Along with the popularization of the Internet network, various kinds of information processing apparatuses have become target of an attack such as computer virus and cracking and tend more to be exposed to such a menace. In cases of recent years, for example, computer virus typified by “Nimda” and “Code Red”, which self-propagates using vulnerability (security hole) of an application program such as a system program or a web browser, has caused serious damage.
In an attack mentioned above by computer virus, cracking and the like, attack data including an instruction code for performing a malicious process (hereinafter referred to as a malicious code) is transmitted to an information processing apparatus such as a server apparatus and a personal computer which is the target of the attack, so that the instruction code is executed at the information processing apparatus. There are a variety of such attack techniques and an attack technique by buffer overflow is known as one thereof. In buffer overflow, when a buffer secured in a stack falls into a buffer overflow state where writing is performed at a stack area larger than the secured buffer, unexpected variable destruction is caused which may lead to malfunction of a program. In an attack by buffer overflow, malfunction of a program is caused intentionally so as to obtain administrator authorization of a system, for example.
In order to cope with these attacks such as computer virus and cracking, as described in Japanese Patent Application Laid-Open No. H9-319574, for example, a process of detecting presence of a particular bit pattern to be found in a malicious code is performed for received data. When such a bit pattern is included in received data, it is determined that the data is attack data including a malicious code, and rejection of data, annunciation to the user and the like are performed.
Accordingly, in order to cope with a variety of attacks such as computer virus and cracking with a conventional technique, it is necessary to prepare and store a particular bit pattern corresponding to each computer virus and cracking in a database, and the database must be updated to cope with a case where new computer virus or cracking technique is found.
In a conventional detecting method for attack data, a known bit pattern is detected as described above, or the structure of a portion which is not essential for an attack process such as simple repetition of a NOP (non-operation) instruction is detected. Accordingly, the method is vulnerable to variation of attack data and it is necessary to update a database of bit patterns used for detection every time unknown attack data arises, arousing concern over time lug before the database is updated.
The present invention, in view of the above situation, aims to provide a malicious-process-determining method, a data processing apparatus and a computer-readable recording medium recorded a computer program for realizing the data processing apparatus where, for a plurality of data sequence each composed of a contiguous sequence of byte strings and have a first byte corresponding to a different read address, detecting whether each of data sequences generate a plurality of character codes configuring a command name of an external command, and determining whether the process of each data sequence is a malicious process based on the detection result, thereby performing detection on an unknown instruction code group that performs a malicious process without preparing in advance a bit pattern and the like for detecting the instruction code group that performs the malicious process.