1. Technical Field
The present disclosure relates to a computing device, and more particularly, to a method of modeling a behavior pattern of an instruction set that is executed in a computing device in an N-gram manner, a computing device operating with the method, and a program to execute the method.
2. Description of the Related Art
Malicious codes are used in attacking specified or unspecified targets. Users of computing devices unwittingly execute files that are infected with malicious codes or download such files through the Internet. When a file infected with malicious code is executed, a specific instruction set is executed by a processor of the computing device. The execution of the instruction set corresponding to the malicious code causes various problems, such as leaks of personal information, system crashes, denial of service, or the like. Accordingly, detecting malicious codes has recently been emphasized as an important issue.
In order to detect malicious codes, a static analysis and a dynamic analysis are performed. The static analysis is used for reverse-analyzing the code of a file suspected to be infected with a malicious code. Through the static analysis, the instruction set executed by the malicious code is predicted. The dynamic analysis is used for directly checking the operation of a file suspected to be infected with a malicious code by executing the file.
Through the static and dynamic analyses, the file suspected to be infected with the malicious code may be analyzed and the malicious code may be detected therefrom. According to the static and dynamic analyses, a previously known malicious code may be accurately and rapidly detected based on a specific binary pattern and a specific behavior rule. However, it is difficult to detect a mutant malicious code or an unknown malicious code, and information on new patterns and rules needs to be continuously collected.
Malicious code covertly infiltrates a target of attack via various routes and remains concealed for a long time. Furthermore, the attack patterns of malicious code diversify and evolve. For these reasons, a method of modeling a behavior pattern of an instruction set executed by a malicious code and accurately detecting a mutant malicious code or an unknown malicious code is required.