METHOD OF MODELING BEHAVIOR PATTERN OF INSTRUCTION SET IN N-GRAM MANNER, COMPUTING DEVICE OPERATING WITH THE METHOD, AND PROGRAM STORED IN STORAGE MEDIUM TO EXECUTE THE METHOD IN COMPUTING DEVICE

US 20160232345A1
Filed: 02/05/2016
Published: 08/11/2016
Est. Priority Date: 02/11/2015
Status: Active Grant

First Claim

Patent Images

1. A computing device configured to execute an instruction set, the computing device comprising:

a system call hooker configured to hook system calls that occur by the instruction set while the instruction set is executed;

a category extractor configured to extract a category to which each of the hooked system calls belongs, with reference to category information associated with a correspondence relationship between a system call and a category;

a sequence extractor configured to extract one or more behavior sequences expressed in an N-gram manner from a full sequence of the hooked system calls, with reference to the extracted category; and

a model generator configured to generate a behavior pattern model of the system calls that occur when the instruction set is executed, based on a number of times that each of the extracted behavior sequences occurs.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing device configured to execute an instruction set is provided. The computing device includes a system call hooker for hooking system calls that occur by the instruction set while the instruction set is executed, a category extractor for extracting a category to which each of the hooked system calls belongs with reference to category information associated with a correspondence relationship between a system call and a category, a sequence extractor for extracting one or more behavior sequences expressed in an N-gram manner from a full sequence of the hooked system calls with reference to the extracted category, and a model generator for generating a behavior pattern model of the system calls that occur when the instruction set is executed, based on a number of times that each of the extracted behavior sequences occurs.

Citations

18 Claims

1. A computing device configured to execute an instruction set, the computing device comprising:
- a system call hooker configured to hook system calls that occur by the instruction set while the instruction set is executed;
  
  a category extractor configured to extract a category to which each of the hooked system calls belongs, with reference to category information associated with a correspondence relationship between a system call and a category;
  
  a sequence extractor configured to extract one or more behavior sequences expressed in an N-gram manner from a full sequence of the hooked system calls, with reference to the extracted category; and
  
  a model generator configured to generate a behavior pattern model of the system calls that occur when the instruction set is executed, based on a number of times that each of the extracted behavior sequences occurs.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computing device of claim 1, wherein the extracted category corresponds to one of categories of process, thread, memory, file, registry, network, service, and others.
  - 3. The computing device of claim 1, wherein the model generator is configured to generate the behavior pattern model by associating some or all of behavior sequences expressed in the N-gram manner with the number of times that each of the extracted behavior sequences occurs.
  - 4. The computing device of claim 3, wherein the behavior pattern model is expressed in a vector format.
  - 5. The computing device of claim 1, wherein the category information is stored in at least one of a first storage included in the computing device, or a second storage provided separately from the computing device.
  - 6. The computing device of claim 1, wherein the behavior pattern model is stored in at least one of a first storage included in the computing device, or a second storage provided separately from the computing device.
  - 7. The computing device of claim 6, further comprising a behavior determiner configured to determine whether the executed instruction set is malicious, based on at least one of the generated behavior pattern model or the stored behavior pattern model.
  - 8. The computing device of claim 7, wherein the behavior determiner is configured to compare at least one of one or more malicious pattern models generated in advance by executing one or more malicious codes with at least one of the generated behavior pattern model or the stored behavior pattern model to determine whether the executed instruction set is malicious.
  - 9. The computing device of claim 7, wherein the behavior determiner is configured to compare at least one of one or more normal pattern models generated in advance by executing one or more normal codes with at least one of the generated behavior pattern model or the stored behavior pattern model to determine whether the executed instruction set is malicious.
  - 10. The computing device of claim 7, wherein the behavior determiner is further configured to classify the executed instruction set into one of a normal instruction set and a malicious instruction set based on the determined result.

11. A non-transitory computer-readable storage medium storing a program configured to model a behavior pattern associated with system calls that occur by an instruction set executed in a computing device, the program executing a process, in the computing device, that comprises:
- hooking, by a processor of the computing device, the system calls while the instruction set is executed under a control of the processor;
  
  extracting, by the processor, a category to which each of the hooked system calls belongs, with reference to category information stored in at least one of a first storage of the computing device or a second storage provided separately from the computing device;
  
  extracting, by the processor, one or more behavior sequences expressed in an N-gram manner from a full sequence of the hooked system calls, with reference to the extracted category; and
  
  generating, by the processor, a model of the behavior pattern based on a characteristic of the extracted behavior sequences.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The storage medium of claim 11, wherein the characteristic of the extracted behavior sequences comprises a number of times that each of the extracted behavior sequences occurs.
  - 13. The storage medium of claim 12, wherein the model of the behavior pattern is expressed in a vector format, and the vector format is generated by associating all behavior sequences expressed in the N-gram manner with the number of times that each of the extracted behavior sequences occurs.
  - 14. The storage medium of claim 11, wherein the process further comprises storing information associated with the model of the behavior pattern in at least one of the first storage or the second storage.
  - 15. The storage medium of claim 14, wherein the process further comprises comparing at least one of the generated model of the behavior pattern or the stored model of the behavior pattern with a reference model to determine whether the executed instruction set is malicious or normal.

16. A method for modeling a behavior pattern associated with system calls that occur by an instruction set executed in a computing device, the method comprising:
- hooking, by the computing device, the system calls;
  
  extracting, by the computing device, a category to which each of the hooked system calls belongs;
  
  extracting, by the computing device, one or more behavior sequences expressed in an N-gram manner from a full sequence of the hooked system calls, with reference to the extracted category; and
  
  generating, by the computing device, a model of the behavior pattern expressed in a vector format, based on a number of times that each of the extracted behavior sequences occurs.
- View Dependent Claims (17, 18)
- - 17. The method of claim 16, wherein the hooking comprises dynamically hooking the system calls while the instruction set is executed in the computing device.
  - 18. The method of claim 16, wherein the vector format is obtained by associating some or all of behavior sequences expressed in the N-gram manner with the number of times that each of the extracted behavior sequences occurs.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Electronics and Telecommunications Research Institute
Original Assignee
Electronics and Telecommunications Research Institute
Inventors
MOON, Dae Sung, KIM, Ik Kyun, LEE, Han Sung

Granted Patent

US 10,007,788 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

METHOD OF MODELING BEHAVIOR PATTERN OF INSTRUCTION SET IN N-GRAM MANNER, COMPUTING DEVICE OPERATING WITH THE METHOD, AND PROGRAM STORED IN STORAGE MEDIUM TO EXECUTE THE METHOD IN COMPUTING DEVICE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD OF MODELING BEHAVIOR PATTERN OF INSTRUCTION SET IN N-GRAM MANNER, COMPUTING DEVICE OPERATING WITH THE METHOD, AND PROGRAM STORED IN STORAGE MEDIUM TO EXECUTE THE METHOD IN COMPUTING DEVICE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links