With the spread of the Internet and wireless communication devices, the infection routes of malicious software (malicious code) have diversified, and the damage caused by it increases every year. A malicious code refers to software intended to cause effects the user does not want, such as system failure or information leakage, against the user's intention and interests. Malicious code includes hacking tools such as viruses, worms, trojans, backdoors, logic bombs and trap doors, as well as malicious spyware, adware and the like. Malicious code causes problems such as leakage of personal information (e.g., user identification (ID) and passwords), control of the target system, file deletion or modification, system failure, denial of service of application programs or systems, leakage of core data, and installation of other hacking programs, and it spreads through self-reproduction or automatic propagation functions, so that the resulting damage is both varied and serious.
To counter this, malicious code curing systems (vaccine programs) that detect and cure malicious code have been developed. Most known malicious code curing systems use a file-based diagnosis method, because most malicious code takes a file format that can be executed on a specific system. For example, malicious code generally has the executable file format (PE: Portable Executable) so that it can be executed on a Windows system. Extensions of files having the PE format include exe, cpl, ocx, dll, vxd, sys, scr, drv and the like. To diagnose malicious code having the executable (PE) file format, the malicious code curing system needs a specific signature capable of recognizing that file format and determining that the code is malicious. This diagnosis method is what is generally called the signature-based or string inspection method employed by most malicious code curing systems. The signature-based diagnosis method inspects specific or unique parts of a file that has been classified as malicious code. Thus, the signature-based diagnosis method is advantageous in that precise diagnosis can be performed with few false positives and false negatives, and in that scanning is fast because only specific parts of the files are compared during inspection. However, the signature-based diagnosis method cannot deal with a new file that has been only slightly changed: a false negative occurs, in which the malicious file is not diagnosed, even if only a few hundred bits of the file have been changed. The signature-based diagnosis method can deal only with known malicious code, and therefore cannot deal with new malicious code that is not yet known.
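The two mechanisms described in this paragraph, recognizing the PE format from the file's own headers rather than its extension and matching a fixed byte signature, can be shown in a few lines. The following is an added example written for this page, not code from the original document or from any vaccine product; the PE blob, the signature bytes and the signature name are constructed for illustration, and the function names are the example's own. It also reproduces the weakness the paragraph describes: a variant that differs by two bytes inside the signed region passes the signature scan unnoticed while still being a valid PE file.

```python
"""Structural PE identification plus byte-signature scanning (added example).

Shows (1) recognizing the PE format by header structure, not by extension,
(2) matching fixed byte signatures, and (3) the false negative that results
when a variant changes a few bytes inside the signed region.
All sample data and signature names below are constructed for illustration.
"""
import struct

# Extensions the text above lists for the PE format.
PE_EXTENSIONS = {"exe", "cpl", "ocx", "dll", "vxd", "sys", "scr", "drv"}


def has_pe_extension(filename: str) -> bool:
    """Extension-based check: cheap, but defeated simply by renaming the file."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[-1].lower() in PE_EXTENSIONS


def is_pe(data: bytes) -> bool:
    """Structural check: 'MZ' DOS header, e_lfanew at 0x3C, 'PE\\0\\0' at that offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Reject a header pointer outside the buffer (malformed or truncated file).
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def scan_signatures(data: bytes, signatures: dict) -> list:
    """Return the names of all byte signatures that occur anywhere in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def build_sample_pe(body: bytes) -> bytes:
    """Construct a minimal PE-shaped blob: DOS header, e_lfanew = 0x40, PE magic, body."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0" + body


def make_variant(data: bytes, offset: int, count: int) -> bytes:
    """Flip the low bit of `count` bytes starting at `offset`: a trivial variant."""
    out = bytearray(data)
    for i in range(offset, offset + count):
        out[i] ^= 0x01
    return bytes(out)


# Constructed signature: an arbitrary byte sequence standing in for a real one.
SIGNATURES = {"constructed.sample.a": b"\x55\x8b\xec\x83\xec\x40\x68\x11\x22\x33\x44"}

# Constructed sample: 16 filler bytes, the signed region, then a return opcode.
SAMPLE = build_sample_pe(b"\x90" * 16 + SIGNATURES["constructed.sample.a"] + b"\xc3")
SIG_OFFSET = 0x40 + 4 + 16                       # where the signature starts in SAMPLE
VARIANT = make_variant(SAMPLE, SIG_OFFSET + 6, 2)  # two bytes changed inside the signature
RENAMED_PE = "quarterly_report.pdf"               # a PE file given a document extension
PDF_HEADER = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"     # constructed non-PE input


def demo() -> dict:
    """Run every check and return the results so they can be inspected or asserted on."""
    return {
        "sample_is_pe": is_pe(SAMPLE),
        "sample_hits": scan_signatures(SAMPLE, SIGNATURES),
        "variant_is_pe": is_pe(VARIANT),
        "variant_hits": scan_signatures(VARIANT, SIGNATURES),  # empty list: false negative
        "pdf_is_pe": is_pe(PDF_HEADER),
        "renamed_has_pe_ext": has_pe_extension(RENAMED_PE),     # False: the extension lies
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point a practitioner should take from the output is that `is_pe` keeps reporting the variant as a PE file while `scan_signatures` no longer finds anything in it: the structural check is robust to small edits, the signature is not. The bounds check in `is_pe` is also deliberate; a scanner that trusts `e_lfanew` blindly can be crashed or misled by a crafted header.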
Meanwhile, the APT (Advanced Persistent Threat) attack that has recently attracted attention uses various malicious codes together with high-level attack techniques so that an attacker can select a specific target and extract the desired information. In particular, an APT attack is not detected in the initial intrusion stage, and Non-PE (Non-Portable Executable) files containing malicious code are widely used for it. This is because the program that opens a non-executable file (e.g., a document-creating program or an image program) inherently has some level of security vulnerability, and because a variant of the malicious code can easily be generated by embedding the malicious code in a non-executable file and then modifying that file.
Due to these characteristics, APT attacks frequently carry out zero-day attacks using an exploit embedded in a malicious non-executable file. For example, when a recipient opens a malicious non-executable file attached to an e-mail, the recipient's computer may be infected by the malicious file and may in turn attack other computers. Further, the malicious file may intrude into the system and cause core data to be leaked to the outside. Moreover, because non-executable files come in many formats, an analyst needs a considerable amount of time and effort to determine whether a non-executable file is malicious and to analyze its malicious behavior in the case of a zero-day exploit using such a file. Conventional techniques can hardly cope with the many malicious non-executable files that are modified or newly generated while the analysis is still in progress.
For example, a conventional signature-based inspection method needs a massive signature database to detect the various attack methods, and even then it is practically difficult for it to block a zero-day exploit that uses a malicious non-executable file.
In addition, a conventional behavior-based detection method requires prior information, such as the attacker's design method, to detect the behavior of various attackers, which results in many problems such as false positives and false negatives.
To solve these problems, a malicious code curing system capable of rapidly and accurately detecting whether a non-executable file includes malicious code needs to be developed.