1. Technical Field
The present invention relates generally to an apparatus and method for blocking the activity of malware and, more particularly, to an apparatus and method for blocking the continuous activity of malware with which a user terminal (e.g., a personal computer (PC) or a smart phone) has been infected.
2. Description of the Related Art
Typical virus vaccines maintain information about files diagnosed as malware (i.e., a blacklist) in local storage or a cloud, check whether or not a specific file is malware when a user accesses or executes the specific file, and block the execution of the specific file or delete the specific file.
In the above scheme, the execution of a file that is the same as or similar to a file that was previously diagnosed as malware by a virus vaccine can be blocked, but the execution of a new malicious file (i.e., a malicious file not registered on a blacklist) is permitted until the analysis of the new malicious file is completed.
For this reason, a heuristic detection scheme has been introduced. In this scheme, malware is not diagnosed based on a precise pattern, but the results of the static and dynamic analysis (or real-time monitoring) of a specific file are integrated and then the specific file is diagnosed as malware when a behavior pattern common in a specific malware type is detected in the specific file.
While virus vaccines detect and block malware using the blacklist scheme and the heuristic detection scheme, effective countermeasures against new malware remain insufficient.
As countermeasures against malware using the blacklist scheme exhibit their limitations as described above, security products capable of taking countermeasures against malware based on a white list have been recently released.
However, there is great difficulty maintaining a white list in an up-to-date state because user terminals are used in various environments and because operating systems and applications are frequently updated. That is, in the white list scheme, a list of permitted programs is maintained, and the execution of a program not included in the list of permitted programs is blocked. Accordingly, when the list of programs executed in a normal user terminal environment is not accurately maintained, the execution of even a normal program is blocked. As a result, the white list scheme is problematic in that a user terminal may not operate normally.
For this reason, the white list scheme has been introduced and managed only within specific environments (e.g., on an industrial server or a PC) in which the operating system and applications rarely change.
As described above, although the common white list scheme is based on a very powerful security concept for blocking malware, because the execution of files other than designated files is blocked, this scheme has difficulty maintaining the white list when there is a change attributable to the updating of an operating system or applications, or when different programs are executed on different user terminals.
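The two gaps described above (a blacklist permitting a malicious file that has not yet been registered, and a white list blocking a normal program once an update changes its content) can be reproduced with a hash-based version of each scheme. The following is an added Python example, not part of this specification; the policy classes, the SHA-256 identification of files and the sample "files" are constructed for illustration:

```python
import hashlib


def digest(content: bytes) -> str:
    """Identify a file by the SHA-256 of its content (assumed identification scheme)."""
    return hashlib.sha256(content).hexdigest()


class BlocklistPolicy:
    """Blacklist scheme: block only files whose digest was previously diagnosed as malware."""

    def __init__(self, known_malware: list[bytes]) -> None:
        self.blocked = {digest(m) for m in known_malware}

    def decide(self, content: bytes) -> str:
        return "block" if digest(content) in self.blocked else "allow"


class AllowlistPolicy:
    """White list scheme: allow only files whose digest was registered as permitted."""

    def __init__(self, permitted: list[bytes]) -> None:
        self.allowed = {digest(p) for p in permitted}

    def decide(self, content: bytes) -> str:
        return "allow" if digest(content) in self.allowed else "block"


# Constructed sample "files" standing in for executables (plain text, not real programs).
EDITOR_V1 = b"editor 1.0 -- shipped with the operating system image"
EDITOR_V2 = b"editor 1.1 -- the same program after a routine update"
OLD_MALWARE = b"dropper A -- already diagnosed and registered on the blacklist"
NEW_MALWARE = b"dropper B -- not yet analysed, so absent from every list"


def compare_policies() -> dict[str, dict[str, str]]:
    """Run both schemes over the same files and return every decision by scheme and file."""
    blocklist = BlocklistPolicy(known_malware=[OLD_MALWARE])
    allowlist = AllowlistPolicy(permitted=[EDITOR_V1])  # list not updated for EDITOR_V2
    samples = {"editor_v1": EDITOR_V1, "editor_v2": EDITOR_V2,
               "old_malware": OLD_MALWARE, "new_malware": NEW_MALWARE}
    return {
        "blacklist": {name: blocklist.decide(c) for name, c in samples.items()},
        "whitelist": {name: allowlist.decide(c) for name, c in samples.items()},
    }


if __name__ == "__main__":
    for scheme, decisions in compare_policies().items():
        print(scheme, decisions)
```

The blacklist lets the unregistered dropper run, while the white list stops it but also stops the updated editor, whose new digest was never added to the list.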
As a related technology, Korean Patent Application Publication No. 10-2001-0082488 entitled “Method for Preventing the Prohibited Program from Running in Multiple Computers within the Local Area Network System” discloses a technology for preventing a prohibited program from being installed and executed on a multi-computer system connected to a local network.