non-executable file is malicious based on the determination result.
  - 4. The apparatus of claim 3, wherein the maliciousness determination unit determines:
    - when the memory region indicated by the execution address does not have execution properties, whether the non-executable file is malicious by checking whether an abnormal event occurs due to an execution of a code stored in the memory region indicated by the execution address;
      
      when the abnormal event does not occur, whether the non-executable file is malicious by checking whether an execution address from the next of the execution address to a predetermined operation is within the normal address range information; and
      
      when the memory region indicated by the execution address is determined to have execution properties, the non executable file to be normal.
  - 5. The apparatus of claim 1, further comprising a malicious code extraction unit configured to extract a code in a region corresponding to an execution address that is not included in the normal address range information.
  - 6. The apparatus of claim 1, further comprising a cause analysis unit configured to analyze cause for vulnerability by comparing vulnerability information and a module including a command related to the execution address that is not included in the normal address range information.
  - 7. The apparatus of claim 1, wherein the normal address range information includes a start address and an end address of a module loaded by the driving of the program.
  - 8. The apparatus of claim 1, wherein the maliciousness determination unit stores an execution address of a command executed immediately before the execution of a command of the execution address that is not within the normal address range information.

9. A method for detecting a malicious file comprising:
- obtaining an execution address of a command executed during driving of a program corresponding to a non-executable file;
  
  storing normal address range information in accordance with the driving of the program; and
  
  determining, when the obtained execution address is not included in the normal address range information, whether the non-executable file is malicious.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 10. The method of claim 9, wherein said determining whether the non-executable file is malicious includes:
    - determining, when the execution address is not included in the normal address range information, whether a memory region indicated by the execution address has execution properties; and
      
      determining whether the non-executable file is malicious based on the determination result.
  - 11. The method of claim 10, wherein said determining whether the non-executable file is malicious includes:
    - checking, when the memory region indicated by the execution address does not have execution properties, whether an abnormal event occurs due to execution of a code stored in the memory region indicated by the execution address; and
      
      determining, when the abnormal event occur, the non-executable file to be malicious.
  - 12. The method of claim 11, wherein said determining whether the non-executable file is malicious includes:
    - checking, when the abnormal event does not occur, whether an execution address from the next of the execution address to a predetermined operation indicates the memory region that is not included in the normal address range information;
      
      determining, when the execution address for the predetermined step indicates the memory region that is not included in the normal address range information, the non-executable file to be malicious.
  - 13. The method of claim 9, further comprising:
    - determining a format of the non-executable file,wherein a program corresponding to the non-executable file is driven based on the determined file format.
  - 14. The method of claim 9, further comprising:
    - extracting a code in a memory region indicated by the execution address that is not included in the normal address range information.
  - 15. The method of claim 9, further comprising:
    - analyzing cause for vulnerability by comparing vulnerability information and a module including a command related to an execution address that is not included in the normal address range information.
  - 16. The method of claim 9, wherein the normal address range information includes a start address and an end address of a module loaded by driving of the program.
  - 17. The method of claim 9, wherein said determining whether the non-executable file is malicious includes:
    - determining whether the execution address is within the normal address range based on a type of the executed command.
  - 18. The method of claim 17, wherein when the command is structured example handling (SEH), whether a chain value of the SEH is within the normal address range information is determined.
  - 19. The method of claim 18, wherein when the command is return, call or jump, a single step is performed to determine whether or not the execution address indicated by the command is within the normal address range information.
  - 20. The method of claim 9, further comprising:
    - storing an execution address of a command executed immediately before the execution of a command of the execution address that is not within the normal address range information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ahnlab Incorporated
Original Assignee
Ahnlab Incorporated
Inventors
LIM, Cha Sung, LEE, Ju Seok

Granted Patent

US 8,763,128 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/56 Computer malware detection ...

G06F 21/566 Dynamic detection, i.e. det...

APPARATUS AND METHOD FOR DETECTING MALICIOUS FILES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

35 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

APPARATUS AND METHOD FOR DETECTING MALICIOUS FILES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others