Apparatus and method for detecting malicious files
First Claim
1. An apparatus for detecting a malicious file, comprising:
- a processor; and
- a memory for storing computer executable instructions that, when executed by the processor, cause the processor to implement:
- a program driving unit for outputting an execution address of a command executed by driving a program corresponding to a non-executable file;
- an address storage unit for storing normal address range information in accordance with the driving of the program; and
- a maliciousness determination unit for determining whether the non-executable file is malicious depending on whether the execution address is not within the normal address range information;
wherein the maliciousness determination unit determines:
- in response to the execution address not being within the normal address range information, whether or not a memory region indicated by the execution address has execution properties, and determines whether the non-executable file is malicious based on the determination result;
- in response to the memory region indicated by the execution address not having execution properties, whether the non-executable file is malicious by checking whether an abnormal event occurs due to execution of code stored in the memory region indicated by the execution address;
- in response to the abnormal event not occurring, whether the non-executable file is malicious by checking whether the execution addresses from the next execution address up to a predetermined operation are within the normal address range information; and
- in response to the memory region indicated by the execution address being determined to have execution properties, the non-executable file to be normal.
Abstract
An apparatus for detecting a malicious file, includes a program driving unit configured to output an execution address of a command executed by driving a program corresponding to a non-executable file; and an address storage unit configured to store normal address range information in accordance with the driving of the program.
Further, the apparatus includes a maliciousness determination unit configured to determine whether the non-executable file is malicious depending on whether the execution address is not within the normal address range information.
Claims (15)
1. As reproduced above under First Claim. Dependent claims 2, 3, 4 and 5 are not shown on this page.
6. An apparatus for detecting a malicious file, comprising:
- a processor; and
- a memory for storing computer executable instructions that, when executed by the processor, cause the processor to implement:
- a program driving unit for outputting an execution address of a command executed by driving a program corresponding to a non-executable file;
- an address storage unit for storing normal address range information in accordance with the driving of the program;
- a maliciousness determination unit for determining whether the non-executable file is malicious depending on whether the execution address is not within the normal address range information; and
- a cause analysis unit for analyzing the cause of a vulnerability by comparing vulnerability information with a module that includes a command related to the execution address that is not included in the normal address range information;
wherein the maliciousness determination unit determines:
- in response to the execution address not being within the normal address range information, whether or not a memory region indicated by the execution address has execution properties, and determines whether the non-executable file is malicious based on the determination result;
- in response to the memory region indicated by the execution address not having execution properties, whether the non-executable file is malicious by checking whether an abnormal event occurs due to execution of code stored in the memory region indicated by the execution address;
- in response to the abnormal event not occurring, whether the non-executable file is malicious by checking whether the execution addresses from the next execution address up to a predetermined operation are within the normal address range information; and
- in response to the memory region indicated by the execution address being determined to have execution properties, the non-executable file to be normal.
7. A method for detecting a malicious file, comprising:
- obtaining an execution address of a command executed during driving of a program corresponding to a non-executable file;
- storing normal address range information in accordance with the driving of the program; and
- determining, when the obtained execution address is not included in the normal address range information, whether the non-executable file is malicious;
wherein said determining whether the non-executable file is malicious includes:
- determining, when the execution address is not included in the normal address range information, whether a memory region indicated by the execution address has execution properties;
- determining whether the non-executable file is malicious based on the determination result;
- checking, in response to the memory region indicated by the execution address not having execution properties, whether an abnormal event occurs due to execution of code stored in the memory region indicated by the execution address;
- determining, in response to the abnormal event occurring, the non-executable file to be malicious;
- checking, in response to the abnormal event not occurring, whether an execution address from the next execution address up to a predetermined operation indicates a memory region that is not included in the normal address range information; and
- determining, in response to the execution address for the predetermined step indicating a memory region that is not included in the normal address range information, the non-executable file to be malicious.
Dependent claims 8 to 15 are not shown on this page.
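The decision procedure spelled out in claim 1 and again as method steps in claim 7 (out-of-range execution address, then execution properties of the region, then abnormal event, then a window of subsequent addresses) can be written down as a small classifier over a recorded trace. The following C program is an added example, not code from the patent or its assignee: it assumes a hypothetical tracer (a single-stepping debugger or similar; the claims do not say how the execution addresses are obtained) that reports each executed command's address and whether executing it raised an exception, a constructed address map with a document reader and one system library as the recorded normal ranges, and a window of 3 commands for the claims' "predetermined operation". The `last_origin` global records the module of the last in-range command before the excursion, which is the input claim 6's cause analysis unit compares against vulnerability information.

```c
/* Model of the claimed decision procedure, run over recorded execution traces.
 * Added example with a constructed address map and constructed traces; not the patent's own code. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

typedef struct {             /* one mapping of the driven program's address space */
    const char *module;      /* image backing the mapping, or a label for anonymous memory */
    uintptr_t start, end;    /* half-open [start, end) */
    bool exec;               /* region has execution properties (PROT_EXEC / PAGE_EXECUTE_*) */
    bool normal;             /* inside the normal address range information recorded while driving the program */
} region_t;

typedef struct {             /* one executed command as a hypothetical tracer would report it */
    uintptr_t addr;          /* execution address of the command */
    bool abnormal_event;     /* executing here raised an exception (access violation, illegal instruction) */
} trace_entry_t;

typedef enum {
    VERDICT_NORMAL = 0,
    VERDICT_MALICIOUS_ABNORMAL_EVENT, /* non-executable region and an abnormal event occurred */
    VERDICT_MALICIOUS_OUT_OF_RANGE    /* non-executable region, no event, execution stayed outside the normal ranges */
} verdict_t;

size_t last_hit;             /* trace index that produced a malicious verdict */
const char *last_origin;     /* module of the last in-range command before the excursion: claim 6's input */

static const region_t *find_region(const region_t *map, size_t n, uintptr_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= map[i].start && addr < map[i].end)
            return &map[i];
    return NULL;             /* unmapped memory has no execution properties either */
}

/* window: number of subsequent commands examined after a no-event out-of-range hit
 * (the claims' "predetermined operation"; the value is this example's assumption). */
verdict_t classify_trace(const region_t *map, size_t nmap,
                         const trace_entry_t *trace, size_t ntrace, size_t window)
{
    last_origin = "(none)";
    for (size_t i = 0; i < ntrace; i++) {
        const region_t *r = find_region(map, nmap, trace[i].addr);
        if (r != NULL && r->normal) {     /* inside the recorded ranges: nothing to check */
            last_origin = r->module;
            continue;
        }
        if (r != NULL && r->exec)         /* executable but unrecorded (JIT page, late-loaded module) */
            continue;                     /* the claims treat this as normal; we keep scanning */
        if (trace[i].abnormal_event) {    /* code ran from a region without execution properties and faulted */
            last_hit = i;
            return VERDICT_MALICIOUS_ABNORMAL_EVENT;
        }
        for (size_t j = i + 1; j < ntrace && j <= i + window; j++) {
            const region_t *s = find_region(map, nmap, trace[j].addr);
            if (s == NULL || !s->normal) { /* still outside the recorded ranges within the window */
                last_hit = j;
                return VERDICT_MALICIOUS_OUT_OF_RANGE;
            }
        }
        /* Control returned to the recorded ranges within the window: benign excursion, keep scanning. */
    }
    return VERDICT_NORMAL;
}

/* Constructed map: a document reader and one system library are the recorded normal ranges. */
static const region_t example_map[] = {
    { "reader.exe", 0x00400000, 0x00500000, true,  true  },
    { "system.dll", 0x7ff00000, 0x7ff80000, true,  true  },
    { "[heap]",     0x00600000, 0x00700000, false, false },
    { "[stack]",    0x0012f000, 0x00130000, false, false },
    { "[jit]",      0x10000000, 0x10100000, true,  false }, /* code page allocated at run time, never recorded */
};
#define NMAP (sizeof example_map / sizeof example_map[0])
#define WINDOW 3
verdict_t case_benign(void)            /* clean document: every command lies in a recorded range */
{
    static const trace_entry_t t[] = { { 0x00401000, false }, { 0x7ff01230, false }, { 0x00401010, false } };
    return classify_trace(example_map, NMAP, t, 3, WINDOW);
}
verdict_t case_dep_fault(void)         /* heap spray with DEP enforced: the first fetch from the heap faults */
{
    static const trace_entry_t t[] = { { 0x00401000, false }, { 0x00610000, true } };
    return classify_trace(example_map, NMAP, t, 2, WINDOW);
}
verdict_t case_heap_shellcode(void)    /* DEP off: shellcode on the heap runs without an event and stays there */
{
    static const trace_entry_t t[] = { { 0x00401000, false }, { 0x00610000, false },
                                       { 0x00610005, false }, { 0x0061000a, false } };
    return classify_trace(example_map, NMAP, t, 4, WINDOW);
}
verdict_t case_jit_and_excursion(void) /* JIT page hit, then one stack command that returns to the module at once */
{
    static const trace_entry_t t[] = { { 0x00401000, false }, { 0x10000400, false }, { 0x0012f800, false },
                                       { 0x00401020, false }, { 0x7ff01230, false }, { 0x00401030, false } };
    return classify_trace(example_map, NMAP, t, 6, WINDOW);
}
```

Two consequences of the claimed logic are visible in the cases. With DEP enforced the first fetch from a non-executable page faults, so the abnormal-event branch fires before the address window is ever consulted; the window only matters when execution from non-executable memory succeeds. And because an out-of-range address in a region that does have execution properties is declared normal, the check does not by itself distinguish a legitimate JIT page from memory an attacker has made executable (for example with a memory-protection call reached through a ROP chain); the `[jit]` region and any such attacker mapping receive the same treatment, so the normal address range information or a separate check must cover that case.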