KR20170127630A - Ransom Ware Blocking Apparatus based on Whitelist and Method therefor - Google Patents

Abstract

More particularly, the present invention relates to a white list-based Ransomware blocking apparatus and method. More particularly, the present invention relates to a white list-based Ransomware blocking apparatus and method for registering and managing a normal execution file, It is determined whether the target executable file is a safe executable file registered in the whitelist or not, and if the executable file is not registered in the whitelist, execution is basically blocked so that Rangamware infiltrates into the user's computer And more particularly, to a white-list-based Rangumware blocking apparatus and method capable of efficiently blocking according to the execution path of an executable file while blocking originally.

Description

[0001] The present invention relates to a white-list-based Ransomware blocking device and method,

More particularly, the present invention relates to a white list-based Ransomware blocking apparatus and method. More particularly, the present invention relates to a white list-based Ransomware blocking apparatus and method for registering and managing a normal execution file, It is determined whether the target executable file is a safe executable file registered in the whitelist or not, and if the executable file is not registered in the whitelist, execution is basically blocked so that Rangamware infiltrates into the user's computer And more particularly, to a white-list-based Rangumware blocking apparatus and method capable of efficiently blocking according to the execution path of an executable file while blocking originally.

Ransomware is a malicious program that infiltrates an Internet user's computer and encrypts internal documents, spreadsheets, picture files, etc., and sends a decryption key program to recover encrypted files. It is becoming a social problem.

If a user's computer is infected with Ransomware, the execution of an unknown file by the user is infected. If the user's computer is infected or the Ransomware is hidden in the system, There is an infected path such as a user's computer is infected by background execution, a malicious code is transmitted through a web page, and the user's computer is infected.

Specifically, the way Ransomware infiltrates your computer can be by attaching e-mail attachments, installing Web ActiveX, running infected files, infecting e-mail attachments that are not clear-cut or by visiting a website In this case, the attached file pattern is zip, exe, scr, cab, pdf, etc. When this type of file is executed, the Ransomware infected file is downloaded from the server and executed. At this time, do.

If you look at the damage range of Ransomware, you can see 40 kinds of extensions such as xis, xisx, doc, docx, pdf, txt, jpg, psd, wav, mp4, mpg, avi, Files, and Cloud Drive, Local Disk, USB Drive, and NetWorkDrive.

Ransomware does not modify the extension of the file, it creates 3 files (RECOVER [5 digits]. *) In the folder where the file is encrypted, and it is difficult to detect whether the file is infected because there is no extension tampering.

Ransomware can not recover encrypted files or the like after encrypting internal documents, spreadsheets, picture files, etc. once it has been infiltrated into the user's computer. There is a problem that the encryption target is wide and damages the user's computer. Despite Ransomware's threats, there is little technology available to effectively block Ransomware.

As a prior art in the related field, Korean Patent Laid-Open No. 10-2010-0079047 entitled " Information security training system and method " includes a triggering action collecting unit for collecting actions (triggering actions) A training scenario modeling unit for modeling a training scenario for information security training on the triggering actions, and a security awareness level of the user who is performing the training by analyzing whether the user behavior observed during the training is in conformity with the modeled scenario And a report generating unit for generating a report to be fed back to the user based on the derived security level.

Korean Unexamined Patent Publication No. 10-2015-0078972, 'Intelligent Continuous Attack Detection and Response System and Method Using Behavior Based Analysis Technology', includes a function audit module for supporting the operation management and audit of the entire module, An audit policy module that manages an attack validity criterion policy; an audit policy module that calls an audit target scope defined by the audit policy module to perform audit of the audit target status; A system state monitoring module for analyzing the attack type and the damage range of the system, and a countermeasure for matching the attack by receiving the attack analysis result from the system state monitoring module, .

Published Patent No. 10-2010-0079047, July 8, 2010. Published Patent No. 10-2015-0078972, July 8, 2015.

A problem to be solved by the present invention is to overcome the above problems by registering and managing a normal executable file in advance as a whitelist, not a malicious program, and if a random executable file is executed, It is judged whether or not the target executable file is a safe executable file registered in the whitelist, and if the executable file is not registered in the whitelist, execution is basically blocked so that Rangumware is prevented from infiltrating into the user's computer And to provide a white-list-based Ransomware blocking apparatus and method capable of implementing efficient blocking according to the execution path of an executable file.

The present invention relates to a white-list-based Ransomware blocking apparatus, and more particularly, to a white-list-based Ransomware blocking apparatus comprising: setting means for presetting and registering a whitelist with respect to an arbitrary executable file executed in a user computer; If the execution file is a file registered in the whitelist, execution is permitted. If the execution file is not a registered file, a blocking signal is sent to the blocking means To the control unit And blocking means for blocking an object executable file or transmitting a notification signal to the user computer when the blocking signal is received from the determining means.

In this case, the determination means permits execution of the lower executable file of the target executable file, if the executable file is a file registered in the whitelist.

In this case, even when the executable file is a file registered in the whitelist so that execution is permitted even when the execution file is a new execution file other than the permitted executable file, As shown in FIG.

In this case, if the execution file is not a file registered in the whitelist, the judging means transfers a blocking signal to the blocking means.

Here, the white list includes a basic white list, a vendor whitelist, and a user whitelist. The basic whitelist includes all executable files in which only the window is installed in the user computer, And the vendor whitelist is all executable files created in accordance with the installation of the program except for the basic whitelist when a program other than a window is installed in the user computer, The user white list is an executable file received from another administrator terminal and added to the whitelist.

According to another aspect of the present invention, there is provided a white-list-based Ransomware blocking method comprising the steps of: (A) setting a white list for an arbitrary executable file executed in a user computer; (B) If the execution file is a file registered in the whitelist, the judging means judges whether the execution is a user execution or a background execution when an arbitrary execution file is executed in the user computer. If the execution file is a file registered in the whitelist, If not, transmitting a blocking signal to the blocking means; And (C) when the blocking unit receives the blocking signal from the determining unit, blocking the target execution file or transmitting a notification signal to the user computer.

The step (B) includes the steps of: (B1) allowing the execution means to execute the lower executable file of the target executable file if the execution means is a user and the executable file is a file registered in the whitelist .

In this case, in the step (B), (B2), when the execution means is a user, the new executable file other than the permitted executable file is newly created And transmitting a blocking signal to the blocking unit when the blocking unit is executed.

If the executable file is not a file registered in the whitelist, the step (B) may include: (B3) transmitting a blocking signal to the blocking unit when the determination unit determines that the execution file is background execution do.

Here, the white list includes a basic white list, a vendor whitelist, and a user whitelist. The basic whitelist includes all executable files in which only the window is installed in the user computer, And the vendor whitelist is all executable files created in accordance with the installation of the program except for the basic whitelist when a program other than a window is installed in the user computer, The user white list is an executable file received from another administrator terminal and added to the whitelist.

According to the present invention, a normal executable file, which is not a malicious program, is registered and managed in advance as a whitelist. When an arbitrary executable file is executed, the target executable file is registered in the whitelist If the execution file is not registered in the whitelist, it is possible to block the execution of the Raman software from the user's computer, and implement effective blocking according to the execution path of the executable file There is an effect.

BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is an overall block diagram of a white-list-based Ransomware interception device according to a preferred embodiment of the present invention; FIG.
FIG. 2 to FIG. 6 are reference views for explaining a Raman software interception method according to a preferred embodiment of the present invention.
FIG. 7 is an overall flowchart of a white-list-based Ransomware blocking method according to a preferred embodiment of the present invention. FIG.

Before describing the specific details for the practice of the invention, terms and words used in the specification and claims should be construed to enable the inventor to properly define the concept of a term in order to best describe its invention It should be interpreted as meaning and concept consistent with the technical idea of the present invention.

It is to be noted that the detailed description of known functions and constructions related to the present invention is omitted when it is determined that the gist of the present invention may be unnecessarily blurred.

Hereinafter, a white list-based Ransomware blocking apparatus according to a preferred embodiment of the present invention will be described in detail with reference to FIG. 1 to FIG.

FIG. 1 is an overall configuration diagram of a white-list-based Ransomware blocking apparatus according to a preferred embodiment of the present invention, and FIGS. 2 to 6 are reference views for explaining a Ransomware blocking method according to a preferred embodiment of the present invention .

As shown in FIG. 1, a white-list-based Ransomware blocking apparatus 100 according to a preferred embodiment of the present invention includes a setting unit 10, a determination unit 20, and a blocking unit 30.

First, the setting means 10 sets and registers a whitelist for an arbitrary executable file that can be executed or executed in the user computer. The executable file information to be added to the whitelist is received from another administrator terminal, Update the file to whitelist.

The whitelist used in the present invention is a term used to express the opposite concept of the black list by drawing attention to the term " black list ", which is conventionally used in the art, and includes an executable file (list) List), but may be any executable file or process that is not malicious or malicious.

More specifically, the whitelist according to the present invention is a positive security concept contrary to the black list method derived by the signature detection technique based on the negative security. The whitelist registers the permitted execution file or process in the whitelist, File or process may be blocked to prevent the malicious code from intruding into the user's computer. In the following Table 1, the white list-based method according to the present invention and the blacklist-based method according to the related art Respectively.

Whitelist-based Blacklist-based Processing method Prevention Post-processing Scope of execution Use only allowed applications Use all applications convenience Limited environment Universal environment Engine size No change Steady increase Resource share lowness height Security level height lowness UPDATE / PATCH Scheduling is available on demand Concerns about failure due to real-time update / patch application

The setting means 10 registers the white list by setting the white list in the following three ways, and the white list can be divided into a basic white list, a vendor whitelist, and a user white list.

The default whitelist can be any executable file or process that is automatically created and created or updated with only the operating system installed, such as Windows, installed on the user's computer, and all executable files and processes installed on the installed system. have. The default white list is a whitelist of executables and processes that are created when no other programs are installed and only an operating system such as Windows is installed.

The vendor whitelist means, for example, that if you installed Microsoft Office 2010 with only Windows installed, it would mean all executables and processes created by installing that MS Office 2010, except for the default whitelist. can do.

The user whitelist may be an executable file received from the administrator terminal and added to the whitelist, and may be an executable file that can be extracted through a separate whitelist extraction tool. Except for the default whitelist and vendor whitelist, executables and processes are created by user needs and these executables and processes can be defined as user whitelists.

Specifically, the default whitelist and the vendor whitelist can be downloaded to the user's computer system by the interceptor 100 and automatically updated by the interceptor 100 to the user's computer system when each whitelist is updated .

If the executable file is not a file registered in the whitelist, the judging means 20 judges whether the executable file is a user execution or a background execution when the executable file is executed in the user computer. (30). If the file is a registered file, the call is permitted.

In the case of user execution, if the executable file is a file registered in the whitelist, the execution of the lower executable file of the target executable file is allowed.

In the case of user execution, when a new executable file other than the executable file which is permitted to be called is newly generated and executed even when the executable file is a file registered in the whitelist and the call is permitted, the blocking signal is transmitted to the blocking means 30.

If the executable file is judged to be background execution when the executable file is executed on the user's computer, for example, if the executable file is not registered in the whitelist, the blocking signal is transmitted to the blocking means 30.

In the present invention, user execution means all executions when the parent process is the explorer, and background execution means all executions when the parent process is not the explorer.

If the determination means 20 determines that the executable file is executed in the user's computer, the specific method of determining whether the executable file is a user execution or a background execution is as follows. If the Windows desktop is logged in, the explorer.exe is executed. When a process is executed by clicking on the explorer, all of these executions are judged to be user execution. When you run A.exe, your parent process becomes explorer.exe. If A.exe is run in the background, A.exe's parent process will be some process in the background.

In a situation where the actual user uses the computer, there is almost no case in which the user clicks the malicious program or the Raman software to execute it. If the user arbitrarily executes any process in the background regardless of the intention of the user, Since the probability of the process is high, it is an excellent method in terms of the security effect and the blocking efficiency to access the execution in the user computer according to the user execution or the background execution as described above.

When the blocking means 30 receives a blocking signal for an arbitrary executable file from the determining means 20, the blocking means 30 blocks the target executable file or transmits a notification signal to the user computer.

Referring to FIG. 2 to FIG. 6, FIG. 2 shows a conceptual diagram of the white list security process.

In FIG. 3, it can be confirmed that when the background process of the Windows default process is executed, xx.exe is blocked if it is not a whitelist, and the notification signal (pop-up) is delivered to the user. At this point, you have the option to allow users to choose whether to turn on or off notifications for background blocking. Specifically, the option can be configured to allow the user to select the notification level in the setting menu by dividing the notification level into upper, middle, and lower.

In FIG. 4, when the user executes xx.exe as a whitelist, it can be confirmed that all the child processes are executed. When the user executes the executable file and the process are whitelisted, the execution of all the subordinate processes connected to the executable file and the process can be selectively executed. If sub-executables and processes are not in the whitelist, they are automatically registered and notified to the user. User execution is when the process is explore.exe.

In Fig. 5, the user execution is basically executed even though it is not a whitelist, but a notification delivery (pop-up) can be given to the user. Optionally, you can also let users choose whether to run or stop notifications about their contents, even if the user is running. If you select Execute, you can automatically add the executable and subprocesses to the whitelist. In addition, the option can be set by the user to divide the notification level into upper, middle, and lower levels in the setting menu.

In Fig. 6, if the background execution is not a whitelist, a notification is sent to the user after the block is transmitted (pop-up). Optionally, you can let users choose whether to turn on or off the notification of background blocking, and the option can be set by the user to split the notification level up, down, and down in the settings menu.

Hereinafter, a white list-based Ransomware blocking method according to a preferred embodiment of the present invention will be described in detail with reference to FIG.

FIG. 7 is an overall flowchart of a white-list-based Ransomware blocking method according to a preferred embodiment of the present invention.

First, the setting means 10 sets and registers a whitelist regarding an arbitrary executable file that is executable or executable on the user computer, receives executable file information to be added to the whitelist from a separate administrator terminal, And updates the executable file to the whitelist (S10).

Next, the determination means 20 determines whether the execution of the arbitrary executable file is a user execution or a background execution (S20).

If the execution file is not a file registered in the whitelist, the blocking unit 30 transmits a blocking signal to the blocking unit 30. If the file is a registered file, (S30).

Next, in the case of user execution as a result of the determination in step S20, if the determination unit 20 determines that the executable file is a file registered in the whitelist, the execution unit 20 permits the call to the lower executable file of the target executable file (S40).

Next, as a result of the determination in step S20, if the determination unit 20 determines that the execution file is a file registered in the whitelist, the execution unit 20 newly creates a new executable file other than the executable file that is permitted to be called When it is executed, the blocking signal is transmitted to the blocking means 30 (S50).

Finally, if it is determined in step S20 that background execution is performed, for example, if the execution file by the Windows basic process is not a file registered in the whitelist, the determination unit 20 transmits a blocking signal to the blocking unit 30 (S60).

While the present invention has been particularly shown and described with reference to preferred embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. It will be appreciated by those skilled in the art that numerous changes and modifications can be made without departing from the invention. Accordingly, all such modifications and variations are intended to be included within the scope of the present invention.

10: Setting means
20: Judgment means
30: Blocking means

Claims (10)

Setting means (10) for presetting and registering a whitelist with respect to an arbitrary executable file executed in the user computer;
If the execution file is a file registered in the whitelist, execution is permitted. If the execution file is not a registered file, a blocking signal is sent to the blocking means (20) for delivering the information to the server (30); And
And blocking means (30) for blocking the target execution file or for transmitting a notification signal to the user computer when the blocking signal is received from the determining means (20).
The method of claim 1,
Wherein the judging means (20) permits execution of a lower executable file of the target executable file if the executable file is a file registered in the whitelist.
The method of claim 1,
In the case where the execution means is a user registered in the whitelist, the judgment means 20 judges that the execution of a new execution file other than the permitted execution file Means (30).
The method of claim 1,
Wherein the judging means (20) transmits a blocking signal to the blocking means (30) if the execution file is not a file registered in the whitelist, in case of background execution.
The method of claim 1,
The white list includes a base white list, a vendor white list, and a user white list,
The basic whitelist is all the executable files in the state where only the window is installed in the user computer and all the executable files that are automatically updated and created in the state where only the window is installed in the user computer.
The vendor whitelist is all the executable files created in accordance with the installation of the program other than the basic whitelist when a program other than the window is installed in the user computer,
Wherein the user white list is an executable file received from a separate administrator terminal and added to the whitelist.
(A) the setting means (10) sets and registers a whitelist for an arbitrary executable file to be executed in the user computer;
(B) The judging means 20 judges whether the execution of the execution file is a user execution or a background execution when an arbitrary execution file is executed in the user computer. If the execution file is a file registered in the whitelist, If the file is not a registered file, transmitting a blocking signal to the blocking means 30; And
(C) blocking the target execution file or transmitting a notification signal to the user computer when the blocking means (30) receives the blocking signal from the determining means (20) How to block.
The method of claim 6,
The step (B)
(B1) allowing the determination means (20) to execute a lower executable file of the target executable file if the executable file is a file registered in the whitelist; List based Ransomware blocking method.
The method of claim 6,
The step (B)
(B2) In the case where the judgment means (20) is a user execution, even when the execution file is a file registered in the whitelist and allows execution, when a new execution file other than the permitted execution file is newly generated and executed, To the blocking means (30). ≪ Desc / Clms Page number 13 >
The method of claim 6,
The step (B)
(B3) a step of transmitting the blocking signal to the blocking means (30) when the judging means (20) is in the background execution and the execution file is not the file registered in the whitelist Based Ransomware blocking method.
The method of claim 6,
The white list includes a base white list, a vendor white list, and a user white list,
The basic whitelist is all the executable files in the state where only the window is installed in the user computer and all the executable files that are automatically updated and created in the state where only the window is installed in the user computer.
The vendor whitelist is all the executable files created in accordance with the installation of the program other than the basic whitelist when a program other than the window is installed in the user computer,
Wherein the user white list is an executable file received from a separate administrator terminal and added to the whitelist.

Images