The present invention relates to a system and method for analyzing a patch file, which can detect malware, a computer virus, a back door, function-degrading code, etc. contained in a patch file of an application program by determining the similarity between the patch file of the application program and an existing file in terms of operation pattern and file type, and by additionally determining whether high-risk behavior is performed by the patch file.
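The three checks named above (file type, operation-pattern similarity against the existing file, and a high-risk behavior check on top of them) can be illustrated with a small screening routine. This is an added example, not the patent's implementation or any product's code: it approximates the "operation pattern" by the set of identifier-like strings (API names) a file contains, uses an assumed similarity threshold and an assumed, hypothetical shortlist of high-risk markers, and runs on constructed byte strings that stand in for real executables.

```python
"""Screening a candidate patch file against the currently installed version.

Added example, not code from the patent.  The operation pattern is approximated
by the set of identifier-like strings in the file; the threshold and the list
of high-risk markers are assumptions, not values taken from the page.
"""
import re
from typing import NamedTuple

# Identifier-like, NUL-separated strings (e.g. imported API names) serve as the
# operation-pattern proxy.  A real analyzer would parse the import table or
# trace execution instead; this keeps the example self-contained.
IDENTIFIER_RE = re.compile(rb"^[A-Za-z_][A-Za-z0-9_]{3,}$")

# Assumed, hypothetical shortlist of high-risk markers and why they matter.
HIGH_RISK = {
    b"URLDownloadToFileW": "downloads a file from the network",
    b"WinExec": "launches an arbitrary program",
    b"CreateRemoteThread": "injects code into another process",
    b"RegSetValueExW": "writes registry values",
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run": "autorun persistence key",
}

SIMILARITY_THRESHOLD = 0.7  # assumed; would be tuned on a corpus of real patches


def file_type(data: bytes) -> str:
    """Classify by magic bytes: PE, ELF, ZIP, or unknown."""
    if data.startswith(b"MZ"):
        return "PE"
    if data.startswith(b"\x7fELF"):
        return "ELF"
    if data.startswith(b"PK\x03\x04"):
        return "ZIP"
    return "unknown"


def operation_pattern(data: bytes) -> frozenset:
    """Set of identifier-like strings found between NUL bytes."""
    return frozenset(t for t in data.split(b"\x00") if IDENTIFIER_RE.match(t))


def jaccard(a: frozenset, b: frozenset) -> float:
    """Jaccard similarity of two operation patterns (1.0 when both are empty)."""
    union = a | b
    return 1.0 if not union else len(a & b) / len(union)


def high_risk_behaviour(data: bytes) -> tuple:
    """Reasons for every high-risk marker present in the file, in table order."""
    return tuple(reason for marker, reason in HIGH_RISK.items() if marker in data)


class Verdict(NamedTuple):
    same_type: bool
    similarity: float
    high_risk: tuple
    accepted: bool


def analyze(existing: bytes, patch: bytes,
            threshold: float = SIMILARITY_THRESHOLD) -> Verdict:
    """Accept only if the type matches, the pattern is similar enough to the
    existing file, and no high-risk marker is present in the patch."""
    same_type = file_type(existing) == file_type(patch)
    similarity = jaccard(operation_pattern(existing), operation_pattern(patch))
    risks = high_risk_behaviour(patch)
    accepted = same_type and similarity >= threshold and not risks
    return Verdict(same_type, similarity, risks, accepted)


# --- Constructed samples: stand-ins for binaries, not real files -------------
def make_pe_like(*strings: bytes) -> bytes:
    return b"MZ\x90\x00" + b"\x00".join(strings) + b"\x00"


BASE_APIS = (b"CreateFileW", b"ReadFile", b"WriteFile", b"CloseHandle",
             b"MessageBoxW", b"GetModuleHandleW", b"LoadLibraryW", b"GetProcAddress")
EXISTING = make_pe_like(*BASE_APIS)                       # installed version
LEGIT_PATCH = make_pe_like(*BASE_APIS, b"GetVersionExW")  # small, benign change
TROJANIZED_PATCH = make_pe_like(*BASE_APIS, b"URLDownloadToFileW", b"WinExec",
                                b"RegSetValueExW",
                                b"Software\\Microsoft\\Windows\\CurrentVersion\\Run")
FAKE_PATCH = make_pe_like(b"InternetOpenW", b"InternetReadFile",
                          b"CreateProcessW", b"RegSetValueExW")  # unrelated malware
WRONG_TYPE = b"PK\x03\x04\x00" + b"\x00".join(BASE_APIS) + b"\x00"  # archive, not PE

if __name__ == "__main__":
    for name, candidate in [("legit", LEGIT_PATCH), ("trojanized", TROJANIZED_PATCH),
                            ("fake", FAKE_PATCH), ("wrong type", WRONG_TYPE)]:
        print(name, analyze(EXISTING, candidate))
```

The trojanized sample is the case the similarity check alone misses: it keeps almost the whole operation pattern of the installed version (similarity 8/11, above the assumed threshold) and is rejected only by the additional high-risk behavior check, while the unrelated malware fails on similarity and the archive fails on file type before its contents matter.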
In the field of computer technology, patching refers to correcting a defect in any of the various types of application programs or data installed on a computer or the like, or to replacing the existing contents of an application program or data with the newest version. Accordingly, the various application programs installed on a computer are patched by installing the patch files that are provided periodically, and a user can thus use those application programs stably.
Meanwhile, as social engineering attacks have developed, there are many cases in which a system suffers a serious failure after a patch file is installed on it, because malware was distributed disguised as a normal patch file, a patch file was infected with malware, or a backdoor was included in the patch file.
Despite this serious situation, there has conventionally been no method for determining whether an update file (a patch file) for a specific application program is a genuine patch file provided by the manufacturer of that application program, with the result that computers are frequently infected with malware through patch files.
To overcome the above-described problem, conventional anti-virus (vaccine) programs identify the operation pattern of malware or the like and, when that operation pattern is observed, treat the system as infected with malware and disinfect it.
However, conventional vaccine programs determine only whether a patch file is malware; they cannot determine whether the patch file is a normal one produced by the corresponding manufacturer. Furthermore, when no information about an operation pattern is available, it cannot be determined whether infection has occurred, because the determination relies solely on analysis of the operation pattern. Consequently, conventional vaccine programs cannot detect new types of malware based on a logic bomb, hidden code, or the like.