
WO2019103368A1 - Malicious code detection method using big data - Google Patents

Info

Publication number: WO2019103368A1
Authority: WO (WIPO (PCT))
Prior art keywords: malicious code, pattern data, malicious, database, apk
Legal status: Ceased
Application number: PCT/KR2018/013609
Other languages: English (en), Korean (ko)
Inventors: 최윤영, 김태웅, 정원준
Current Assignee: NSHC Inc
Original Assignee: NSHC Inc
Priority date: 2017-11-27
Filing date: 2018-11-09
Publication date: 2019-05-31
Application filed by NSHC Inc
Publication of WO2019103368A1
Current status: Ceased

Classifications

    • G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F16/20 Information retrieval of structured data, e.g. relational data > G06F16/22 Indexing; Data structures therefor; Storage structures > G06F16/2219 Large Object storage; Management thereof
    • G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures > G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Definitions

  • the present invention relates to a malicious code detection method, and more particularly, to a malicious code detection method using big data.
  • the Android operating system is Linux-based open source, and as Android-based applications are developed, the threat to Android security from malicious code is increasing day by day.
  • most malicious codes known so far are not entirely new types; the majority are variants of malicious code that has already been modified, or activities that perform malicious actions which have been extracted and inserted into another application.
  • malware APK (Android application package)
  • prior art: "Android malicious code detection method based on activity string analysis", Patent Publication No. 10-2015-0083627, July 20, 2015
  • in that method, the classes.dex file in the APK is read and parsed into pattern information, and malicious code is then detected by comparing the pattern information with the malicious code database.
  • detection is possible only when the pattern information exactly matches the malicious code; when reflection, packing, or obfuscation techniques are applied to the APK file, the pattern information is deformed and detection becomes difficult.
  • the present invention has been proposed in order to solve the above-mentioned problems of the previously proposed methods.
  • it is an object of the present invention to provide a malicious code detection method using big data that compares pattern data extracted from an APK file to be inspected with previously collected large-scale malicious code pattern data, so that malicious code can be detected in a short time using a large database, can be detected without exact string matching, and can be detected even for an application to which an Android security technique has been applied.
  • (4) determining, from the comparison result in step (3), whether the pattern data stored in the database is found in the APK to be inspected, in order to determine whether or not malicious code is present.
  • the pattern data includes at least one of an activity name, a URL, a character string, and resource file information.
  • the database includes:
  • a pattern database for storing pattern data of a plurality of collected malicious codes;
  • an APK information database storing APK information of a plurality of malicious codes;
  • a link database for storing connection information that connects each pattern data stored in the pattern database with at least one APK information stored in the APK information database.
  • the pattern database stores at least one string value selected from the activity name, URL, character string, and resource file information of a plurality of malicious codes.
  • the APK information database stores at least one APK information selected from the group including the package name, SHA hash value, size, and virus detection name of a plurality of malicious codes.
  • more preferably, the total number of APKs including the pattern data extracted in step (1), the number of those APKs detected as malicious code, and the malicious code detection name of each APK including the pattern data are inquired.
  • more preferably, in step (4), the ratio of malicious code for each detection name can be calculated.
  • the pattern data extracted from the APK file to be inspected is compared with large-scale malicious code pattern data collected in the past, so that malicious code can be determined in a short period of time using a large database, malicious code can be detected without exact string matching, and malicious code detection can be performed even for applications using a security technique.
  • FIG. 1 is a diagram illustrating a system configuration for implementing a malicious code detection method using Big Data according to an embodiment of the present invention
  • FIG. 2 is a flowchart illustrating a malicious code detection method using Big Data according to an embodiment of the present invention.
  • FIG. 3 is a diagram illustrating a matrix for comparing extracted pattern data and a query result of a database in a malicious code detection method using big data according to an embodiment of the present invention.
  • a system for implementing a malicious code detection method using Big Data according to an embodiment of the present invention includes a server 200, which comprises a pattern database 210, an APK information database 220, and a link database 230, and a portable terminal 100.
  • the portable terminal 100 may include various portable devices capable of using a network, such as a smart phone running the Android operating system, a smart note, a tablet PC, a smart camera, a smart watch, and a wearable computer.
  • the portable terminal 100 according to the present invention is not limited to the terminal devices described above, but may be any portable device that downloads, installs, and runs applications. Since malicious code must be detected in an application package that is installed or awaiting installation, the portable terminal 100 of the present invention can play its role regardless of the specific terminal type.
  • the server 200 can store and provide information on a plurality of malicious codes.
  • the server 200 can store pattern data of a large-scale malicious code that has been collected in the past, and can reflect the latest malicious code information through continuous updating.
  • the portable terminal 100 can access the server 200 through the network to use the database, so that big data which would be difficult to store in the portable terminal 100 itself can be used to detect malicious code accurately and quickly.
  • the portable terminal 100 may access a web page providing a malicious code detection service to request malicious code detection, and the server 200 may provide a database in cooperation with a web page.
  • the database may include a pattern database 210, an APK information database 220, and a link database 230.
  • the pattern database 210 may store pattern data of a plurality of collected malicious codes. More specifically, it may store at least one or more string values selected from the group including the activity name, URL, string, and resource file information of a plurality of malicious codes.
  • the APK information database 220 can store APK information of a plurality of malicious codes. More specifically, it may store at least one APK information selected from the group including a package name of a plurality of malicious codes, a SHA hash value, a size, and a virus detection name.
  • the SHA hash value means the hash value of the Secure Hash Algorithm (SHA) functions, and more specifically, the SHA 256 hash value.
  • the link database 230 may store connection information connecting each pattern data stored in the pattern database 210 with at least one APK information stored in the APK information database 220. That is, the pattern data of the malicious code and the hash value are interconnected, and every pattern data may be connected to at least one APK information.
  • a malicious code detection method using Big Data according to an embodiment of the present invention includes extracting pattern data from an APK file to be inspected (S100), inquiring the pattern data on the database (S200), comparing the pattern data with the inquiry result (S300), and determining whether malicious code is present (S400).
  • the portable terminal 100 can extract pattern data from an APK (Android application package) file to be inspected.
  • the pattern data may include at least one or more selected from the group including the activity name, the URL, the character string, and the resource file information.
  • when a new APK file is downloaded to the portable terminal 100 and is awaiting installation, or has been newly installed, the APK file can be inspected by real-time monitoring.
  • the APK files of all applications already installed in the portable terminal 100, or the APK file of a specific application, may also be the target of inspection.
  • in step S200, the portable terminal 100 can inquire the pattern data extracted in step S100 on the database storing pattern data of a plurality of malicious codes. That is, in step S200, the portable terminal 100 uses, via the network, the big data stored in the pattern database 210, the APK information database 220, and the link database 230 to inquire the number of malicious code references of the pattern data, and the like.
  • in step S300, the portable terminal 100 can compare the pattern data extracted in step S100 with the inquiry result of step S200. More specifically, in step S300, the total number of APKs including the pattern data extracted in step S100, the number of those APKs detected as malicious code, and the malicious code detection name of each such APK can be inquired.
  • in step S300 of the malicious code detection method using Big Data according to an embodiment of the present invention, the inquiry result of step S200 and the pattern data extracted in step S100 can be expressed in matrix form and analyzed.
  • FIG. 3 shows, in column A, the total number of APKs including the pattern data extracted in step S100; in column B, the number of those APKs detected as malicious code; in column C, the extracted pattern data; and in column D, the malware detection name of the APK including the pattern data.
  • column D can exist only when the APK is detected as malicious code.
  • in step S400, the portable terminal 100 can determine the presence or absence of maliciousness from the comparison result of step S300, based on the degree to which the pattern data stored in the database is found in the APK to be inspected.
  • in step S400, the ratio of the number of APKs detected as malicious code (column B in FIG. 3) to the total number of APKs including the pattern data (column A in FIG. 3) can be calculated, and maliciousness can be determined using the calculated value. For example, if the calculated value is not less than a predetermined standard, the APK can be judged to be malicious. In addition, if there are a plurality of malicious code detection names (column D in FIG. 3) for the APKs including the corresponding pattern data (column C in FIG. 3), the percentage of the malicious code accounted for by each detection name can be calculated. The calculated values can be judged together to determine whether maliciousness exists.
  • since malicious code is detected by a statistical method using big data, it is possible to quickly and accurately detect malicious code even for an APK file whose pattern data has been deformed by reflection, packing, or obfuscation techniques.
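As an added illustration (not code from the patent or from NSHC), the following Python models the FIG. 3 comparison matrix (columns A to D) and the step S400 ratio decision over constructed sample databases. The placeholder hash strings, package names, detection names, the 0.7 ratio threshold and the "at least two hitting patterns" aggregation rule are all assumptions made for this example, not values from the patent.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample data standing in for the server-side databases of FIG. 1.
# APK information database 220: placeholder hash -> (package name, size, detection name)
APK_INFO = {
    "sha256:h1": ("com.example.bankfake",  1_200_000, "Trojan.Banker"),
    "sha256:h2": ("com.example.dropper",     800_000, "Trojan.Dropper"),
    "sha256:h3": ("com.example.notes",       300_000, None),   # benign sample
    "sha256:h4": ("com.example.bankfake2", 1_250_000, "Trojan.Banker"),
    "sha256:h5": ("com.example.weather",     450_000, None),   # benign sample
}
# Pattern database 210 joined with link database 230: pattern -> hashes of APKs containing it
LINKS = {
    "com.example.ui.LoginActivity":     {"sha256:h1", "sha256:h4"},
    "http://c2.example.invalid/report": {"sha256:h1", "sha256:h2", "sha256:h4"},
    "res/raw/payload.bin":              {"sha256:h2"},
    "android.intent.action.MAIN":       set(APK_INFO),  # generic string, in every sample
}

@dataclass
class Row:
    """One row of the FIG. 3 comparison matrix."""
    total: int                                        # column A: APKs containing the pattern
    malicious: int                                    # column B: of those, APKs with a detection name
    pattern: str                                      # column C: the extracted pattern data
    names: Counter = field(default_factory=Counter)   # column D: detection names (empty if none)

def query(patterns):
    """Steps S200/S300: look up each extracted pattern and build the matrix rows."""
    rows = []
    for p in patterns:
        hashes = LINKS.get(p, set())
        names = Counter(APK_INFO[h][2] for h in hashes if APK_INFO[h][2])
        rows.append(Row(len(hashes), sum(names.values()), p, names))
    return rows

def judge(rows, ratio_threshold=0.7, min_hits=2):
    """Step S400 (assumed aggregation): a pattern 'hits' when B/A >= ratio_threshold;
    the APK is judged malicious when at least min_hits patterns hit.
    Returns (verdict, number of hits, share of each detection name among the hit rows)."""
    hits = [r for r in rows if r.total and r.malicious / r.total >= ratio_threshold]
    tally = Counter()
    for r in hits:
        tally.update(r.names)
    shares = {n: c / sum(tally.values()) for n, c in tally.items()}
    return len(hits) >= min_hits, len(hits), shares

# Constructed pattern data "extracted" from the APK under inspection (step S100).
SAMPLE_PATTERNS = [
    "com.example.ui.LoginActivity",
    "http://c2.example.invalid/report",
    "android.intent.action.MAIN",      # shared with benign samples: ratio stays below threshold
    "res/raw/unknown.png",             # never seen in the database: no hit
]

if __name__ == "__main__":
    verdict, hits, shares = judge(query(SAMPLE_PATTERNS))
    print(verdict, hits, shares)
```

The generic `android.intent.action.MAIN` row is the case the ratio is meant to absorb: it is present in every sample, so its B/A value is low and it does not count as a hit even though it appears in every malicious APK.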

Abstract

According to the malicious code detection method using big data proposed by the present invention, pattern data extracted from an APK file to be inspected is compared with previously collected large-scale malicious code pattern data. When, as a result of the comparison, multiple pattern data that have been used in existing malicious code are found, it is determined that the APK file contains malicious code. Accordingly, the present invention can determine in a short time, using a very large database, whether or not malicious code exists, can detect malicious code even without exact string matching, and can detect malicious code even for an application to which an Android security technique has been applied.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2017-0159369 2017-11-27
KR1020170159369A KR20190061231A (ko) 2017-11-27 2017-11-27 Malicious code detection method using big data

Publications (1)

Publication Number Publication Date
WO2019103368A1 (fr) 2019-05-31

Family

ID=66632020

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2018/013609 Ceased WO2019103368A1 (fr) 2017-11-27 2018-11-09 Malicious code detection method using big data

Country Status (2)

Country Link
KR (1) KR20190061231A (fr)
WO (1) WO2019103368A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US12056239B2 (en) 2020-08-18 2024-08-06 Micro Focus Llc Thread-based malware detection

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20120071817A (ko) * 2010-12-23 2012-07-03 한국인터넷진흥원 Automatic management system for malicious code DNA and metadata
KR101508577B1 (ko) * 2013-10-08 2015-04-07 고려대학교 산학협력단 Malicious code detection apparatus and method
KR20150044490A (ko) * 2013-10-16 2015-04-27 (주)이스트소프트 Detection apparatus and detection method for malicious Android applications
KR20150099132A (ko) * 2014-02-21 2015-08-31 삼성전자주식회사 Method and apparatus for inspecting content for maliciousness
KR101628837B1 (ko) * 2014-12-10 2016-06-10 고려대학교 산학협력단 Method and system for detecting malicious applications or malicious websites

Also Published As

Publication number Publication date
KR20190061231A (ko) 2019-06-05

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 18880435; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 18880435; Country of ref document: EP; Kind code of ref document: A1)