1. Field of the Invention
The present invention relates to an apparatus and method for automatically analyzing a behavior of an application program operating in an operating system, and more particularly, to an apparatus and method for automatically analyzing a program in order to detect malicious codes that are programmed to perform malicious behaviors only when a specific event occurs or when a specific program execution condition is satisfied.
2. Discussion of Related Art
Malicious code analysis is currently performed mainly by security companies, which derive a detection pattern (signature) for the malicious code from that analysis. The analysis takes at least one or two hours, and more than a day when the analyst is less experienced or the malicious code is heavily armored against analysis. Moreover, detection by pattern matching cannot reliably cope with new malicious code, or with a variant of existing malicious code, for which no corresponding sample has yet been collected.
In particular, malicious codes such as Trojan horses, backdoors, and bots normally operate like other Windows application programs, and are triggered to perform malicious behaviors only when a specific event occurs or when a specific program execution condition is satisfied. The specific event may include, for example, receiving a specific packet via a network, or downloading a command by accessing an external Uniform Resource Locator (URL). The specific program execution condition may include, for example, a specific time, the program not running under a debugger, the program not running inside a virtual machine, etc. Since normal behavior and malicious behavior coexist in one program and the malicious behavior is generally not triggered during analysis, it is difficult to analyze such a program accurately with automatic analysis based on static or dynamic analysis schemes.
As to static analysis, various techniques exist for disturbing it. In particular, in the case of a compressed (packed) executable file, static analysis sees only the portion of the file that is not compressed, essentially the decompression stub, so the actual behavior of the program, which is contained in the compressed payload, cannot be determined until that payload is unpacked.
To overcome this limitation of static analysis, program behavior analysis schemes using dynamic analysis are being widely studied. A representative example is the sandbox analysis scheme, which executes a program suspected of being malicious in isolation from the system in use and observes its behavior in various ways, for example by application programming interface (API) hooking. However, dynamic analysis also may not accurately analyze the behavior of malicious codes such as Trojan horses, backdoors, and bots: since such code is likely to be programmed to detect that it is executing in a sandbox and to perform only normal operations there, the analysis is constrained.
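The following is an added illustration, not code from the patent, of the two points above: a constructed sample whose malicious path is gated on anti-debugging, anti-virtual-machine, time and network-trigger checks, and a sandbox harness that either runs it as-is (and sees only benign behavior) or hooks its environment probes so that they answer as a real victim machine at the trigger time would. The probe names, the trigger hour of 03:00 and the sample's decision logic are all assumptions made for the example; in real Windows malware the probes would be API calls such as IsDebuggerPresent and GetLocalTime and hypervisor fingerprinting, and the hook would be installed by API hooking rather than by swapping a function pointer. The enumeration at the end generalizes the point by counting how many of all possible probe outcomes reach the malicious path.

```c
#include <stdbool.h>
#include <stdio.h>

typedef enum { BEHAVIOR_BENIGN = 1, BEHAVIOR_MALICIOUS = 2 } behavior_t;

/* Environment probes the sample consults before deciding what to do.
 * In real Windows malware these would be API calls (e.g. IsDebuggerPresent,
 * GetLocalTime) and VM fingerprinting; here they are function pointers so the
 * harness can replace them, which is the effect API hooking has in a sandbox. */
typedef struct {
    bool (*debugger_present)(void);
    bool (*in_virtual_machine)(void);
    int  (*hour_of_day)(void);               /* 0..23 */
    bool (*trigger_packet_received)(void);
} env_probes_t;

#define TRIGGER_HOUR 3   /* assumed trigger time for this constructed sample */

/* Constructed sample: ordinary behaviour on every path except the one where
 * all anti-analysis checks pass and the external trigger has arrived. */
behavior_t run_sample(const env_probes_t *env)
{
    if (env->debugger_present())            return BEHAVIOR_BENIGN;
    if (env->in_virtual_machine())          return BEHAVIOR_BENIGN;
    if (env->hour_of_day() != TRIGGER_HOUR) return BEHAVIOR_BENIGN;
    if (!env->trigger_packet_received())    return BEHAVIOR_BENIGN;
    return BEHAVIOR_MALICIOUS;
}

/* Configurable probe backend: the harness sets g_state, the probes report it. */
typedef struct { bool debugger, vm, packet; int hour; } env_state_t;
static env_state_t g_state;

static bool cfg_debugger(void) { return g_state.debugger; }
static bool cfg_vm(void)       { return g_state.vm; }
static int  cfg_hour(void)     { return g_state.hour; }
static bool cfg_packet(void)   { return g_state.packet; }

static const env_probes_t g_probes = { cfg_debugger, cfg_vm, cfg_hour, cfg_packet };

/* Plain sandbox run: the VM is visible, the clock reads an arbitrary hour, and
 * no command packet ever arrives, so the sample looks benign. */
behavior_t analyze_without_hooks(void)
{
    g_state = (env_state_t){ .debugger = false, .vm = true, .packet = false, .hour = 14 };
    return run_sample(&g_probes);
}

/* Hooked run: the probes are made to answer as a real victim machine at the
 * trigger time would, and the trigger event is synthesised. */
behavior_t analyze_with_hooks(void)
{
    g_state = (env_state_t){ .debugger = false, .vm = false, .packet = true, .hour = TRIGGER_HOUR };
    return run_sample(&g_probes);
}

/* Enumerate every probe outcome (2 x 2 x 24 x 2 = 192 combinations) and count
 * how many reach the malicious path; for this sample exactly one does, which
 * is why a single unhooked run is very unlikely to observe it. */
int count_malicious_paths(void)
{
    int hits = 0;
    for (int d = 0; d < 2; d++)
        for (int v = 0; v < 2; v++)
            for (int h = 0; h < 24; h++)
                for (int p = 0; p < 2; p++) {
                    g_state = (env_state_t){ .debugger = d, .vm = v, .packet = p, .hour = h };
                    if (run_sample(&g_probes) == BEHAVIOR_MALICIOUS) hits++;
                }
    return hits;
}

int main(void)
{
    printf("unhooked sandbox run : %s\n",
           analyze_without_hooks() == BEHAVIOR_MALICIOUS ? "malicious" : "benign");
    printf("hooked sandbox run   : %s\n",
           analyze_with_hooks() == BEHAVIOR_MALICIOUS ? "malicious" : "benign");
    printf("malicious paths      : %d of 192\n", count_malicious_paths());
    return 0;
}
```

The unhooked run reports benign behavior and the hooked run reports malicious behavior for the same program, which is the gap the sandbox scheme faces: the observed behavior depends entirely on what the sample's environment probes return. Forcing those probes is only possible when the analysis environment knows which checks the sample performs, and a real sample may fingerprint the hooks themselves.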