1. Field of the Invention
The present invention relates to a method and apparatus for extracting complete Windows executable files in a high-speed, large-capacity network environment, and more particularly to a method and apparatus that search a large quantity of network packets for a pattern associated with Windows executable files using hardware-based session tracking and pattern matching, and that extract all packets belonging to the corresponding session.
The present invention results from research for the IT Growth Power Technology Development project of the Ministry of Knowledge and Economy [project number: 2006-S-042-03; project title: Development of a Real-Time Attack Signature Generation and Management Technology for Coping with Zero-Day Attacks of Network Threats].
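As an added illustration that is not part of the patent text, the following Python sketch models in software what the field description above attributes to hardware: packets are grouped into sessions, each session's payload is reassembled and re-checked for the Windows executable pattern (a DOS header beginning with "MZ" whose e_lfanew field points at the "PE" signature), and once a session matches, its entire payload, earlier packets included, is extracted. The session key, the in-order-delivery assumption, the addresses and the minimal executable image are all constructed for this example.

```python
import struct
from collections import defaultdict

# Constructed stand-in for a Windows executable: a DOS header starting with "MZ",
# the e_lfanew field at offset 0x3C pointing to the NT headers, and the PE
# signature there. The bytes after the signature are filler, not a real PE layout.
def build_sample_pe() -> bytes:
    nt_offset = 0x80
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", nt_offset)
    stub = b"\x00" * (nt_offset - len(dos_header))
    return dos_header + stub + b"PE\x00\x00" + b"\x01" * 64


def is_pe_image(buf: bytes) -> bool:
    """True when buf begins with a DOS header whose e_lfanew points at the PE signature.

    Returns False while the stream is still too short to decide, so the caller
    can simply re-check as more of the session is reassembled.
    """
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    # Bound e_lfanew: a genuine value lies within the first few hundred bytes.
    if e_lfanew < 0x40 or e_lfanew > 0x400 or len(buf) < e_lfanew + 4:
        return False
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


class SessionTracker:
    """Track sessions by (src, sport, dst, dport) and reassemble their payload.

    Assumption made for this example (not stated by the patent): packets arrive
    in order, so payloads can be concatenated; a real implementation reorders
    on TCP sequence numbers and times out idle sessions.
    """

    def __init__(self):
        self.streams = defaultdict(bytearray)  # session key -> reassembled bytes
        self.packets = defaultdict(list)       # session key -> every packet seen
        self.flagged = set()                   # sessions carrying a PE image

    def feed(self, pkt):
        """Record one packet; return the session key the first time it matches."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        self.packets[key].append(pkt)
        self.streams[key] += pkt["payload"]
        # The pattern is re-checked per packet because the PE signature usually
        # sits beyond the first packet and only becomes visible once buffered.
        if key not in self.flagged and is_pe_image(bytes(self.streams[key])):
            self.flagged.add(key)
            return key
        return None

    def extract(self, key) -> bytes:
        """Return the whole payload of a flagged session, earlier packets included."""
        return bytes(self.streams[key])


def run_demo():
    """Interleave a constructed PE transfer with an unrelated text session and
    return {session_key: extracted_bytes} for every session carrying a PE image."""
    image = build_sample_pe()
    chunks = [image[:50], image[50:110], image[110:]]
    pe_flow = dict(src="10.0.0.5", sport=80, dst="192.168.1.20", dport=51000)
    txt_flow = dict(src="10.0.0.9", sport=25, dst="192.168.1.20", dport=51001)
    packets = [  # constructed capture, in arrival order
        dict(pe_flow, seq=0, payload=chunks[0]),
        dict(txt_flow, seq=0, payload=b"220 mail service ready\r\n"),
        dict(pe_flow, seq=50, payload=chunks[1]),
        dict(txt_flow, seq=24, payload=b"250 OK\r\n"),
        dict(pe_flow, seq=110, payload=chunks[2]),
    ]
    tracker = SessionTracker()
    flagged = []
    for pkt in packets:
        key = tracker.feed(pkt)
        if key is not None:
            flagged.append(key)
    # Extract after the whole capture so packets arriving after the match are kept too.
    return {key: tracker.extract(key) for key in flagged}


if __name__ == "__main__":
    for key, data in run_demo().items():
        print(key, len(data), "bytes reassembled")
```

The point the sketch makes is why session tracking has to precede pattern matching: the "PE" signature is only reachable after the DOS header has been buffered, so packets seen before the match must already be held per session or the extracted file is incomplete.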
2. Description of the Related Art
Computer viruses have developed in many directions, from viruses that infect files to worms that spread rapidly through a network and Trojan horses that steal data. The threat that viruses and malware pose to a network has increased, and file infection by viruses and malware, as well as file-based hacking techniques, have evolved. Therefore, various countermeasures have been actively researched to protect computer systems from the threat that viruses and malware pose to a network.
Most known anti-virus programs use a file-based diagnosis method. The file-based diagnosis method diagnoses a virus or malware using a signature of a specified type and is called a signature-based diagnosis method or a string-based diagnosis method.
Because the signature-based diagnosis method scans only a specific or intrinsic portion of a file classified as malware, it can minimize false positives and false negatives. Further, when an anti-virus program scans a file, it compares only specific portions of the scan target file with the signature, so scanning can be performed rapidly. However, the signature-based diagnosis method can cope only with already-known viruses and cannot cope with new types of viruses.
One detection method developed to overcome this limitation of the signature-based diagnosis method is the heuristic detection method. The heuristic detection method diagnoses a file using an action pattern of a virus or malware. For example, when a file writes data to a specific folder, changes a specific registry entry, or uses an instruction that viruses or malware frequently use, the heuristic detection method diagnoses the file as a virus or malware. That is, the heuristic detection method treats the action of writing data to a specific folder, changing a specific registry entry, or using a specific instruction as a signature and compares that signature with the instructions of the scan target file.
Heuristic detection methods are classified into methods that execute the file in a virtual operating system (OS) and methods that scan and compare files without executing them. Further, a heuristic detection method may detect a virus or malware by comparing the operation codes (opcodes) of files, using the opcode sequence of a code section common to virus code files as a signature.
As described above, analysis of executable files is necessary for detecting various viruses efficiently and responding to them rapidly. However, most malware (or virus) detection techniques based on file analysis require a complete executable file and are commonly performed on a host computer; that is, they are structured to analyze files executed within the host computer. Therefore, these techniques are limited in their ability to analyze and deal with executable files transferred over a high-speed, large-capacity network at an early stage.
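The following Python example is added here as an illustration and is not part of the patent; it shows in code the two ideas the related-art description combines: a signature expressed as a byte sequence with wildcard positions (the opcode-sequence signature of the preceding paragraph) and a scan that is restricted to a specific window of the file rather than the whole file (the reason given above for the speed of signature-based scanning). The sample file bytes and the signature are constructed for the example; the signature encodes a short x86 "xor byte [esi], imm8 / inc esi / loop" sequence with the immediate and the branch displacement left as wildcards, since those bytes vary between samples.

```python
# Signature scanning limited to a window of the file, as an added illustration
# of the signature-based diagnosis method. A signature is a list of byte values
# where None is a wildcard that matches any byte.

def match_at(buf: bytes, pos: int, pattern) -> bool:
    """True when pattern (with None wildcards) matches buf at offset pos."""
    if pos + len(pattern) > len(buf):
        return False
    return all(p is None or buf[pos + i] == p for i, p in enumerate(pattern))


def scan_window(buf: bytes, pattern, start: int, length: int) -> int:
    """Return the offset of the first match inside [start, start + length), or -1.

    Restricting the scan to a window (for example the bytes around the entry
    point) is what keeps signature scanning fast: the rest of the file is never
    compared against the signature.
    """
    end = min(len(buf), start + length)
    for pos in range(start, end - len(pattern) + 1):
        if match_at(buf, pos, pattern):
            return pos
    return -1


# Constructed opcode-sequence signature: 80 36 ib = xor byte [esi], imm8;
# 46 = inc esi; E2 rel8 = loop. The immediate (the XOR key) and the loop
# displacement are wildcards so the signature survives a changed key.
XOR_LOOP_SIG = [0x80, 0x36, None, 0x46, 0xE2, None]


def build_sample_file() -> bytes:
    """Constructed scan target: 200 filler bytes, a short code stub, 100 zero bytes."""
    code = b"\x55\x8b\xec" + b"\x80\x36\x5a\x46\xe2\xf9" + b"\xc3"
    return b"\x90" * 200 + code + b"\x00" * 100


def run_demo():
    """Scan the constructed file twice: only its first 100 bytes, then the 64-byte
    window starting at the code stub. Returns (miss_offset, hit_offset)."""
    buf = build_sample_file()
    miss = scan_window(buf, XOR_LOOP_SIG, 0, 100)
    hit = scan_window(buf, XOR_LOOP_SIG, 200, 64)
    return miss, hit


if __name__ == "__main__":
    print(run_demo())
```

Because the window is chosen by the analyst, this is also where the limitation stated above becomes concrete: a sample whose matching bytes fall outside the window, or whose fixed bytes differ from the signature, is not detected, which is why heuristic methods were developed alongside it.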