Anti-malware system and operating method thereof

US 9,223,969 B2
Filed: 06/07/2011
Issued: 12/29/2015
Est. Priority Date: 06/07/2010
Status: Active Grant

First Claim

Patent Images

1. An operating method of an anti-malware system, the operating method comprising:

filtering first target data by matching the first target data with rule patterns;

and scanning second target data by matching the second target data with malware patterns, wherein the filtering and the scanning are performed on a system-on-chip (SoC), wherein the filtering of the first target data comprises;

packet classifying the first target data using at least one flag to determine whether the pattern matching is to be performed,when it is determined that pattern matching is to be performed for the first target data as a result of the packet classifying, carrying out a pattern matching operation between the first target data and the rule patterns;

wherein the filtering the first target data comprises;

matching a hash value for a rule pattern, among the rule patterns, with a hash value for at least a portion of the first target data;

when the matching the hash value is successful, matching the rule pattern with the first target data;

wherein the matching the hash value comprises matching a hash value for at least one of an Internet Protocol (IP) address, a protocol, and a port, which are included in a header of the first target data, with a hash value for at least one of an IP address, a protocol, and a port, which are included in the rule pattern; and

allowing the first target data to pass by skipping the pattern matching operation between the first target data and the rule patterns, based on a value of the at least one flag that is set without comparing the first target data and the rule patterns.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are an anti-malware system, and an operating method thereof. The anti-malware system matches an filtering operation on first target data to be filtered with a rule pattern, performs a filtering operation on the first target data according to a matching result, matches second target data to be malware-scanned with a malware pattern, and performs a malware scanning operation on the second target data according to a matching result, wherein the filtering operation and the scanning operation are performed on a system-on-chip (SoC).

Citations

44 Claims

1. An operating method of an anti-malware system, the operating method comprising:
- filtering first target data by matching the first target data with rule patterns;
  
  and scanning second target data by matching the second target data with malware patterns, wherein the filtering and the scanning are performed on a system-on-chip (SoC), wherein the filtering of the first target data comprises;
  
  packet classifying the first target data using at least one flag to determine whether the pattern matching is to be performed,when it is determined that pattern matching is to be performed for the first target data as a result of the packet classifying, carrying out a pattern matching operation between the first target data and the rule patterns;
  
  wherein the filtering the first target data comprises;
  
  matching a hash value for a rule pattern, among the rule patterns, with a hash value for at least a portion of the first target data;
  
  when the matching the hash value is successful, matching the rule pattern with the first target data;
  
  wherein the matching the hash value comprises matching a hash value for at least one of an Internet Protocol (IP) address, a protocol, and a port, which are included in a header of the first target data, with a hash value for at least one of an IP address, a protocol, and a port, which are included in the rule pattern; and
  
  allowing the first target data to pass by skipping the pattern matching operation between the first target data and the rule patterns, based on a value of the at least one flag that is set without comparing the first target data and the rule patterns.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 2. The operating method of claim 1, wherein:
    - the first target data is received from a device in which the SoC is installed; and
      
      the filtering is performed on the first target data received from the device.
  - 3. The operating method of claim 1, wherein:
    - the first target data is received from an external device through a communication unit included in the SoC; and
      
      the filtering is performed on the first target data received through the communication unit.
  - 4. The operating method of claim 1, further comprising storing the rule patterns and the malware patterns in a storage unit included in the SoC.
  - 5. The operating method of claim 1, further comprising:
    - setting an IP flag to ‘
      
      All’
      
      , if a rule pattern that allows all IP addresses to pass is included among the rule patterns;
      
      setting a protocol flag to ‘
      
      All’
      
      , if a rule pattern that allows all protocols to pass is included among the rule patterns; and
      
      setting a port flag to ‘
      
      All’
      
      , if a rule pattern that allows all ports to pass is included among the rule patterns,wherein the packet classifying is performed using the IP flag, the protocol flag, and the port flag.
  - 6. The operating method of claim 5, wherein, if the IP flag is set to ‘
    - All’ and
      
      the port flag is set to ‘
      
      All’
      
      , the pattern matching the first target data is not performed.
  - 7. The operating method of claim 1, wherein:
    - the packet classifying comprises IP matching to match an IP address included in the first target data with an IP address included in each of the rule patterns, if there is no rule pattern that allows all IP addresses to pass among the rule patterns; and
      
      if a rule pattern that allows all IP addresses to pass is included among the rule patterns, the IP matching is not performed.
  - 8. The operating method of claim 7, wherein the pattern matching the first target data is performed only if the IP matching is successful as a result of the IP matching process.
  - 9. The operating method of claim 7, wherein the IP matching comprises, if the IP matching is successful, checking whether a rule pattern which is successful in the IP matching is applied to all protocols, and if the rule pattern which is successful in the rule matching is applied to all protocols, setting a protocol flag to ‘
    - All’
      
      .
  - 10. The operating method of claim 9, wherein:
    - the packet classifying further comprises, if the protocol flag is not set to ‘
      
      All’
      
      , protocol matching to match a protocol included in the first target data with a protocol included in the rule pattern which is successful in the IP matching,wherein, if the protocol flag is set to ‘
      
      All’
      
      , the protocol matching is not performed.
  - 11. The operating method of claim 10, wherein the pattern matching the first target data is performed only if protocol matching is successful as a result of the protocol matching.
  - 12. The operating method of claim 10, wherein, if protocol matching is successful as a result of the protocol matching, the packet classifying further comprises checking whether the rule pattern which is successful in the protocol matching is applied to all ports, and, if the rule pattern which is successful in the protocol matching is applied to all ports, setting a port flag to ‘
    - All’
      
      .
  - 13. The operating method of claim 12, wherein:
    - the packet classifying further comprises, if the port flag is not set to ‘
      
      All’
      
      , port matching to match a port included in the first target data with a port included in the rule pattern which is successful in the IP matching; and
      
      if the port flag is set to ‘
      
      All’
      
      , the port matching is not performed.
  - 14. The operating method of claim 13, wherein the pattern matching the first target data is performed only if the port matching is successful and if the IP matching is successful.
  - 15. The operating method of claim 1, wherein the pattern matching between the first target data and the rule patterns comprises:
    - hash value matching to match a hash value of an IP address included in the first target data with a hash value of an IP address included in each of the rule patterns;
      
      if the hash value matching is successful, light pattern matching to match a middle value and a tail value of an IP address included in a rule pattern which is successful in the hash value matching with a middle value and a tail value of the IP address included in the first target data; and
      
      if the light pattern matching is successful, exact pattern matching to match a rule pattern which is successful in the light pattern matching with the first target data.
  - 16. The operating method of claim 15, wherein:
    - the hash value matching comprises matching a hash matcher table with the hash value of the IP address of the first target data; and
      
      the hash matcher table comprises a hash value regarding an IP address included in each of the rule patterns and an item indicating at least one of presence and absence of each hash value.
  - 17. The operating method of claim 15, wherein:
    - the light pattern matching comprises matching a sub matcher table with a partial value of the IP address included in the first target data; and
      
      the sub matcher table comprises an item indicating a hash value of an IP address included in each of the rule patterns, and an item indicating a part of the IP address.
  - 18. The operating method of claim 17, wherein the part of the IP address is a middle value and a tail value of the IP address.
  - 19. The operating method of claim 17, wherein:
    - the sub matcher table further comprises an item indicating an address in which the rule patterns are stored; and
      
      the exact pattern matching comprises referring to an address of a rule pattern which is successful in the light pattern matching among addresses in which the rule patterns are stored, and matching the rule pattern stored in the referred address with the first target data.
  - 20. The operating method of claim 17, wherein:
    - the sub matcher table further comprises a next item; and
      
      the next item indicates data based on which information on a different rule pattern that has an IP hash value equal to a hash value of an IP address displayed on the item indicating the hash value of the IP address is searched for.
  - 21. The operating method of claim 20, wherein the data based on which the information on the different rule pattern is searched for is an address in which the information on the different rule pattern is stored.
  - 22. The operating method of claim 1, wherein the filtering the second target data comprises:
    - matching a hash value for a malware pattern, among the malware patterns, with a hash value for at least a portion of the second target data; and
      
      when the matching of the hash value is successful, matching the malware pattern with the second target data.
  - 23. The operating method of claim 22, wherein the matching the hash value comprises matching a hash value for a portion of the second target data with a hash value for the malware pattern.
  - 24. The operating method of claim 22, wherein the matching the hash value for the malware pattern with the hash value for at least a portion of the second target data comprises:
    - light pattern matching in which a portion of the malware pattern is matched with a portion of the second target data; and
      
      when the light pattern matching is successful, exact matching in which the malware pattern is matched with the second target data.
  - 25. The operating method of claim 24, wherein the exact matching comprises matching a third position value and a fourth position value of the second target data with a third position value and a fourth position value of the malware pattern.
  - 26. The operating method of claim 24, wherein the exact matching comprises matching the second target data with the malware pattern.

27. An anti-malware system for receiving target data, and at least one of scanning and filtering anti-malware, the anti-malware system comprising:
- a storage unit which stores a malware pattern;
  
  a first hash value matching unit which matches a hash value of at least a portion of the target data with a hash value of the malware pattern;
  
  a first light pattern matching unit which matches at least one of a middle value and a tail value of the malware pattern with at least one of a middle value and a tail value of the at least a portion of the target data, when the matching of the hash value is successful; and
  
  an exact pattern matching unit which, when the light pattern matching is successful, refers to an address of a malware pattern which is successful in the light pattern matching among addresses in which malware patterns are stored, andmatches each position of the malware pattern, stored in the referred address, with each corresponding position of the target data;
  
  wherein the filtering the first target data comprises;
  
  matching a hash value for a rule pattern, among the rule patterns, with a hash value for at least a portion of the first target data;
  
  when the matching the hash value is successful, matching the rule pattern with the first target data;
  
  wherein the matching the hash value comprises matching a hash value for at least one of an Internet Protocol (IP) address, a protocol, and a port, which are included in a header of the first target data, with a hash value for at least one of an IP address, a protocol, and a port, which are included in the rule pattern.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 28. The anti-malware system of claim 27, wherein:
    - the malware pattern comprises a malware pattern and a rule pattern;
      
      the received target data is to be filtered; and
      
      the first hash value matching unit matches the rule pattern and the target data, and the first light pattern matching unit matches the rule pattern and the target data, when the received target data is classified as data to be filtered by using at least one flag, wherein a value of the at least one flag is set based on the rule pattern prior to at least one of matching by the first hash value matching unit and the first light pattern matching unit.
  - 29. The anti-malware system of claim 28, wherein, when the received target data is to be malware-scanned, the first hash value matching unit matches the malware pattern and the target data, and the first light pattern matching unit matches the malware pattern and the target data.
  - 30. The anti-malware system of claim 27, further comprising:
    - an anti-malware manager which detects the target data as data to be malware-scanned,wherein the malware comprises a malware pattern and a rule pattern, andwherein the first hash value matching unit matches the rule pattern and the target data and the first light pattern matching unit matches the rule pattern and the target data according to an order of the anti-malware manager, or the first hash value matching unit matches the malware pattern and the target data and the first light pattern matching unit matches the malware pattern and the target data.
  - 31. The anti-malware system of claim 27, further comprising:
    - a second hash value matching unit which matches a hash value of at least a first portion of the target data with a hash value of the malware pattern; and
      
      a second light pattern matching unit which, when the matching of the hash value is successful, matches the malware pattern with a second portion of the target data,wherein the malware pattern comprises a malware pattern and a rule pattern,wherein, when the target data is to be filtered, the first hash value matching unit matches the target data to be filtered with the rule pattern and the first light pattern matching unit matches the target data to be filtered with the rule pattern, andwherein, when the target data is to be malware-scanned, the second hash value matching unit and the second light pattern matching unit matches the target data to be scanned with the malware pattern and the second light pattern matching unit matches the target data to be scanned with the malware pattern.
  - 32. The anti-malware system of claim 31, further comprising:
    - an anti-malware manager which receives the target data to be malware-scanned.
  - 33. The anti-malware system of claim 32, wherein the second hash value matching unit performs an operation on the target data received by the anti-malware manager and the malware pattern and the second light pattern matching unit performs an operation on the target data received by the anti-malware manager and the malware pattern.
  - 34. The anti-malware system of claim 27, wherein the first hash value matching unit and the first light pattern matching unit are embodied by hardware.
  - 35. The anti-malware system of claim 34, wherein the hardware comprises:
    - a buffer which stores the target data;
      
      a hash matcher which matches a hash value for a portion of the target data stored in the buffer with a hash value for the malware pattern;
      
      a hash Queue (Q) buffer which, when the hash value for a portion of the target data stored in the buffer is matched with the hash value for the malware pattern by the hash matcher, stores the target data; and
      
      a light pattern matcher which matches a first position value and a second position value of the target data stored in the hash Q buffer with a first position value and a second position value of the malware pattern.
  - 36. The anti-malware system of claim 35, wherein:
    - the hash matcher matches a hash matcher table indicating whether the hash value of the malware pattern exists with the hash value for the portion of the target data; and
      
      when the matching is successful, the target data is stored in the hash Q buffer.
  - 37. The anti-malware system of claim 36, wherein:
    - the hardware further comprises a scan Q buffer;
      
      the light pattern matcher matches a sub matcher table comprising at least one record comprising the hash value of the malware pattern, the first position value, and the second position value, with the first position value and the second position value of the target data; and
      
      when the matching is successful, the target data is stored in the scan Q buffer.
  - 38. The anti-malware system of claim 37, wherein matching the malware pattern with an entirety of the target data is performed on the target data stored in scan Q buffer.
  - 39. The anti-malware system of claim 37, wherein the hardware further comprises an offset address generator which generates an address for storing a record comprising a hash value of target data stored in the hash Q buffer, from among the at least one record of the sub matcher table.
  - 40. The anti-malware system of claim 39, wherein the address generated by the offset address generator is related to target data stored in the hash Q buffer, and is stored in the hash Q buffer, together with the target data.
  - 41. The anti-malware system of claim 27, further comprising a device,wherein the storage unit and the first hash value matching unit are embodied as a system-on-chip (SoC), andwherein the SoC is detachably installed in the device, receives the target data from the device, performs the at least one of the anti-malware scanning and the filtering operation, and notifies the device about a result of the performing.

42. A method of an anti-malware processor, the method comprising:
- filtering by a first logic unit of the processor, input data based on a rule; and
  
  scanning by a second logic unit of the processor, for malware in the data, the filtering and the scanning being performed at a same time,wherein the filtering comprises;
  
  packet classifying the input data using at least one flag to determine whether pattern matching is to be performed;
  
  when it is determined that pattern matching is to be performed for the input data as a result of the packet classifying, performing a pattern matching operation between the input data and rule patterns according to the rule;
  
  wherein the filtering the first target data comprises;
  
  matching a hash value for a rule pattern, among the rule patterns, with a hash value for at least a portion of the first target data;
  
  when the matching the hash value is successful, matching the rule pattern with the first target data;
  
  wherein the matching the hash value comprises matching a hash value for at least one of an Internet Protocol (IP) address, a protocol, and a port, which are included in a header of the first target data, with a hash value for at least one of an IP address, a protocol, and a port, which are included in the rule pattern; and
  
  allowing the input data to pass by skipping the pattern matching operation between the input data and the rule patterns, based on a value of the at least one flag that is set without comparing the input data and the rule patterns.

43. An anti-malware device comprising:
- a processor comprising;
  
  a firewall engine which comprises first logic units and which filters input data based on a rule, and determines whether the input data contains data to be scanned for malware; and
  
  an anti-malware engine which comprises second logic units and scans for malware in the input data, if the firewall engine determines that the input data contains the data to be scanned for malware,wherein;
  
  the firewall engine packet classifies the input data using at least one flag to determine whether the input data is classified as data to be rule pattern-matched,when it is determined that the input data is classified as the data to be rule pattern-matched, the firewall engine performs a pattern matching operation between the input data and rule patterns, according to the rule;
  
  wherein the filtering the first target data comprises;
  
  matching a hash value for a rule pattern, among the rule patterns, with a hash value for at least a portion of the first target data;
  
  when the matching the hash value is successful, matching the rule pattern with the first target data;
  
  wherein the matching the hash value comprises matching a hash value for at least one of an Internet Protocol (IP) address, a protocol, and a port, which are included in a header of the first target data, with a hash value for at least one of an IP address, a protocol, and a port, which are included in the rule pattern; and
  
  the firewall engine allows the input data to pass by skipping the pattern matching operation between the input data and the rule patterns, based on a value of the at least one flag that is set without comparing the input data and the rule patterns.

44. A hardware firewall engine comprising at least one processor, the at least one processor configured to perform a filtering operation with respect to packet data based on a packet rule, and determine whether the packet data contains data to be scanned for malware, wherein the filtering operation comprises:
- packet classifying the packet data using at least one flag to determine whether pattern matching is to be performed;
  
  when it is determined that pattern matching is to be performed for the packet data as a result of the packet classifying, pattern matching between the packet data and rule patterns according to the packet rule;
  
  wherein the filtering the first target data comprises;
  
  matching a hash value for a rule pattern, among the rule patterns, with a hash value for at least a portion of the first target data;
  
  when the matching the hash value is successful, matching the rule pattern with the first target data;
  
  wherein the matching the hash value comprises matching a hash value for at least one of an Internet Protocol (IP) address, a protocol, and a port, which are included in a header of the first target data, with a hash value for at least one of an IP address, a protocol, and a port, which are included in the rule pattern; and
  
  allowing the packet data to pass by skipping the pattern matching between the packet data and the rule patterns, based on a value of the at least one flag that is set without comparing the packet data and the rule patterns.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Samsung SDS (China) Co., Ltd. (Samsung Group)
Original Assignee
Samsung SDS (China) Co., Ltd. (Samsung Group)
Inventors
Yoo, InSeon
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
Woldemariam, Nega

Application Number

US13/154,756
Publication Number

US 20110302648A1
Time in Patent Office

1,666 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/564   by virus signature recognition

H04L 63/145   the attack involving the pr...

Anti-malware system and operating method thereof

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Anti-malware system and operating method thereof

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links