System and method for matching pattern
First Claim
1. A malware pattern matching method comprising:
- generating a hash matcher table comprising a hash value item displaying a hash value and an item displaying a pre-stored malware pattern data, or comprising the hash value item displaying the hash value and an item displaying whether a hash value of the pre-stored malware pattern data is identical to the hash value displayed on the hash value item;
- dividing a target data into a plurality of sub data;
- for at least one sub data of the plurality of sub data, generating a hash value of the sub data and comparing the generated hash value of the sub data and the hash matcher table;
- generating a sub matcher table which comprises the hash value item displaying the hash value and a malware pattern data item displaying a malware pattern data corresponding to the hash value displayed on the hash value item;
- only in response to the hash value of at least one sub data of the plurality of sub data existing in the hash matcher table, performing a sub pattern matching operation to match the at least one sub data of the plurality of sub data with the corresponding pre-stored malware pattern data by using the sub matcher table;
- determining a type of the pre-stored malware pattern data;
- in response to a determination that the type of the pre-stored malware pattern data is a grammatically complex malware pattern, performing a full pattern matching operation to determine whether the target data is identical to at least the pre-stored malware pattern data by referring to a result of the sub pattern matching operation; and
- in response to a determination that the type of the pre-stored malware pattern data is a grammatically simple malware pattern, not performing the full pattern matching operation,
- wherein performing the sub pattern matching operation comprises:
  - performing a light pattern matching operation to match a part of the one sub data with the pre-stored malware pattern data by using the sub matcher table; and
  - if the part of the one sub data is identical to or included in the pre-stored malware pattern data, performing an exact pattern matching operation to match a whole of the one sub data with a whole of the pre-stored malware pattern data.
Abstract
System and method for matching a pattern are provided. The pattern matching method includes performing a sub pattern matching operation to match at least one sub data of a plurality of sub data of a target data with a pre-stored pattern data, and performing a full pattern matching operation to determine whether the target data is identical to at least the pre-stored pattern data by referring to a result of the sub pattern matching operation, and wherein the full pattern matching operation is performed or not performed according to a type of the pre-stored pattern data. Accordingly, an accurate matching operation is performed with respect to the target data of various patterns.
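The staged matching recited in claim 1 and summarized in the abstract, sketched as an added Python example (not code from the patent). Assumptions not found in the claims: sub data are overlapping 8-byte windows, the hash is a truncated CRC-32, the light stage compares 2 bytes, the full match is a regular expression, and the signatures are constructed, harmless strings.

```python
import re
import zlib

W = 8        # sub data length (assumed; the claims do not fix a size)
LIGHT = 2    # bytes compared by the light stage (assumed)

# Constructed, harmless signatures. "key" is the W-byte sub pattern.
PATTERNS = [
    {"name": "simple-A", "key": b"TESTSIG1", "type": "simple"},
    {"name": "complex-B", "key": b"BEGINSIG", "type": "complex",
     "full": re.compile(rb"BEGINSIG[0-9]{4}ENDSIG")},
]

def h(data):
    """Deliberately small 12-bit hash, so collisions are possible."""
    return zlib.crc32(data) & 0xFFF

def build_tables(patterns):
    hash_matcher = set()   # hash value present -> some pattern has it
    sub_matcher = {}       # hash value -> pattern data with that hash
    for p in patterns:
        hash_matcher.add(h(p["key"]))
        sub_matcher.setdefault(h(p["key"]), []).append(p)
    return hash_matcher, sub_matcher

def scan(target, patterns=PATTERNS):
    """Return (hits, per-stage counters) for one target buffer."""
    hash_matcher, sub_matcher = build_tables(patterns)
    hits = []
    stats = {"hashed": 0, "light": 0, "exact": 0, "full": 0}
    for off in range(len(target) - W + 1):        # overlapping sub data
        sub = target[off:off + W]
        stats["hashed"] += 1
        hv = h(sub)
        if hv not in hash_matcher:                # hash prefilter
            continue
        for p in sub_matcher[hv]:
            stats["light"] += 1
            if sub[:LIGHT] != p["key"][:LIGHT]:   # light: part of sub data
                continue
            stats["exact"] += 1
            if sub != p["key"]:                   # exact: whole sub data
                continue
            if p["type"] == "simple":             # simple: skip full match
                hits.append((p["name"], off))
            else:                                 # complex: full match
                stats["full"] += 1
                if p["full"].match(target, off):
                    hits.append((p["name"], off))
    return hits, stats
```

The counters show how few windows reach each later stage; a sub-pattern hit on a complex signature is reported only if the full match at that offset also succeeds.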
18 Claims
13. A malware pattern matching method comprising:
- generating a hash matcher table comprising a hash value item displaying a hash value and an item displaying a malware pattern data of a pre-stored malware pattern database or comprising the hash value item displaying the hash value and an item indicating whether hash values of the malware pattern data of the pre-stored pattern database are identical to the hash values displayed on the hash value item;
- dividing a target data into a plurality of sub data;
- for at least one sub data of the plurality of sub data, generating a hash value of the sub data and comparing the generated hash value of the sub data and the hash matcher table;
- generating a sub matcher table which comprises the hash value item displaying the hash value and a malware pattern data item displaying a malware pattern data corresponding to the hash value displayed on the hash value item;
- only in response to the hash value of at least one sub data of the plurality of sub data existing in the hash matcher table, performing a light pattern matching operation to match a part of the at least one sub data of the plurality of sub data with a malware pattern data of a pre-stored malware pattern database by using the sub matcher table; and
- performing an exact pattern matching operation to match a whole of the one sub data with the malware pattern data only if the part of the one sub data is identical to or included in the malware pattern data.
15. A malware pattern matching system, comprising:
- a target data dividing unit which, using a processor, divides a target data into a plurality of sub data;
- a storage unit which stores a hash matcher table comprising a hash value item displaying a hash value and an item displaying a pre-stored malware pattern data, or comprising the hash value item displaying the hash value and an item displaying whether a hash value of the pre-stored malware pattern data is identical to the hash value displayed on the hash value item;
- a hash value matching unit which matches a hash value of at least one sub data of the plurality of sub data with the hash matcher table;
- a sub pattern matching unit which, only in response to the hash value of at least one sub data of the plurality of sub data existing in the hash matcher table, matches the at least one sub data of the plurality of sub data with the corresponding pre-stored malware pattern data;
- a full pattern matching unit that, in response to the one sub data not being identical to the malware pattern data matched with the hash value of the one sub data after the matching operation of the sub pattern matching unit, matches the target data with the malware pattern data by referring to a matching result of the sub pattern matching unit; and
- a determination unit that, in response to the one sub data being identical to the malware pattern data matched with the hash value of the one sub data after the matching operation of the sub pattern matching unit, does not operate the full pattern matching unit and determines that the malware pattern data is included in the target data,
- wherein the sub pattern matching unit comprises:
  - a light pattern matching unit which is operable to match a part of the one sub data with a sub matcher table; and
  - an exact pattern matching unit which matches a whole of the one sub data with the pattern data, if the part of the one sub data is identical to those of the sub matcher table,
- wherein the sub matcher table comprises the hash value item displaying the hash value and a malware pattern data item displaying a malware pattern data corresponding to the hash value displayed on the hash value item.
17. A malware pattern matching system, comprising:
- a target data dividing unit which, using a processor, divides a target data into a plurality of sub data;
- a storage unit which stores a hash matcher table comprising a hash value item displaying a hash value and an item displaying a pre-stored malware pattern data, or comprising the hash value item displaying the hash value and an item displaying whether a hash value of the pre-stored malware pattern data is identical to the hash value displayed on the hash value item;
- a hash value matching unit which matches a hash value of at least one sub data of the plurality of sub data with the hash matcher table;
- a sub pattern matching unit which, only in response to the hash value of at least one sub data of the plurality of sub data existing in the hash matcher table, matches the at least one sub data of the plurality of sub data with the corresponding pre-stored malware pattern data;
- a full pattern matching unit which is operable to match the target data with a whole of the pre-stored malware pattern data; and
- a determination unit which determines whether to operate the full pattern matching unit according to a type of the pre-stored malware pattern data,
- wherein the type of the pre-stored malware pattern data is a grammatically defined complex malware pattern or a grammatically defined simple malware pattern,
- wherein the malware pattern matching system further comprises a determination unit that, in response to the type of the pre-stored malware pattern data being the grammatically defined simple malware pattern, does not operate the full pattern matching unit, and
- wherein, in response to the type of the pre-stored malware pattern data being the grammatically defined complex malware pattern, the determination unit controls the full pattern matching unit to be operated after the matching operation of the sub pattern matching unit,
- wherein the sub pattern matching unit comprises:
  - a light pattern matching unit which is operable to match a part of the one sub data with a sub matcher table; and
  - an exact pattern matching unit which matches a whole of the one sub data with the pattern data, if the part of the one sub data is identical to those of the sub matcher table,
- wherein the sub matcher table comprises the hash value item displaying the hash value and a malware pattern data item displaying a malware pattern data corresponding to the hash value displayed on the hash value item.
Specification