1. Field of the Invention
Apparatuses and methods consistent with the present invention relate to preventing malicious application behaviors, and more particularly, to using information on malicious application behaviors among devices.
2. Description of the Related Art
Behavior profiling/monitoring engine applications, commonly known as antivirus software, monitor the execution of an application and record logs. Behavior-based antivirus software monitors malicious applications based on application behaviors. WholeSecurity, Finjan Software, and Proofpoint are companies providing behavior-based solutions. These solutions prevent malicious applications by determining whether a process is malicious according to an algorithm, by providing an engine that blocks application-level behaviors, or by applying machine learning and artificial intelligence.
In related art, the application vulnerability description language (AVDL), enterprise vulnerability description language (EVDL), and open vulnerability and assessment language (OVAL) describe malicious application behaviors. AVDL sets a standard for exchanging information on known vulnerabilities in a network. AVDL describes a vulnerability between clients using the Hypertext Transfer Protocol (HTTP) and a gateway/proxy, and how an attack is performed. EVDL forms a known data format in order to indicate the vulnerability of web applications. In addition, EVDL is a security markup language, and provides a guide for initial hazards and the probability of risks. OVAL is a language that determines the vulnerabilities and configuration issues of a computer system. OVAL is an international information-security community-based standard providing information on how to check the vulnerabilities of computer systems, and whether the settings have been set.
Most computer systems today have antivirus software installed, which is provided by different vendors, and each is composed of different virus signature/patch formats. In addition, many different kinds of malware attacks cause damage to different applications in different platforms. The vulnerabilities of operating systems, system software, or application software components are susceptible to exploitation. Accordingly, interoperability is an important consideration.
AVDL specifies the stack of the application or the “known vulnerability” of the component, e.g., operating system types, operating system versions, application server types, web server types, and database types. Here, AVDL specifies information on directory structures, Hypertext Markup Language (HTML) structures, legal access points, and legal response parameters. The EVDL schema is composed of elements such as metadata that contains basic information, profiles that classify the vulnerabilities of applications, analysis that contains information on source code vulnerabilities, detection information that detects the vulnerabilities of the application, and protection information that protects the application while running.
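The check these languages support is a match of a described stack (OS type and version, web server, database) against a host's inventory, as the text says of AVDL and OVAL. The example below is added here and is not from the patent or any of the named standards; the element and attribute names are a hypothetical structure modelled only on the stack fields the text lists, and the sample document and CVE identifier are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample document; element names are hypothetical, not real AVDL/OVAL.
SAMPLE_DOC = """<vulnerability id="CVE-0000-00000">
  <stack>
    <os type="Linux" version="2.6"/>
    <web-server type="Apache"/>
    <database type="MySQL"/>
  </stack>
  <access-point path="/admin/login" method="POST"/>
</vulnerability>"""


def parse_known_vulnerability(xml_text):
    """Parse a stack-style vulnerability description into a plain dict.

    Only the static fields the description carries (identifier, stack
    components, legal access points) are extracted; there is no runtime
    behavior field to extract, which is the limitation the text describes.
    """
    root = ET.fromstring(xml_text)
    stack = {child.tag: dict(child.attrib) for child in root.find("stack")}
    access_points = [dict(ap.attrib) for ap in root.findall("access-point")]
    return {"id": root.get("id"), "stack": stack, "access_points": access_points}


def host_is_affected(vuln, host):
    """Return True when every component named in the description matches the host.

    `host` is an inventory dict keyed by component tag, e.g.
    {"os": {"type": "Linux", "version": "2.6"}, "database": {"type": "MySQL"}}.
    A component absent from the inventory, or any attribute that differs
    (e.g. a different database type or OS version), means no match.
    """
    for component, attrs in vuln["stack"].items():
        present = host.get(component)
        if present is None:
            return False
        if any(present.get(key) != value for key, value in attrs.items()):
            return False
    return True
```

Because the match consults only inventory fields, a runtime event such as a process writing to a system directory has nothing in the document to be compared against, which is the gap the text attributes to these languages.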
The aforementioned languages share a known vulnerability. However, the committee for language standardization cannot stipulate that vulnerabilities must be specified in Extensible Markup Language (XML) format.
Large amounts of malware, such as viruses, are created regularly. Accordingly, a process of generating a patch to combat a virus, as illustrated in FIG. 1, is required.
FIG. 1 illustrates the implementation of a related art antivirus process. In operation 1, a virus attacks a known vulnerability of a user computer system. In operation 2, the user computer system reports the characteristics of the attack to a vendor. In operation 3, a virus code is then transmitted to an antivirus vendor. The antivirus vendor analyzes the sample virus code, and generates a patch or a signature. Once operation 3 has been completed, the vendor updates the database of the known vulnerability in operation 3′.
In operation 4, the antivirus vendor transmits the patch or the signature to a client computer so the client computer can update the antivirus signature. In addition, a document based on the aforementioned AVDL, EVDL, and OVAL is generated in operation 4′. The user computer downloads the antivirus software and prevents unauthenticated or malicious applications from running in operation 5.
FIG. 2 is a drawing illustrating whether a generated document protects against a known vulnerability. FIG. 2 illustrates malicious software or a virus attacking the vulnerability of an authenticated application. Client 2 may inquire where the vulnerability identified by a Common Vulnerabilities and Exposures (CVE) entry lies. Client 2 may receive an AVDL, OVAL, or EVDL document, and share the document with client 1.
However, the vulnerability detailed in an XML document using AVDL, OVAL, or EVDL is a “known” vulnerability, and thus does not specify malicious behaviors. That is, it is difficult to protect the system using a “zero-hour protection” scheme. Zero-hour protection immediately blocks malicious software that poses a threat to the system. The aforementioned vulnerability description languages specify “known vulnerabilities”, but do not specify malicious application “behaviors”. In addition, the languages can be applied when a known vulnerability is shared, but are not effective in preventing the malicious application from spreading.
Related art description languages cannot check whether a vulnerability exists. Another disadvantage is that the generated XML documents are large.
Accordingly, documents in those languages may induce network load when such documents are exchanged, shared, and parsed, and may pose a problem for embedded systems having limited computing power and few resources. Therefore, solutions to the aforementioned problems are required.