Apparatus and method for detecting malicious process
Abstract
Provided are an apparatus and method for detecting a malicious process. The apparatus includes: a process monitoring unit for monitoring a process generated in a computing environment; a target process setting unit for previously setting a test target process among the processes confirmed by the process monitoring unit; a process generation time change monitoring unit for monitoring if the target process set by the target process setting unit requests to change a generation time; a generation time change preventing unit for preventing a change in the generation time of the target process when the target process requests to change the generation time; and a malicious process detecting unit for determining that a child process of the target process set by the target process setting unit is a malicious process if the child process is generated within a predetermined reference time.
12 Claims
1. An apparatus for detecting a malicious process, comprising:
- a process monitoring unit for monitoring a process generated in a computing environment;
- a target process setting unit for previously setting a test target process among the processes confirmed by the process monitoring unit;
- a file generation time change monitoring unit for monitoring if the target process set by the target process setting unit requests to change a file generation time;
- a file generation time change preventing unit for preventing a change in the file generation time of the target process when the target process requests to change the file generation time; and
- a malicious process detecting unit for determining that a child process of the target process set by the target process setting unit is a malicious process if the child process generates a file within a predetermined reference time.
8. A method for detecting a malicious process, comprising:
- monitoring if a process generated in a computing environment is a child process of a preset target process, and monitoring if the generated process calls an Application Program Interface (API) required for changing a file generation time and providing a substitution function instead of the API when the generated process is the preset target process; and
- recognizing the generated process as a malicious process when the process monitored to be the child process generates a file within a predetermined reference time.
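The method of claim 8, modelled as an added Python example over a constructed event stream; it is not code from the patent. The class and handler names, the sample process names and paths, the 5-second reference time, and measuring that time from the child process's creation are assumptions, since the page states none of them.

```python
from dataclasses import dataclass, field

@dataclass
class Detector:
    targets: set                       # preset target process names (constructed)
    reference_time: float = 5.0        # seconds; assumed, the page gives no value
    target_pids: set = field(default_factory=set)
    child_born: dict = field(default_factory=dict)   # child pid -> creation time
    file_ctime: dict = field(default_factory=dict)   # path -> recorded creation time
    blocked: list = field(default_factory=list)      # denied timestamp changes
    malicious: set = field(default_factory=set)

    def process_created(self, ts, pid, ppid, name):
        if ppid in self.target_pids:
            self.child_born[pid] = ts   # child of a target: start its clock
        if name in self.targets:
            self.target_pids.add(pid)

    def set_file_time(self, ts, pid, path, new_ctime):
        # Substitute for the hooked timestamp API: a target's request is logged, not applied.
        if pid in self.target_pids:
            self.blocked.append((pid, path))
            return False
        self.file_ctime[path] = new_ctime
        return True

    def file_created(self, ts, pid, path):
        self.file_ctime[path] = ts
        born = self.child_born.get(pid)
        if born is not None and ts - born <= self.reference_time:
            self.malicious.add(pid)

def run_sample():
    d = Detector(targets={"reader"})
    # Constructed event stream: (handler name, timestamp, pid, remaining args).
    events = [
        ("process_created", 0.0, 100, 1, "reader"),
        ("process_created", 1.0, 200, 100, "helper"),      # child of target
        ("file_created",    2.5, 200, "/tmp/a.bin"),       # 1.5 s after creation
        ("set_file_time",   3.0, 100, "/tmp/a.bin", 0.0),  # target requests a time change
        ("process_created", 4.0, 300, 1, "editor"),        # unrelated process
        ("file_created",    4.5, 300, "/tmp/b.txt"),
        ("set_file_time",   5.0, 300, "/tmp/b.txt", 1.0),  # non-target: allowed
        ("process_created", 10.0, 400, 100, "updater"),    # child of target
        ("file_created",    20.0, 400, "/tmp/c.log"),      # 10 s after creation
    ]
    for name, *args in events:
        getattr(d, name)(*args)
    return d
```
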
Specification