Apparatus and method for detection of malicious program using program behavior

US 8,245,295 B2
Filed: 04/08/2008
Issued: 08/14/2012
Est. Priority Date: 07/10/2007
Status: Active Grant

First Claim

Patent Images

1. An apparatus for diagnosing malicious code, the apparatus comprising:

a behavior vector generation unit configured to generate a first behavior vector based on a behavior signature extracted from a diagnostic target program;

a diagnostic data storage unit configured to store a plurality of second behavior vectors for a plurality of sample programs predetermined to be maliciousa code diagnostic unit configured to diagnose whether the diagnostic target program is a malicious code by comparing the first behavior vector with the plurality of second behavior vectorswherein the code diagnostic unit comprises;

a distance calculation unit configured to calculate and compare each distance between the first behavior vector and the plurality of second behavior vectors; and

a code determination unit configured to divide a vector space into a normal behavior vector space and a malicious behavior vector space, the vector space including the first behavior vector and the plurality of second behavior vectors, to determine whether the first behavior vector is located in the malicious behavior vector space, and to determine that the diagnostic target program is a malicious code when the first behavior vector is included in the malicious behavior vector space.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and method of diagnosing whether a computer program executed in a computer system is a malicious program and more particularly, an apparatus and method of diagnosing whether a computer program is a malicious program using a behavior of a computer program, and an apparatus and method of generating malicious code diagnostic data is provided. The apparatus for diagnosing a malicious code may include a behavior vector generation unit which generates a first behavior vector based on a behavior signature extracted from a diagnostic target program; a diagnostic data storage unit which stores a plurality of second behavior vectors for a plurality of sample programs predetermined to be malicious or normal; and a code diagnostic unit which diagnoses whether the diagnostic target program is a malicious code by comparing the first behavior vector with the plurality of second behavior vectors.

37 Citations

View as Search Results

17 Claims

1. An apparatus for diagnosing malicious code, the apparatus comprising:
- a behavior vector generation unit configured to generate a first behavior vector based on a behavior signature extracted from a diagnostic target program;
  
  a diagnostic data storage unit configured to store a plurality of second behavior vectors for a plurality of sample programs predetermined to be maliciousa code diagnostic unit configured to diagnose whether the diagnostic target program is a malicious code by comparing the first behavior vector with the plurality of second behavior vectorswherein the code diagnostic unit comprises;
  
  a distance calculation unit configured to calculate and compare each distance between the first behavior vector and the plurality of second behavior vectors; and
  
  a code determination unit configured to divide a vector space into a normal behavior vector space and a malicious behavior vector space, the vector space including the first behavior vector and the plurality of second behavior vectors, to determine whether the first behavior vector is located in the malicious behavior vector space, and to determine that the diagnostic target program is a malicious code when the first behavior vector is included in the malicious behavior vector space.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The apparatus of claim 1, wherein the distance is a Euclidean distance.
  - 3. The apparatus of claim 1, wherein the code diagnostic unit comprises:
    - a vector conversion unit configured to convert the first behavior vector into a higher-dimensional first feature vector, and converts the plurality of second behavior vectors into a plurality of higher-dimensional second feature vectors;
      
      a distance calculation unit configured to calculate each distance between the first feature vector and the plurality of second feature vectors; and
      
      a code determination unit configured to determine whether the diagnostic target program is a malicious code based on the calculated distance.
  - 4. The apparatus of claim 1, wherein the diagnostic data storage unit stores a weight vector determined based on the second behavior vector of each sample program and whether the sample program is malicious, andthe code determination unit determines whether the diagnostic target program is a malicious code by comparing a determined threshold value with a value calculated by multiplying the calculated distance and an element of the weight vector.
  - 5. The apparatus of claim 4, wherein the code determination unit multiplies the calculated distance and the element of the weight vector according to a value of the following equation:
  - 6. The apparatus of claim 5, wherein the determined threshold value is determined by the following equation:

7. A method of diagnosing a malicious code, the method comprising:
- generating a first behavior vector based on a behavior signature extracted from a diagnostic target program;
  
  loading a plurality of second behavior vectors for a plurality of sample programs predetermined to be malicious; and
  
  diagnosing whether the diagnostic target program is a malicious code by comparing the first behavior vector with the plurality of second behavior vectorswherein the step of diagnosing comprises;
  
  calculating and comparing each distance between the first behavior vector and the plurality of second behavior vectors;
  
  dividing a vector space into a normal behavior vector space and a malicious behavior vector space, the vector space including the first behavior vector and the plurality of second behavior vectors,determining whether the first behavior vector is located in the malicious behavior vector space; and
  
  determining that the diagnostic target program is a malicious code when the first behavior vector is included in the malicious behavior vector space.
- View Dependent Claims (8, 9, 10)
- - 8. The method of claim 7, wherein the calculating and comparing calculates a Euclidean distance between each behavior vector.
  - 9. The method of claim 7, wherein the diagnosing comprises:
    - converting the first behavior vector into a higher-dimensional first feature vector, and converting the plurality of second behavior vectors into a plurality of higher-dimensional second feature vectors;
      
      calculating each distance between the first feature vector and the plurality of second feature vectors; and
      
      determining whether the diagnostic target program is a malicious code based on the calculated distance.
  - 10. The method of claim 7, wherein the determining determines whether the diagnostic target program is a malicious code by comparing a determined threshold value with a value calculated by multiplying the calculated distance and an element of the weight vector determined based on the second behavior vector of each sample program and whether the sample program is malicious.

11. An apparatus for generating malicious code diagnostic data, the apparatus comprising:
- a behavior vector generation unit configured to generate behavior vectors for determining whether a diagnostic target program is a malicious code from a plurality of sample programs predetermined to be malicious;
  
  a weight vector determination unit configured to determine a weight vector for determining whether a diagnostic target program is a malicious code based on each behavior vector for the plurality of sample programs and whether the sample program is malicious; and
  
  a diagnostic data storage unit configured to store each behavior vector and the weight vectora distance calculation unit configured to calculate and compare each distance between the first behavior vector and the plurality of second behavior vectors; and
  
  a code determination unit configured to divide a vector space into a normal behavior vector space and a malicious behavior vector space, the vector space including the first behavior vector and the plurality of second behavior vectors, to determine whether the first behavior vector is located in the malicious behavior vector space, and to determine that the diagnostic target program is a malicious code when the first behavior vector is included in the malicious behavior vector spacewherein the weight vector determination unit determines the weight vector based on the calculated distance between the plurality of behavior vectors and whether the plurality of sample programs is malicious.
- View Dependent Claims (12, 13)
- - 12. The apparatus of claim 11, wherein the weight vector determination unit maximizes w(α
    - ) in accordance with the following equation;
  - 13. The apparatus of claim 12, wherein the weight vector determination unit determines a threshold value used for determining whether the diagnostic target program is the malicious code by the following equation:

14. A method of generating malicious code diagnostic data, the method comprising:
- generating each behavior vector for determining whether a diagnostic target program is a malicious code from a plurality of sample programs determined in advance whether to be malicious;
  
  determining a weight vector for determining whether a diagnostic target program is a malicious code based on each behavior vector for the plurality of sample programs and whether the sample program is malicious;
  
  storing each behavior vector and the weight vector;
  
  calculating and comparing each distance between the first behavior vector and the plurality of second behavior vectors; and
  
  dividing a vector space into a normal behavior vector space and a malicious behavior vector space, the vector space including the first behavior vector and the plurality of second behavior vectors,determining whether the first behavior vector is located in the malicious behavior vector space; and
  
  determining that the diagnostic target program is a malicious code when the first behavior vector is included in the malicious behavior vector space,wherein the weight vector determination unit determines the weight vector based on the calculated distance between the plurality of behavior vectors and whether the plurality of sample programs is malicious.
- View Dependent Claims (15, 16)
- - 15. The method of claim 14, wherein the determining maximizes w(α
    - ) in accordance with the following equation;
  - 16. The method of claim 15, wherein the determining determines a threshold value used for determining whether the diagnostic target program is the malicious code by the following equation:

17. A non-transitory computer readable recording medium comprising a program implementing a method of diagnosing a malicious code stored on said computer-readable recording medium, the program including instructions to cause a computer to:
- generate a first behavior vector based on a behavior signature extracted from a diagnostic target program;
  
  load a plurality of second behavior vectors for a plurality of sample programs determined in advance whether to be malicious;
  
  calculating and comparing each distance between the first behavior vector and the plurality of second behavior vectors;
  
  dividing a vector space into a normal behavior vector space and a malicious behavior vector space, the vector space including the first behavior vector and the plurality of second behavior vectors,determining whether the first behavior vector is located in the malicious behavior vector space; and
  
  determining that the diagnostic target program is a malicious code when the first behavior vector is included in the malicious behavior vector space.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Samsung Electronics Co. Ltd., Board of Regents of the University of Michigan (University of Michigan)
Original Assignee
Samsung Electronics Co. Ltd., Board of Regents of the University of Michigan (University of Michigan)
Inventors
Park, Taejoon, Shin, Kang Geun, Hu, Xin, Bose, Abhijit
Primary Examiner(s)
CHEN, SHIN HON

Application Number

US12/099,649
Publication Number

US 20090049549A1
Time in Patent Office

1,589 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

Apparatus and method for detection of malicious program using program behavior

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

37 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for detection of malicious program using program behavior

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links