KR102548985B1 - Methods and apparatus for machine learning modeling for detecting malicious document files - Google Patents

Abstract

The present specification provides a machine learning method for a server to detect malicious document files, which collects sample data for training an artificial intelligence model for detecting the malicious document files, classifies the sample data based on the type of file, extracts dynamic features of the sample data based on the classified sample data, and trains the artificial intelligence model using the dynamic features.

Description

Machine learning modeling method for detecting malicious document files and apparatus therefor { METHODS AND APPARATUS FOR MACHINE LEARNING MODELING FOR DETECTING MALICIOUS DOCUMENT FILES }

The present specification relates to a machine learning modeling method and apparatus for detecting a malicious document file based on a reversing engine.

In the Advanced Persistent Threat (APT) attack, an attacker sets a specific target and applies advanced attack techniques to continuously utilize various types of malicious codes to steal target information. In particular, APT attacks are often undetectable in the initial intrusion stage, and often use Non-Portable Executable (Non-PE) files containing malicious codes.

Document behavior is the behavior of executing the action of an application program related to non-executable files. Existing APT solutions operate based on document behavior. judge whether This takes a long time to analyze because it waits for all document behaviors to appear and then determines whether or not it is malignant.

In addition, existing APT solutions run non-executable files in the sandbox and then judge them based on changes in the sandbox. For example, an APT solution can grasp the approximate function of a document action through WINDOWS API hooking, but a general document process includes many functions, so it is difficult to determine which action is triggered by using a function of a document. It's hard to know exactly what happened.

Malicious document files are mass-produced using malicious code creation tools. Mass-produced malicious document files have similar characteristics, and detection signatures and behavior detection patterns are required to detect them.

Signatures and detection patterns must be created by an analyst by directly analyzing them to find their commonalities. This process can be classified into static analysis and dynamic analysis, and the process of creating a signature and detection pattern suitable for each can be detected more quickly through an artificial intelligence model.

An object of the present specification is to propose a machine learning modeling method and apparatus for detecting a malicious document file.

The technical problems to be achieved by this specification are not limited to the above-mentioned technical problems, and other technical problems not mentioned are clear to those skilled in the art from the detailed description of the specification below. will be understandable.

One aspect of the present specification is a method for machine learning modeling for a server to detect a malicious document file, comprising: collecting sample data for learning an artificial intelligence model for detecting the malicious document file; classifying the sample data based on the type of file; extracting a dynamic feature of the sample data based on the classified sample data; and learning the artificial intelligence model using the dynamic features. can include

Also, based on the classified sample data, extracting static features of the sample data; and learning the artificial intelligence model using the static features. can contain more.

Also, the dynamic feature may be information extracted through a debugging engine.

The extracting of the dynamic feature may include setting a breakpoint for extracting the dynamic feature in the sample data; executing the sample data, and monitoring whether a process of an application program related to the sample data is stopped at the breakpoint; and based on the stopping of the process, extracting the dynamic feature; can include

In addition, the extracting of the dynamic feature may include determining whether a new module related to the sample data is loaded based on the fact that the process is not interrupted; may further include.

Also, the dynamic feature may include 1) information related to external connection, 2) information related to a macro, and 3) information related to a process of the sample data.

Another aspect of the present specification is a server performing machine learning modeling for detecting a malicious document file, comprising: a communication unit; memory containing a debugging engine; and a processor functionally controlling the communication unit and the memory. wherein the processor collects sample data for learning an artificial intelligence model for detecting the malicious document file, classifies the sample data based on a file type, and based on the classified sample data, Dynamic features of the sample data may be extracted, and the artificial intelligence model may be trained using the dynamic features.

According to an embodiment of the present specification, machine learning modeling for detecting a malicious document file may be performed.

Effects obtainable in the present specification are not limited to the effects mentioned above, and other effects not mentioned will be clearly understood by those skilled in the art from the description below. .

1 is a block diagram for explaining an electronic device related to the present specification.
2 is a diagram showing a server or client related to the present specification.
3 is an example of an abnormal input that can be applied to this specification.
4 illustrates a method for determining a document behavior to which this specification can be applied.
5 is a block diagram of an AI device according to an embodiment of the present specification.
6 is an example of a machine learning modeling method according to an embodiment of the present specification.
7 is an example of dynamic feature extraction to which the present specification can be applied.
The accompanying drawings, which are included as part of the detailed description to aid understanding of the present specification, provide examples of the present specification and describe technical features of the present specification together with the detailed description.

Hereinafter, the embodiments disclosed in this specification will be described in detail with reference to the accompanying drawings, but the same or similar components are given the same reference numerals regardless of reference numerals, and redundant description thereof will be omitted. The suffixes "module" and "unit" for components used in the following description are given or used together in consideration of ease of writing the specification, and do not have meanings or roles that are distinct from each other by themselves. In addition, in describing the embodiments disclosed in this specification, if it is determined that a detailed description of a related known technology may obscure the gist of the embodiment disclosed in this specification, the detailed description thereof will be omitted. In addition, the accompanying drawings are only for easy understanding of the embodiments disclosed in this specification, the technical idea disclosed in this specification is not limited by the accompanying drawings, and all changes included in the spirit and technical scope of this specification , it should be understood to include equivalents or substitutes.

Terms including ordinal numbers, such as first and second, may be used to describe various components, but the components are not limited by the terms. These terms are only used for the purpose of distinguishing one component from another.

It is understood that when an element is referred to as being "connected" or "connected" to another element, it may be directly connected or connected to the other element, but other elements may exist in the middle. It should be. On the other hand, when an element is referred to as “directly connected” or “directly connected” to another element, it should be understood that no other element exists in the middle.

Singular expressions include plural expressions unless the context clearly dictates otherwise.

In this specification, terms such as "comprise" or "having" are intended to indicate that there is a feature, number, step, operation, component, part, or combination thereof described in the specification, but one or more other features It should be understood that the presence or addition of numbers, steps, operations, components, parts, or combinations thereof is not precluded.

Also, the term “unit” used in the specification means a software or hardware component, and “unit” performs certain roles. However, "unit" is not meant to be limited to software or hardware. A “unit” may be configured to reside in an addressable storage medium and may be configured to reproduce on one or more processors. Thus, as an example, “unit” can refer to components such as software components, object-oriented software components, class components and task components, processes, functions, properties, procedures, subroutines, segments of program code, drivers, firmware, microcode, circuitry, data, databases, data structures, tables, arrays and variables. Functionality provided within components and "parts" may be combined into fewer components and "parts" or further separated into additional components and "parts".

Also, according to one embodiment of the present specification, "unit" may be implemented as a processor and a memory. The term “processor” should be interpreted broadly to include general-purpose processors, central processing units (CPUs), microprocessors, digital signal processors (DSPs), controllers, microcontrollers, state machines, and the like. In some circumstances, “processor” may refer to an application specific integrated circuit (ASIC), programmable logic device (PLD), field programmable gate array (FPGA), or the like. The term "processor" refers to a combination of processing devices, such as, for example, a combination of a DSP and a microprocessor, a combination of a plurality of microprocessors, a combination of one or more microprocessors in conjunction with a DSP core, or any other such configuration. may also refer to

The term “memory” should be interpreted broadly to include any electronic component capable of storing electronic information. The term memory includes random access memory (RAM), read-only memory (ROM), non-volatile random access memory (NVRAM), programmable read-only memory (PROM), erasable-programmable read-only memory (EPROM), electrical may refer to various types of processor-readable media, such as erasable PROM (EEPROM), flash memory, magnetic or optical data storage, registers, and the like. A memory is said to be in electronic communication with the processor if the processor can read information from and/or write information to the memory. Memory integrated with the processor is in electronic communication with the processor.

As used herein, a "non-executable file" is a concept opposite to an executable file or an executable file, and means a file that is not itself executed. For example, the non-executable file may be a PDF file, a Korean file, a document file such as a word file, an image file such as a JPG file, a video file, a JavaScript file, and an HTML file, but is not limited thereto.

Hereinafter, with reference to the accompanying drawings, embodiments will be described in detail so that those skilled in the art can easily carry out the embodiments. In addition, in order to clearly describe the present disclosure in the drawings, parts irrelevant to the description may be omitted.

1 is a block diagram for explaining an electronic device related to the present specification.

The electronic device 100 includes a wireless communication unit 110, an input unit 120, a sensing unit 140, an output unit 150, an interface unit 160, a memory 170, a control unit 180, and a power supply unit 190. ) and the like. The components shown in FIG. 1 are not essential to implement an electronic device, so an electronic device described in this specification may have more or fewer components than those listed above.

More specifically, among the components, the wireless communication unit 110 is between the electronic device 100 and the wireless communication system, between the electronic device 100 and other electronic devices 100, or between the electronic device 100 and an external server. It may include one or more modules enabling wireless communication between Also, the wireless communication unit 110 may include one or more modules that connect the electronic device 100 to one or more networks.

The wireless communication unit 110 may include at least one of a broadcast reception module 111, a mobile communication module 112, a wireless Internet module 113, a short-distance communication module 114, and a location information module 115. .

The input unit 120 includes a camera 121 or video input unit for inputting a video signal, a microphone 122 for inputting an audio signal, or a user input unit 123 for receiving information from a user, for example , a touch key, a push key (mechanical key, etc.). Voice data or image data collected by the input unit 120 may be analyzed and processed as a user's control command.

The sensing unit 140 may include one or more sensors for sensing at least one of information within the electronic device, environmental information surrounding the electronic device, and user information. For example, the sensing unit 140 may include a proximity sensor 141, an illumination sensor 142, a touch sensor, an acceleration sensor, a magnetic sensor, and gravity. Sensor (G-sensor), gyroscope sensor (gyroscope sensor), motion sensor (motion sensor), RGB sensor, infrared sensor (IR sensor), finger scan sensor, ultrasonic sensor , optical sensor (e.g. camera (see 121)), microphone (see 122), battery gauge, environmental sensor (e.g. barometer, soil hygrometer, thermometer, radiation detection sensor) , a heat sensor, a gas sensor, etc.), and a chemical sensor (eg, an electronic nose, a health care sensor, a biometric sensor, etc.). Meanwhile, the electronic device disclosed in this specification may combine and utilize information sensed by at least two or more of these sensors.

The output unit 150 is for generating an output related to sight, hearing, or touch, and includes at least one of a display unit 151, a sound output unit 152, a haptic module 153, and an optical output unit 154. can do. The display unit 151 may implement a touch screen by forming a mutual layer structure or integrally with the touch sensor. Such a touch screen may function as a user input unit 123 providing an input interface between the electronic device 100 and the user and provide an output interface between the electronic device 100 and the user.

The interface unit 160 serves as a passage for various types of external devices connected to the electronic device 100 . The interface unit 160 connects a device equipped with a wired/wireless headset port, an external charger port, a wired/wireless data port, a memory card port, and an identification module. It may include at least one of a port, an audio input/output (I/O) port, a video input/output (I/O) port, and an earphone port. In response to the external device being connected to the interface unit 160, the electronic device 100 may perform appropriate control related to the connected external device.

Also, the memory 170 stores data supporting various functions of the electronic device 100 . The memory 170 may store a plurality of application programs (application programs or applications) running in the electronic device 100 , data for operating the electronic device 100 , and commands. At least some of these application programs may be downloaded from an external server through wireless communication. In addition, at least some of these application programs may exist on the electronic device 100 from the time of shipment for basic functions of the electronic device 100 (eg, incoming and outgoing calls, outgoing functions, message receiving, and outgoing functions). Meanwhile, the application program may be stored in the memory 170, installed on the electronic device 100, and driven by the control unit 180 to perform an operation (or function) of the electronic device.

The controller 180 controls general operations of the electronic device 100 in addition to operations related to the application program. The control unit 180 may provide or process appropriate information or functions to the user by processing signals, data, information, etc. input or output through the components described above or by running an application program stored in the memory 170.

In addition, the controller 180 may control at least some of the components discussed in conjunction with FIG. 1 in order to drive an application program stored in the memory 170 . Furthermore, the controller 180 may combine and operate at least two or more of the components included in the electronic device 100 to drive the application program.

The power supply unit 190 receives external power and internal power under the control of the controller 180 and supplies power to each component included in the electronic device 100 . The power supply unit 190 includes a battery, and the battery may be a built-in battery or a replaceable battery.

At least some of the components may operate in cooperation with each other in order to implement an operation, control, or control method of an electronic device according to various embodiments described below. Also, the operation, control, or control method of the electronic device may be implemented on the electronic device by driving at least one application program stored in the memory 170 .

In this specification, the server (or cloud server) or client may include the electronic device 100, and the electronic device 100 may be collectively referred to as a terminal.

The terminal may communicate with an external server (or cloud server) or a client through a network connection.

2 is a diagram showing a server or client related to the present specification.

In this specification, a server (or cloud server) or a client may include a control unit 200 and a communication unit 230. The control unit 200 may include a processor 210 and a memory 220. The processor 210 may execute instructions stored in the memory 220 . The processor 210 may control the communication unit 230 . The memory 220 may include cache memory. The cache memory may temporarily store an original document to be described later for a certain period of time.

The processor 210 may control the operation of the server or client based on instructions stored in the memory 220 . A server or client may include one processor or may include a plurality of processors. When the server or the client includes a plurality of processors, at least some of the plurality of processors may be located at physically separated distances. In addition, the server or client may be implemented in various known ways without being limited thereto.

The communication unit 230 may include one or more modules enabling wireless communication between a server or client and a wireless communication system, between a server or client and another server or client, or between a server or client and an external server (terminal). there is. Also, the communication unit 210 may include one or more modules that connect a server or a client to one or more networks.

The controller 200 may control at least some of the components of the server or client in order to drive the application program stored in the memory 220 . Furthermore, the control unit 200 may combine and operate at least two or more of the components included in the server or client to drive the application program.

In this specification, the server may include a reversing engine or/and a CDR engine providing CDR services.

Reversing Engine

A reversing engine is an analysis/diagnostic engine that automates the reverse engineering (reversing) process for non-executable files. This is called reverse engineering, and through this, the server can learn about the principles and structure of software without source code by entering the assembly stage, which is a language that computers can execute. Using this, the server can know the structure of general software (for example, msoffice, pdf), malicious code behavior, and how to exploit vulnerabilities.

For example, the reversing engine may perform the following steps.

1. File analysis: As a step of analyzing the appearance of the non-executable file itself (eg, attribute, author, date of creation, file type), similar to general vaccine programs, maliciousness can be diagnosed only with the information of the non-executable file itself. can

2.Static analysis: This is a step of extracting and analyzing data in non-executable files to determine whether they are normal or malicious. Non-executable files are not executed, and internal data is extracted according to the file structure and analyzed for comparison to diagnose maliciousness. there is. This may be suitable for macros, URL extraction analysis, and the like.

3.Dynamic analysis: This is a step of analyzing behaviors while executing and monitoring non-executable files to determine whether they are malicious. It is easy to detect malicious behaviors using normal functions such as macros, hyperlinks, and DDE.

4. Debugging analysis: This is a step of analyzing vulnerabilities and exploits by executing and debugging non-executable files. Detecting vulnerabilities of applications using text, tables, fonts, pictures, etc. in documents, including macros, hyperlinks, and DDE suitable for doing

The reversing engine may include a debugging engine that may be used for debugging analysis. The debugging engine can diagnose vulnerabilities occurring in document input, processing, and output stages by using the debugging mode for the process of reading non-executable files. Vulnerability here refers to the use of errors and bugs that occur when an application program receives an unexpected value from the code (logic) developed by the application developer. Malicious document behavior such as remote code execution can be executed.

A debugging engine may include a debugger. A debugger is a tool for reverse engineering and can mean a program or process capable of breaking points in other target programs at the assembly level.

Content Disarm and Reconstruction (CDR)

The CDR service is a solution that disassembles non-executable files, removes malicious or unnecessary files, and creates new files by making the contents the same as the original as much as possible.

In other words, Contents Disarm and Reconstruction (CDR) means a service that disarms and reconstructs the contents in a document to create a safe document and provides it to customers. For example, Word, Excel, PowerPoint, Hangul, PDF) may be targeted, and the harmless target content may be active content (eg, macro, hyperlink, OLE object, etc.).

3 is an example of an abnormal input that can be applied to this specification.

Referring to FIG. 3, when an application program receives an abnormal value (for example, when the input value exceeds the normal range of 2) through a non-executable file, the application program is changed into an execution flow unintended by the developer and is vulnerable. this can work. The debugging engine automatically debugs the document browsing process, sets a breakpoint at a specific point related to the vulnerability, checks a specific value related to the input value, determines whether the input value is a value that causes a vulnerability, and diagnoses whether the input value is malicious.

More specifically, the debugging engine can start debugging by identifying non-executable files and running an application to view them. When a module related to a document behavior is loaded while viewing a non-executable file, the debugging engine checks whether the module is an analysis target module, and if it is an analysis target, it can set a breakpoint at a designated address.

For example, a malicious non-executable file may have branching points at which an application program is terminated or branched into a flow in which no malicious activity occurs unless a specific condition such as an application version or an operating system environment is satisfied. The server can set a breakpoint at a divergence point that has been previously analyzed by an analyst and has this possibility.

In addition, the server may set conditions associated with a corresponding branching point to continuously execute the application program without terminating or lead to a flow in which a malicious action may occur.

If the process stops at the corresponding breakpoint while the process of the application program is running, the server may perform a step of detecting whether or not there is a vulnerability according to the detection logic and then storing the result in an analysis report.

The automated reversing engine included in the server can analyze and diagnose malicious non-executable files through a diagnosis algorithm researched and developed by an analyst by automatically performing and analyzing the above steps.

4 illustrates a method for determining a document behavior to which this specification can be applied.

Referring to FIG. 4 , the server may include non-executable files and application programs (eg, MSOFFICE, Hancom Office, etc.) for executing non-executable files.

The server executes the process of the application program in debugging mode (S4010). For example, the server may execute a document process for opening a non-executable file to be analyzed by an application program in a debugging mode (DEBUG_ONLY_THIS_PROCESS) using the CreateProcess API. Through this, the server can receive the debug event of the application program process.

In more detail, the server can execute the application process by passing the “DEBUG_ONLY_THIS_PROCESS” flag using the CreateProcess API.

Based on the process of the application program, the server sets a first breakpoint at a point matching the document behavior (S4020). For example, the server can set a breakpoint by changing the OP (operating) code related to the process of the application program loaded into memory to “0xCC”. The OP code means an instruction code and may be a code in which work contents to be actually performed by the CPU are prepared. To do this, the server can change the memory using WriteProcessMemory.

In the server, information about a document act and a point where the document act is matched may be set in advance. For example, the server can set breakpoints using the WriteProcessMemory API according to the predefined behavior matching Break Point Table.

The server checks whether the non-executable file is being executed (S4030). More specifically, after setting a break point, the server checks whether other non-executable files requested for analysis are being read. Depending on the functions required by the non-executable file, the application process loads the necessary modules into the memory, so the application program has a state in which other non-executable files are not read in order to secure the reliability of determining the document behavior of the target non-executable file. should be For example, if a malicious non-executable file is read, the reliability of the document behavior determination result may be lowered.

Based on the fact that the non-executable file is not being executed, the server executes the non-executable file to be analyzed (S4040). In more detail, the server reads the non-executable file requested by the user for analysis using an application program process (eg, EXCEL, WORD, PPT, etc.) suitable for the format. For example, the server can browse the sample.ppt file using MS Power Point. Alternatively, the server may directly execute the file to be analyzed without checking whether the non-executable file is running.

The server determines whether a new module related to the non-executable file to be analyzed is loaded on the memory (S4050). When the non-executable file to be analyzed is executed by the application program process, the server checks whether a new module is loaded.

For example, the server may receive a debugging event when a debugging event occurs in an application program process using a debugging mode. The server can determine a new module (eg, DLL memory loading) when a LOAD DLL event occurs using the corresponding event. More specifically, the server may determine that a new module has been uploaded when a “LOAD_DLL_DEBUG_EVENT” event occurs.

For example, the server may newly load a module suitable for an application program process function into memory in order to use a function (for example, a macro, an ActiveX function, etc.) required in a non-executable file to be analyzed.

Based on the load of the new module, the server sets a second breakpoint at a point matching the document action (S4060). If it is not determined that the new module is loaded, the server does not set a second breakpoint.

The server monitors whether the application process is stopped at the first breakpoint and/or the second breakpoint (S4070). For example, the server can check whether the application process is stopped at the breakpoint and control of the process is transferred to the debugger. The debugger that has taken over control can check at which breakpoint it was interrupted.

Based on the monitoring result, the server generates document action information matching the first breakpoint and/or the second breakpoint (S4080). For example, the server can check the address value of the breakpoint. Thereafter, the server may generate and store information on a document activity matched with an address value of a breakpoint based on information about a corresponding document activity and a point where the corresponding document activity is matched.

Table 1 below is an example of the document behavior matched with the stored address value of the breakpoint.

The server determines whether the reading of the non-executable file to be analyzed is terminated (S4090). For example, the server may determine whether the viewing of the non-executable file to be analyzed is terminated in a manner such as when a preset time has elapsed or a message box (Alert) or a break point has not been passed for a certain period of time.

If the browsing is not terminated, the server continuously monitors whether the process of the application program is stopped at the breakpoint. Through this, the server can wait for the document action to fully manifest.

Thereafter, the server may transmit the stored document behavior information to the terminal. To this end, the terminal may include a management program capable of communicating with the server and controlling the operation of the server. The terminal may provide document action information to the user through the management application program.

Existing APT solutions extract document behavior based on sandbox changes after document behavior is manifested. This increases the analysis time because the sandbox has to wait until the document behavior is manifested. Also, since the last part is finally checked (eg, after sandbox change), the analysis speed in this specification is slower.

In addition, the server of the present specification may start analysis from the time when the application process is executed in the stage before the change of the sandbox.

In addition, since changes in document behavior are checked from the assembly level (eg, CPU instruction processing stage), the analysis speed (behavior extraction) is faster than that of existing APT solutions.

In addition, the existing APT solution waits until the document action appears, so it is difficult to know the end point. However, in this specification, since the server can roughly determine the end point of a document action, it is possible to analyze quickly.

In addition, in this specification, the server can accurately grasp the function used by the application program process corresponding to the document action.

5 is a block diagram of an AI device according to an embodiment of the present specification.

Referring to FIG. 5 , the AI device 20 may include an electronic device including an AI module capable of performing AI processing or a server including the AI module. In addition, the AI device 20 may be included in at least a part of the electronic device 100 shown in FIG. 1 to perform at least a part of AI processing together.

The AI device 20 may include an AI processor 21, a memory 25 and/or a communication unit 27.

The AI device 20 is a computing device capable of learning an artificial intelligence model, and may be implemented in various electronic devices such as a server, a desktop PC, a notebook PC, and a tablet PC.

The AI processor 21 may learn an artificial intelligence model using a program stored in the memory 25 . In particular, the AI processor 21 can create an artificial intelligence model for detecting malicious documents on the memory 25, and will train this artificial intelligence model using data that can be collected through a reversing engine. can

For example, AI models can be created using DecisionTree-based ensemble models such as XGBoost. In more detail, since the method by which malware analysts create policies (e.g., signatures, behavior detection patterns) to detect malicious codes is similar to DecisionTree, the artificial intelligence model in this specification is more effective when using DecisionTree-based ensemble models. High performance can be expected.

6 is an example of a machine learning modeling method according to an embodiment of the present specification.

Referring to FIG. 6 , the server may collect and pre-process sample data for learning the artificial intelligence model to perform learning of the artificial intelligence model.

Since malicious document files produced in large quantities have similar patterns, the server can effectively detect malicious document files by using an artificial intelligence model that has learned the behavior patterns of these data characteristics and malicious document files.

The server collects sample data for learning (S6010). For example, the server may collect sample data from users or networks. Sample data includes non-executable files.

The server removes redundant data based on the sample data and performs labeling (S6020). For example, the server may analyze information of the sample data, remove redundant data, and label whether the data is malicious or normal.

The server classifies the sample data (S6030). For example, sample data may be classified according to file types. In more detail, the server may classify sample data into CFB type (eg DOC, XLS, PPT), OOXML type (eg DOCX, XLSX, PPTX), PDF type or HWP type.

The server extracts static features and/or dynamic features based on the classified sample data (S6040). For example, the server may extract static features and/or dynamic features necessary for learning for each file type. More specifically, the static feature is information that can be analyzed and extracted by the server without executing the non-executable file, and the dynamic feature may mean information that the server extracts through a debugging engine.

Table 2 illustrates static features in PDF type documents.

classification item explanation Metadata Document general information - Extracting general information from documents.
- Malicious documents contain abnormal values
ex) Editor name, author name, number of document revisions, total document editing time, etc. Body document body - Extraction of information that can be obtained from the body of the document. - Malicious documents often have a more monotonous structure than normal documents.
ex) Number of document pages, number of paragraphs, number of characters, number of included images, etc. Structure PDF Keywords - Use the number of occurrences of the identified Pdf Keyword ex) obj, endobj, stream, endstream, /Page, /Encrypt, /ObjStm, /JS, /JavaScript, /AA, /OpenAction, /AcroForm, etc. auto run Open Action & Automatic Annotation - A function to set a specific action to be performed when viewing a document. - An attacker can use this function to perform malicious actions in conjunction with JavaScript when viewing documents.
ex) Whether OpenAction, Automatic Annotation are included & number Scripts JavaScript - An attacker can inject JavaScript into a document and cause the attacker to perform desired actions. ex) Whether or not JavaScript is included Suspicious Object Embedded File - PDF can insert various objects such as images and links through the embed function
- Attackers can insert malicious content here.
ex) Number of embedded files

Table 3 exemplifies static features in Office type documents.

classification item explanation Metadata Document general information - Extracting general information from documents.
- Malicious documents contain abnormal values
ex) Editor name, author name, whether the document is encrypted, number of document revisions, total editing time of the document, number of document pages, etc. Body document body - Extraction of information that can be obtained from the document body.
- Malicious documents often have a more monotonous structure than normal documents
ex) Number of document pages, number of paragraphs, number of characters, number of included images, etc. Structure Storage & Stream - Documents in Ole format are composed of Storage and Stream, whose structure is similar to the concept of folders and files. Macro VBA Macro - When a user reads a document or performs a specific action after reading the document, a macro designed to perform the desired action by the attacker can be inserted into the document to perform malicious actions.
- By extracting the inserted VBA macro, the existence and type of specific keywords frequently used in malicious behavior are used.
ex) AutoExec, Hex String, IP address, URLs, executable filenames, email addresses External Links DDE - DDE (Dynamic Data Exchange) is a function for sharing data between Windows applications and is used to import data from external sources.
- An attacker can use this function to connect to a malicious code distribution site and distribute malicious code.
ex) DDE link insertion Suspicious Object SWF - It can be used for attacks by inserting malicious code as a flash file for animation, or inserting a malicious code distribution site. ex) Whether or not a SWF file is included, whether a SWF file in an incorrect format is included

Table 4 illustrates dynamic features that can be applied to each type of document.

classification item explanation external connection linkURL - The URL address of the server to which you try to connect when viewing documents Linkinfo - Automatic connection type information when viewing documents
- Malicious code can be downloaded using the connection function
ex) AttachedTemplate, Frame, LinkedObject macro Obj - Class information instantiated by macro
- Utilize object information mainly used by malicious macros to learn features
ex) wscript.shell, msxml2.xmlhttp, etc. ObjRun - Utilize as a feature whether macros that can be used maliciously in instantiated classes are executed
ex) run, open, exec, etc. ExecuteMacro - Information indicating that the macro has been executed execution information ProcInfo - Use sub-process generation information as a learning feature when reading document files
- A malicious document file can create a malicious executable file as a sub-process
ex) Process name, process argument value, execution path, etc.

Similar to the above example, the server may set static/dynamic characteristics for each type of document. The server pre-processes static and/or dynamic characteristics (S6050). For example, the server may preprocess static features and/or dynamic features into a form that the AI model can understand.

The server trains the artificial intelligence model using the preprocessed static features and/or dynamic features (S6060).

7 is an example of dynamic feature extraction to which the present specification can be applied.

Referring to FIG. 7 , a method of extracting dynamic features through the debugging engine of S6040 is exemplified in more detail. This may be performed concurrently with or separately from the document behavior determination method described in FIG. 4 .

The server sets breakpoints for extracting dynamic features from sample data through the debugging engine (S7010). For example, information about a point matching a dynamic feature may be previously set in the server according to the type of corresponding sample data. More specifically, the server can set breakpoints using the WriteProcessMemory API according to the predefined dynamic feature matching Breakpoint Table.

The server executes the sample data and monitors whether the process of the application program related to the sample data is stopped at the breakpoint (S7020).

If the process is not interrupted, the server determines whether a new module related to the sample data is loaded (S7030). For example, the server may determine that a new module has been uploaded when a “LOAD_DLL_DEBUG_EVENT” event occurs. When a new module is loaded, the server may set a break point for the new module and monitor whether a process of an application program related to the new module is stopped.

When the process is stopped, the server extracts dynamic features (S7040).

For example, the server may extract, record and aggregate dynamic feature data based on breakpoints. The server may extract dynamic data by repeating the above-described operation at other breakpoints of the sample data.

More specifically, if the breakpoint is to extract dynamic characteristics related to macro auto-execution, the server can check the EAX register when the process is halted. Thereafter, the server checks the data of the memory pointed to by the EAX register, and if the “Auto_Open” keyword is confirmed, the macro auto-execution feature data can be extracted and recorded. It goes without saying that for other dynamic features, they can be similarly extracted.

In the present specification, the server may increase the detection rate of document-type malicious code by using the learned artificial intelligence model. In addition, while the reversing engine is analyzing, it is possible to expect an increase in the detection rate of document-type malware by obtaining static feature results and combining the results of two discrimination models (eg, a reversing engine and a static feature model). .

In addition, mass-produced malicious codes using normal functions of documents (eg, macros, remote data connections, etc.) can be detected using an artificial intelligence model, thereby maximizing the detection rate.

The above specification can be implemented as computer readable code on a medium on which a program is recorded. A computer-readable medium includes all types of recording devices in which data that can be read by a computer system is stored. Examples of computer-readable media include Hard Disk Drive (HDD), Solid State Disk (SSD), Silicon Disk Drive (SDD), ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage device, etc. , and also includes those implemented in the form of a carrier wave (eg, transmission over the Internet). Accordingly, the above detailed description should not be construed as limiting in all respects and should be considered illustrative. The scope of this specification should be determined by reasonable interpretation of the appended claims, and all changes within the equivalent scope of this specification are included in the scope of this specification.

In addition, although services and embodiments have been described above, this is only an example and does not limit the present specification, and those skilled in the art to which this specification belongs will not deviate from the essential characteristics of the present service and embodiments. It will be appreciated that various modifications and applications not exemplified above are possible. For example, each component specifically shown in the embodiments can be modified and implemented. And differences related to these modifications and applications should be construed as being included in the scope of the present specification as defined in the appended claims.

Claims (7)

In the method for machine learning modeling for a server to detect a malicious document file,
collecting sample data for learning an artificial intelligence model for detecting the malicious document file;
classifying the sample data according to a file type, wherein the file type includes a CFB type, an OOXML type, a PDF type, and an HWP type;
extracting dynamic features and static features of the sample data based on the classified sample data; and
learning the artificial intelligence model using the dynamic feature and the static feature;
including,
The dynamic feature is
As information extracted through a debugging engine, 1) features related to external links when the malicious document file is executed, 2) features related to automatic execution of macros, and 3) execution of the malicious document file contains characteristics related to the child process being created,
The static feature is
1) When the file type is the PDF type: (1) features related to PDF keywords, (2) features related to Open Action & Automatic Annotation, and (3) features related to embedded files,
2) When the file type is the CFB type, the OOXML type, or the HWP type: (1) Features related to Storage & Stream, (2) Features related to the macro, (3) Features related to DDE, and (4) including features related to SWF;
modeling method.
delete delete According to claim 1,
The step of extracting the dynamic feature is
setting a first breakpoint for extracting the dynamic feature in the sample data;
executing the sample data and first monitoring whether a process of an application program related to the sample data is stopped at the breakpoint; and
based on the stopping of the process, extracting the dynamic feature;
Including, modeling method.
According to claim 4,
The step of extracting the dynamic feature is
judging whether a new module related to the sample data has been loaded based on the fact that the process is not interrupted;
setting a second breakpoint for extracting the dynamic feature according to the load of the new module;
second monitoring whether the process of the application program is stopped at the second breakpoint; and
extracting the dynamic feature based on 1) a result of the first monitoring or 2) a result of the second monitoring;
Further comprising a, modeling method.
delete In a server that performs machine learning modeling for detecting a malicious document file,
communications department;
memory containing a debugging engine; and
a processor functionally controlling the communication unit and the memory; including,
The processor
Sample data for learning the artificial intelligence model for detecting the malicious document file is collected, and the sample data is classified based on the file type, and the file type is a CFB type, an OOXML type, a PDF type, and a HWP type. Including, extracting dynamic and static features of the sample data based on the classified sample data, and learning the artificial intelligence model using the dynamic and static features;
The dynamic feature is
As information extracted through a debugging engine, 1) features related to external links when the malicious document file is executed, 2) features related to automatic execution of macros, and 3) execution of the malicious document file contains characteristics related to the child process being created,
The static feature is
1) When the file type is the PDF type: (1) features related to PDF keywords, (2) features related to Open Action & Automatic Annotation, and (3) features related to embedded files,
2) When the file type is the CFB type, the OOXML type, or the HWP type: (1) Features related to Storage & Stream, (2) Features related to the macro, (3) Features related to DDE, and (4) A server, including features related to the SWF.

Images