Apparatus and method for detecting malicious files

US 8,763,128 B2
Filed: 02/26/2013
Issued: 06/24/2014
Est. Priority Date: 05/11/2012
Status: Active Grant

First Claim

Patent Images

1. An apparatus for detecting a malicious file, comprising:

a processor; and

a memory for storing computer executable instructions that, when executed by the processor, cause the processor to implement;

a program driving unit for inputting an execution address of a command executed by driving a program corresponding to a non-executable file;

an address storage unit for storing normal address range information in accordance with the driving of the program; and

a maliciousness determination unit for determining whether the non-executable file is malicious depending on whether the execution address is not within the normal address range information;

wherein the maliciousness determination unit determines;

in response to the execution address is not within the normal address range information, whether or not a memory region indicated by the execution address has execution properties, and determines whether the non-executable file is malicious based on the determination result;

in response to the memory region indicated by the execution address does not have execution properties, whether the non-executable file is malicious by checking whether an abnormal event occurs due to an execution of a code stored in the memory region indicated by the execution address;

in response to the abnormal event does not occur, whether the non-executable file is malicious by checking whether an execution address from the next of the execution address to a predetermined operation is within the normal address range information; and

in response to the memory region indicated by the execution address is determined to have execution properties, the non-executable file to be normal.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus for detecting a malicious file, includes a program driving unit configured to output an execution address of a command executed by driving a program corresponding to a non-executable file; and an address storage unit configured to store normal address range information in accordance with the driving of the program.

Further, the apparatus includes a maliciousness determination unit configured to determine whether the non-executable file is malicious depending on whether the execution address is not within the normal address range information.

38 Citations

View as Search Results

15 Claims

1. An apparatus for detecting a malicious file, comprising:
- a processor; and
  
  a memory for storing computer executable instructions that, when executed by the processor, cause the processor to implement;
  
  a program driving unit for inputting an execution address of a command executed by driving a program corresponding to a non-executable file;
  
  an address storage unit for storing normal address range information in accordance with the driving of the program; and
  
  a maliciousness determination unit for determining whether the non-executable file is malicious depending on whether the execution address is not within the normal address range information;
  
  wherein the maliciousness determination unit determines;
  
  in response to the execution address is not within the normal address range information, whether or not a memory region indicated by the execution address has execution properties, and determines whether the non-executable file is malicious based on the determination result;
  
  in response to the memory region indicated by the execution address does not have execution properties, whether the non-executable file is malicious by checking whether an abnormal event occurs due to an execution of a code stored in the memory region indicated by the execution address;
  
  in response to the abnormal event does not occur, whether the non-executable file is malicious by checking whether an execution address from the next of the execution address to a predetermined operation is within the normal address range information; and
  
  in response to the memory region indicated by the execution address is determined to have execution properties, the non-executable file to be normal.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The apparatus claim 1, wherein the program driving unit determines a file format of the non-executable file, and selects and drives a program for executing the non-executable file based on the determined file format.
  - 3. The apparatus of claim 1, further comprising a malicious code extraction unit for extracting a code in a region corresponding to an execution address that is not included in the normal address range information.
  - 4. The apparatus of claim 1, wherein the normal address range information includes a start address and an end address of a module loaded by the driving of the program.
  - 5. The apparatus of claim 1, wherein the maliciousness determination unit stores an execution address of a command executed immediately before the execution of a command of the execution address that is not within the normal address range information.

6. An apparatus for detecting a malicious file, comprising:
- a processor; and
  
  a memory for storing computer executable instructions that, when executed by the processor, cause the processor to implement;
  
  a program driving unit for inputting an execution address of a command executed by driving a program corresponding to a non-executable file;
  
  an address storage unit for storing normal address range information in accordance with the driving of the program;
  
  a maliciousness determination unit for determining whether the non-executable file is malicious depending on whether the execution address is not within the normal address range information; and
  
  a cause analysis unit for analyzing cause for vulnerability by comparing vulnerability information and a module including a command related to the execution address that is not included in the normal address range information;
  
  wherein the maliciousness determination unit determines;
  
  in response to the execution address is not within the normal address range information, whether or not a memory region indicated by the execution address has execution properties, and determines whether the non-executable file is malicious based on the determination result;
  
  in response to the memory region indicated by the execution address does not have execution properties, whether the non-executable file is malicious by checking whether an abnormal event occurs due to an execution of a code stored in the memory region indicated by the execution address;
  
  in response to the abnormal event does not occur, whether the non-executable file is malicious by checking whether an execution address from the next of the execution address to a predetermined operation is within the normal address range information; and
  
  in response to the memory region indicated by the execution address is determined to have execution properties, the non-executable file to be normal.

7. A method for detecting a malicious file comprising:
- obtaining an execution address of a command executed during driving of a program corresponding to a non-executable file;
  
  storing normal address range information in accordance with the driving of the program; and
  
  determining, when the obtained execution address is not included in the normal address range information, whether the non-executable file is malicious;
  
  wherein said determining whether the non-executable file is malicious includes;
  
  determining, when the execution address is not included in the normal address range information, whether a memory region indicated by the execution address has execution properties;
  
  determining whether the non-executable file is malicious based on the determination result;
  
  checking, in response to the memory region indicated by the execution address does not have execution properties, whether an abnormal event occurs due to execution of a code stored in the memory region indicated by the execution address;
  
  determining, in response to the abnormal event occur, the non-executable file to be malicious;
  
  checking, in response to the abnormal event does not occur, whether an execution address from the next of the execution address to a predetermined operation indicates the memory region that is not included in the normal address range information; and
  
  determining, in response to the execution address for the predetermined step indicates the memory region that is not included in the normal address range information, the non-executable file to be malicious.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
- - 8. The method of claim 7, further comprising:
    - determining a format of the non-executable file,wherein a program corresponding to the non-executable file is driven based on the determined file format.
  - 9. The method of claim 7, further comprising:
    - extracting a code in a memory region indicated by the execution address that is not included in the normal address range information.
  - 10. The method of claim 7, further comprising:
    - analyzing cause for vulnerability by comparing vulnerability information and a module including a command related to an execution address that is not included in the normal address range information.
  - 11. The method of claim 7, wherein the normal address range information includes a start address and an end address of a module loaded by driving of the program.
  - 12. The method of claim 7, wherein said determining whether the non-executable file is malicious includes:
    - determining whether the execution address is within the normal address range based on a type of the executed command.
  - 13. The method of claim 12, wherein when the command is structured exception handling (SEH), whether a chain value of the SEH is within the normal address range information is determined.
  - 14. The method of claim 13, wherein when the command is return, call or jump, a single step is performed to determine whether or not the execution address indicated by the command is within the normal address range information.
  - 15. The method of claim 7, further comprising:
    - storing an execution address of a command executed immediately before the execution of a command of the execution address that is not within the normal address range information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ahnlab Incorporated
Original Assignee
Ahnlab Incorporated
Inventors
Lim, Cha Sung, Lee, Ju Seok
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
TURCHEN, JAMES R

Application Number

US13/777,181
Publication Number

US 20130305366A1
Time in Patent Office

483 Days
Field of Search

726/23, 726/24
US Class Current

726/24
CPC Class Codes

G06F 21/56 Computer malware detection ...

G06F 21/566 Dynamic detection, i.e. det...

Apparatus and method for detecting malicious files

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

38 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for detecting malicious files

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links