Apparatus and method for detection of malicious program using program behavior
First Claim
1. An apparatus for diagnosing malicious code, the apparatus comprising:
a behavior vector generation unit configured to generate a first behavior vector based on a behavior signature extracted from a diagnostic target program;
a diagnostic data storage unit configured to store a plurality of second behavior vectors for a plurality of sample programs predetermined to be malicious; and
a code diagnostic unit configured to diagnose whether the diagnostic target program is a malicious code by comparing the first behavior vector with the plurality of second behavior vectors, wherein the code diagnostic unit comprises:
a distance calculation unit configured to calculate and compare each distance between the first behavior vector and the plurality of second behavior vectors; and
a code determination unit configured to divide a vector space into a normal behavior vector space and a malicious behavior vector space, the vector space including the first behavior vector and the plurality of second behavior vectors, to determine whether the first behavior vector is located in the malicious behavior vector space, and to determine that the diagnostic target program is a malicious code when the first behavior vector is included in the malicious behavior vector space.
Abstract
An apparatus and method of diagnosing whether a computer program executed in a computer system is a malicious program, and more particularly an apparatus and method of diagnosing whether a computer program is a malicious program using the behavior of the computer program, together with an apparatus and method of generating malicious code diagnostic data, are provided. The apparatus for diagnosing a malicious code may include a behavior vector generation unit which generates a first behavior vector based on a behavior signature extracted from a diagnostic target program; a diagnostic data storage unit which stores a plurality of second behavior vectors for a plurality of sample programs predetermined to be malicious or normal; and a code diagnostic unit which diagnoses whether the diagnostic target program is a malicious code by comparing the first behavior vector with the plurality of second behavior vectors.
37 Citations
17 Claims
1. An apparatus for diagnosing malicious code, the apparatus comprising:
a behavior vector generation unit configured to generate a first behavior vector based on a behavior signature extracted from a diagnostic target program;
a diagnostic data storage unit configured to store a plurality of second behavior vectors for a plurality of sample programs predetermined to be malicious; and
a code diagnostic unit configured to diagnose whether the diagnostic target program is a malicious code by comparing the first behavior vector with the plurality of second behavior vectors, wherein the code diagnostic unit comprises:
a distance calculation unit configured to calculate and compare each distance between the first behavior vector and the plurality of second behavior vectors; and
a code determination unit configured to divide a vector space into a normal behavior vector space and a malicious behavior vector space, the vector space including the first behavior vector and the plurality of second behavior vectors, to determine whether the first behavior vector is located in the malicious behavior vector space, and to determine that the diagnostic target program is a malicious code when the first behavior vector is included in the malicious behavior vector space.
Dependent claims: 2, 3, 4, 5, 6
7. A method of diagnosing a malicious code, the method comprising:
generating a first behavior vector based on a behavior signature extracted from a diagnostic target program;
loading a plurality of second behavior vectors for a plurality of sample programs predetermined to be malicious; and
diagnosing whether the diagnostic target program is a malicious code by comparing the first behavior vector with the plurality of second behavior vectors, wherein the step of diagnosing comprises:
calculating and comparing each distance between the first behavior vector and the plurality of second behavior vectors;
dividing a vector space into a normal behavior vector space and a malicious behavior vector space, the vector space including the first behavior vector and the plurality of second behavior vectors;
determining whether the first behavior vector is located in the malicious behavior vector space; and
determining that the diagnostic target program is a malicious code when the first behavior vector is included in the malicious behavior vector space.
Dependent claims: 8, 9, 10
11. An apparatus for generating malicious code diagnostic data, the apparatus comprising:
a behavior vector generation unit configured to generate behavior vectors for determining whether a diagnostic target program is a malicious code from a plurality of sample programs predetermined to be malicious;
a weight vector determination unit configured to determine a weight vector for determining whether a diagnostic target program is a malicious code based on each behavior vector for the plurality of sample programs and whether the sample program is malicious;
a diagnostic data storage unit configured to store each behavior vector and the weight vector;
a distance calculation unit configured to calculate and compare each distance between the first behavior vector and the plurality of second behavior vectors; and
a code determination unit configured to divide a vector space into a normal behavior vector space and a malicious behavior vector space, the vector space including the first behavior vector and the plurality of second behavior vectors, to determine whether the first behavior vector is located in the malicious behavior vector space, and to determine that the diagnostic target program is a malicious code when the first behavior vector is included in the malicious behavior vector space,
wherein the weight vector determination unit determines the weight vector based on the calculated distance between the plurality of behavior vectors and whether the plurality of sample programs is malicious.
Dependent claims: 12, 13
14. A method of generating malicious code diagnostic data, the method comprising:
generating each behavior vector for determining whether a diagnostic target program is a malicious code from a plurality of sample programs determined in advance whether to be malicious;
determining a weight vector for determining whether a diagnostic target program is a malicious code based on each behavior vector for the plurality of sample programs and whether the sample program is malicious;
storing each behavior vector and the weight vector;
calculating and comparing each distance between the first behavior vector and the plurality of second behavior vectors;
dividing a vector space into a normal behavior vector space and a malicious behavior vector space, the vector space including the first behavior vector and the plurality of second behavior vectors;
determining whether the first behavior vector is located in the malicious behavior vector space; and
determining that the diagnostic target program is a malicious code when the first behavior vector is included in the malicious behavior vector space,
wherein the weight vector determination unit determines the weight vector based on the calculated distance between the plurality of behavior vectors and whether the plurality of sample programs is malicious.
Dependent claims: 15, 16
17. A non-transitory computer readable recording medium comprising a program implementing a method of diagnosing a malicious code stored on said computer-readable recording medium, the program including instructions to cause a computer to:
generate a first behavior vector based on a behavior signature extracted from a diagnostic target program;
load a plurality of second behavior vectors for a plurality of sample programs determined in advance whether to be malicious;
calculate and compare each distance between the first behavior vector and the plurality of second behavior vectors;
divide a vector space into a normal behavior vector space and a malicious behavior vector space, the vector space including the first behavior vector and the plurality of second behavior vectors;
determine whether the first behavior vector is located in the malicious behavior vector space; and
determine that the diagnostic target program is a malicious code when the first behavior vector is included in the malicious behavior vector space.
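The abstract and the claims above describe one pipeline: a behavior signature extracted from the target program is turned into a behavior vector, distances to stored behavior vectors of sample programs with known labels are calculated and compared, a weight vector is determined from those sample vectors and their labels, and the target is called malicious if its vector falls in the malicious part of the partitioned vector space. The following is an added worked example of that pipeline, written for this page and not taken from the patent; the feature set, the count/presence encoding of the signature, the weighted Euclidean distance, the weighting rule (between-class versus within-class per-feature distance) and the nearest-sample partition of the vector space are all assumptions, since the claims fix none of them. The sample programs and the diagnostic target are constructed.

```python
"""Added example of the behavior-vector diagnosis described in the abstract
and claims. Feature set, encoding, distance metric, weighting rule and the
nearest-sample partition are assumptions for this example, not the patent's."""
from dataclasses import dataclass
from math import sqrt
from typing import List, Sequence, Tuple

# Behaviors a behavior signature may contain (assumed feature set).
FEATURES = ["file_read", "file_write", "registry_write", "process_create",
            "network_connect", "autorun_set", "self_copy", "keylog_hook"]


def behavior_vector(signature: Sequence[str], presence: bool = False) -> List[float]:
    """Behavior vector generation unit: behavior signature (observed behaviors,
    in order) -> behavior vector. Count encoding by default; presence=True
    maps each feature to 0/1 instead (assumed encodings)."""
    counts = {f: 0 for f in FEATURES}
    for behavior in signature:
        if behavior in counts:  # behaviors outside the feature set are dropped
            counts[behavior] += 1
    return [float(min(counts[f], 1) if presence else counts[f]) for f in FEATURES]


def weighted_distance(a: Sequence[float], b: Sequence[float], w: Sequence[float]) -> float:
    """Distance calculation unit: weighted Euclidean distance (assumed metric)."""
    return sqrt(sum(wi * (ai - bi) ** 2 for ai, bi, wi in zip(a, b, w)))


@dataclass
class DiagnosticData:
    """Diagnostic data storage unit: sample (second) behavior vectors, their
    labels, and the weight vector."""
    vectors: List[List[float]]
    malicious: List[bool]
    weights: List[float]


def determine_weights(vectors: List[List[float]], malicious: List[bool]) -> List[float]:
    """Weight vector determination unit, from the pairwise distances between
    sample vectors and their labels. Assumed rule: per feature, mean absolute
    distance between malicious/normal pairs divided by (1 + mean absolute
    distance between same-label pairs), so separating features weigh more."""
    n = len(FEATURES)
    between, within = [0.0] * n, [0.0] * n
    n_between = n_within = 0
    for i in range(len(vectors)):
        for j in range(i + 1, len(vectors)):
            diffs = [abs(x - y) for x, y in zip(vectors[i], vectors[j])]
            if malicious[i] != malicious[j]:
                between = [b + d for b, d in zip(between, diffs)]
                n_between += 1
            else:
                within = [w + d for w, d in zip(within, diffs)]
                n_within += 1
    return [(b / max(n_between, 1)) / (1.0 + w / max(n_within, 1))
            for b, w in zip(between, within)]


def generate_diagnostic_data(labelled: Sequence[Tuple[Sequence[str], bool]],
                             presence: bool = False) -> DiagnosticData:
    """Build the stored second behavior vectors and the weight vector from
    sample programs predetermined to be malicious (True) or normal (False)."""
    vectors = [behavior_vector(sig, presence) for sig, _ in labelled]
    labels = [is_mal for _, is_mal in labelled]
    return DiagnosticData(vectors, labels, determine_weights(vectors, labels))


def diagnose(signature: Sequence[str], data: DiagnosticData, presence: bool = False) -> bool:
    """Code diagnostic unit. The code determination unit's partition is read
    here as the nearest-sample rule (assumption): every sample owns the region
    of points closer to it than to any other sample, and the malicious behavior
    vector space is the union of the malicious samples' regions. Returns True
    when the target's first behavior vector lies in that space."""
    target = behavior_vector(signature, presence)
    distances = [weighted_distance(target, v, data.weights) for v in data.vectors]
    nearest = min(range(len(distances)), key=distances.__getitem__)
    return data.malicious[nearest]


# Constructed sample programs: behavior signatures with known labels.
SAMPLES = [
    (["file_read", "file_read", "file_write", "file_write"], False),                        # editor
    (["file_read", "file_write", "file_write", "registry_write", "process_create"], False),  # installer
    (["network_connect"] * 3 + ["file_read", "file_write"], False),                         # browser
    (["self_copy", "self_copy", "network_connect", "network_connect", "autorun_set", "file_write"], True),  # worm
    (["keylog_hook", "network_connect", "autorun_set", "file_write", "registry_write"], True),             # spyware
    (["network_connect", "file_write", "process_create", "autorun_set", "self_copy"], True),               # dropper
]
# Constructed diagnostic target, and the same target padded with benign reads.
TARGET = ["file_read", "file_write", "network_connect", "autorun_set", "self_copy"]
PADDED = TARGET + ["file_read"] * 4

if __name__ == "__main__":
    counts = generate_diagnostic_data(SAMPLES)
    print("count vectors:    target", diagnose(TARGET, counts), "padded", diagnose(PADDED, counts))
    flags = generate_diagnostic_data(SAMPLES, presence=True)
    print("presence vectors: target", diagnose(TARGET, flags, True), "padded", diagnose(PADDED, flags, True))
```

With the count encoding the unpadded target lands in the dropper's region and is flagged, but the padded copy is pulled into the editor's region by its four extra file reads, because unbounded counts let an attacker move a vector arbitrarily along any benign axis. The presence encoding removes that lever and keeps the padded target in the malicious space. The claims leave the encoding open; a practitioner implementing the scheme should pick one that bounds how far benign padding can move a vector, and should treat the weight vector as something to re-derive whenever the sample set changes, since it is a function of the stored vectors and their labels.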
Specification