System and method of detecting anomaly malicious code by using process behavior prediction technique

US 8,181,248 B2
Filed: 11/21/2007
Issued: 05/15/2012
Est. Priority Date: 11/23/2006
Status: Active Grant

First Claim

Patent Images

1. An anomaly malicious code detection system using a process behavior prediction technique, comprising:

a DB filtering module configured to perform primary malicious code filtering with respect to execution codes executed in a target system;

a system resource monitor module operated by a processor device and configured to monitor a plurality of system resources to collect information of events that are generated by the execution codes executed in the target system, the collected event information being in the form of a plurality of resource logs corresponding to the plurality of system resources;

a reprocessing module configured to reprocess the collected event information to construct, from the collected event information, one integrated log representing a related behavior feature value of the execution codes, the integrated log having a plurality of records, each of the records representing an event and including a portion of the resource logs which corresponds to the event;

a behavior prediction information processing module configured to input the constructed integrated log into a learning algorithm to extract a malicious behavior feature value as a prediction pattern; and

an anomaly malicious behavior detection module configured to compare the extracted malicious behavior feature value with a related behavior feature value that is constructed in the reprocessing module to detect a malicious behavior, wherein the system resources are file system, process, registry, service, and network items, andthe system resource monitor module comprises;

a file monitor configured to extract information, including a detection time, a packet identification (PID), a path, and whether a system directory exists or not;

an IM monitor configured to extract information by each packet unit, including a detection time, a PID, a S/D-IP, and a packet length;

a process monitor configured to extract information, including a process detection time, a PID, and the number of threads;

a registry monitor configured to extract information, including a detection time, a PID, a registry path, a current state, and a size;

a TDI_P monitor configured to extract information, including a network information-detection time, a PID, a local IP address, a remote IP address, an average length of a packet, protocol, the number of pieces, a transmission size, and a reception size, which are expressed in a process unit through a TDI driver; and

a TDI_S monitor configured to extract information, including a network information-detection time, a PID, a local IP address, a remote IP address, a protocol, a transmission size, and a reception size, which are expressed in a session unit through the TDI driver.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are a pattern analyzing/detecting method and a system using the same that are capable of detecting and effectively preventing an unknown malicious code attack. To detect such an attack, the method monitors the system to combine all behaviors exhibited within the system due to corresponding malicious codes, reprocess and learn the behaviors, analyze existing malicious behavior feature values (prediction patterns), and compare them with a behavior pattern exhibited by an execution code.

Citations

11 Claims

1. An anomaly malicious code detection system using a process behavior prediction technique, comprising:
- a DB filtering module configured to perform primary malicious code filtering with respect to execution codes executed in a target system;
  
  a system resource monitor module operated by a processor device and configured to monitor a plurality of system resources to collect information of events that are generated by the execution codes executed in the target system, the collected event information being in the form of a plurality of resource logs corresponding to the plurality of system resources;
  
  a reprocessing module configured to reprocess the collected event information to construct, from the collected event information, one integrated log representing a related behavior feature value of the execution codes, the integrated log having a plurality of records, each of the records representing an event and including a portion of the resource logs which corresponds to the event;
  
  a behavior prediction information processing module configured to input the constructed integrated log into a learning algorithm to extract a malicious behavior feature value as a prediction pattern; and
  
  an anomaly malicious behavior detection module configured to compare the extracted malicious behavior feature value with a related behavior feature value that is constructed in the reprocessing module to detect a malicious behavior, wherein the system resources are file system, process, registry, service, and network items, andthe system resource monitor module comprises;
  
  a file monitor configured to extract information, including a detection time, a packet identification (PID), a path, and whether a system directory exists or not;
  
  an IM monitor configured to extract information by each packet unit, including a detection time, a PID, a S/D-IP, and a packet length;
  
  a process monitor configured to extract information, including a process detection time, a PID, and the number of threads;
  
  a registry monitor configured to extract information, including a detection time, a PID, a registry path, a current state, and a size;
  
  a TDI_P monitor configured to extract information, including a network information-detection time, a PID, a local IP address, a remote IP address, an average length of a packet, protocol, the number of pieces, a transmission size, and a reception size, which are expressed in a process unit through a TDI driver; and
  
  a TDI_S monitor configured to extract information, including a network information-detection time, a PID, a local IP address, a remote IP address, a protocol, a transmission size, and a reception size, which are expressed in a session unit through the TDI driver.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, wherein the reprocessing module constructs each record of the integrated log with respect to an event occurrence time.
  - 3. The system of claim 1, wherein the DB filtering module is configured to perform primary malicious code filtering by extracting a code signature from the execution codes and determining whether the extracted code signature is found in a malicious code signature DB and whether the extracted code signature is found in a normal code signature DB.
  - 4. The system of claim 3, wherein the system resource monitor module is configured to monitor the plurality of system resources to collect information of events that are generated by the execution codes when it is determined that the extracted code signature is not found in the malicious code signature DB and is not found in the normal code signature DB.
  - 5. The system of claim 3, wherein the extracted code signature is stored in the malicious code signature DB when any malicious behaviors are detected based on a result of the comparison between the extracted malicious behavior feature value and the related behavior feature value.

6. A method of detecting an anomaly malicious code by using a process behavior prediction technique, comprising the steps of:
- performing primary malicious code filtering on execution codes executed in a system;
  
  monitoring a plurality of system resources to collect information of events that are generated by the execution codes executed in the system, the collected event information being in the form of a plurality of resource logs corresponding to the plurality of system resources;
  
  reprocessing the collected event information to construct, from the collected information, one integrated log representing a related behavior feature value of the execution codes, the integrated log having a plurality of records, each of the records representing an event and including a portion of the resource logs which corresponds to the event;
  
  inputting the constructed integrated log into a learning algorithm to extract a malicious behavior feature value as a prediction pattern; and
  
  comparing the extracted malicious behavior feature value with a related behavior feature value that is constructed during the reprocessing of event information, to detect malicious behaviors, whereinthe system resources are file system, process, registry, service, and network items, andthe step of monitoring the plurality of system resources comprises the steps of;
  
  extracting by a file monitor, information including a detection time, a packet identification (PID), a path, and whether a system directory exists or not;
  
  extracting by an IM monitor, information by each packet unit, including a detection time, a PID, a S/D-IP, and a packet length;
  
  extracting by a process monitor, information including a process detection time, a PID, and the number of threads;
  
  extracting by a registry monitor, information including a detection time, a PID, a registry path, a current state, and a size;
  
  extracting by a TDI_P monitor, information including a network information-detection time, a PID, a local IP address, a remote IP address, an average length of a packet, protocol, the number of pieces, a transmission size, and a reception size, which are expressed in a process unit through a TDI driver; and
  
  extracting by a TDI_S monitor, information including a network information-detection time, a PID, a local IP address, a remote IP address, a protocol, a transmission size, and a reception size, which are expressed in a session unit through the TDI driver.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The method of claim 6, wherein the reprocessing of the collected event information further comprises the step of constructing each record of the integrated log with respect to an event occurrence time.
  - 8. The method of claim 7, wherein the constructing of each record further comprises the step of inserting into a record field with no value in a record of a particular event, a value in a record of a previous event, if the previous event has occurred within a recent event effective time range from the particular event, and inserting, if the previous event has occurred before within the recent event effective time range from the particular event, a null value into the record field with no value.
  - 9. The method of claim 6, wherein the step of performing primary malicious code filtering includes:
    - extracting a code signature from the execution codes anddetermining whether the extracted code signature is found in a malicious code signature DB and whether the extracted code signature is found in a normal code signature DB.
  - 10. The method of claim 9, wherein the plurality of system resources are monitored to collect information of events that are generated by the execution codes when it is determined that the extracted code signature is not found in the malicious code signature DB and is not found in the normal code signature DB.
  - 11. The method of claim 9, further comprising:
    - storing the extracted code signature in the malicious code signature DB when any malicious behaviors are detected based on a result of the comparison between the extracted malicious behavior feature value and the related behavior feature value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
F1 Security, Inc.
Original Assignee
Electronics and Telecommunications Research Institute
Inventors
Oh, HyungGeun, Paek, Seung-Hyun, Lee, Cheolho, Lee, DoHoon
Primary Examiner(s)
MOORTHY, ARAVIND K

Application Number

US11/944,268
Publication Number

US 20080127346A1
Time in Patent Office

1,637 Days
Field of Search

726 23- 25, 713/165, 713/166, 713/168, 713187-189, 709/224
US Class Current

726/23
CPC Class Codes

G06F 21/552 involving long-term monitor...

G06F 21/56 Computer malware detection ...

System and method of detecting anomaly malicious code by using process behavior prediction technique

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of detecting anomaly malicious code by using process behavior prediction technique

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links