The present invention relates to a security device and method that protect a data processing system from various types of malicious code and prevent the divulgence of data and erroneous operation.
With the development of data processing systems, such as computers, mobile terminals, etc., that operate and manage various types of data and with the development of networks, such as the Internet, that mediate mutual communication, a massive amount of data is being handled via data processing systems.
Such data includes not only information useful to users but also information malicious to users. Malicious information may include, for example, malicious code such as viruses, spyware, and adware. Malicious code may fatally damage a data processing system used by a specific user or by a plurality of unspecified users, may cause operations undesirable to the user to be performed, and may furthermore divulge the private information of a user and thus cause economic damage to that user. Accordingly, continuous efforts have been made to monitor and block such malicious code.
Conventionally, to search for malicious code, the patterns of a plurality of types of malicious code are stored in advance in a database (DB), and a specific location of a designated data processing system or network is monitored to determine whether a file having any one of the stored patterns is present.
However, the conventional method examines arbitrary stored files and compares them with the patterns stored in the DB, and thus it is problematic in that the level of security achieved is low relative to the time and resources invested. Furthermore, the conventional method monitors the security level of a file only while the conventional security device is run, regardless of whether the corresponding file is executed. The conventional method is therefore limited in that the conventional security device cannot monitor malicious code that is not activated, or is not itself malicious, at a specific point of time, but initiates a malicious function when specific processing is performed or a specific point of time is reached.
To overcome these problems, a method was proposed in which a conventional security device examines all files present in a data processing system, or at a specific location, at predetermined intervals. However, the number of security target files that the conventional security device must monitor is not small, owing to the size of the data processing system or the specific location, and the number of monitoring operations increases as the monitoring interval is shortened. Accordingly, precise file monitoring is problematic in that it demands high-level specifications of the conventional security device.