Nowadays, malicious code multiplies rapidly while diversifying into innumerable variants, and many websites are consequently exposed to intrusion by malicious code. Once an intrusion succeeds, the malicious code can extract and leak personal information relating to games, internet banking, and the like. A computer on which a hacking tool has been installed by malicious code becomes a zombie computer and may be used for further malicious activities. Moreover, malicious code can attack not only the website it has intruded but also the users who visit that website, in various manners such as phishing, drive-by-download, or the like.
To prevent damage to users from such malicious code, security programs and systems have been developed. Prevention techniques currently in wide use against drive-by-download attacks include a signature-based detection method and a preemptive prevention method.
The signature-based detection method blocks websites that have been reported by users or identified by inspecting downloadable files with anti-virus (AV) engines, thereby preventing those sites from spreading malicious code. In this method, samples are collected as victims of malicious code attacks report their damage afterward, or signatures capable of identifying the malicious code are extracted via a honeypot. The signature-based method therefore has the problem that a certain number of victims are inevitably attacked before any user reports the attack. In other words, it cannot protect against a zero-day attack, which takes place before the security problem in a system has been announced. Moreover, protection against variants of known malicious code is not perfect, either.
The preemptive prevention method determines the presence of malicious code based on the activity performed by a program. One example of this method is a technique such as a host intrusion prevention system (HIPS) that protects weak points of the host system. This method cannot detect the presence of malicious code with 100% certainty, because even though a detected activity is suspicious, normal code can perform the same activity, too. Accordingly, in this method, when a suspicious activity is detected, the user is asked, through a notification window or the like, whether to continue executing the corresponding code. Such notification windows appear frequently in a system protected by the preemptive prevention method, which makes the user uncomfortable. Moreover, even when the notification window warns about the execution of a suspicious act, it is practically difficult for ordinary users, who are not computer security experts, to recognize the malicious code and decide whether or not to continue executing the suspicious act.
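To make the two limitations concrete, the following is an added Python example, not code from the original document: a toy signature-based check (file hash plus byte pattern) beside a toy behaviour-based check (HIPS-style activity list) run over constructed samples. The sample bytes, the signature entries, and the activity names are all invented for illustration.

```python
import hashlib

# Constructed sample "downloads": a known malicious file, a trivially modified
# variant of it, and a benign installer. None of these are real malware.
KNOWN_MALICIOUS = b"MZ...loader...connect c2.example.invalid...drop loader_a.exe"
VARIANT = b"MZ...loader...connect c3.example.invalid...drop loader_b.exe"
BENIGN_INSTALLER = b"MZ...setup...copy files...register autorun for updater"

# Signature database, as an AV engine would build it from reported victim
# samples or honeypot captures: one full-file hash and one byte pattern.
SIGNATURE_HASHES = {hashlib.sha256(KNOWN_MALICIOUS).hexdigest()}
SIGNATURE_PATTERNS = [b"connect c2.example.invalid"]

def signature_detect(sample: bytes) -> bool:
    """Signature-based detection: match a known hash or byte pattern."""
    if hashlib.sha256(sample).hexdigest() in SIGNATURE_HASHES:
        return True
    return any(pattern in sample for pattern in SIGNATURE_PATTERNS)

# Behaviour-based (HIPS-style) detection: activities observed at run time.
SUSPICIOUS_ACTIVITIES = {"write_autorun", "inject_into_process", "disable_av"}

def behavior_verdict(activities: list[str]) -> str:
    """Return 'ask_user' if any observed activity is on the suspicious list,
    mirroring the notification window of a preemptive prevention system."""
    hits = [a for a in activities if a in SUSPICIOUS_ACTIVITIES]
    return "ask_user" if hits else "allow"

# Constructed run-time traces for the same three programs.
ACTIVITY_TRACES = {
    "known_malicious": ["create_file", "write_autorun", "inject_into_process"],
    "variant": ["create_file", "write_autorun", "inject_into_process"],
    "benign_installer": ["create_file", "write_autorun"],  # legit updater autorun
}

def compare() -> dict:
    """Run both checks over every sample; returns {name: (sig_hit, verdict)}."""
    samples = {"known_malicious": KNOWN_MALICIOUS, "variant": VARIANT,
               "benign_installer": BENIGN_INSTALLER}
    return {name: (signature_detect(data), behavior_verdict(ACTIVITY_TRACES[name]))
            for name, data in samples.items()}

if __name__ == "__main__":
    for name, (sig, verdict) in compare().items():
        print(f"{name:17} signature={'hit' if sig else 'miss':4} behavior={verdict}")
```

The variant, which differs by a few bytes, slips past the hash and pattern signatures; the behaviour check catches both malicious traces but also stops the benign installer at the same "ask the user" prompt.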