System and method of detecting anomaly malicious code by using process behavior prediction technique
First Claim
1. An anomaly malicious code detection system using a process behavior prediction technique, comprising:
a DB filtering module configured to perform primary malicious code filtering with respect to execution codes executed in a target system;
a system resource monitor module operated by a processor device and configured to monitor a plurality of system resources to collect information of events that are generated by the execution codes executed in the target system, the collected event information being in the form of a plurality of resource logs corresponding to the plurality of system resources;
a reprocessing module configured to reprocess the collected event information to construct, from the collected event information, one integrated log representing a related behavior feature value of the execution codes, the integrated log having a plurality of records, each of the records representing an event and including a portion of the resource logs which corresponds to the event;
a behavior prediction information processing module configured to input the constructed integrated log into a learning algorithm to extract a malicious behavior feature value as a prediction pattern; and
an anomaly malicious behavior detection module configured to compare the extracted malicious behavior feature value with a related behavior feature value that is constructed in the reprocessing module to detect a malicious behavior, wherein the system resources are file system, process, registry, service, and network items, and the system resource monitor module comprises:
a file monitor configured to extract information, including a detection time, a packet identification (PID), a path, and whether a system directory exists or not;
an IM monitor configured to extract information by each packet unit, including a detection time, a PID, a S/D-IP, and a packet length;
a process monitor configured to extract information, including a process detection time, a PID, and the number of threads;
a registry monitor configured to extract information, including a detection time, a PID, a registry path, a current state, and a size;
a TDI_P monitor configured to extract information, including a network information-detection time, a PID, a local IP address, a remote IP address, an average length of a packet, protocol, the number of pieces, a transmission size, and a reception size, which are expressed in a process unit through a TDI driver; and
a TDI_S monitor configured to extract information, including a network information-detection time, a PID, a local IP address, a remote IP address, a protocol, a transmission size, and a reception size, which are expressed in a session unit through the TDI driver.
Abstract
Provided are a pattern analyzing/detecting method and a system using the same that are capable of detecting and effectively preventing an unknown malicious code attack. To detect such an attack, the method monitors the system to combine all behaviors exhibited within the system due to corresponding malicious codes, reprocess and learn the behaviors, analyze existing malicious behavior feature values (prediction patterns), and compare them with a behavior pattern exhibited by an execution code.
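The abstract and claim 1 name the stages of the pipeline (primary DB filtering, per-resource monitoring, reprocessing into one integrated log, learning a prediction pattern, comparison) but say nothing about how the resource logs are merged, what a behavior feature value looks like, or which learning algorithm is used. The block below is an added example written for this page, not code from the patent or its assignee. It walks constructed monitor records through that pipeline under the following assumptions: records are dictionaries carrying the field names from claim 1, grouping by PID is the rule for deciding which portion of each resource log "corresponds" to an event, the feature value is a fixed seven-element vector, the learning algorithm is a nearest-centroid stand-in, and the comparison is cosine similarity against a 0.9 threshold. The hashes, paths, addresses, and training vectors are all constructed.

```python
"""Toy of the claimed pipeline: resource logs -> integrated log -> feature
values -> learned prediction pattern -> comparison.  Every record, field
name, threshold and the centroid 'learning algorithm' are assumptions made
for this example; the patent does not specify them."""
import hashlib
import math
from collections import defaultdict

# --- Primary DB filtering (signature stage) ---------------------------------
# Constructed known-bad hash set; a real deployment would load this from a DB.
KNOWN_MALICIOUS_SHA256 = {hashlib.sha256(b"constructed malicious sample").hexdigest()}


def db_filter(image_bytes):
    """True when the execution code is already known bad, so the behavior
    stage can be skipped for it."""
    return hashlib.sha256(image_bytes).hexdigest() in KNOWN_MALICIOUS_SHA256


# --- Constructed resource logs, one per monitor, using claim 1's field sets --
FILE_LOG = [
    {"time": 1.0, "pid": 100, "path": r"C:\Windows\System32\svc.dll", "sysdir": True},
    {"time": 1.5, "pid": 100, "path": r"C:\Windows\System32\drivers\x.sys", "sysdir": True},
    {"time": 2.0, "pid": 200, "path": r"C:\Users\a\report.txt", "sysdir": False},
]
PROCESS_LOG = [
    {"time": 0.9, "pid": 100, "threads": 12},
    {"time": 1.8, "pid": 200, "threads": 3},
]
REGISTRY_LOG = [
    {"time": 1.2, "pid": 100,
     "path": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "state": "write", "size": 64},
]
TDI_P_LOG = [  # per-process network summary, as the TDI_P monitor would emit
    {"time": 1.7, "pid": 100, "local": "10.0.0.5", "remote": "203.0.113.9",
     "avg_len": 512, "proto": "tcp", "pieces": 40, "tx": 20480, "rx": 1024},
]

FEATURES = ("file_sysdir_writes", "file_other", "registry_run_writes",
            "registry_other", "threads", "net_tx_kb", "net_rx_kb")


# --- Reprocessing: build the one integrated log ------------------------------
def build_integrated_log(file_log, process_log, registry_log, tdi_p_log):
    """One record per PID (the assumed 'event'), each holding the slice of
    every resource log that belongs to that PID."""
    records = defaultdict(lambda: {"file": [], "process": [], "registry": [], "tdi_p": []})
    for src, log in (("file", file_log), ("process", process_log),
                     ("registry", registry_log), ("tdi_p", tdi_p_log)):
        for entry in log:
            records[entry["pid"]][src].append(entry)
    return dict(records)


def behavior_feature_value(record):
    """Related behavior feature value of one record as a vector in FEATURES order."""
    f = dict.fromkeys(FEATURES, 0.0)
    for e in record["file"]:
        f["file_sysdir_writes" if e["sysdir"] else "file_other"] += 1
    for e in record["registry"]:
        if e["path"].lower().endswith("\\run") and e["state"] == "write":
            f["registry_run_writes"] += 1      # persistence-style key write
        else:
            f["registry_other"] += 1
    for e in record["process"]:
        f["threads"] = max(f["threads"], e["threads"])
    for e in record["tdi_p"]:
        f["net_tx_kb"] += e["tx"] / 1024
        f["net_rx_kb"] += e["rx"] / 1024
    return [f[k] for k in FEATURES]


# --- Learning: extract the prediction pattern --------------------------------
# Constructed feature vectors of two known-malicious runs (same FEATURES order).
MALICIOUS_TRAINING = [
    [2, 0, 1, 0, 10, 15, 1],
    [3, 0, 1, 0, 14, 25, 1],
]


def learn_prediction_pattern(malicious_vectors):
    """Stand-in learning algorithm: centroid of known-malicious feature vectors."""
    n = len(malicious_vectors)
    return [sum(v[i] for v in malicious_vectors) / n for i in range(len(FEATURES))]


# --- Detection: compare feature values with the pattern ----------------------
def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return 0.0 if na == 0 or nb == 0 else dot / (na * nb)


def detect(integrated_log, pattern, threshold=0.9):
    """Map each PID to True when its behavior feature value is close enough
    to the learned malicious pattern (threshold is an assumption)."""
    return {pid: cosine(behavior_feature_value(rec), pattern) >= threshold
            for pid, rec in integrated_log.items()}


if __name__ == "__main__":
    log = build_integrated_log(FILE_LOG, PROCESS_LOG, REGISTRY_LOG, TDI_P_LOG)
    print(detect(log, learn_prediction_pattern(MALICIOUS_TRAINING)))
```

With these constructed inputs PID 100 (two system-directory file writes, a Run-key write, 20 KB sent to a remote host) matches the pattern and PID 200 does not. Cosine similarity on raw counts is dominated by the large-magnitude features (threads, bytes sent), so a real deployment would scale each feature before comparison and tune the threshold on held-out benign runs; neither the metric nor the threshold comes from the patent.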
11 Claims
1. (Identical to the First Claim above.) Dependent claims: 2, 3, 4, 5
6. A method of detecting an anomaly malicious code by using a process behavior prediction technique, comprising the steps of:
performing primary malicious code filtering on execution codes executed in a system;
monitoring a plurality of system resources to collect information of events that are generated by the execution codes executed in the system, the collected event information being in the form of a plurality of resource logs corresponding to the plurality of system resources;
reprocessing the collected event information to construct, from the collected information, one integrated log representing a related behavior feature value of the execution codes, the integrated log having a plurality of records, each of the records representing an event and including a portion of the resource logs which corresponds to the event;
inputting the constructed integrated log into a learning algorithm to extract a malicious behavior feature value as a prediction pattern; and
comparing the extracted malicious behavior feature value with a related behavior feature value that is constructed during the reprocessing of event information, to detect malicious behaviors, wherein the system resources are file system, process, registry, service, and network items, and the step of monitoring the plurality of system resources comprises the steps of:
extracting by a file monitor, information including a detection time, a packet identification (PID), a path, and whether a system directory exists or not;
extracting by an IM monitor, information by each packet unit, including a detection time, a PID, a S/D-IP, and a packet length;
extracting by a process monitor, information including a process detection time, a PID, and the number of threads;
extracting by a registry monitor, information including a detection time, a PID, a registry path, a current state, and a size;
extracting by a TDI_P monitor, information including a network information-detection time, a PID, a local IP address, a remote IP address, an average length of a packet, protocol, the number of pieces, a transmission size, and a reception size, which are expressed in a process unit through a TDI driver; and
extracting by a TDI_S monitor, information including a network information-detection time, a PID, a local IP address, a remote IP address, a protocol, a transmission size, and a reception size, which are expressed in a session unit through the TDI driver.
Dependent claims: 7, 8, 9, 10, 11