System and method of detecting anomaly malicious code by using process behavior prediction technique

  • US 8,181,248 B2
  • Filed: 11/21/2007
  • Issued: 05/15/2012
  • Est. Priority Date: 11/23/2006
  • Status: Active Grant
First Claim

1. An anomaly malicious code detection system using a process behavior prediction technique, comprising:

  • a DB filtering module configured to perform primary malicious code filtering with respect to execution codes executed in a target system;
  • a system resource monitor module operated by a processor device and configured to monitor a plurality of system resources to collect information of events that are generated by the execution codes executed in the target system, the collected event information being in the form of a plurality of resource logs corresponding to the plurality of system resources;
  • a reprocessing module configured to reprocess the collected event information to construct, from the collected event information, one integrated log representing a related behavior feature value of the execution codes, the integrated log having a plurality of records, each of the records representing an event and including a portion of the resource logs which corresponds to the event;
  • a behavior prediction information processing module configured to input the constructed integrated log into a learning algorithm to extract a malicious behavior feature value as a prediction pattern; and
  • an anomaly malicious behavior detection module configured to compare the extracted malicious behavior feature value with a related behavior feature value that is constructed in the reprocessing module to detect a malicious behavior, wherein the system resources are file system, process, registry, service, and network items, and the system resource monitor module comprises:
      • a file monitor configured to extract information, including a detection time, a packet identification (PID), a path, and whether a system directory exists or not;
      • an IM monitor configured to extract information by each packet unit, including a detection time, a PID, a S/D-IP, and a packet length;
      • a process monitor configured to extract information, including a process detection time, a PID, and the number of threads;
      • a registry monitor configured to extract information, including a detection time, a PID, a registry path, a current state, and a size;
      • a TDI_P monitor configured to extract information, including a network information-detection time, a PID, a local IP address, a remote IP address, an average length of a packet, protocol, the number of pieces, a transmission size, and a reception size, which are expressed in a process unit through a TDI driver; and
      • a TDI_S monitor configured to extract information, including a network information-detection time, a PID, a local IP address, a remote IP address, a protocol, a transmission size, and a reception size, which are expressed in a session unit through the TDI driver.
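The claim describes a pipeline rather than an algorithm: several per-resource monitors produce separate logs, a reprocessing step merges them into one integrated log whose records each carry only the slice of the resource logs belonging to that event, a learning step turns the integrated log into a prediction pattern, and a detection step compares each process's behavior feature value against that pattern. The following is an added example that is not the patent's own code or the assignee's implementation. Everything in it is constructed: the four monitor log layouts (a subset of the fields the claim lists), the sample log rows, the four feature names, and the "learning algorithm", which is a stand-in per-feature midpoint threshold between benign and malicious training means, since the claim does not specify the learning method.

```python
"""Toy version of the claimed pipeline: resource logs -> integrated log ->
per-process behavior feature values -> learned prediction pattern -> detection.
All names, field layouts, sample rows and the threshold learner are constructed
for illustration and are not taken from the patent."""
from collections import defaultdict

# Constructed resource logs, one per monitored system resource. Field order per
# row: detection time and PID first, then resource-specific fields.
FILE_LOG = [  # (time, pid, path, path_is_in_system_dir)
    (1, 100, r"C:\Windows\System32\drv.sys", True),
    (2, 100, r"C:\Windows\System32\x.dll", True),
    (1, 200, r"C:\Users\a\doc.txt", False),
]
PROCESS_LOG = [(1, 100, 12), (1, 200, 2)]  # (time, pid, thread_count)
REGISTRY_LOG = [  # (time, pid, registry_path, state, size)
    (2, 100, r"HKLM\...\Run\svc", "write", 64),
    (3, 100, r"HKLM\...\Services\drv", "write", 32),
]
NET_SESSION_LOG = [  # (time, pid, local_ip, remote_ip, proto, tx_bytes, rx_bytes)
    (3, 100, "10.0.0.5", "203.0.113.7", "TCP", 4096, 512),
    (2, 200, "10.0.0.5", "198.51.100.9", "TCP", 200, 9000),
]

def build_integrated_log(file_log, process_log, registry_log, net_log):
    """Reprocessing step: one time-ordered list of records, each representing a
    single event and carrying only the portion of its resource log."""
    records = []
    for t, pid, path, sysdir in file_log:
        records.append({"time": t, "pid": pid, "resource": "file",
                        "path": path, "system_dir": sysdir})
    for t, pid, threads in process_log:
        records.append({"time": t, "pid": pid, "resource": "process",
                        "threads": threads})
    for t, pid, rpath, state, size in registry_log:
        records.append({"time": t, "pid": pid, "resource": "registry",
                        "path": rpath, "state": state, "size": size})
    for t, pid, lip, rip, proto, tx, rx in net_log:
        records.append({"time": t, "pid": pid, "resource": "network",
                        "local": lip, "remote": rip, "proto": proto,
                        "tx": tx, "rx": rx})
    return sorted(records, key=lambda r: (r["time"], r["pid"]))

FEATURES = ("sysdir_file_events", "registry_writes", "net_tx_bytes", "max_threads")

def behavior_feature_values(integrated_log):
    """Per-PID behavior feature vector (the claim's 'related behavior feature value')."""
    feats = defaultdict(lambda: dict.fromkeys(FEATURES, 0))
    for r in integrated_log:
        f = feats[r["pid"]]
        if r["resource"] == "file" and r["system_dir"]:
            f["sysdir_file_events"] += 1
        elif r["resource"] == "registry" and r["state"] == "write":
            f["registry_writes"] += 1
        elif r["resource"] == "network":
            f["net_tx_bytes"] += r["tx"]
        elif r["resource"] == "process":
            f["max_threads"] = max(f["max_threads"], r["threads"])
    return dict(feats)

# Constructed labelled feature vectors standing in for a training corpus.
TRAINING = [
    ({"sysdir_file_events": 3, "registry_writes": 2, "net_tx_bytes": 5000, "max_threads": 10}, True),
    ({"sysdir_file_events": 0, "registry_writes": 0, "net_tx_bytes": 300, "max_threads": 2}, False),
    ({"sysdir_file_events": 1, "registry_writes": 1, "net_tx_bytes": 2000, "max_threads": 8}, True),
    ({"sysdir_file_events": 0, "registry_writes": 1, "net_tx_bytes": 100, "max_threads": 3}, False),
]

def learn_prediction_pattern(labelled):
    """Stand-in learning algorithm (an assumption, not the patent's): per feature,
    the threshold is the midpoint between the benign mean and the malicious mean."""
    def mean(vals):
        return sum(vals) / len(vals)
    pattern = {}
    for name in FEATURES:
        mal = [fv[name] for fv, is_mal in labelled if is_mal]
        ben = [fv[name] for fv, is_mal in labelled if not is_mal]
        pattern[name] = (mean(mal) + mean(ben)) / 2
    return pattern

def detect(feature_values, pattern, min_hits=2):
    """Detection step: flag a PID when at least min_hits features exceed the
    learned threshold, so a single noisy feature alone does not raise an alert."""
    return {pid: sum(1 for n in FEATURES if fv[n] > pattern[n]) >= min_hits
            for pid, fv in feature_values.items()}

def run():
    log = build_integrated_log(FILE_LOG, PROCESS_LOG, REGISTRY_LOG, NET_SESSION_LOG)
    return detect(behavior_feature_values(log), learn_prediction_pattern(TRAINING))

if __name__ == "__main__":
    print(run())  # PID 100 (system-dir writes, Run-key writes, outbound bytes) is flagged
```

The split between `build_integrated_log` and `behavior_feature_values` mirrors the claim's distinction between the integrated log (raw events with their resource-log slices) and the feature value derived from it; keeping the raw records lets an analyst inspect which events produced a verdict rather than only the score. The `min_hits` parameter is the knob that trades false positives for misses and is the first thing to tune on real logs.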

  • 2 Assignments