Anti-malware system and operating method thereof
First Claim
1. An operating method of an anti-malware system, the operating method comprising:
- filtering first target data by matching the first target data with rule patterns; and
- scanning second target data by matching the second target data with malware patterns,
wherein the filtering and the scanning are performed on a system-on-chip (SoC);
wherein the filtering of the first target data comprises:
- packet classifying the first target data using at least one flag to determine whether pattern matching is to be performed;
- when it is determined that pattern matching is to be performed for the first target data as a result of the packet classifying, carrying out a pattern matching operation between the first target data and the rule patterns;
wherein the filtering of the first target data comprises:
- matching a hash value for a rule pattern, among the rule patterns, with a hash value for at least a portion of the first target data;
- when the matching of the hash value is successful, matching the rule pattern with the first target data;
wherein the matching of the hash value comprises matching a hash value for at least one of an Internet Protocol (IP) address, a protocol, and a port, which are included in a header of the first target data, with a hash value for at least one of an IP address, a protocol, and a port, which are included in the rule pattern; and
- allowing the first target data to pass by skipping the pattern matching operation between the first target data and the rule patterns, based on a value of the at least one flag that is set without comparing the first target data and the rule patterns.
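As an added example (not the patent's own code), a small Python model of the claimed filtering path: the flag set by packet classification decides whether matching runs at all, a hash over the header's IP, protocol and port selects candidate rule patterns, and only those candidates receive the full pattern comparison. The flag values, the hash construction and the sample rule are assumptions made for this example.

```python
import hashlib
from dataclasses import dataclass

# Flag values are assumed here; the claim only says "at least one flag".
FLAG_PASS = 0    # classifier decided the packet passes without any rule comparison
FLAG_MATCH = 1   # classifier decided rule pattern matching is needed

@dataclass(frozen=True)
class Rule:
    ip: str          # header fields covered by the stage-one hash
    proto: str
    port: int
    content: bytes   # payload pattern compared only after the hash matches
    action: str      # verdict when the full rule matches, e.g. "drop"

@dataclass
class Packet:
    ip: str
    proto: str
    port: int
    payload: bytes
    flag: int = FLAG_MATCH

def header_hash(ip, proto, port):
    """Stage-one key: a short hash over the (IP, protocol, port) tuple."""
    return hashlib.sha256(f"{ip}|{proto}|{port}".encode()).digest()[:4]

def build_rule_table(rules):
    """Index rules by header hash so stage one is a single dictionary lookup."""
    table = {}
    for r in rules:
        table.setdefault(header_hash(r.ip, r.proto, r.port), []).append(r)
    return table

def filter_packet(pkt, table):
    """Return (verdict, stage) where stage records how far the pipeline ran."""
    # Packet classifying: a pass flag skips matching without comparing against any rule.
    if pkt.flag == FLAG_PASS:
        return "pass", "skipped-by-flag"
    # Stage one: hash match on the header fields.
    candidates = table.get(header_hash(pkt.ip, pkt.proto, pkt.port), [])
    if not candidates:
        return "pass", "hash-miss"
    # Stage two: full rule pattern match, run only for hash-matched rules
    # (this also resolves hash collisions, since the hash alone is not a match).
    for r in candidates:
        if r.content in pkt.payload:
            return r.action, "rule-match"
    return "pass", "hash-hit-no-match"
```

The stage value shows which of the claimed steps actually executed for a packet, which is what you would log when checking that the hash stage is really skipping work rather than silently dropping traffic.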
Abstract
Provided are an anti-malware system and an operating method thereof. The anti-malware system matches first target data to be filtered with a rule pattern, performs a filtering operation on the first target data according to the matching result, matches second target data to be malware-scanned with a malware pattern, and performs a malware scanning operation on the second target data according to that matching result, wherein the filtering operation and the scanning operation are performed on a system-on-chip (SoC).
44 Claims
1. An operating method of an anti-malware system (independent claim; full text given under First Claim above). Dependent claims: 2 to 26.
27. An anti-malware system for receiving target data, and at least one of scanning and filtering anti-malware, the anti-malware system comprising:
- a storage unit which stores a malware pattern;
- a first hash value matching unit which matches a hash value of at least a portion of the target data with a hash value of the malware pattern;
- a first light pattern matching unit which matches at least one of a middle value and a tail value of the malware pattern with at least one of a middle value and a tail value of the at least a portion of the target data, when the matching of the hash value is successful; and
- an exact pattern matching unit which, when the light pattern matching is successful, refers to an address of a malware pattern which is successful in the light pattern matching among addresses in which malware patterns are stored, and matches each position of the malware pattern, stored in the referred address, with each corresponding position of the target data;
wherein the filtering of the first target data comprises:
- matching a hash value for a rule pattern, among the rule patterns, with a hash value for at least a portion of the first target data;
- when the matching of the hash value is successful, matching the rule pattern with the first target data;
wherein the matching of the hash value comprises matching a hash value for at least one of an Internet Protocol (IP) address, a protocol, and a port, which are included in a header of the first target data, with a hash value for at least one of an IP address, a protocol, and a port, which are included in the rule pattern.
Dependent claims: 28 to 41.
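An added Python model (not from the patent) of the three-stage matcher in claim 27: a hash over the start of the data selects candidate malware patterns, a light match compares only each candidate's middle and tail byte, and only survivors get the position-by-position exact comparison read from the pattern's stored address. The prefix length, the one-byte hash and the use of list indices as addresses are assumptions for this example; the patterns and inputs are constructed.

```python
import hashlib

PREFIX_LEN = 4  # assumed: the stage-one hash covers the first 4 bytes (patterns must be at least this long)

def prefix_hash(data: bytes) -> bytes:
    """Stage-one key: deliberately short (1 byte) so collisions occur and the light stage has work to do."""
    return hashlib.sha256(data[:PREFIX_LEN]).digest()[:1]

class StagedScanner:
    """Hash match -> light match (middle and tail value) -> exact match at the stored address."""

    def __init__(self, patterns):
        self.store = list(patterns)              # pattern storage; the list index plays the "address"
        self.by_hash = {}
        for addr, pat in enumerate(self.store):
            self.by_hash.setdefault(prefix_hash(pat), []).append(addr)
        self.light_checks = 0                    # counters show how much work each stage filters out
        self.exact_checks = 0

    def scan(self, data: bytes):
        """Return (address, offset) of the first exact match, or None when nothing matches."""
        for off in range(len(data) - PREFIX_LEN + 1):
            for addr in self.by_hash.get(prefix_hash(data[off:off + PREFIX_LEN]), ()):
                pat = self.store[addr]
                chunk = data[off:off + len(pat)]
                if len(chunk) < len(pat):
                    continue
                # Light pattern matching: only the middle and tail values are compared here.
                self.light_checks += 1
                mid, tail = len(pat) // 2, len(pat) - 1
                if chunk[mid] != pat[mid] or chunk[tail] != pat[tail]:
                    continue
                # Exact pattern matching: every position of the pattern read from its address.
                self.exact_checks += 1
                if chunk == pat:
                    return addr, off
        return None
```

The two counters make the point of the light stage measurable: a hash collision that also agrees on the middle and tail bytes is the only case that costs a full comparison.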
42. A method of an anti-malware processor, the method comprising:
- filtering, by a first logic unit of the processor, input data based on a rule; and
- scanning, by a second logic unit of the processor, for malware in the data, the filtering and the scanning being performed at a same time,
wherein the filtering comprises:
- packet classifying the input data using at least one flag to determine whether pattern matching is to be performed;
- when it is determined that pattern matching is to be performed for the input data as a result of the packet classifying, performing a pattern matching operation between the input data and rule patterns according to the rule;
wherein the filtering of the first target data comprises:
- matching a hash value for a rule pattern, among the rule patterns, with a hash value for at least a portion of the first target data;
- when the matching of the hash value is successful, matching the rule pattern with the first target data;
wherein the matching of the hash value comprises matching a hash value for at least one of an Internet Protocol (IP) address, a protocol, and a port, which are included in a header of the first target data, with a hash value for at least one of an IP address, a protocol, and a port, which are included in the rule pattern; and
- allowing the input data to pass by skipping the pattern matching operation between the input data and the rule patterns, based on a value of the at least one flag that is set without comparing the input data and the rule patterns.
43. An anti-malware device comprising:
- a processor comprising:
- a firewall engine which comprises first logic units and which filters input data based on a rule, and determines whether the input data contains data to be scanned for malware; and
- an anti-malware engine which comprises second logic units and scans for malware in the input data, if the firewall engine determines that the input data contains the data to be scanned for malware,
wherein:
- the firewall engine packet classifies the input data using at least one flag to determine whether the input data is classified as data to be rule pattern-matched;
- when it is determined that the input data is classified as the data to be rule pattern-matched, the firewall engine performs a pattern matching operation between the input data and rule patterns, according to the rule;
wherein the filtering of the first target data comprises:
- matching a hash value for a rule pattern, among the rule patterns, with a hash value for at least a portion of the first target data;
- when the matching of the hash value is successful, matching the rule pattern with the first target data;
wherein the matching of the hash value comprises matching a hash value for at least one of an Internet Protocol (IP) address, a protocol, and a port, which are included in a header of the first target data, with a hash value for at least one of an IP address, a protocol, and a port, which are included in the rule pattern; and
- the firewall engine allows the input data to pass by skipping the pattern matching operation between the input data and the rule patterns, based on a value of the at least one flag that is set without comparing the input data and the rule patterns.
44. A hardware firewall engine comprising at least one processor, the at least one processor configured to perform a filtering operation with respect to packet data based on a packet rule, and determine whether the packet data contains data to be scanned for malware, wherein the filtering operation comprises:
- packet classifying the packet data using at least one flag to determine whether pattern matching is to be performed;
- when it is determined that pattern matching is to be performed for the packet data as a result of the packet classifying, pattern matching between the packet data and rule patterns according to the packet rule;
wherein the filtering of the first target data comprises:
- matching a hash value for a rule pattern, among the rule patterns, with a hash value for at least a portion of the first target data;
- when the matching of the hash value is successful, matching the rule pattern with the first target data;
wherein the matching of the hash value comprises matching a hash value for at least one of an Internet Protocol (IP) address, a protocol, and a port, which are included in a header of the first target data, with a hash value for at least one of an IP address, a protocol, and a port, which are included in the rule pattern; and
- allowing the packet data to pass by skipping the pattern matching between the packet data and the rule patterns, based on a value of the at least one flag that is set without comparing the packet data and the rule patterns.