WO2004077295A1 - Unauthorized process determination method, data processing device, computer program, and recording medium - Google Patents
- Publication number: WO2004077295A1 (PCT/JP2004/002319)
- Authority: WO (WIPO, PCT)
- Prior art keywords: data, instruction, byte, code, instruction code
Classifications
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/52—Monitoring during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms > G06F21/55—Detecting local intrusion or implementing counter-measures > G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements > G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Definitions
- The present invention relates to an unauthorized process determination method for detecting data that performs an unauthorized process, a data processing device, a computer program for realizing the data processing device, and a computer-readable recording medium on which the computer program is recorded.
- Attack data containing instruction codes for performing illegal processing (hereinafter referred to as "illegal code") is used for attacking server devices and personal computers: the instruction code is transmitted to an information processing device such as a computer, and the instruction code is executed by the information processing device.
- There are various types of such attack methods, and one of them is known as an attack method using a buffer overflow.
- A buffer overflow is a state in which data equal to or larger than the buffer secured on the stack is written to the stack. If this occurs, variables may be unexpectedly destroyed, causing the program to malfunction.
- A buffer overflow attack intentionally causes a program to malfunction in this way, for example to acquire system administrator privileges.
- The present invention has been made in view of such circumstances. Its object is to read a plurality of data sequences, each consisting of a continuous byte string whose leading byte is at a different read position, to detect the appearance pattern of the instruction codes appearing in each data sequence, and to determine from the detection result whether or not the processing by each data sequence is illegal processing. Because it is not necessary to prepare in advance a bit pattern or the like for detecting instruction code groups that perform illegal processing, the invention can provide an illegal processing determination method capable of detecting unknown illegal code groups, a data processing device, a computer program for realizing the data processing device, and a computer-readable recording medium on which the computer program is recorded.
- The unauthorized process determination method according to the first invention is a method in which a data processing device, having receiving means for receiving data including a plurality of instruction codes having different byte lengths and storage means for storing the received data, determines whether or not the processing executed based on the instruction codes contained in the data is unauthorized processing. The method is characterized in that the data written in the storage means is read sequentially in byte units, that for a plurality of data sequences, each consisting of a continuous byte row whose head byte is at a different read position, the appearance pattern of the instruction codes appearing in each data sequence is detected, and that it is determined based on the detected appearance pattern whether or not the processing by each data sequence is unauthorized processing.
- The data processing device according to the second invention includes: receiving means for receiving data including a plurality of instruction codes having different byte lengths; storage means for storing the received data; determining means for determining whether or not the processing to be executed based on the instruction codes included in the data is illegal processing; means for sequentially reading the data stored in the storage means in byte units; and detecting means for detecting, for a plurality of data sequences each consisting of a continuous byte sequence whose first byte is at a different read position, the appearance pattern of the instruction codes appearing in each data sequence. The device is characterized in that the determining means determines, based on the appearance pattern detected by the detecting means, whether or not the processing by each data sequence is illegal processing.
- The data processing device according to the third invention is the data processing device according to the second invention, characterized by further comprising a table storing the correspondence between the data of the first byte of an instruction code and the byte length of that instruction code.
- The data processing device according to the fourth invention is the data processing device according to the second invention, characterized in that the data sequence containing an appearance pattern to be detected by the detecting means includes a process of acquiring the address of the storage means at which the instruction code group being executed is placed.
- The data processing device according to the fifth invention is the data processing device according to the second or fourth invention, characterized in that one of the appearance patterns to be detected by the detecting means includes an instruction code that calls a group of instruction codes for executing a predetermined process, and that the instruction code group includes an instruction code for acquiring the return address of the calling instruction code.
- The data processing device according to the sixth invention is the data processing device according to the fifth invention, characterized in that the appearance pattern further includes an instruction code related to a branch instruction, and the branch destination address of that instruction code is associated with the instruction code that calls the instruction code group.
- The data processing device according to the seventh invention is the data processing device according to the fifth invention, characterized in that the appearance pattern further includes an instruction code for activating a system call.
- The data processing device according to the eighth invention is the data processing device according to the fifth invention, characterized in that the appearance pattern further includes an instruction code instructing the rewriting of data starting from the acquired address.
- The data processing device according to the ninth invention is the data processing device according to the fifth invention, characterized in that the appearance pattern further includes a predetermined character code after the instruction code.
- The data processing device according to the tenth invention is the data processing device according to the second invention, characterized in that, when the detecting means detects one of the appearance patterns to be detected, the determining means determines that the detected data sequence is data for executing illegal processing.
- The data processing device according to the eleventh invention is the data processing device according to the second invention, characterized by further comprising means for notifying the outside when the determining means determines that the detected data sequence is data for executing unauthorized processing.
- The computer program according to the twelfth invention is a computer program that causes a computer to determine whether or not a process executed based on input data including a plurality of instruction codes having different byte lengths is an illegal process. It is characterized by having a step of reading from the input data a plurality of data sequences, each composed of a continuous byte sequence whose first byte is at a different read position, a step of detecting the appearance pattern of the instruction codes appearing in each data sequence, and a step of determining, based on the detected appearance pattern, whether or not the processing by each data sequence is an illegal process.
- The computer-readable recording medium according to the thirteenth invention stores a computer program that causes a computer to determine whether or not a process executed based on input data including a plurality of instruction codes having different byte lengths is an unauthorized process. It is characterized in that the recorded computer program has a step of reading from the input data a plurality of data sequences, each composed of a continuous byte sequence whose first byte is at a different read position, a step of detecting the appearance pattern of the instruction codes appearing in each data sequence, and a step of determining, based on the detected appearance pattern, whether or not the processing by each data sequence is an unauthorized process.
- In the first, second, twelfth and thirteenth inventions, data is read sequentially from the storage means in byte units, and an attempt is made to detect the appearance pattern of instruction codes for executing illegal processing over a plurality of data sequences with different read positions. By performing detection with attention to appearance patterns of instruction codes that are not found in ordinary data, even unknown malicious code can be dealt with as long as the content of its processing does not change.
- Since detection is based on the appearance pattern of instruction codes, the detected appearance pattern may differ depending on where the detection start position is set. Because detection is performed for a plurality of data sequences whose start positions are shifted sequentially, erroneous determinations are reduced and detection accuracy is improved.
- In the third invention, a table relating the first byte of an instruction code to its byte length is provided, so illegal code detection is not performed on an instruction sequence whose read position lies on a byte other than the first byte of an instruction code. Thus the processing speed can be improved.
- In the fifth invention, an instruction code for calling a group of instruction codes that executes a predetermined process is detected together with an instruction code within that group for acquiring the return address of the calling instruction. In the sixth invention, the branch destination of a branch instruction associated with the instruction code group is also detected as part of the appearance pattern. Therefore it is easy to determine whether or not the data can execute unauthorized processing, and since the detection is based on the essential structure of such code, unknown unauthorized code can be dealt with as well.
- In the seventh invention, an appearance pattern including an instruction code for activating a system call is further detected. Therefore a case in which the probability of execution of the malicious code is high can be detected, so that the detection accuracy is improved.
- In the eighth invention, an appearance pattern including an instruction code indicating the rewriting of data is detected. Therefore illegal code whose processing content cannot be known before execution can be dealt with.
- In the tenth invention, when one of the appearance patterns to be detected is detected, the data is determined to be data for executing an illegal process, so that data that would cause illegal processing can be identified.
- In the eleventh invention, when it is determined that the detected data sequence is data for which an unauthorized process is performed, the fact is notified externally. Therefore, when unauthorized code is detected, traffic or the like can be blocked, thereby preventing malfunctions caused by the unauthorized code.
- FIG. 1 is a block diagram of a data processing device according to the present embodiment.
- FIG. 2 is a schematic diagram illustrating a process executed by the data processing device.
- FIG. 3 is a schematic diagram illustrating the configuration of data to be analyzed.
- FIG. 4 is a flowchart illustrating a procedure for detecting unauthorized code by the data processing device.
- FIG. 5 is a flowchart illustrating a procedure for detecting an unauthorized code by the data processing device.
- FIG. 6 is a flowchart for explaining the procedure of the analysis / determination processing routine.
- FIG. 7 is a schematic diagram illustrating an appearance pattern of an instruction code detected by the analysis processing of the data processing device.
- FIG. 8 is a schematic diagram illustrating an appearance pattern of an instruction code detected by the analysis processing of the data processing device.
- Fig. 9 is a flowchart explaining the processing procedure of the analysis processing routine.
- FIG. 10 is a flowchart for explaining the processing procedure of the analysis processing routine.
- FIG. 11 is a flowchart illustrating the processing procedure of the analysis processing routine.
- FIG. 12 is a flowchart illustrating the processing procedure of the analysis processing routine.
- FIG. 13 is a flowchart for explaining the processing procedure of the analysis processing routine.
- FIG. 14 is a flowchart for explaining the processing procedure of the judgment processing routine.
- FIG. 15 is a flowchart illustrating a processing procedure of an analysis processing routine according to the present embodiment.
- FIG. 16 is a flowchart for explaining the processing procedure of the analysis routine according to the present embodiment.
- FIG. 17 is a flowchart for explaining the processing procedure of the analysis processing routine according to the present embodiment.
- FIG. 18 is a flowchart for explaining the processing procedure of the analysis processing routine according to the present embodiment.
- FIG. 19 is a flowchart for explaining the processing procedure of the analysis processing routine according to the present embodiment.
- FIG. 20 is a flowchart illustrating a processing procedure of the determination processing routine according to the present embodiment.
- FIG. 21 is a schematic diagram illustrating a configuration of a data processing device according to the present embodiment.
BEST MODE FOR CARRYING OUT THE INVENTION
- FIG. 1 is a block diagram of a data processing device according to the present embodiment.
- Reference numeral 10 denotes a data processing device, which has a CPU 11, a communication interface 15a for connecting to an external network, and a communication interface 15b for connecting to an internal network.
- The data processing device 10 is a device, such as a router, a broadband router or a switch, that relays data transmitted and received on a communication network.
- The communication interface 15a is connected via the external network to the information processing devices and communication devices that are communication partners, and the communication interface 15b is connected via the internal network to the information processing devices and communication devices used by users.
- The information processing device includes a personal computer, a workstation, a server device, a PDA (Personal Digital Assistant) and the like, and the communication device includes a mobile phone and the like.
- The CPU 11 is connected to hardware such as a memory 12, a buffer memory 13 and a routing unit 14.
- The CPU 11 reads and executes a control program stored in advance in the memory 12, thereby controlling each of the above-described hardware units and operating as a device that relays various data transmitted and received between the external network and the internal network.
- The memory 12 stores the control program for controlling each hardware unit, a routing table storing the network addresses of transmission destinations for determining communication paths, and the computer program of the present invention.
- When data is transmitted from the internal network to the external network and the communication interface 15b of the data processing device 10 receives the data, the CPU 11 determines the communication path with reference to the routing table stored in the memory 12, controls the routing unit 14 according to the determined communication path, and transmits the data to the destination information processing device or communication device via the communication interface 15a. Data transmitted from the external network to the internal network is relayed by the data processing device 10 by the same procedure. At this time, the data processing device 10 temporarily stores the data received from the external network side in the buffer memory 13.
- The data processing device 10 analyzes whether the data contains an instruction code that causes an illegal process to be executed on a specific CPU (hereinafter, the CPU to be protected); such an instruction code is hereinafter called illegal code.
- The CPU 11 reads the computer program of the present invention from the memory 12 and executes it, thereby creating a virtual CPU execution environment unit 11a that provides an environment for analyzing the data and making the determination.
- The virtual CPU execution environment unit 11a includes virtual registers and a virtual stack corresponding to the registers and the stack used by the CPU to be protected, and analyzes the data to be analyzed in terms of the instruction codes of the CPU to be protected.
- The CPU 11 determines the presence or absence of illegal code by monitoring the state of the virtual registers and the virtual stack provided in the virtual CPU execution environment unit 11a.
- In the present embodiment the CPU 11, the memory 12 and the buffer memory 13 are provided individually, but it is also possible to provide an ASIC (Application Specific IC) in which these are mounted on one chip together with an IC (Integrated Circuit) storing the computer program of the present invention.
- FIG. 2 is a schematic diagram illustrating a process executed by the data processing device 10.
- The processing executed by the data processing device 10 is roughly divided into (1) reception of data from the external network, (2) extraction of the data to be analyzed, (3) generation of a plurality of instruction sequences from the data to be analyzed, and (4) detection of illegal code in each instruction sequence.
- each process will be described.
- The communication interface 15a of the data processing device 10 receives data in a predetermined unit (for example, a packet) according to a communication procedure conforming to the communication standard of the connected external network.
- Each unit of data to be received has a predetermined byte length, and is composed of a communication header including address information of a transmission source and a transmission destination, and user data arbitrarily created by a user.
- the user data includes an instruction code for executing a process desired by the user, and there is a case where an illegal process is executed by the instruction code.
- the data processing device 10 sequentially extracts the received data in byte units and stores the data in the buffer memory 13 for analysis.
- the position at which data extraction is started can be any predetermined position.
- the first byte of the received data may be the analysis start position, or the first byte of the user data excluding the communication header may be the analysis start position.
- The buffer size of the buffer memory 13 for storing the extracted data is set in advance so that it can hold at least one instruction code of the largest instruction length among the instruction codes that can be decoded by the CPU to be protected.
- the instruction sequence is a sequence of instruction codes of the CPU to be protected starting from the position specified for the data to be analyzed.
- When analyzing the data to be analyzed, the CPU 11 sequentially reads data one byte at a time starting from the first byte of the buffer memory 13.
- Next, the analysis start buffer position, which corresponds to the read position in the buffer memory 13, is shifted by one byte, another byte is read, and the instruction sequence whose first byte is at that read position is analyzed. This processing is repeated while sequentially shifting the analysis start buffer position, thereby analyzing a plurality of instruction sequences with different read positions.
- After the analysis, the data at the next read position of the received data is stored at the analysis start position of the buffer memory 13 that has just been processed.
- The CPU 11 of the data processing device 10 detects an instruction sequence having a specific structure (appearance pattern) based on the state of the virtual registers and the virtual stack in the virtual CPU execution environment unit 11a. Two such structures are detected.
- One is a structure in which a branch instruction (hereinafter referred to as a jmp instruction) branches to an instruction code that calls an instruction code group (hereinafter referred to as a call instruction), and the call destination of the call instruction corresponds to an address between the jmp instruction and the call instruction.
- This structure is called the "jmp→call" structure, and it is often found in attackers' malicious code in combination with the "call→pop" structure described later.
- Illegal code having this structure acquires, from the instruction code group between the jmp instruction and the call instruction, the address immediately after the call instruction (the return address); using that address as a clue, it acquires an external command embedded in the malicious code itself and executes the external command or rewrites the malicious code itself.
- The other is a structure in which a pop instruction without a preceding push instruction exists at the call destination of the call instruction.
- The push instruction temporarily stores an address value or the like in the stack area, and the pop instruction obtains the address value or the like stored in the stack area.
- This structure is referred to as the "call→pop" structure.
- Illegal code having this structure basically executes an external command or rewrites itself by the same method as the "jmp→call" structure above: when the call instruction is executed, the return address stored in the stack area is acquired by the pop instruction, and with that address as a clue the embedded external command is executed or the malicious code itself is rewritten.
- FIG. 3 is a schematic diagram illustrating the configuration of the analysis target data.
- The instruction length of the instruction codes used by the CPU to be protected is not always constant, and instruction codes of various instruction lengths may be used.
- The received data may also include, for example, simple data that is not instruction code, such as image data and document data. Therefore, if the read position of the data to be analyzed is not set properly, the instruction codes may not be interpreted correctly, and the judgment about the presence or absence of illegal code may be erroneous.
- The data to be analyzed stored in the buffer memory 13 is therefore analyzed as follows. The data is read one byte at a time, and each byte is analyzed on the assumption that it is the first byte of some instruction code.
- Since the position of the next instruction code can be determined from the 1-byte data that was read, the instruction codes can be grasped one after another, and the data to be analyzed can be interpreted as a single sequence (instruction sequence) in which a plurality of instruction codes are consecutive.
- The data to be analyzed shown in FIG. 3 consists of four leading bytes of simple data followed by consecutive instruction codes: a 2-byte instruction code (instruction 1), a 4-byte instruction code (instruction 2), a 4-byte instruction code (instruction 3), a 1-byte instruction code (instruction 4), and so on.
- First, the analysis start buffer position is set to b1, one byte of data is read, and information such as the instruction contents, the position of the next instruction code and the parameters used by the instruction code is obtained; analysis of instruction sequence 1, whose first byte is b1, thus starts.
- In the same way, analysis of instruction sequence 2, instruction sequence 3 and instruction sequence 4, whose first bytes are at the respective read positions, is performed simultaneously and in parallel.
- In the example of FIG. 3, instruction sequence 5, whose first byte is at position b5, is the correct instruction code sequence, and when instruction sequence 5 is analyzed, detection of the "jmp→call" structure or the "call→pop" structure means that illegal code has been detected.
- The instruction sequence 7 starting from b7, the instruction sequence 11 starting from b11 and the instruction sequence 15 starting from b15 are included as parts of instruction sequence 5, so their analysis can be omitted.
- FIG. 4 and FIG. 5 are flowcharts illustrating a procedure for detecting an unauthorized code by the data processing apparatus 10.
- In step S5 it is determined whether or not the data at the analysis start buffer position is the end of the received data. If it is the end (S5: YES), the detection of illegal code by this flowchart is terminated; if it is not the end (S5: NO), one byte of data is read at the analysis start buffer position (step S6). Next, the start position of the next instruction, the instruction type and the parameters are obtained based on the read 1-byte data and stored in the memory 12 (step S7).
- The CPU 11 then determines whether there is an instruction sequence under analysis whose stored next start position matches the current position (step S8). If there is such an instruction sequence (S8: YES), the analysis and determination processing described below is performed on all instruction sequences (step S10). If there is no such instruction sequence (S8: NO), the instruction sequence starting from the current position is added as a new instruction sequence for the analysis and determination processing (step S9), and the analysis and determination processing is executed (S10).
- Next, the write buffer position is set to the analysis start buffer position (step S11) and the read data position is incremented by one (step S12). One byte of data is then read from the read data position into the write buffer position of the buffer memory 13 (step S13). Next, the remainder obtained by dividing the analysis start buffer position incremented by one by the buffer size is set as the next analysis start buffer position (step S14), and the process returns to step S5.
- FIG. 6 is a flowchart for explaining the procedure of the analysis and determination processing routine.
- The analysis processing described below is performed for all instruction sequences that include the 1-byte data read from the buffer memory 13 as the first byte of an instruction code (step S21). The analysis processing will be described in detail later; in outline, the instruction table is referred to based on the read 1-byte data, the contents of the instruction, the parameters to be used, the position of the next instruction and the like are stored, and in addition the state of the virtual stack in the virtual CPU execution environment unit 11a is monitored and analyzed.
- The CPU 11 then determines whether or not the analyzed instruction sequence has terminated (step S22). When the instruction sequence has not terminated (S22: NO), the analysis and determination processing routine is ended and the processing shifts to step S11 of the flowchart of FIGS. 4 and 5.
- If it is determined that the instruction sequence has terminated (S22: YES), the determination processing described later is performed (step S23). The CPU 11 then receives the result of the determination processing and determines whether or not illegal code has been detected (step S24). If it is determined that no illegal code has been detected (S24: NO), the current instruction sequence is deleted (step S26); if it is determined that illegal code has been detected (S24: YES), information indicating that illegal code has been detected is output (step S25). The information is output to an information processing device connected to the internal network via the communication interface 15b. The data processing device 10 may also be provided with a display unit for displaying the information as characters or a light emitting unit for notifying by light. It may further be configured to perform processing such as shutting down communication after outputting the information indicating that illegal code has been detected.
- FIGS. 7 and 8 are schematic diagrams for explaining appearance patterns of instruction codes detected by the analysis processing of the data processing device 10.
- FIG. 8 shows the "call → pop" structure used by the unauthorized code.
- In the "jmp → call" structure, the branch destination of the jmp instruction corresponds to the address of the call instruction, and the call destination of the call instruction is the instruction code group following the jmp instruction.
- Accordingly, the jmp instruction at address A1 branches to the call instruction at address A10, and the instruction code group at addresses A2 to A6 is called by that call instruction.
- the return address of the ca11 instruction is temporarily stored in the stack area.
- The return address stored in the stack area is then acquired by the pop instruction.
- The instruction code group at addresses A16 to A20 is called by the call instruction at address A1, and the return address of that call instruction is acquired by the pop instruction.
- Instead of placing the character string of the external command to be activated immediately after the call instruction, a dummy instruction code of a fixed length predetermined by the attacker may be placed there; in this case the same effect as described above is obtained. That is, in the example shown in FIG., a pop instruction that is not preceded by a push instruction in the instruction code group called by the call instruction obtains the address A2, which is the return destination of the call instruction; the value of the address A7 is calculated by arithmetic processing; a system call is invoked by the int instruction at address A20; and the external command (shell program) named by the character string located at address A7 is executed.
- addresses shown in FIGS. 7 and 8 are addresses provided for convenience, and do not necessarily represent continuous memory addresses on the stack area.
- FIGS. 9 to 13 are flowcharts illustrating the processing procedure of the analysis processing routine.
- The CPU 11 of the data processing device 10 refers to the above-mentioned instruction table and determines whether the instruction sequence starting from the one byte of data read from the buffer memory 13 is a jmp instruction (step S31). If it is determined that the instruction is a jmp instruction (S31: YES), it is determined whether the branch destination address indicated by the jmp instruction is larger than the address of the current position (step S32). If it is determined that the branch destination address is smaller than the address of the current position (S32: NO), this routine is terminated and the processing returns to the analysis / determination processing routine.
- If it is determined that the branch destination address is larger than the address of the current position (S32: YES), it is determined whether a branch destination address is already stored in a predetermined storage area of the memory 12 (hereinafter referred to as the branch destination table) (step S33). If no branch destination address is stored in the branch destination table (S33: NO), the branch destination address of the jmp instruction detected in step S31 is stored in the branch destination table (step S34). If a branch destination address is already stored (S33: YES), the smaller of the two branch destination addresses is selected (step S35), and the branch destination address stored in the branch destination table is updated accordingly (step S36).
- When the branch destination address has been stored or updated, the next instruction position is stored in the memory 12 (step S37), and the processing returns to the analysis / determination processing routine.
- It is then determined whether or not the one byte of data read from the buffer memory 13 is an int instruction (step S41). If it is determined that the instruction is an int instruction (S41: YES), the fact that an int instruction has been detected is stored in the memory 12 (step S42). Next, it is determined whether a branch destination address is already stored in the above-mentioned branch destination table (step S43). If no branch destination address is stored in the branch destination table (S43: NO), the instruction sequence currently being analyzed is terminated (step S44), and the processing returns to the analysis / determination processing routine and shifts to the determination processing described later. If a branch destination address is already stored (S43: YES), it is determined whether or not the address of the current position is larger than the branch destination address stored in the branch destination table (step S45).
- If it is determined in step S41 that the instruction is not an int instruction (S41: NO), it is determined whether the instruction code starting from the one byte of data read from the buffer memory 13 is a call instruction (step S51). If it is determined that the instruction is a call instruction (S51: YES), it is determined whether the call destination address of the call instruction is larger than the address of the current position (step S52). If it is determined that the call destination address is larger than the address of the current position (S52: YES), it is determined whether a call destination address is already stored (step S53). If no call destination address is stored (S53: NO), the call destination address of the call instruction detected in step S51 is stored (step S54). If a call destination address is already stored (S53: YES), the smaller call destination address is selected (step S55), and the stored call destination address is updated (step S56).
- If it is determined that the call destination address of the call instruction detected in step S51 is smaller than the address of the current position (S52: NO), several bytes of data starting from the next instruction position are stored in the memory 12 as command data (step S58).
- Next, it is determined whether or not the call destination address is in the list of positions where pop instructions are placed (step S59). This list is a storage area that stores, in list format, the addresses at which pop instructions are placed. If it is determined that the call destination address is in the list (S59: YES), the fact that the "call → pop" structure has been detected is stored in the memory 12 (step S60), and the instruction sequence currently being analyzed is terminated (step S61). When the instruction sequence is terminated, the processing returns to the analysis / determination processing routine and shifts to the determination processing.
- If it is determined that the call destination address is not in the list (S59: NO), it is determined whether or not an int instruction has been detected (step S62). If no int instruction has been detected (S62: NO), the processing returns to the analysis / determination processing routine without terminating the instruction sequence.
- If an int instruction has been detected (S62: YES), the branch destination table is referred to and it is determined whether or not the branch destination address of the jmp instruction is smaller than the address of the current position (step S63). If it is determined that the branch destination address is larger than the address of the current position (S63: NO), the processing returns to the analysis / determination processing routine without terminating the instruction sequence.
- If the branch destination address is smaller (S63: YES), it is determined whether the call destination address lies between the jmp instruction and the current position (step S64). If the call destination address does not lie between the jmp instruction and the current position (S64: NO), the processing returns to the analysis / determination processing routine without terminating the instruction sequence.
- If it does (S64: YES), the fact that the "jmp → call" structure has been detected is stored in the memory 12 (step S65), and the instruction sequence currently being analyzed is terminated (step S66). When the instruction sequence is terminated, the processing returns to the analysis / determination processing routine and shifts to the determination processing.
- If it is determined in step S51 that the instruction is not a call instruction (S51: NO), it is determined whether the instruction code starting from the one byte of data read from the buffer memory 13 is a pop instruction (step S71). If it is determined that the instruction is a pop instruction (S71: YES), the address of the current position is stored in the list (step S72). It is then determined whether or not the call destination address of the call instruction matches the address of the current position (step S73). If they match (S73: YES), the fact that the "call → pop" structure has been detected is stored in the memory 12 (step S74), and the processing returns to the analysis / determination processing routine. If the call destination address of the call instruction does not match the address of the current position (S73: NO), the processing likewise returns to the analysis / determination processing routine.
- Since the instruction boundary may not be interpreted correctly, it may not be possible to detect the "jmp → call" structure and the "call → pop" structure within a single instruction sequence. However, when a jmp instruction with a large branch destination address and a call instruction with a call destination address larger than the next instruction position are detected, the branch destination address and the call destination address are each analyzed as the start position of the next instruction code, so that the above-mentioned "jmp → call" structure and "call → pop" structure can be detected.
- If it is determined in step S71 that the instruction is not a pop instruction (S71: NO), it is determined whether the one byte of data read from the buffer memory 13 is a ret instruction, an lret instruction, an int3 instruction, or an iret instruction (step S81). Each of these instructions returns control from the called routine to the calling routine. If the instruction is any of them (S81: YES), the instruction sequence currently being analyzed is terminated (step S82), and the processing returns to the analysis / determination processing routine. If it is determined that the instruction is none of them (S81: NO), the processing returns to the analysis / determination processing routine without terminating the instruction sequence.
- FIG. 14 is a flowchart for explaining the processing procedure of the judgment processing routine.
- The CPU 11 of the data processing device 10 determines whether an int instruction has been detected in the instruction sequence terminated by the analysis processing routine described above (step S91). If no int instruction has been detected (S91: NO), it is determined that there is no illegal code, because no system call is invoked by interrupt processing and no external command is executed (step S92).
- If an int instruction has been detected (S91: YES), the CPU 11 determines whether or not the "call → pop" structure or the "jmp → call" structure has been detected (step S93). If neither structure has been detected (S93: NO), it is determined that there is no illegal code (S92).
- If either the "call → pop" structure or the "jmp → call" structure has been detected (S93: YES), it is determined whether or not the command data contains the character code corresponding to "/", which indicates a path delimiter (step S94). If the character code is not present in the command data (S94: NO), it is determined that there is no illegal code (S92). If the character code is contained in the command data (S94: YES), it is determined that there is a high probability that a system call will be invoked by interrupt processing and an external command (shell code) executed, that is, that illegal code exists (step S95).
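The analysis processing routine of FIGS. 9 to 13 and the determination processing routine of FIG. 14, as an added example that is not the patent's own implementation: it decodes only a handful of 32-bit x86 opcodes (the patent's full instruction table is assumed away), keeps the bytes after any call as the command data, and runs the analysis from every read position as step S21 requires; all sample byte strings are constructed here.

```python
"""Appearance-pattern check for the "jmp -> call" and "call -> pop" structures.
Constructed example for this page, not the patent's own implementation.
Assumed: a 32-bit x86 byte stream; only jmp, call, push, pop, int and the
return-type terminators are decoded, every other byte counts as a one-byte
instruction (the patent's instruction table would supply real lengths)."""
from __future__ import annotations
import struct
from dataclasses import dataclass, field

@dataclass
class SeqState:
    """What the analysis routine remembers about one instruction sequence."""
    jmp_pos: int | None = None      # position of the jmp whose target is kept
    jmp_target: int | None = None   # branch destination table (smallest entry)
    call_target: int | None = None  # stored call destination (smallest entry)
    int_seen: bool = False          # an int instruction was detected (S42)
    pop_positions: list[int] = field(default_factory=list)  # list of pop places
    command_data: bytes = b""       # bytes following a call (S58)
    structure: str | None = None    # "call->pop" or "jmp->call"

def decode(buf: bytes, pos: int):
    """Return (mnemonic, length, operand) for the tiny opcode subset modelled."""
    op = buf[pos]
    if op == 0xEB and pos + 1 < len(buf):   # jmp rel8: operand = branch target
        return "jmp", 2, pos + 2 + struct.unpack_from("<b", buf, pos + 1)[0]
    if op == 0xE8 and pos + 4 < len(buf):   # call rel32: operand = call target
        return "call", 5, pos + 5 + struct.unpack_from("<i", buf, pos + 1)[0]
    if 0x50 <= op <= 0x57:                   # push r32: operand = register
        return "push", 1, op - 0x50
    if 0x58 <= op <= 0x5F:                   # pop r32: operand = register
        return "pop", 1, op - 0x58
    if op == 0xCD and pos + 1 < len(buf):   # int imm8 (system call)
        return "int", 2, buf[pos + 1]
    if op in (0xC3, 0xCB, 0xCC, 0xCF):      # ret, lret, int3, iret
        return "ret", 1, None
    return "other", 1, None

def analyse_sequence(buf: bytes, start: int) -> SeqState:
    """Walk one instruction sequence from `start` (FIGS. 9 to 13, simplified)."""
    st = SeqState()
    pos = start
    while pos < len(buf):
        mnem, length, operand = decode(buf, pos)
        nxt = pos + length
        if mnem == "jmp":
            if operand <= pos:                  # backward branch: stop (S32: NO)
                break
            if st.jmp_target is None or operand < st.jmp_target:  # S33 to S36
                st.jmp_pos, st.jmp_target = pos, operand
        elif mnem == "int":
            st.int_seen = True                  # S42
            if st.jmp_target is None:           # S43: NO -> terminate (S44)
                break
        elif mnem == "call":
            # Simplification: bytes after any call are kept as command data (S58).
            st.command_data = buf[nxt:nxt + 16]
            if operand > pos:                   # forward call: keep target (S53 to S56)
                if st.call_target is None or operand < st.call_target:
                    st.call_target = operand
            elif operand in st.pop_positions:   # backward call onto a pop (S59: YES)
                st.structure = "call->pop"      # S60, S61
                break
            elif (st.int_seen and st.jmp_target is not None   # S62, S63
                  and st.jmp_target <= pos      # the jmp may land on this call
                  and st.jmp_pos < operand < pos):            # S64
                st.structure = "jmp->call"      # S65, S66
                break
        elif mnem == "pop":
            st.pop_positions.append(pos)        # S72
            if st.call_target == pos:           # S73: YES -> S74, sequence goes on
                st.structure = "call->pop"
        elif mnem == "ret":
            break                               # S81/S82: control returns to caller
        pos = nxt
    return st

def is_malicious(st: SeqState) -> bool:
    """Determination routine (FIG. 14): S91 int seen, S93 structure, S94 "/"."""
    return st.int_seen and st.structure is not None and b"/" in st.command_data

def scan(buf: bytes):
    """Analyse a sequence from every read position (S21); report the first hit."""
    for start in range(len(buf)):
        st = analyse_sequence(buf, start)
        if is_malicious(st):
            return start, st.structure
    return None

# Constructed samples, not taken from any real payload.
# FIG. 7 style: jmp forward to a call, call back onto a pop, command string after the call.
JMP_CALL_POP = bytes([0xEB, 0x0E, 0x5B] + [0x90] * 7 + [0xCD, 0x80] + [0x90] * 4
                     + [0xE8, 0xED, 0xFF, 0xFF, 0xFF]) + b"/bin/sh\0"
# Same layout, but the call returns onto a dummy instruction placed before the pop.
JMP_CALL_DUMMY = bytes([0xEB, 0x0E, 0x90, 0x5B] + [0x90] * 6 + [0xCD, 0x80] + [0x90] * 4
                       + [0xE8, 0xED, 0xFF, 0xFF, 0xFF]) + b"/bin/sh\0"
# FIG. 8 style: short forward call over the string, pop of the return address, then int.
CALL_POP = (bytes([0xE8, 0x0B, 0x00, 0x00, 0x00]) + b"/bin/sh\0"
            + bytes([0x90, 0x90, 0x90, 0x5B, 0x90, 0x90, 0xCD, 0x80]))
# Ordinary text: contains "/" but no int instruction, so it is never flagged.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
```

`scan(JMP_CALL_POP)` reports the "call → pop" structure because the pop at A2 is already in the list when the backward call is reached (S59), while `scan(JMP_CALL_DUMMY)` falls through to the "jmp → call" check of S62 to S64.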
- Determining whether the command data contains "/", which indicates a path delimiter of the external command, is performed as supporting evidence for the detection of the illegal code. Here "/" is given as an example of a character code indicating a path delimiter; a protection target CPU of a different type may use a different character code as the path delimiter, so the character code used for identification is not necessarily limited to "/".
- FIGS. 15 to 19 are flowcharts illustrating the processing procedure of the analysis processing routine according to the present embodiment.
- the CPU 11 of the data processing device 10 decrements the lifetime associated with each of the state, the variable, and the counter (step S101).
- In the present embodiment, a state, a variable, and a counter are introduced as parameters indicating the situation under analysis, and whenever one of these parameters is set, a positive default value is set as its survival period.
- As the state, a "pop instruction waiting" state, which indicates that the appearance of a pop instruction is awaited, and a "call → pop confirmation" state, which indicates that the "call → pop" structure must be checked, are introduced.
- As the variable, a push-pop balance variable for examining the balance between the number of occurrences of push instructions and pop instructions is introduced.
- As the counter, a counter is introduced that counts states in which there is a high probability that the "call → pop" structure appears.
- The survival period is a value preset for each parameter; it is decremented by one each time the analysis processing routine is repeated, and thus expresses the validity of the parameter in terms of the number of executions of the routine. If decrementing the survival period in this step brings it to 0, the parameter is initialized here.
- Next, the CPU 11 determines whether the one byte of data read from the buffer memory 13 is a jmp instruction by referring to the instruction table (step S102). If it is determined that the instruction is a jmp instruction (S102: YES), it is determined whether the branch destination address specified by the jmp instruction is larger than the next instruction position (step S103). If it is determined that the branch destination address is smaller than the next instruction position (S103: NO), this routine is terminated and the processing returns to the analysis / determination processing routine.
- The branch destination list is a list-format storage area capable of storing a plurality of addresses, secured in the memory 12. Then, after the next instruction position is changed to the branch destination address (step S105), the processing returns to the analysis / determination processing routine.
- If it is determined in step S102 that the instruction is not a jmp instruction (S102: NO), the CPU 11 determines whether the one byte of data read from the buffer memory 13 is a call instruction (step S106). If it is determined that the instruction is a call instruction (S106: YES), it is determined whether the call destination address is larger than the next instruction position (step S107). If it is determined that the call destination address is larger than the next instruction position (S107: YES), it is determined whether the difference between the call destination address and the next instruction position is smaller than a default value (for example, 10 bytes) (step S108). If it is determined that the difference is larger than the default value (S108: NO), the processing returns to the analysis / determination processing routine.
- If it is determined that the difference is smaller than the default value (S108: YES), the push-pop balance variable is cleared and the "pop instruction waiting" state is stored (step S109). The push-pop balance variable is introduced in order to detect a pop instruction that is not preceded by a push instruction: it is incremented for each push instruction and decremented for each pop instruction, and finally the sign of the push-pop balance variable is examined to detect a pop instruction not preceded by a push instruction.
- After storing that it is in the "pop instruction waiting" state, the CPU 11 changes the next instruction position to the call destination address (step S110) and returns to the analysis / determination processing routine.
- If it is determined in step S107 that the call destination address of the call instruction is smaller than the next instruction position (S107: NO), it is determined whether the call destination address is smaller than the analysis start position (step S111). If it is determined that the call destination address is smaller than the analysis start position (S111: YES), the processing returns to the analysis / determination processing routine. If it is determined that the call destination address is larger than the analysis start position (S111: NO), it is determined whether the call destination address lies between the next instruction position and the branch destination address stored in the aforementioned branch destination list (step S112).
- If the call destination address lies between the next instruction position and the branch destination address (S112: YES), it is determined whether an address in the list of positions where pop instructions are placed falls within a predetermined range (for example, several bytes) of the call destination address (step S113).
- If there is an address in the list of positions where pop instructions are placed within the predetermined range of the call destination address (S113: YES), it is determined whether or not the call destination address matches an address in that list (step S114). If it is determined that they match (S114: YES), the fact that the "call → pop" structure has been detected is stored (step S115); if they do not match (S114: NO), the fact that the "jmp → call" structure has been detected is stored (step S116). The instruction sequence is then terminated (step S117), and the processing returns to the analysis / determination processing routine. In step S112, the call destination address is changed to the next instruction position.
- If there is no address in the list of positions where pop instructions are placed within the predetermined range of the call destination address (S113: NO), the processing returns to the analysis / determination processing routine without terminating the instruction sequence.
- If it is determined in step S106 that the instruction is not a call instruction (S106: NO), the CPU 11 determines whether the one byte of data read from the buffer memory 13 is a pop instruction (step S118). If it is determined that the instruction is a pop instruction (S118: YES), the current position is stored in the list (step S119), and the push-pop balance variable is decremented (step S120). The CPU 11 then determines whether the current state is the "pop instruction waiting" state and whether the push-pop balance variable is negative (step S121).
- If it is in the "pop instruction waiting" state and the push-pop balance variable is determined to be negative (S121: YES), the register number used by the pop instruction is stored, and the "call → pop confirmation" state is stored in the memory 12 (step S122). Then, after the "call → pop" confirmation counter is cleared (step S123), the processing returns to the analysis / determination processing routine. If it is not in the "pop instruction waiting" state, or if the push-pop balance variable is not negative (S121: NO), this routine is terminated and the processing returns to the analysis / determination processing routine.
- If it is determined in step S118 that the instruction is not a pop instruction (S118: NO), the CPU 11 determines whether the one byte of data read from the buffer memory 13 is a push instruction (step S124). If it is determined that the instruction is a push instruction (S124: YES), the push-pop balance variable is incremented (step S125), and the processing returns to the analysis / determination processing routine.
- If it is determined that the instruction is not a push instruction (S124: NO), the CPU 11 determines whether the one byte of data read from the buffer memory 13 is a mov instruction or a logical operation instruction (step S126). If it is determined that the instruction is a mov instruction or a logical operation instruction (S126: YES), it is determined whether or not the register number stored in the "call → pop confirmation" state is used as the base register of the memory addressing (step S127).
- If the register number is used (S127: YES), the "call → pop" confirmation counter is incremented (step S128), and it is determined whether the value of the "call → pop" confirmation counter is equal to or greater than a default value (for example, about 3 to 5) (step S129). If it is determined that the value of the counter is equal to or greater than the default value (S129: YES), the fact that the "call → pop" structure has been detected is stored (step S130), the instruction sequence is terminated (step S131), and the processing returns to the analysis / determination processing routine. If it is determined in step S127 that the register number is not used (S127: NO), or if it is determined in step S129 that the value of the counter is smaller than the default value (S129: NO), the processing returns to the analysis / determination processing routine without terminating the instruction sequence.
- If it is determined in step S126 that the instruction is neither a mov instruction nor a logical operation instruction (S126: NO), it is determined whether or not the instruction is one marked as a terminal instruction (step S132).
- In the present embodiment an instruction table defining the relationship between instruction codes and their instruction lengths is used; by marking the terminal instructions in this instruction table in advance, whether an instruction is marked as a terminal instruction can be determined.
- Instructions that should be marked as terminal instructions include: (1) protection-function instructions used only in system programs (ARPL, LGDT, LIDT, SGDT, SIDT, LLDT, LTR, SLDT, STR, LMSW, SMSW, LAR, LSL, VERW, CLTS, HLT); (2) instructions that use a segment selector (mov, part of push and pop, LES, LDS, etc.); (3) input/output instructions (IN, OUT, INS, OUTS, etc.); (4) infrequently used instructions (DAA, DAS, AAA, AAS, BOUND, PUSHF, POPF, SAHF, LAHF); and (5) instructions indicating the start and end of functions or interrupt routines (ENTER, LEAVE, RET, LRET, INT3, INTO, IRET). Note that these instructions are specific to a particular CPU; if the CPU to be protected changes, the instructions to be marked as terminal instructions will of course change as well.
- If it is determined that the instruction is a marked terminal instruction (S132: YES), the instruction sequence under analysis is terminated (S131), and the processing returns to the analysis / determination processing routine; if it is determined that the instruction is not a marked terminal instruction (S132: NO), the processing returns to the analysis / determination processing routine without terminating the instruction sequence. Instead of detecting a terminal instruction, the instruction sequence may also be terminated, with the processing returning to the analysis / determination processing routine, when an instruction with an invalid addressing format is detected or when the use of an invalid prefix is detected.
- FIG. 20 is a flowchart illustrating a processing procedure of a determination processing routine according to the present embodiment.
- The CPU 11 of the data processing device 10 determines whether or not the "call → pop" structure or the "jmp → call" structure has been detected (step S141). If it is determined that either structure has been detected (S141: YES), it is determined that an illegal code exists (step S142); if it is determined that no structure has been detected (S141: NO), it is determined that there is no illegal code (step S144). Then the processing returns to the analysis / determination processing routine.
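The state, variable and counter bookkeeping of FIGS. 15 to 19 together with the determination of FIG. 20, as an added example that is not the patent's own code: it runs on an already decoded instruction stream (a constructed tuple format) rather than on raw bytes, the survival periods are assumed values, and the threshold and call distance are taken from the page's "for example" figures.

```python
"""Second-embodiment bookkeeping (FIGS. 15 to 20) over a decoded instruction stream.
Constructed example, not the patent's own code. Each instruction is a tuple
(addr, length, mnemonic, operand): operand is the target address for call, the
register number for push/pop, and the base register of a memory operand for mov
and logical instructions (None when there is none). Survival periods are assumed."""

STATE_LIFETIME = 8        # assumed survival period of the state
BALANCE_LIFETIME = 8      # assumed survival period of the push-pop balance variable
COUNTER_LIFETIME = 8      # assumed survival period of the confirmation counter
CONFIRM_THRESHOLD = 3     # page: "for example, about 3 to 5"
CALL_DISTANCE = 10        # page: "for example, 10 bytes"
TERMINAL = {"ret", "lret", "iret", "int3", "into", "enter", "leave", "in", "out", "hlt"}

class Analyzer:
    def __init__(self):
        self.state = None         # None, "pop_wait" or "call_pop_confirm"
        self.balance = 0          # push-pop balance variable
        self.counter = 0          # call->pop confirmation counter
        self.register = None      # register popped while in the pop_wait state
        self.life = {"state": 0, "balance": 0, "counter": 0}   # survival periods
        self.detected = None

    def _age(self):
        """S101: decrement each survival period; a parameter that reaches 0 is reset."""
        for name in self.life:
            if self.life[name] > 0:
                self.life[name] -= 1
                if self.life[name] == 0:
                    if name == "state":
                        self.state, self.register = None, None
                    elif name == "balance":
                        self.balance = 0
                    else:
                        self.counter = 0

    def step(self, addr, length, mnem, operand):
        """Feed one instruction; return True when the instruction sequence terminates."""
        self._age()
        nxt = addr + length
        if mnem == "call":
            # S107/S108: forward call whose target lies within CALL_DISTANCE bytes
            if nxt < operand < nxt + CALL_DISTANCE:
                self.balance, self.life["balance"] = 0, BALANCE_LIFETIME       # S109
                self.state, self.life["state"] = "pop_wait", STATE_LIFETIME
            return False
        if mnem == "push":
            self.balance += 1                                                  # S125
            return False
        if mnem == "pop":
            self.balance -= 1                                                  # S120
            if self.state == "pop_wait" and self.balance < 0:                  # S121
                self.register = operand                                        # S122
                self.state, self.life["state"] = "call_pop_confirm", STATE_LIFETIME
                self.counter, self.life["counter"] = 0, COUNTER_LIFETIME       # S123
            return False
        if mnem in ("mov", "logic"):
            # S127: the popped register is used as the base of a memory operand
            if self.state == "call_pop_confirm" and operand == self.register:
                self.counter += 1                                              # S128
                if self.counter >= CONFIRM_THRESHOLD:                          # S129
                    self.detected = "call->pop"                                # S130
                    return True                                                # S131
            return False
        return mnem in TERMINAL                                                # S132

def analyse(stream):
    """Run the analyzer over a decoded stream; FIG. 20 decides on the structure alone."""
    a = Analyzer()
    for ins in stream:
        if a.step(*ins):
            break
    return a.detected

# Constructed streams (register 3 is ebx, 5 is ebp).
# Mirrors FIG. 8: a short forward call over a data string, a pop of the return
# address that no push preceded, then several memory operands based on ebx.
GETPC_STREAM = [
    (0x00, 5, "call", 0x08),    # call over 3 data bytes -> 0x08
    (0x08, 1, "pop", 3),        # pop ebx
    (0x09, 3, "mov", 3),        # mov [ebx+7], al
    (0x0C, 3, "logic", 3),      # xor [ebx+8], eax
    (0x0F, 3, "mov", 3),        # mov [ebx+9], eax
    (0x12, 2, "int", None),
]
# An ordinary function: the push balances the pop and the call is far away.
NORMAL_STREAM = [
    (0x00, 1, "push", 5),       # push ebp
    (0x01, 2, "mov", None),     # mov ebp, esp
    (0x03, 5, "call", 0x200),   # call to a distant routine
    (0x08, 3, "mov", 5),        # mov [ebp-4], eax
    (0x0B, 1, "pop", 5),        # pop ebp
    (0x0C, 1, "ret", None),
]
# The pop arrives only after the "pop instruction waiting" state has expired.
EXPIRED_STREAM = ([(0x00, 5, "call", 0x08)]
                  + [(0x08 + i, 1, "other", None) for i in range(STATE_LIFETIME)]
                  + [(0x10, 1, "pop", 3), (0x11, 3, "mov", 3), (0x14, 3, "mov", 3),
                     (0x17, 3, "mov", 3)])
```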
- In the embodiment described above, the data processing device is a relay device used for data communication, such as a router, a broadband router, or a switch; it can also be applied to an information processing device having a communication function, such as a personal computer, a server device, a mobile phone, or a PDA.
- FIG. 21 is a schematic diagram illustrating a configuration of a data processing device according to the present embodiment.
- In FIG. 21, reference numeral 100 denotes an information processing device such as a personal computer. The information processing device 100 includes a CPU 101 and, connected to it via a bus 102, a ROM 103, a RAM 104, an operation unit 105, a display unit 106, a communication unit 107, an internal storage device 108, and an auxiliary storage device 109.
- the CPU 101 controls the hardware according to the control program stored in the ROM 103.
- The RAM 104 is composed of SRAM, flash memory, or the like, and stores data generated during execution of the control program stored in the ROM 103 as well as various data received from an external network via the communication unit 107.
- The operation unit 105 is an input device such as a keyboard and a mouse.
- the display unit 106 is a display device such as a CRT and a liquid crystal display.
- the operation unit 105 and the display unit 106 are used, for example, when inputting and displaying data to be transmitted.
- The communication unit 107 includes a line termination device and controls the transmission and reception of various kinds of data exchanged with an external network.
- The auxiliary storage device 109 includes an FD drive, a CD-ROM drive, or the like for reading the computer program and the like of the present invention from a recording medium M, such as an FD or a CD-ROM, on which the computer program is recorded; the read computer program is stored in the internal storage device 108.
- the computer program stored in the internal storage device 108 is appropriately read into the RAM 104 in accordance with an instruction from the CPU 101 and executed.
- the information processing device 100 functions as a device that detects an unauthorized code from the data received by the communication unit 107.
- The computer program described above is preferably a resident-type program that is automatically read into the RAM 104 when the information processing device 100 is started up, so that an unauthorized code is detected automatically whenever data is received from the outside. The procedure for detecting an unauthorized code is as described in Embodiment 1.
- Although the computer program of the present invention has been described as being provided on the recording medium M, it may also be provided by communication means via the communication unit 107.
- In the present embodiment an unauthorized code is detected using the information processing device 100 such as a personal computer, but the invention can of course also be applied to mobile devices such as a mobile phone, a PDA, or a portable computer, to in-vehicle communication devices, and to various information appliances.
- By recording the computer program of the present invention on a recording medium such as an FD or a CD-ROM, it can also be provided as an application software package that detects unauthorized code.
Industrial applicability
- In the second invention, data is sequentially read from the storage means in byte units, and whether or not an instruction code for executing an illegal process is included is detected by examining the appearance pattern of the instruction code for a plurality of data sequences at different read positions. Therefore, by focusing on an appearance pattern of instruction codes that is not found in ordinary data, even an unknown illegal code can be dealt with as long as the appearance pattern to be detected does not change.
- Since the detection is performed on the basis of the appearance pattern of the instruction code, the appearance pattern to be detected may differ depending on where the detection start position is set; however, because a plurality of data sequences whose read positions are changed sequentially are examined, the number of erroneous determinations is reduced and the detection accuracy can be improved.
- When the data read position falls at a position other than the first byte of an instruction code, the instruction sequence is terminated, so that erroneous detection of illegal code can be prevented and the processing speed can be improved.
- Since an appearance pattern including the process of acquiring the address on the storage means at which the instruction code group being executed is placed is detected, a detection method focusing on the essential, basic structure of the illegal code can be provided.
- An appearance pattern in which an instruction code group for executing a predetermined process is called, and in which an instruction code for obtaining the return address of the calling instruction code is detected within the called instruction code group, is detected. Therefore, it is easy to determine whether the data is such that it can perform unauthorized processing, and since the detection is based on the essential structure, unknown fraudulent code can also be dealt with.
- An appearance pattern in which the branch destination of a branch instruction is associated with the above-mentioned instruction code group is detected. Therefore, it is easy to determine whether the data is such that it can perform unauthorized processing, and since the detection is based on the essential structure, unknown malicious code can also be dealt with.
- an appearance pattern including an instruction code for activating a system call is detected. Therefore, it is possible to detect a case where the probability of execution of a malicious code is high, and it is possible to improve the detection accuracy.
- An appearance pattern including an instruction code that instructs rewriting of data starting from the return address is detected. Therefore, it is possible to cope with an illegal code for which it is not known, at a stage before execution, what processing will be executed.
- When the appearance pattern of the instruction code to be detected is detected, the data is determined to be data for executing an unauthorized process. It is therefore easy to determine whether or not the data is such that it executes unauthorized processing, and since the determination is based on the basic structure, unknown malicious code can also be dealt with.
- When an unauthorized code is detected, the fact is notified externally. Communication can therefore be interrupted or the like as soon as an unauthorized code is detected, so that harm caused by the unauthorized code can be prevented.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2005502935A JP4320014B2 (ja) | 2003-02-26 | 2004-02-26 | 不正処理判定方法、データ処理装置、コンピュータプログラム、及び記録媒体 |
US11/211,556 US7895655B2 (en) | 2003-02-26 | 2005-08-26 | Malicious-process-determining method, data processing apparatus and recording medium |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2003-049911 | 2003-02-26 | ||
JP2003049911 | 2003-02-26 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/211,556 Continuation US7895655B2 (en) | 2003-02-26 | 2005-08-26 | Malicious-process-determining method, data processing apparatus and recording medium |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2004077295A1 (ja) | 2004-09-10 |
Family ID=32923329
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2004/002319 WO2004077295A1 (ja) | 2003-02-26 | 2004-02-26 | Unauthorized processing determination method, data processing apparatus, computer program, and recording medium |
Country Status (4)
Country | Link |
---|---|
US (1) | US7895655B2 (ja) |
JP (1) | JP4320014B2 (ja) |
TW (1) | TW200416541A (ja) |
WO (1) | WO2004077295A1 (ja) |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7607122B2 (en) * | 2005-06-17 | 2009-10-20 | Microsoft Corporation | Post build process to record stack and call tree information |
CN101470661B (zh) * | 2007-12-28 | 2012-03-14 | 鸿富锦精密工业(深圳)有限公司 | Computer program debugging system and method |
US8291497B1 (en) * | 2009-03-20 | 2012-10-16 | Symantec Corporation | Systems and methods for byte-level context diversity-based automatic malware signature generation |
US8713681B2 (en) * | 2009-10-27 | 2014-04-29 | Mandiant, Llc | System and method for detecting executable machine instructions in a data stream |
CN102576392B (zh) * | 2009-10-31 | 2014-12-17 | 惠普发展公司,有限责任合伙企业 | Apparatus and method for malicious code detection, and malicious code detector |
US9372991B2 (en) * | 2012-03-06 | 2016-06-21 | International Business Machines Corporation | Detecting malicious computer code in an executing program module |
US10103890B2 (en) * | 2014-08-08 | 2018-10-16 | Haw-Minn Lu | Membership query method |
US10728040B1 (en) * | 2014-08-08 | 2020-07-28 | Tai Seibert | Connection-based network behavioral anomaly detection system and method |
KR101715759B1 (ko) * | 2015-09-22 | 2017-03-15 | 한국전자통신연구원 | Apparatus and method for analyzing malicious code in a multi-core environment |
US20190362074A1 (en) * | 2018-05-24 | 2019-11-28 | Microsoft Technology Licensing, Llc | Training technologies for deep reinforcement learning technologies for detecting malware |
US10963561B2 (en) * | 2018-09-04 | 2021-03-30 | Intel Corporation | System and method to identify a no-operation (NOP) sled attack |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH01237834A (ja) * | 1988-03-18 | 1989-09-22 | Fujitsu Ltd | Load module editing and display method |
JPH11167487A (ja) * | 1997-12-02 | 1999-06-22 | Fujitsu Ltd | Virus check network, virus check apparatus, client terminal, and virus information management station |
JP2001344128A (ja) * | 2000-06-02 | 2001-12-14 | Nec Microsystems Ltd | Method for setting disassembly display address and recording medium |
Family Cites Families (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5414833A (en) * | 1993-10-27 | 1995-05-09 | International Business Machines Corporation | Network security system and method using a parallel finite state machine adaptive active monitor and responder |
US5826013A (en) * | 1995-09-28 | 1998-10-20 | Symantec Corporation | Polymorphic virus detection module |
AU1206097A (en) * | 1995-12-28 | 1997-07-28 | Eyal Dotan | Method for protecting executable software programs against infection by software viruses |
JPH09319574A (ja) | 1996-05-29 | 1997-12-12 | Nec Niigata Ltd | Computer virus check system |
US5951698A (en) | 1996-10-02 | 1999-09-14 | Trend Micro, Incorporated | System, apparatus and method for the detection and removal of viruses in macros |
US6301699B1 (en) * | 1999-03-18 | 2001-10-09 | Corekt Security Systems, Inc. | Method for detecting buffer overflow for computer security |
US6058372A (en) * | 1999-06-11 | 2000-05-02 | Sweet; Stephen R. | Interactive self-service hard drive copying system |
US6405303B1 (en) * | 1999-08-31 | 2002-06-11 | Advanced Micro Devices, Inc. | Massively parallel decoding and execution of variable-length instructions |
US7360076B2 (en) * | 2001-06-13 | 2008-04-15 | Itt Manufacturing Enterprises, Inc. | Security association data cache and structure |
US6832302B1 (en) * | 2001-10-24 | 2004-12-14 | At&T Corp. | Methods and apparatus for detecting heap smashing |
2004
- 2004-02-26 TW TW093104904A patent/TW200416541A/zh unknown
- 2004-02-26 WO PCT/JP2004/002319 patent/WO2004077295A1/ja active Application Filing
- 2004-02-26 JP JP2005502935A patent/JP4320014B2/ja not_active Expired - Fee Related

2005
- 2005-08-26 US US11/211,556 patent/US7895655B2/en not_active Expired - Fee Related
Non-Patent Citations (1)
Title |
---|
EITARO SAITO: "2001 Nen han virus daizukan", NIKKEI NETWORK, no. 16, 22 July 2001 (2001-07-22), pages 59 - 85, XP002982548 * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2007080281A (ja) * | 2005-09-13 | 2007-03-29 | Cloudmark Inc | Signatures for executable code |
JP2007188437A (ja) * | 2006-01-16 | 2007-07-26 | Nippon Telegr & Teleph Corp <Ntt> | Attack detection apparatus, attack detection method, and attack detection program |
JP4739962B2 (ja) * | 2006-01-16 | 2011-08-03 | 日本電信電話株式会社 | Attack detection apparatus, attack detection method, and attack detection program |
Also Published As
Publication number | Publication date |
---|---|
US20060026685A1 (en) | 2006-02-02 |
JP4320014B2 (ja) | 2009-08-26 |
JPWO2004077295A1 (ja) | 2006-06-08 |
TW200416541A (en) | 2004-09-01 |
US7895655B2 (en) | 2011-02-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP4320013B2 (ja) | | Unauthorized processing determination method, data processing apparatus, computer program, and recording medium |
US7895655B2 (en) | | Malicious-process-determining method, data processing apparatus and recording medium |
KR102137773B1 (ko) | | System for transmitting secure data through a security application and method therefor |
ES2302962T3 (es) | | Method and system for heuristically detecting viruses in executable code |
JP4851150B2 (ja) | | Efficient whitelisting of user-modifiable files |
EP2600272A2 (en) | | Hacker virus security-integrated control device |
US20090133125A1 (en) | | Method and apparatus for malware detection |
US20060130145A1 (en) | | System and method for analyzing malicious code protocol and generating harmful traffic |
Pasupulati et al. | | Buttercup: On network-based detection of polymorphic buffer overflow vulnerabilities |
EP2774071B1 (en) | | System and method for detecting a file embedded in an arbitrary location and determining the reputation of the file |
CN109474625A (zh) | | Network security protection method, device, and embedded system |
JPH11316677A (ja) | | Computer network security method |
CN110837640B (zh) | | Malicious file detection and removal method, detection and removal device, storage medium, and apparatus |
CN101676876A (zh) | | Automatic hardware-based recovery of a compromised computer |
JP2007047884A (ja) | | Information processing system |
WO2008040223A1 (fr) | | Method for filtering harmful data transferred between a terminal and a destination host in a network |
WO2010024606A2 (ko) | | System and method for providing a normal file database |
RU2746105C2 (ru) | | System and method for configuring a gateway for the protection of automated systems |
KR100985076B1 (ko) | | USB device security apparatus and method |
CN114338203A (zh) | | Intranet detection system and method based on a mimic honeypot |
JP2006268687A (ja) | | Computer virus monitoring program and computer terminal apparatus using the same |
JP2007157059A (ja) | | Proactive malicious program detection method, detection apparatus, and computer program |
CN111343000B (zh) | | System and method for configuring a gateway to protect automation systems |
CN110830494B (zh) | | IoT attack defense method and apparatus, electronic device, and storage medium |
US11520884B2 (en) | | Dummy information insertion device, dummy information insertion method, and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AK | Designated states | Kind code of ref document: A1; Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
| AL | Designated countries for regional patents | Kind code of ref document: A1; Designated state(s): BW GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| WWE | Wipo information: entry into national phase | Ref document number: 2005502935; Country of ref document: JP |
| WWE | Wipo information: entry into national phase | Ref document number: 11211556; Country of ref document: US |
| WWP | Wipo information: published in national office | Ref document number: 11211556; Country of ref document: US |
| 122 | Ep: pct application non-entry in european phase | |