US20110271342A1 - Defense method and device against intelligent bots using masqueraded virtual machine information - Google Patents

Defense method and device against intelligent bots using masqueraded virtual machine information Download PDF

Info

Publication number
US20110271342A1
US20110271342A1 US12/879,691 US87969110A US2011271342A1 US 20110271342 A1 US20110271342 A1 US 20110271342A1 US 87969110 A US87969110 A US 87969110A US 2011271342 A1 US2011271342 A1 US 2011271342A1
Authority
US
United States
Prior art keywords
virtual machine
information
malicious
masqueraded
user terminal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US12/879,691
Other versions
US8813226B2 (en
Inventor
Yoon Jung CHUNG
Yo Sik KIM
Won Ho Kim
Dong Soo Kim
Sang Kyun NOH
Young Tae Yun
Cheol Won Lee
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Electronics and Telecommunications Research Institute ETRI
Original Assignee
Electronics and Telecommunications Research Institute ETRI
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Electronics and Telecommunications Research Institute ETRI filed Critical Electronics and Telecommunications Research Institute ETRI
Assigned to ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE reassignment ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: CHUNG, YOON JUNG, KIM, DONG SOO, KIM, WON HO, KIM, YO SIK, LEE, CHEOL WON, NOH, SANG KYUN, YUN, YOUNG TAE
Publication of US20110271342A1 publication Critical patent/US20110271342A1/en
Application granted granted Critical
Publication of US8813226B2 publication Critical patent/US8813226B2/en
Expired - Fee Related legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/145Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2212/00Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures
    • G06F2212/15Use in a specific computing environment
    • G06F2212/151Emulated environment, e.g. virtual machine
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/144Detection or countermeasures against botnets

Definitions

  • the present invention relates to a defense method and device against intelligent bots using masqueraded virtual machine information. More specifically, the present invention relates to a defense method and device against intelligent bots using masqueraded virtual machine information for stopping malicious processes of the intelligent bots.
  • Intelligent bots refer to programs that periodically collect information or carry out services without direct participation of a user.
  • such intelligent bots search a terminal connected to the Internet using parameters provided by a user, collect information in which the user has an interest, and provide the collected information to the user.
  • these intelligent bots by nature may he used for malicious behaviors according to a user's intent.
  • security experts execute a virtual machine, and cause the intelligent bot to be executed on the virtual machine, thereby analyzing and tracing the malicious behaviors.
  • Determining, on the basis of pre-stored malicious process information, whether or not the process transmitting the virtual machine detection request corresponds to a malicious process may include determining whether or not the process corresponds to the malicious process of executing any one of access to a file of a user terminal, lookup of a network address of a virtual machine, and access to a registry of the user terminal.
  • Determining, on the basis of pre-stored malicious process information, whether or not the process transmitting the virtual machine detection request corresponds to a malicious process may further include determining whether or not the process is included in a white list that is a list of pre-stored normal processes.
  • Determining, on the basis of pre-stored malicious process information, whether or not the process transmitting the virtual machine detection request corresponds to a malicious process may further include determining whether or not a binary hash value of the virtual machine detection request is identical to a hash value of a pre-stored malicious code.
  • the global hooking module may determine the process as a malicious process when the process is not included in a white list that is a list of normal processes stored in the virtual machine information database.
  • the global hooking module may determine the process as a malicious process when a binary hash value of the virtual machine detection request is identical to a hash value of a malicious code stored in the virtual machine information database.
  • the malicious process information may be information for accessing at least one selected from a file of the user terminal, a network address of the virtual machine, and a registry of the user terminal.
  • FIG. 1 illustrates the configuration of a defense device against intelligent bots using masqueraded virtual machine information according to an exemplary embodiment of the present invention
  • FIG. 2 is a flowchart for explaining a defense method against intelligent bots using masqueraded virtual machine information according to an exemplary embodiment of the present invention.
  • FIG. 3 is a flowchart for explaining a defense method against intelligent bots using masqueraded virtual machine information according to another exemplary embodiment of the present invention.
  • FIG. 1 illustrates the configuration of a defense device against intelligent bots using masqueraded virtual machine information according to an exemplary embodiment of the present invention.
  • the configuration of the defense device against intelligent bots u sing masqueraded virtual machine information will he described with reference to FIG. 1 .
  • a defense device 100 against intelligent bots includes a global hooking module 110 and a virtual machine information database 120 .
  • the global hooking module 110 determines whether or not the process transmitting the virtual machine detection request is a malicious process on the basis of malicious process information stored in the virtual machine information database 120 .
  • the virtual machine information database 120 stores masqueraded virtual machine information for masquerading as the state where the user terminal makes use of the virtual machine, and the malicious process information for determining the malicious process.
  • the malicious process information stored in the virtual machine information database 120 may be made up of information for providing access to at least one selected from a file of the user terminal, a network address of the virtual machine, and a registry of the user terminal.
  • the global hooking module 110 reads the virtual machine information, which is for masquerading as the state where the user terminal makes use of the virtual machine, from the virtual machine information database 120 , and then returns the read virtual machine information to the intelligent bot 130 executing the process.
  • the virtual machine information is stored in the virtual machine information database 120 , and may include at least one selected from masqueraded file information, masqueraded network address information, and masqueraded registry information, all of which are for masquerading as the state where the user terminal makes use of the virtual machine.
  • the file control module 111 determines the process as a malicious process with reference to the malicious process information stored in the virtual machine information database 120 .
  • the file control module 111 may receive the masqueraded file information for masquerading as the virtual machine from the virtual machine information database 120 , and then return the received information to the intelligent bot 130 executing the process.
  • the global hooking module 110 may be configured to determine the process as a malicious process when a binary hash value of the virtual machine detection request is identical to a hash value of the malicious code stored in the virtual machine information database 120 .
  • the global hooking module 110 may be configured to determine whether or not the process is included in a list of normal processes, i.e. a white list, stored in the virtual machine information database 120 , and to execute the process of determining the malicious process as described above only when the process is not included in the white list as a result of the determination.
  • the virtual machine detection request of the intelligent bot 130 may include a request intended for the virtual machine implemented in VMware or CW Sandbox.
  • the masqueraded virtual machine information may be provided to determine that the intelligent bot detecting the operation of the virtual machine is operated on the virtual machine, thereby causing the intelligent bot to stop the malicious process.
  • the defense device against intelligent bots determines, on the basis of pre-stored malicious processes, whether or not the process transmitting the virtual machine detection request corresponds to a malicious process (S 220 ).
  • the defense device against intelligent bots returns masqueraded virtual machine information to the process (S 230 ).
  • the masqueraded virtual machine information is information for masquerading as the state where the user terminal makes use of the virtual machine.
  • the defense device against intelligent bots may transmit the virtual machine detection request to the window kernel of the user terminal (S 240 ). Afterwards, the defense device against intelligent bots may receive a normal value of the virtual machine detection request from the window kernel of the user terminal, and return the received value to the process (S 250 ).
  • FIG. 3 is a flowchart for explaining a defense method against intelligent bots using masqueraded virtual machine information according to another exemplary embodiment of the present invention.
  • the defense method against intelligent bots using masqueraded virtual machine information according to another exemplary embodiment of the present invention will described with reference to FIG. 3 .
  • the defense device against intelligent bots determines whether or not the process executes any one selected from access to a file of the user terminal, lookup of a network address of the virtual machine, and access to a registry of the user terminal (S 330 ).
  • the defense device against intelligent bots returns masqueraded virtual machine information, which is for masquerading as the state where the user terminal makes use of the virtual machine, to the process (S 340 ).
  • the masqueraded virtual machine information may include at least one of masqueraded file information, masqueraded network address information, and masqueraded registry information, all of which are for masquerading as the state where the user terminal makes use of the virtual machine.
  • the binary hash value of the virtual machine detection request is stored in the virtual machine information database (S 336 ).
  • a separate external system analyzes processes for the file, registry, and network, and determines whether or not each process is the malicious process. If each process is the malicious process, the binary hash value is stored as the hash value of the malicious code in the virtual machine information database.
  • the masqueraded virtual machine information can he provided to the intelligent bot detecting the execution of the virtual machine such that the intelligent bot determines that the virtual machine is operated, thereby causing the intelligent bot to stop the malicious process.
  • the intelligent bot even when the user terminal is infected with the intelligent bot, the intelligent bot is caused not to conduct its malicious process, so that it is possible to prevent secondary damages such as a distributed denial-of-service (DDoS) attack or information leakage.
  • DDoS distributed denial-of-service
  • the embodiments may be implemented by arbitrary various methods.
  • the embodiments may be implemented as hardware, software, or a combination thereof.
  • the embodiments may be implemented as the software executed on one or more processors using various operating systems or platforms.
  • such software may be written using any of a number of suitable programming languages, and may also be compiled as executable machine language code or intermediate code that is executed on a framework or a virtual machine.
  • the invention may be embodied as a computer readable medium (e.g., a computer memory, one or more floppy discs, compact discs, optical discs, magnetic tapes, flash memories, etc.) encoded with one or more programs that, when executed on one or more computers or other processors, perform methods that implement the above-mentioned various embodiments of the invention.
  • a computer readable medium e.g., a computer memory, one or more floppy discs, compact discs, optical discs, magnetic tapes, flash memories, etc.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A defense method and device against intelligent bots using masqueraded virtual machine information are provided. The method includes performing global hooking on a virtual machine detection request transmitted by a process, determining, on the basis of pre-stored malicious process information, whether or not, the process transmitting the virtual machine detection request corresponds to a malicious process, and when the process is found to correspond to the malicious process as a result of the determination, determining that the process is generated by the intelligent bot, and returning the masqueraded virtual machine information to the process.

Description

    CROSS-REFERENCE TO RELATED APPLICATION
  • This application claims priority to and the benefit of Korean Patent Application No. 10-2010-0039358, filed Apr. 28, 2010, the disclosure of which is incorporated herein by reference in its entirety.
    • BACKGROUND
  • The present invention relates to a defense method and device against intelligent bots using masqueraded virtual machine information. More specifically, the present invention relates to a defense method and device against intelligent bots using masqueraded virtual machine information for stopping malicious processes of the intelligent bots.
    • Discussion of Related Art
  • Intelligent bots refer to programs that periodically collect information or carry out services without direct participation of a user. In general, such intelligent bots search a terminal connected to the Internet using parameters provided by a user, collect information in which the user has an interest, and provide the collected information to the user. However, these intelligent bots by nature may he used for malicious behaviors according to a user's intent.
  • Accordingly, to analyze the malicious behaviors using these intelligent bots, security experts execute a virtual machine, and cause the intelligent bot to be executed on the virtual machine, thereby analyzing and tracing the malicious behaviors.
  • However, to cope with this analyzing and tracing method based on the execution of the virtual machine, producers of the intelligent bots make use of a method of detecting the execution of the virtual machine. According to this method of detecting the execution of the virtual machine, it is detected whether or not the intelligent bot is executed on the virtual machine, and if it is determined that the intelligent bot is executed on the virtual machine, the intelligent bot is terminated without conducting any malicious behavior.
    • SUMMARY OF THE INVENTION
  • The present invention is directed to a defense method and device against intelligent bots using masqueraded virtual machine information, in which the intelligent bot detecting execution of a virtual machine is provided with masqueraded virtual machine information so as to determine that it is operated on the virtual machine to stop its malicious process, thereby preventing damages such as a distributed denial-of-service (DDoS) attack or information leakage by causing the intelligent bot not to conduct a malicious process even when a user terminal is infected with the intelligent bot.
  • One aspect of the present invention provides a defense method against intelligent bots using masqueraded virtual machine information. The method includes: performing global hooking on a virtual machine detection request transmitted by a process; determining, on the basis of pre-stored malicious process information, whether or not the process transmitting the virtual machine detection request corresponds to a malicious process; and when the process is found to correspond to the malicious process as a result of the determination, determining that the process is generated by the intelligent bot, and returning the masqueraded virtual machine information to the process.
  • Determining, on the basis of pre-stored malicious process information, whether or not the process transmitting the virtual machine detection request corresponds to a malicious process may include determining whether or not the process corresponds to the malicious process of executing any one of access to a file of a user terminal, lookup of a network address of a virtual machine, and access to a registry of the user terminal.
  • Determining, on the basis of pre-stored malicious process information, whether or not the process transmitting the virtual machine detection request corresponds to a malicious process may further include determining whether or not the process is included in a white list that is a list of pre-stored normal processes.
  • Determining, on the basis of pre-stored malicious process information, whether or not the process transmitting the virtual machine detection request corresponds to a malicious process may further include determining whether or not a binary hash value of the virtual machine detection request is identical to a hash value of a pre-stored malicious code.
  • Determining, on the basis of pre-stored malicious process information, whether or not the process transmitting the virtual machine detection request corresponds to a malicious process may further include storing the binary hash value of the virtual machine detection request if the binary hash value is not identical to the hash value of the pre-stored malicious code.
  • The masqueraded virtual machine information may include at least one selected from masqueraded file information, masqueraded network address information, and masqueraded registry information, all of which are for masquerading as a state where a user terminal makes use of a virtual machine.
  • The method may further include: when the process is found not to correspond to the malicious process as a result of the determination, transmitting the virtual machine detection request to a window kernel of a user terminal; and receiving, a normal value of the virtual machine detection request from the window kernel of the user terminal, and returning the received value to the process.
  • Another aspect of the present invention provides a defense device against intelligent bots using masqueraded virtual machine information. The device includes: a virtual machine information database storing the masqueraded virtual machine information for masquerading as a state where a user terminal makes use of a virtual machine, and malicious process information for determining a malicious process; and a global hooking module performing global hooking on a virtual machine detection request of a process, determining, on the basis of the malicious process information stored in the virtual machine information database, whether or not the process transmitting the virtual machine detection request corresponds to a malicious process, and when the process is found to correspond to the malicious process as a result of the determination, returning the masqueraded virtual machine information stored in the virtual machine information database to the process.
  • The global hooking module may include: a file control module that, when the process has access to a file of the user terminal, determines the process as a malicious process on the basis of the malicious process information, receives the masqueraded file information for masquerading as the virtual machine from the virtual machine information database, and returns the received information to the process; a network control module that, when the process executes lookup of a virtual machine network address, determines the process as a malicious process on the basis of the malicious process information, receives the masqueraded network address information for masquerading as the virtual machine from the virtual machine information database, and returns the received information to the process and a registry control module that, when the process has access to a registry of the user terminal, determines the process as a malicious process on the basis of the malicious process information, receives the masqueraded registry information for masquerading as the virtual machine from the virtual machine information database, and returns the received information to the process.
  • The global hooking module may determine the process as a malicious process when the process is not included in a white list that is a list of normal processes stored in the virtual machine information database.
  • The global hooking module may determine the process as a malicious process when a binary hash value of the virtual machine detection request is identical to a hash value of a malicious code stored in the virtual machine information database.
  • The masqueraded virtual machine information may include at least one selected from masqueraded file information, masqueraded network address information, and masqueraded registry information, all of which are for masquerading as a state where the user terminal makes use of the virtual machine.
  • The malicious process information may be information for accessing at least one selected from a file of the user terminal, a network address of the virtual machine, and a registry of the user terminal.
  • When the process is found not to correspond to the malicious process as a result of the determination, the global hooking module may transmit the virtual machine detection request to a window kernel of a user terminal, receive a normal value of the virtual machine detection request from the window kernel of the user terminal, and return the received value to the process.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • The above and other objects features and advantages of the present invention will become more apparent to those of ordinary skill in the art by describing in detail exemplary embodiments thereof with reference to the attached drawings in which:
  • FIG. 1 illustrates the configuration of a defense device against intelligent bots using masqueraded virtual machine information according to an exemplary embodiment of the present invention;
  • FIG. 2 is a flowchart for explaining a defense method against intelligent bots using masqueraded virtual machine information according to an exemplary embodiment of the present invention; and
  • FIG. 3 is a flowchart for explaining a defense method against intelligent bots using masqueraded virtual machine information according to another exemplary embodiment of the present invention.
    •  DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS
  • The present invention will now be described more fully hereinafter with reference to the accompanying drawings, in which exemplary embodiments of the invention are shown. Throughout the drawings, it should he noted that the same reference numerals or symbols are used to designate like or equivalent elements having the same function. The detailed descriptions of known function and construction unnecessarily obscuring the subject matter of the present invention will be omitted.
  • FIG. 1 illustrates the configuration of a defense device against intelligent bots using masqueraded virtual machine information according to an exemplary embodiment of the present invention. The configuration of the defense device against intelligent bots u sing masqueraded virtual machine information will he described with reference to FIG. 1.
  • As illustrated in FIG. 1, a defense device 100 against intelligent bots includes a global hooking module 110 and a virtual machine information database 120.
  • To determine whether or not an intelligent bot 130 makes use of a virtual machine at a user terminal, a request to detect the virtual machine for executing a process is transmitted to the user terminal, and then the global hooking module 110 performs global hooking on the virtual machine detection request.
  • The global hooking module 110 determines whether or not the process transmitting the virtual machine detection request is a malicious process on the basis of malicious process information stored in the virtual machine information database 120.
  • The virtual machine information database 120 stores masqueraded virtual machine information for masquerading as the state where the user terminal makes use of the virtual machine, and the malicious process information for determining the malicious process. The malicious process information stored in the virtual machine information database 120 may be made up of information for providing access to at least one selected from a file of the user terminal, a network address of the virtual machine, and a registry of the user terminal.
  • Thus, when it is determined that the process is the malicious process, the global hooking module 110 reads the virtual machine information, which is for masquerading as the state where the user terminal makes use of the virtual machine, from the virtual machine information database 120, and then returns the read virtual machine information to the intelligent bot 130 executing the process. Here, the virtual machine information is stored in the virtual machine information database 120, and may include at least one selected from masqueraded file information, masqueraded network address information, and masqueraded registry information, all of which are for masquerading as the state where the user terminal makes use of the virtual machine.
  • Hereinafter, the global hooking module 110 will be described in greater detail.
  • The global hooking module 110 may includes a file control module 111, a network control module 112, and a registry control module 113.
  • When the process has access to the file of the user terminal, the file control module 111 determines the process as a malicious process with reference to the malicious process information stored in the virtual machine information database 120. Thus, the file control module 111 may receive the masqueraded file information for masquerading as the virtual machine from the virtual machine information database 120, and then return the received information to the intelligent bot 130 executing the process.
  • Further, when the process executes lookup of a virtual machine network address, the network control module 112 determines the process as a malicious process with reference to the malicious process information stored in the virtual machine information database 120. Thus, the network control module 112 may receive the masqueraded network address information for masquerading as the virtual machine from the virtual machine information database 120, and then return the received information to the intelligent bot 130 executing the process.
  • Further, when the process requests access to a registry of the user terminal, the registry control module 113 determines the process as a malicious process with reference to the malicious process information stored in the virtual machine information database 120. Thus, the registry control module 113 may receive the masqueraded registry information for masquerading as the virtual machine from the virtual machine information database 120, and then return the received information to the intelligent bot 130 executing the process.
  • In addition, the global hooking module 110 may be configured to determine the process as a malicious process when a binary hash value of the virtual machine detection request is identical to a hash value of the malicious code stored in the virtual machine information database 120.
  • Meanwhile, the global hooking module 110 may be configured to determine whether or not the process is included in a list of normal processes, i.e. a white list, stored in the virtual machine information database 120, and to execute the process of determining the malicious process as described above only when the process is not included in the white list as a result of the determination.
  • When it is determined that the process transmitting the virtual machine detection request is not the malicious process, or that the process is included in the white list, the global hooking module 110 may determine the process as a normal process. As described above, when the process is determined as the normal process, the global hooking machine 110 may transmit the virtual machine detection request to a window kernel 140 of the user terminal, receive a normal value of the virtual machine detection request from the window kernel 140 of the user terminal, and return the received value to the intelligent bot 130 executing the process.
  • Meanwhile, according, to the exemplary embodiment of the present invention, the virtual machine detection request of the intelligent bot 130 may include a request intended for the virtual machine implemented in VMware or CW Sandbox.
  • Thus, according to the exemplary embodiment of the present invention, the masqueraded virtual machine information may be provided to determine that the intelligent bot detecting the operation of the virtual machine is operated on the virtual machine, thereby causing the intelligent bot to stop the malicious process.
  • FIG. 2 is a flowchart for explaining a defense method against intelligent bots using masqueraded virtual machine information according to an exemplary embodiment of the present invention. The defense method against intelligent bots using masqueraded virtual machine information according to an exemplary embodiment of the present invention will be described with reference to FIG. 2.
  • According to an exemplary embodiment of the present invention, the defense device against intelligent bots performs global hooking on the virtual machine detection request of a process (S210).
  • The defense device against intelligent bots determines, on the basis of pre-stored malicious processes, whether or not the process transmitting the virtual machine detection request corresponds to a malicious process (S220).
  • As a result, if the process corresponds to the malicious process, the defense device against intelligent bots returns masqueraded virtual machine information to the process (S230). Here, the masqueraded virtual machine information is information for masquerading as the state where the user terminal makes use of the virtual machine.
  • Meanwhile, when it is determined that the process does not correspond to the malicious process, the defense device against intelligent bots may transmit the virtual machine detection request to the window kernel of the user terminal (S240). Afterwards, the defense device against intelligent bots may receive a normal value of the virtual machine detection request from the window kernel of the user terminal, and return the received value to the process (S250).
  • FIG. 3 is a flowchart for explaining a defense method against intelligent bots using masqueraded virtual machine information according to another exemplary embodiment of the present invention. The defense method against intelligent bots using masqueraded virtual machine information according to another exemplary embodiment of the present invention will described with reference to FIG. 3.
  • The defense device against intelligent bots may perform global hooking on the virtual machine detection request of a process (S310), and determine whether or not the process is included in a white list (S320). Here, the white list refers to a list of normal processes, and is stored in the virtual machine information database.
  • As a result of the determination, if the process is not included in the white list, the defense device against intelligent bots determines whether or not the process executes any one selected from access to a file of the user terminal, lookup of a network address of the virtual machine, and access to a registry of the user terminal (S330).
  • When it is determined that the process executes any one selected from access to a file of the user terminal, lookup of a network address of the virtual machine, and access to a registry of the user terminal, the defense device against intelligent bots can determine whether or not the process is a malicious process on the basis of whether or not a binary hash value of the virtual machine detection request is identical to a hash value of a malicious code stored in the virtual machine information database (S335).
  • For example, the defense device against intelligent bots may determine whether or not the process is a malicious process on the basis of whether or not the process has access to a media access control (MAC) address, such as 00-05-69-xx-xx-xx, 00-0c-29-xx-xx-xx, or 00-50-56-xx-xx-xx, which is used in the virtual machine, or on the basis of whether or not the process has access to the registry and then information such as a product identification (ID), a hard drive, a video drive, etc., which are used in the virtual machine.
  • As a result of the determination, when it is determined that the process is the malicious process because the virtual machine detection request corresponds to any one of the access to the file of the user terminal, the lookup of the network address of the virtual machine, and the access to the registry of the user terminal, and because the binary hash value of the virtual machine detection request is identical to the hash value of the malicious code, the defense device against intelligent bots returns masqueraded virtual machine information, which is for masquerading as the state where the user terminal makes use of the virtual machine, to the process (S340). Here, the masqueraded virtual machine information may include at least one of masqueraded file information, masqueraded network address information, and masqueraded registry information, all of which are for masquerading as the state where the user terminal makes use of the virtual machine.
  • Meanwhile, as a result of the determination, if it is determined that the process is included in the white list, that the virtual machine detection request does not correspond to any one of the access to the file of the user terminal, the lookup of the network address of the virtual machine, and the access to the registry of the user terminal, or that the binary hash value of the virtual machine detection request is riot identical to the hash value of the malicious code, the defense device against intelligent bots determines that the process does not correspond to the malicious process, and may transmit the virtual machine detection request to the window kernel of the user terminal (S350).
  • Further, if it is determined that the process is not included in the white list, that the virtual machine detection request corresponds to any one of the access to the file of the user terminal, the lookup of the network address of the virtual machine, and the access to the registry of the user terminal, and that the binary hash value of the virtual machine detection request is not identical to the hash value of the malicious code, the binary hash value of the virtual machine detection request is stored in the virtual machine information database (S336). Here, a separate external system analyzes processes for the file, registry, and network, and determines whether or not each process is the malicious process. If each process is the malicious process, the binary hash value is stored as the hash value of the malicious code in the virtual machine information database.
  • As a result, the defense device against intelligent bots may receive the normal value of the virtual machine detection request from the window kernel of the user terminal, and return the received value to the process (S360).
  • Thus, according to embodiments of the present invention, the masqueraded virtual machine information can he provided to the intelligent bot detecting the execution of the virtual machine such that the intelligent bot determines that the virtual machine is operated, thereby causing the intelligent bot to stop the malicious process. As such, according to embodiments of the present invention, even when the user terminal is infected with the intelligent bot, the intelligent bot is caused not to conduct its malicious process, so that it is possible to prevent secondary damages such as a distributed denial-of-service (DDoS) attack or information leakage.
  • The above-mentioned embodiments of the present invention may be implemented by arbitrary various methods. For example, the embodiments may be implemented as hardware, software, or a combination thereof. If the embodiments are implemented as the software, they may be implemented as the software executed on one or more processors using various operating systems or platforms. In addition, such software may be written using any of a number of suitable programming languages, and may also be compiled as executable machine language code or intermediate code that is executed on a framework or a virtual machine.
  • In this respect, the invention may be embodied as a computer readable medium (e.g., a computer memory, one or more floppy discs, compact discs, optical discs, magnetic tapes, flash memories, etc.) encoded with one or more programs that, when executed on one or more computers or other processors, perform methods that implement the above-mentioned various embodiments of the invention.
  • According to embodiments of the present invention, an intelligent bot detecting execution of a virtual machine is provided with masqueraded virtual machine information so as to determine that it is operated on the virtual machine to stop its malicious process, so that it is possible to prevent secondary damages such as a distributed denial-of-service (DDoS) attack or information leakage by causing the intelligent bot not to conduct a malicious process although a user terminal is infected with the intelligent bot.
  • In the drawings and specification, there have been disclosed typical exemplary embodiments of the invention and, although specific terms are employed, they are used in a generic and descriptive sense only and not for purposes of limitation. As for the scope of the invention, it is to be set forth in the following claims. Therefore, it will be understood by those of ordinary skill in the art that various changes in form and details may he made therein without departing from the spirit and scope of the present invention as defined by the following claims.

Claims (14)

1. A defense method against intelligent bots using masqueraded virtual machine information, the method comprising:
performing global hooking on a virtual machine detection request transmitted by a process;
determining, on the basis of pre-stored malicious process information, whether or not the process transmitting the virtual machine detection request corresponds to a malicious process; and
when the process is found to correspond to the malicious process as a result of the determination, determining that the process is generated by the intelligent bot, and returning the masqueraded virtual machine information to the process.
2. The method of claim 1, wherein determining, on the basis of pre-stored malicious process information, whether or not the process transmitting the virtual machine detection request corresponds to a malicious process includes determining whether or not the process corresponds to the malicious process of executing any one of access to a file of a user terminal, lookup of a network address of a virtual machine, and access to a registry of the user terminal.
3. The method of claim 1, wherein determining, on the basis of pre-stored malicious process information, whether or not the process transmitting the virtual machine detection request corresponds to a malicious process further includes determining whether or not the process is included in a white list that is a list of pre-stored normal processes.
4. The method of claim 1, wherein determining, on the basis of pre-stored malicious process information, whether or not the process transmitting the virtual machine detection request corresponds to a malicious process further includes determining whether or not a binary hash value of the virtual machine detection request is identical to a hash value of a pre-stored malicious code.
5. The method of claim 4, wherein determining, on the basis of pre-stored malicious process information, whether or not the process transmitting the virtual machine detection request corresponds to a malicious process further includes storing the binary hash value of the virtual machine detection request if the binary hash value is not identical to the hash value of the pre-stored malicious code.
6. The method of claim 1, wherein the masqueraded virtual machine information includes at least one selected from masqueraded file information, masqueraded network address information, and masqueraded registry information, all of which are for masquerading as a state where a user terminal makes use of a virtual machine.
7. The method of claim 1, further comprising: when the process is found not to correspond to the malicious process as a result of the determination,
transmitting the virtual machine detection request to a window kernel of a user terminal; and
receiving a normal value of the virtual machine detection request from the window kernel of the user terminal, and returning the received value to the process.
8. A defense device against intelligent bots using masqueraded virtual machine information, the device comprising:
a virtual machine information database storing the masqueraded virtual machine information for masquerading as a state where a user terminal makes use of a virtual machine, and malicious process information for determining a malicious process; and
a global hooking module performing global hooking on a virtual machine detection request of a process, determining, on the basis of the malicious process information stored in the virtual machine information database, whether or not the process transmitting the virtual machine detection request corresponds to a malicious process, and when the process is found to correspond to the malicious process as a result of the determination, returning the masqueraded virtual machine information stored in the virtual machine information database to the process.
9. The device of claim 8, wherein the global hooking module includes:
a file control module that, when the process has access to a file of the user terminal, determines the process as a malicious process on the basis of the malicious process information, receives the masqueraded file information for masquerading as the virtual machine from the virtual machine information database, and returns the received information to the process;
a network control module that, when the process executes lookup of a virtual machine network address, determines the process as a malicious process on the basis of the malicious process information, receives the masqueraded network address information for masquerading as the virtual machine from the virtual machine information database, and returns the received information to the process; and
a registry control module that, when the process has access to a registry of the user terminal, determines the process as a malicious process on the basis of the malicious process information, receives the masqueraded registry information for masquerading as the virtual machine from the virtual machine information database, and returns the received information to the process.
10. The device of claim 8, wherein the global hooking module determines the process as a malicious process when the process is not included in a white list that is a list of normal processes stored in the virtual machine information database.
11. The device of claim 8, wherein the global hooking module determines the process as a malicious process when a binary hash value of the virtual machine detection request is identical to a hash value of a malicious code stored in the virtual machine information database.
12. The device of claim 8, wherein the masqueraded virtual machine information includes at least one selected from masqueraded file information, masqueraded network address information, and masqueraded registry information, all of which are for masquerading as a state where the user terminal makes use of the virtual machine.
13. The device of claim 8, wherein the malicious process information is information for accessing at least one selected from a file of the user terminal, a network address of the virtual machine, and a registry of the user terminal.
14. The device of claim 8, wherein, when the process is found not to correspond to the malicious process as a result of the determination, the global hooking module transmits the virtual machine detection request to a window kernel of a user terminal, receives a normal value of the virtual machine detection request from the window kernel of the user terminal, and returns the received value to the process.
US12/879,691 2010-04-28 2010-09-10 Defense method and device against intelligent bots using masqueraded virtual machine information Expired - Fee Related US8813226B2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020100039358A KR101122646B1 (en) 2010-04-28 2010-04-28 Method and device against intelligent bots by masquerading virtual machine information
KR10-2010-0039358 2010-04-28

Publications (2)

Publication Number Publication Date
US20110271342A1 true US20110271342A1 (en) 2011-11-03
US8813226B2 US8813226B2 (en) 2014-08-19

Family

ID=43797722

Family Applications (1)

Application Number Title Priority Date Filing Date
US12/879,691 Expired - Fee Related US8813226B2 (en) 2010-04-28 2010-09-10 Defense method and device against intelligent bots using masqueraded virtual machine information

Country Status (4)

Country Link
US (1) US8813226B2 (en)
EP (1) EP2383671A1 (en)
JP (1) JP5094928B2 (en)
KR (1) KR101122646B1 (en)

Cited By (72)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100083380A1 (en) * 2008-09-29 2010-04-01 Harris Mark D Network stream scanning facility
US20110225655A1 (en) * 2010-03-15 2011-09-15 F-Secure Oyj Malware protection
US20140137112A1 (en) * 2012-11-09 2014-05-15 International Business Machines Corporation Automatic virtual machine termination in a cloud
US20140359766A1 (en) * 2013-05-30 2014-12-04 Trusteer Ltd. Method and system for prevention of windowless screen capture
US20150212843A1 (en) * 2010-11-29 2015-07-30 Biocatch Ltd. Method, device, and system of differentiating between virtual machine and non-virtualized device
US9104870B1 (en) * 2012-09-28 2015-08-11 Palo Alto Networks, Inc. Detecting malware
US9143522B2 (en) 2011-05-24 2015-09-22 Palo Alto Networks, Inc. Heuristic botnet detection
US9215239B1 (en) 2012-09-28 2015-12-15 Palo Alto Networks, Inc. Malware detection based on traffic analysis
US9489516B1 (en) 2014-07-14 2016-11-08 Palo Alto Networks, Inc. Detection of malware using an instrumented virtual machine environment
US20160335110A1 (en) * 2015-03-31 2016-11-17 Fireeye, Inc. Selective virtualization for security threat detection
US9542554B1 (en) 2014-12-18 2017-01-10 Palo Alto Networks, Inc. Deduplicating malware
US9565202B1 (en) * 2013-03-13 2017-02-07 Fireeye, Inc. System and method for detecting exfiltration content
US20170083706A1 (en) * 2015-09-18 2017-03-23 Fujitsu Limited Device, method, and storage medium
US9613210B1 (en) 2013-07-30 2017-04-04 Palo Alto Networks, Inc. Evaluating malware in a virtual machine using dynamic patching
US20170302682A1 (en) * 2016-04-13 2017-10-19 Fujitsu Limited Device and method for analyzing malware
US20170310693A1 (en) * 2016-04-22 2017-10-26 Sophos Limited Local proxy detection
US9805193B1 (en) 2014-12-18 2017-10-31 Palo Alto Networks, Inc. Collecting algorithmically generated domains
US20180137274A1 (en) * 2016-11-17 2018-05-17 Hitachi Solutions, Ltd. Malware analysis method and storage medium
US10019575B1 (en) 2013-07-30 2018-07-10 Palo Alto Networks, Inc. Evaluating malware in a virtual machine using copy-on-write
US10032010B2 (en) 2010-11-29 2018-07-24 Biocatch Ltd. System, device, and method of visual login and stochastic cryptography
US10037421B2 (en) 2010-11-29 2018-07-31 Biocatch Ltd. Device, system, and method of three-dimensional spatial user authentication
US10055560B2 (en) 2010-11-29 2018-08-21 Biocatch Ltd. Device, method, and system of detecting multiple users accessing the same account
US10069852B2 (en) 2010-11-29 2018-09-04 Biocatch Ltd. Detection of computerized bots and automated cyber-attack modules
US10069837B2 (en) 2015-07-09 2018-09-04 Biocatch Ltd. Detection of proxy server
US10083439B2 (en) 2010-11-29 2018-09-25 Biocatch Ltd. Device, system, and method of differentiating over multiple accounts between legitimate user and cyber-attacker
US10164985B2 (en) 2010-11-29 2018-12-25 Biocatch Ltd. Device, system, and method of recovery and resetting of user authentication factor
US10198122B2 (en) 2016-09-30 2019-02-05 Biocatch Ltd. System, device, and method of estimating force applied to a touch surface
US10262324B2 (en) 2010-11-29 2019-04-16 Biocatch Ltd. System, device, and method of differentiating among users based on user-specific page navigation sequence
US10298614B2 (en) * 2010-11-29 2019-05-21 Biocatch Ltd. System, device, and method of generating and managing behavioral biometric cookies
US10395018B2 (en) 2010-11-29 2019-08-27 Biocatch Ltd. System, method, and device of detecting identity of a user and authenticating a user
US10397262B2 (en) 2017-07-20 2019-08-27 Biocatch Ltd. Device, system, and method of detecting overlay malware
US10404729B2 (en) 2010-11-29 2019-09-03 Biocatch Ltd. Device, method, and system of generating fraud-alerts for cyber-attacks
US10474815B2 (en) 2010-11-29 2019-11-12 Biocatch Ltd. System, device, and method of detecting malicious automatic script and code injection
US10476873B2 (en) 2010-11-29 2019-11-12 Biocatch Ltd. Device, system, and method of password-less user authentication and password-less detection of user identity
US10579784B2 (en) 2016-11-02 2020-03-03 Biocatch Ltd. System, device, and method of secure utilization of fingerprints for user authentication
CN110866250A (en) * 2018-12-12 2020-03-06 哈尔滨安天科技集团股份有限公司 Virus defense method and device and electronic equipment
US10586036B2 (en) 2010-11-29 2020-03-10 Biocatch Ltd. System, device, and method of recovery and resetting of user authentication factor
US10621585B2 (en) 2010-11-29 2020-04-14 Biocatch Ltd. Contextual mapping of web-pages, and generation of fraud-relatedness score-values
US10685355B2 (en) * 2016-12-04 2020-06-16 Biocatch Ltd. Method, device, and system of detecting mule accounts and accounts used for money laundering
US10715548B2 (en) 2016-10-17 2020-07-14 Akamai Technologies, Inc. Detecting device masquerading in application programming interface (API) transactions
US10721210B2 (en) 2016-04-22 2020-07-21 Sophos Limited Secure labeling of network flows
US10719765B2 (en) 2015-06-25 2020-07-21 Biocatch Ltd. Conditional behavioral biometrics
US10728761B2 (en) 2010-11-29 2020-07-28 Biocatch Ltd. Method, device, and system of detecting a lie of a user who inputs data
US10747305B2 (en) 2010-11-29 2020-08-18 Biocatch Ltd. Method, system, and device of authenticating identity of a user of an electronic device
US10776476B2 (en) 2010-11-29 2020-09-15 Biocatch Ltd. System, device, and method of visual login
US10834590B2 (en) 2010-11-29 2020-11-10 Biocatch Ltd. Method, device, and system of differentiating between a cyber-attacker and a legitimate user
US10867041B2 (en) 2013-07-30 2020-12-15 Palo Alto Networks, Inc. Static and dynamic security analysis of apps for mobile devices
US10897482B2 (en) 2010-11-29 2021-01-19 Biocatch Ltd. Method, device, and system of back-coloring, forward-coloring, and fraud detection
US10917431B2 (en) 2010-11-29 2021-02-09 Biocatch Ltd. System, method, and device of authenticating a user based on selfie image or selfie video
US10949757B2 (en) 2010-11-29 2021-03-16 Biocatch Ltd. System, device, and method of detecting user identity based on motor-control loop model
US10949514B2 (en) 2010-11-29 2021-03-16 Biocatch Ltd. Device, system, and method of differentiating among users based on detection of hardware components
US10956573B2 (en) 2018-06-29 2021-03-23 Palo Alto Networks, Inc. Dynamic analysis techniques for applications
US10970394B2 (en) 2017-11-21 2021-04-06 Biocatch Ltd. System, device, and method of detecting vishing attacks
US11010474B2 (en) 2018-06-29 2021-05-18 Palo Alto Networks, Inc. Dynamic analysis techniques for applications
US11055395B2 (en) 2016-07-08 2021-07-06 Biocatch Ltd. Step-up authentication
US11102238B2 (en) 2016-04-22 2021-08-24 Sophos Limited Detecting triggering events for distributed denial of service attacks
US20210329030A1 (en) * 2010-11-29 2021-10-21 Biocatch Ltd. Device, System, and Method of Detecting Vishing Attacks
US11165797B2 (en) 2016-04-22 2021-11-02 Sophos Limited Detecting endpoint compromise based on network usage history
US11196765B2 (en) 2019-09-13 2021-12-07 Palo Alto Networks, Inc. Simulating user interactions for malware analysis
US11210674B2 (en) 2010-11-29 2021-12-28 Biocatch Ltd. Method, device, and system of detecting mule accounts and accounts used for money laundering
US11223619B2 (en) 2010-11-29 2022-01-11 Biocatch Ltd. Device, system, and method of user authentication based on user-specific characteristics of task performance
US11269977B2 (en) 2010-11-29 2022-03-08 Biocatch Ltd. System, apparatus, and method of collecting and processing data in electronic devices
US11269991B2 (en) * 2020-06-22 2022-03-08 Bank Of America Corporation System for identifying suspicious code in an isolated computing environment based on code characteristics
US11277416B2 (en) 2016-04-22 2022-03-15 Sophos Limited Labeling network flows according to source applications
US11522905B2 (en) 2019-09-11 2022-12-06 International Business Machines Corporation Malicious virtual machine detection
US11574056B2 (en) * 2020-06-26 2023-02-07 Bank Of America Corporation System for identifying suspicious code embedded in a file in an isolated computing environment
US11606353B2 (en) 2021-07-22 2023-03-14 Biocatch Ltd. System, device, and method of generating and utilizing one-time passwords
US11636203B2 (en) 2020-06-22 2023-04-25 Bank Of America Corporation System for isolated access and analysis of suspicious code in a disposable computing environment
CN116796308A (en) * 2023-02-03 2023-09-22 安芯网盾(北京)科技有限公司 Method and device for detecting executable program of camouflage process based on Linux kernel
US11797669B2 (en) 2020-06-22 2023-10-24 Bank Of America Corporation System for isolated access and analysis of suspicious code in a computing environment
US11880461B2 (en) 2020-06-22 2024-01-23 Bank Of America Corporation Application interface based system for isolated access and analysis of suspicious code in a computing environment
US20240080339A1 (en) * 2010-11-29 2024-03-07 Biocatch Ltd. Device, System, and Method of Detecting Vishing Attacks

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9860208B1 (en) 2014-09-30 2018-01-02 Palo Alto Networks, Inc. Bridging a virtual clone of a target device in a honey network to a suspicious device in an enterprise network
US9495188B1 (en) 2014-09-30 2016-11-15 Palo Alto Networks, Inc. Synchronizing a honey network configuration to reflect a target network environment
US10044675B1 (en) 2014-09-30 2018-08-07 Palo Alto Networks, Inc. Integrating a honey network with a target network to counter IP and peer-checking evasion techniques
US9716727B1 (en) 2014-09-30 2017-07-25 Palo Alto Networks, Inc. Generating a honey network configuration to emulate a target network environment
US9882929B1 (en) 2014-09-30 2018-01-30 Palo Alto Networks, Inc. Dynamic selection and generation of a virtual clone for detonation of suspicious content within a honey network
US10356113B2 (en) 2016-07-11 2019-07-16 Korea Electric Power Corporation Apparatus and method for detecting abnormal behavior
CN107864156B (en) * 2017-12-18 2020-06-23 东软集团股份有限公司 SYN attack defense method and device and storage medium
US11265346B2 (en) 2019-12-19 2022-03-01 Palo Alto Networks, Inc. Large scale high-interactive honeypot farm
US11271907B2 (en) 2019-12-19 2022-03-08 Palo Alto Networks, Inc. Smart proxy for a large scale high-interaction honeypot farm
RU2738337C1 (en) * 2020-04-30 2020-12-11 Общество С Ограниченной Ответственностью "Группа Айби" Intelligent bots detection and protection system and method
CN113626829A (en) * 2021-08-10 2021-11-09 中国科学院软件研究所 Intelligent terminal operating system vulnerability repair method and system based on vulnerability intelligence
CN116244757A (en) * 2023-03-15 2023-06-09 武汉天楚云计算有限公司 Computer equipment monitoring alarm method

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060242709A1 (en) * 2005-04-21 2006-10-26 Microsoft Corporation Protecting a computer that provides a Web service from malware
US20080141376A1 (en) * 2006-10-24 2008-06-12 Pc Tools Technology Pty Ltd. Determining maliciousness of software
US20090083852A1 (en) * 2007-09-26 2009-03-26 Microsoft Corporation Whitelist and Blacklist Identification Data
US7941850B1 (en) * 2005-12-23 2011-05-10 Symantec Corporation Malware removal system and method
US20110138465A1 (en) * 2009-12-03 2011-06-09 International Business Machines Corporation Mitigating malicious file propagation with progressive identifiers
US20110225655A1 (en) * 2010-03-15 2011-09-15 F-Secure Oyj Malware protection

Family Cites Families (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040064737A1 (en) 2000-06-19 2004-04-01 Milliken Walter Clark Hash-based systems and methods for detecting and preventing transmission of polymorphic network worms and viruses
US7437766B2 (en) * 2002-10-03 2008-10-14 Sandia National Laboratories Method and apparatus providing deception and/or altered operation in an information system operating system
US10043008B2 (en) 2004-10-29 2018-08-07 Microsoft Technology Licensing, Llc Efficient white listing of user-modifiable files
KR100609710B1 (en) 2004-11-25 2006-08-08 한국전자통신연구원 Network simulation device and method for abnormal traffic analysis
KR100765340B1 (en) 2006-03-30 2007-10-09 지니네트웍스(주) Virtual Inline Network Security Method
KR100799302B1 (en) 2006-06-21 2008-01-29 한국전자통신연구원 Hidden process detection system and method using system event information
JP4571184B2 (en) * 2006-08-24 2010-10-27 デュアキシズ株式会社 Communication management system
JP2008176352A (en) * 2007-01-16 2008-07-31 Lac Co Ltd Computer program, computer device and operation control method
JP4938576B2 (en) * 2007-07-24 2012-05-23 日本電信電話株式会社 Information collection system and information collection method
JP4972046B2 (en) * 2008-07-14 2012-07-11 日本電信電話株式会社 Access monitoring system and access monitoring method
JP2010134536A (en) * 2008-12-02 2010-06-17 Ntt Docomo Inc Pattern file update system, pattern file update method, and pattern file update program
KR100927240B1 (en) 2008-12-29 2009-11-16 주식회사 이글루시큐리티 Malware detection method through virtual environment

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060242709A1 (en) * 2005-04-21 2006-10-26 Microsoft Corporation Protecting a computer that provides a Web service from malware
US7941850B1 (en) * 2005-12-23 2011-05-10 Symantec Corporation Malware removal system and method
US20080141376A1 (en) * 2006-10-24 2008-06-12 Pc Tools Technology Pty Ltd. Determining maliciousness of software
US20090083852A1 (en) * 2007-09-26 2009-03-26 Microsoft Corporation Whitelist and Blacklist Identification Data
US20110138465A1 (en) * 2009-12-03 2011-06-09 International Business Machines Corporation Mitigating malicious file propagation with progressive identifiers
US20110225655A1 (en) * 2010-03-15 2011-09-15 F-Secure Oyj Malware protection

Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
Detection of VM-Aware Malware bu Zhu et al; Publisher: University of California, Berkley; Date: 12/11/2007 *
Emulating Emulation-Resistant Malware by Kang et al; Publisher: ACM; Date: November 9, 2009 *
Measuring virtual machine detection in malware using DSD tracer by Lau et al; Publisher: Springer-Verlag France; Year: 2008 *
Measuring virtual machine detection in malware using DSD tracer by Lau et al; Publisher: Springer-Verlag; Date: 08/05/2008 *
On the Cutting Edge: Thwarting Virtual Machine Detection by Liston et al; Publisher: Intelguardians; Year: 2006 *
Towards an Understanding of Anti-virtualization and Anti-debugging Behavior in Modern Malware by Chen et al; Publisher: IEEE; Year: 2008 *

Cited By (117)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8607347B2 (en) * 2008-09-29 2013-12-10 Sophos Limited Network stream scanning facility
US20100083380A1 (en) * 2008-09-29 2010-04-01 Harris Mark D Network stream scanning facility
US9501644B2 (en) * 2010-03-15 2016-11-22 F-Secure Oyj Malware protection
US20110225655A1 (en) * 2010-03-15 2011-09-15 F-Secure Oyj Malware protection
US9858416B2 (en) * 2010-03-15 2018-01-02 F-Secure Oyj Malware protection
US20160378985A1 (en) * 2010-03-15 2016-12-29 F-Secure Oyj Malware Protection
US10032010B2 (en) 2010-11-29 2018-07-24 Biocatch Ltd. System, device, and method of visual login and stochastic cryptography
US11210674B2 (en) 2010-11-29 2021-12-28 Biocatch Ltd. Method, device, and system of detecting mule accounts and accounts used for money laundering
US10747305B2 (en) 2010-11-29 2020-08-18 Biocatch Ltd. Method, system, and device of authenticating identity of a user of an electronic device
US10776476B2 (en) 2010-11-29 2020-09-15 Biocatch Ltd. System, device, and method of visual login
US9483292B2 (en) * 2010-11-29 2016-11-01 Biocatch Ltd. Method, device, and system of differentiating between virtual machine and non-virtualized device
US12101354B2 (en) * 2010-11-29 2024-09-24 Biocatch Ltd. Device, system, and method of detecting vishing attacks
US20240080339A1 (en) * 2010-11-29 2024-03-07 Biocatch Ltd. Device, System, and Method of Detecting Vishing Attacks
US10069852B2 (en) 2010-11-29 2018-09-04 Biocatch Ltd. Detection of computerized bots and automated cyber-attack modules
US20150212843A1 (en) * 2010-11-29 2015-07-30 Biocatch Ltd. Method, device, and system of differentiating between virtual machine and non-virtualized device
US20240013225A1 (en) * 2010-11-29 2024-01-11 Biocatch Ltd. Method, Device, and System of Detecting Mule Accounts and Accounts used for Money Laundering
US10834590B2 (en) 2010-11-29 2020-11-10 Biocatch Ltd. Method, device, and system of differentiating between a cyber-attacker and a legitimate user
US10897482B2 (en) 2010-11-29 2021-01-19 Biocatch Ltd. Method, device, and system of back-coloring, forward-coloring, and fraud detection
US11838118B2 (en) * 2010-11-29 2023-12-05 Biocatch Ltd. Device, system, and method of detecting vishing attacks
US11741476B2 (en) * 2010-11-29 2023-08-29 Biocatch Ltd. Method, device, and system of detecting mule accounts and accounts used for money laundering
US10621585B2 (en) 2010-11-29 2020-04-14 Biocatch Ltd. Contextual mapping of web-pages, and generation of fraud-relatedness score-values
US20230153820A1 (en) * 2010-11-29 2023-05-18 Biocatch Ltd. Method, Device, and System of Detecting Mule Accounts and Accounts used for Money Laundering
US11580553B2 (en) * 2010-11-29 2023-02-14 Biocatch Ltd. Method, device, and system of detecting mule accounts and accounts used for money laundering
US11425563B2 (en) 2010-11-29 2022-08-23 Biocatch Ltd. Method, device, and system of differentiating between a cyber-attacker and a legitimate user
US11330012B2 (en) * 2010-11-29 2022-05-10 Biocatch Ltd. System, method, and device of authenticating a user based on selfie image or selfie video
US10586036B2 (en) 2010-11-29 2020-03-10 Biocatch Ltd. System, device, and method of recovery and resetting of user authentication factor
US10917431B2 (en) 2010-11-29 2021-02-09 Biocatch Ltd. System, method, and device of authenticating a user based on selfie image or selfie video
US10055560B2 (en) 2010-11-29 2018-08-21 Biocatch Ltd. Device, method, and system of detecting multiple users accessing the same account
US11314849B2 (en) 2010-11-29 2022-04-26 Biocatch Ltd. Method, device, and system of detecting a lie of a user who inputs data
US10949514B2 (en) 2010-11-29 2021-03-16 Biocatch Ltd. Device, system, and method of differentiating among users based on detection of hardware components
US10728761B2 (en) 2010-11-29 2020-07-28 Biocatch Ltd. Method, device, and system of detecting a lie of a user who inputs data
US10037421B2 (en) 2010-11-29 2018-07-31 Biocatch Ltd. Device, system, and method of three-dimensional spatial user authentication
US20210329030A1 (en) * 2010-11-29 2021-10-21 Biocatch Ltd. Device, System, and Method of Detecting Vishing Attacks
US10949757B2 (en) 2010-11-29 2021-03-16 Biocatch Ltd. System, device, and method of detecting user identity based on motor-control loop model
US10476873B2 (en) 2010-11-29 2019-11-12 Biocatch Ltd. Device, system, and method of password-less user authentication and password-less detection of user identity
US20220108319A1 (en) * 2010-11-29 2022-04-07 Biocatch Ltd. Method, Device, and System of Detecting Mule Accounts and Accounts used for Money Laundering
US10083439B2 (en) 2010-11-29 2018-09-25 Biocatch Ltd. Device, system, and method of differentiating over multiple accounts between legitimate user and cyber-attacker
US10474815B2 (en) 2010-11-29 2019-11-12 Biocatch Ltd. System, device, and method of detecting malicious automatic script and code injection
US10164985B2 (en) 2010-11-29 2018-12-25 Biocatch Ltd. Device, system, and method of recovery and resetting of user authentication factor
US11269977B2 (en) 2010-11-29 2022-03-08 Biocatch Ltd. System, apparatus, and method of collecting and processing data in electronic devices
US10262324B2 (en) 2010-11-29 2019-04-16 Biocatch Ltd. System, device, and method of differentiating among users based on user-specific page navigation sequence
US10298614B2 (en) * 2010-11-29 2019-05-21 Biocatch Ltd. System, device, and method of generating and managing behavioral biometric cookies
US11250435B2 (en) 2010-11-29 2022-02-15 Biocatch Ltd. Contextual mapping of web-pages, and generation of fraud-relatedness score-values
US10395018B2 (en) 2010-11-29 2019-08-27 Biocatch Ltd. System, method, and device of detecting identity of a user and authenticating a user
US11223619B2 (en) 2010-11-29 2022-01-11 Biocatch Ltd. Device, system, and method of user authentication based on user-specific characteristics of task performance
US10404729B2 (en) 2010-11-29 2019-09-03 Biocatch Ltd. Device, method, and system of generating fraud-alerts for cyber-attacks
US10049209B2 (en) 2010-11-29 2018-08-14 Biocatch Ltd. Device, method, and system of differentiating between virtual machine and non-virtualized device
US9143522B2 (en) 2011-05-24 2015-09-22 Palo Alto Networks, Inc. Heuristic botnet detection
US9762608B1 (en) * 2012-09-28 2017-09-12 Palo Alto Networks, Inc. Detecting malware
US9215239B1 (en) 2012-09-28 2015-12-15 Palo Alto Networks, Inc. Malware detection based on traffic analysis
US9104870B1 (en) * 2012-09-28 2015-08-11 Palo Alto Networks, Inc. Detecting malware
US9910695B2 (en) * 2012-11-09 2018-03-06 International Business Machines Corporation Automatic virtual machine termination in a cloud
US20140137112A1 (en) * 2012-11-09 2014-05-15 International Business Machines Corporation Automatic virtual machine termination in a cloud
US9558022B2 (en) * 2012-11-09 2017-01-31 International Business Machines Corporation Automatic virtual machine termination in a cloud
US10152347B2 (en) * 2012-11-09 2018-12-11 International Business Machines Corporation Automatic virtual machine termination in a cloud
US10740136B2 (en) * 2012-11-09 2020-08-11 International Business Machines Corporation Automatic virtual machine termination in a cloud
US10467414B1 (en) * 2013-03-13 2019-11-05 Fireeye, Inc. System and method for detecting exfiltration content
US9565202B1 (en) * 2013-03-13 2017-02-07 Fireeye, Inc. System and method for detecting exfiltration content
US9934381B1 (en) 2013-03-13 2018-04-03 Fireeye, Inc. System and method for detecting malicious activity based on at least one environmental property
US20140359766A1 (en) * 2013-05-30 2014-12-04 Trusteer Ltd. Method and system for prevention of windowless screen capture
US9323925B2 (en) * 2013-05-30 2016-04-26 Trusteer, Ltd. Method and system for prevention of windowless screen capture
US10019575B1 (en) 2013-07-30 2018-07-10 Palo Alto Networks, Inc. Evaluating malware in a virtual machine using copy-on-write
US10867041B2 (en) 2013-07-30 2020-12-15 Palo Alto Networks, Inc. Static and dynamic security analysis of apps for mobile devices
US9613210B1 (en) 2013-07-30 2017-04-04 Palo Alto Networks, Inc. Evaluating malware in a virtual machine using dynamic patching
US9804869B1 (en) 2013-07-30 2017-10-31 Palo Alto Networks, Inc. Evaluating malware in a virtual machine using dynamic patching
US10678918B1 (en) 2013-07-30 2020-06-09 Palo Alto Networks, Inc. Evaluating malware in a virtual machine using copy-on-write
US10515210B2 (en) 2014-07-14 2019-12-24 Palo Alto Networks, Inc. Detection of malware using an instrumented virtual machine environment
US9489516B1 (en) 2014-07-14 2016-11-08 Palo Alto Networks, Inc. Detection of malware using an instrumented virtual machine environment
US9542554B1 (en) 2014-12-18 2017-01-10 Palo Alto Networks, Inc. Deduplicating malware
US11036859B2 (en) 2014-12-18 2021-06-15 Palo Alto Networks, Inc. Collecting algorithmically generated domains
US9805193B1 (en) 2014-12-18 2017-10-31 Palo Alto Networks, Inc. Collecting algorithmically generated domains
US10846404B1 (en) 2014-12-18 2020-11-24 Palo Alto Networks, Inc. Collecting algorithmically generated domains
US10417031B2 (en) * 2015-03-31 2019-09-17 Fireeye, Inc. Selective virtualization for security threat detection
US11868795B1 (en) * 2015-03-31 2024-01-09 Musarubra Us Llc Selective virtualization for security threat detection
US20160335110A1 (en) * 2015-03-31 2016-11-17 Fireeye, Inc. Selective virtualization for security threat detection
US11294705B1 (en) * 2015-03-31 2022-04-05 Fireeye Security Holdings Us Llc Selective virtualization for security threat detection
US10719765B2 (en) 2015-06-25 2020-07-21 Biocatch Ltd. Conditional behavioral biometrics
US11238349B2 (en) 2015-06-25 2022-02-01 Biocatch Ltd. Conditional behavioural biometrics
US10523680B2 (en) * 2015-07-09 2019-12-31 Biocatch Ltd. System, device, and method for detecting a proxy server
US10069837B2 (en) 2015-07-09 2018-09-04 Biocatch Ltd. Detection of proxy server
US11323451B2 (en) * 2015-07-09 2022-05-03 Biocatch Ltd. System, device, and method for detection of proxy server
US10834090B2 (en) * 2015-07-09 2020-11-10 Biocatch Ltd. System, device, and method for detection of proxy server
US20170083706A1 (en) * 2015-09-18 2017-03-23 Fujitsu Limited Device, method, and storage medium
US10339314B2 (en) * 2015-09-18 2019-07-02 Fujitsu Limited Device, method and storage medium for terminating operation of software that is not successfully verified
US20170302682A1 (en) * 2016-04-13 2017-10-19 Fujitsu Limited Device and method for analyzing malware
US11102238B2 (en) 2016-04-22 2021-08-24 Sophos Limited Detecting triggering events for distributed denial of service attacks
US10986109B2 (en) * 2016-04-22 2021-04-20 Sophos Limited Local proxy detection
US11165797B2 (en) 2016-04-22 2021-11-02 Sophos Limited Detecting endpoint compromise based on network usage history
US20170310693A1 (en) * 2016-04-22 2017-10-26 Sophos Limited Local proxy detection
US11843631B2 (en) 2016-04-22 2023-12-12 Sophos Limited Detecting triggering events for distributed denial of service attacks
US11277416B2 (en) 2016-04-22 2022-03-15 Sophos Limited Labeling network flows according to source applications
US10721210B2 (en) 2016-04-22 2020-07-21 Sophos Limited Secure labeling of network flows
US10938781B2 (en) 2016-04-22 2021-03-02 Sophos Limited Secure labeling of network flows
US11055395B2 (en) 2016-07-08 2021-07-06 Biocatch Ltd. Step-up authentication
US10198122B2 (en) 2016-09-30 2019-02-05 Biocatch Ltd. System, device, and method of estimating force applied to a touch surface
US10715548B2 (en) 2016-10-17 2020-07-14 Akamai Technologies, Inc. Detecting device masquerading in application programming interface (API) transactions
US10579784B2 (en) 2016-11-02 2020-03-03 Biocatch Ltd. System, device, and method of secure utilization of fingerprints for user authentication
US20180137274A1 (en) * 2016-11-17 2018-05-17 Hitachi Solutions, Ltd. Malware analysis method and storage medium
US10685355B2 (en) * 2016-12-04 2020-06-16 Biocatch Ltd. Method, device, and system of detecting mule accounts and accounts used for money laundering
US10397262B2 (en) 2017-07-20 2019-08-27 Biocatch Ltd. Device, system, and method of detecting overlay malware
US10970394B2 (en) 2017-11-21 2021-04-06 Biocatch Ltd. System, device, and method of detecting vishing attacks
US11620383B2 (en) 2018-06-29 2023-04-04 Palo Alto Networks, Inc. Dynamic analysis techniques for applications
US11960605B2 (en) 2018-06-29 2024-04-16 Palo Alto Networks, Inc. Dynamic analysis techniques for applications
US11604878B2 (en) 2018-06-29 2023-03-14 Palo Alto Networks, Inc. Dynamic analysis techniques for applications
US10956573B2 (en) 2018-06-29 2021-03-23 Palo Alto Networks, Inc. Dynamic analysis techniques for applications
US11010474B2 (en) 2018-06-29 2021-05-18 Palo Alto Networks, Inc. Dynamic analysis techniques for applications
CN110866250A (en) * 2018-12-12 2020-03-06 哈尔滨安天科技集团股份有限公司 Virus defense method and device and electronic equipment
US11522905B2 (en) 2019-09-11 2022-12-06 International Business Machines Corporation Malicious virtual machine detection
US11706251B2 (en) 2019-09-13 2023-07-18 Palo Alto Networks, Inc. Simulating user interactions for malware analysis
US11196765B2 (en) 2019-09-13 2021-12-07 Palo Alto Networks, Inc. Simulating user interactions for malware analysis
US11797669B2 (en) 2020-06-22 2023-10-24 Bank Of America Corporation System for isolated access and analysis of suspicious code in a computing environment
US11269991B2 (en) * 2020-06-22 2022-03-08 Bank Of America Corporation System for identifying suspicious code in an isolated computing environment based on code characteristics
US11880461B2 (en) 2020-06-22 2024-01-23 Bank Of America Corporation Application interface based system for isolated access and analysis of suspicious code in a computing environment
US11636203B2 (en) 2020-06-22 2023-04-25 Bank Of America Corporation System for isolated access and analysis of suspicious code in a disposable computing environment
US11574056B2 (en) * 2020-06-26 2023-02-07 Bank Of America Corporation System for identifying suspicious code embedded in a file in an isolated computing environment
US11606353B2 (en) 2021-07-22 2023-03-14 Biocatch Ltd. System, device, and method of generating and utilizing one-time passwords
CN116796308A (en) * 2023-02-03 2023-09-22 安芯网盾(北京)科技有限公司 Method and device for detecting executable program of camouflage process based on Linux kernel

Also Published As

Publication number Publication date
JP2011233125A (en) 2011-11-17
JP5094928B2 (en) 2012-12-12
KR101122646B1 (en) 2012-03-09
US8813226B2 (en) 2014-08-19
EP2383671A1 (en) 2011-11-02
KR20110119929A (en) 2011-11-03

Similar Documents

Publication Publication Date Title
US8813226B2 (en) Defense method and device against intelligent bots using masqueraded virtual machine information
US11750626B2 (en) Systems and techniques for guiding a response to a cybersecurity incident
JP5265061B1 (en) Malicious file inspection apparatus and method
RU2698776C2 (en) Method of maintaining database and corresponding server
EP3200115B1 (en) Specification device, specification method, and specification program
KR102210627B1 (en) Method, apparatus and system for detecting malicious process behavior
US8782791B2 (en) Computer virus detection systems and methods
CN105718825B (en) Malicious USB device detection method and device
US9239922B1 (en) Document exploit detection using baseline comparison
US20150256552A1 (en) Imalicious code detection apparatus and method
US20110277033A1 (en) Identifying Malicious Threads
RU2018118828A (en) SYSTEMS AND METHODS FOR DETECTING MALICIOUS APPLICATIONS WITH DOMAIN GENERATION ALGORITHM (DGA)
US20120131675A1 (en) Server, user device and malware detection method thereof
US10706180B2 (en) System and method for enabling a malware prevention module in response to a context switch within a certain process being executed by a processor
US10824722B1 (en) Methods and systems for genetic malware analysis and classification using code reuse patterns
KR20100005518A (en) Method for detecting the file with fraud name and apparatus thereof
US9202053B1 (en) MBR infection detection using emulation
Choi et al. All‐in‐One Framework for Detection, Unpacking, and Verification for Malware Analysis
KR102292844B1 (en) Apparatus and method for detecting malicious code
KR101042858B1 (en) Windows kernel tamper detection method
US9536090B2 (en) Method of defending a computer from malware
KR101421630B1 (en) system and method for detecting code-injected malicious code
CN106709552B (en) Smart card safety protection method and device
Teufl et al. Android-On-device detection of SMS catchers and sniffers
WO2021035429A1 (en) Method and system for security management on a mobile storage device

Legal Events

Date Code Title Description
AS Assignment

Owner name: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTIT

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:CHUNG, YOON JUNG;KIM, YO SIK;KIM, WON HO;AND OTHERS;REEL/FRAME:024994/0657

Effective date: 20100809

FEPP Fee payment procedure

Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2551)

Year of fee payment: 4

FEPP Fee payment procedure

Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

LAPS Lapse for failure to pay maintenance fees

Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

STCH Information on status: patent discontinuation

Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362

FP Lapsed due to failure to pay maintenance fee

Effective date: 20220819

OSZAR »