Title of invention: Method and apparatus for providing analysis service based on behavior in mobile network environment
Abstract: An apparatus and method for providing analysis service based on behavior in a mobile network environment are disclosed. The apparatus includes a control unit configured to control the path of a packet based on predetermined policy information, to block the packet based on a result of an analysis of the packet, or to extract information about the packet and selectively process the extracted information based on the predetermined policy information; a download path and file management engine configured to collect downloaded files corresponding to the URL of the packet, to extract the downloaded files as an app file, and to transfer the extracted app file to a virtual machine; and a virtual machine management engine unit configured to determine whether malware is present in the app file and whether the app file has accessed the resources, and to selectively manage the corresponding app based on a result of the determination.
Publication number: US9537897(B2)   Publication date: 2017.01.03
Application number: US201514793686   Filing date: 2015.07.07
Applicant: WINS CO., LTD.   Inventor: Joo Eun Young
Classification: G06F11/00;H04L29/06;G06F21/53;G06F21/56   Main classification: G06F11/00
Agency: The PL Law Group, PLLC   Agent: The PL Law Group, PLLC
Principal claim: 1. A method of providing analysis service based on behavior in a mobile network environment, the method comprising:
controlling a path of a packet based on predetermined policy information in order to detect malware in the packet loaded from a network interface card (NIC) and then decoded;
blocking the packet based on a result of an analysis of the packet for each engine placed in the path, or extracting information about the packet and selectively processing the extracted information for each engine placed in the path based on the predetermined policy information;
collecting, by a specific engine, downloaded files corresponding to a uniform resource locator (URL) of the packet, extracting the downloaded files as an app file, and transferring the extracted app file to a virtual machine to which virtualized computing resources based on a manycore processor environment have been allocated; and
determining whether malware is present in the app file and whether the app file has accessed the resources by analyzing data and behavior of the app file for each operation system (OS) version of the virtual machine, and selectively managing the corresponding app based on a result of the determination,
wherein controlling the path of the packet based on the predetermined policy information comprises:
  controlling, by a white list engine, a first path of the decoded packet, and determining whether the decoded packet corresponds to a normal file based on an existing normal file list by searching for a download path and files of the decoded packet;
  controlling, by a black list engine, a second path of the packet if, as a result of the determination, it is found that the decoded packet corresponds to the normal file list, searching for a download path and files of the packet, blocking the packet if, as a result of the search, it is found that the packet corresponds to an existing file list, and transferring the packet to a static analysis engine if, as a result of the search, it is found that the packet does not correspond to the existing file list,
the method further comprising:
  checking whether a timeout range has been exceeded if, as a result of the determination, it is determined that the download path and files of the packet are present in the normal file list of the white list engine;
  forwarding the packet along a path to the black list engine, if, as a result of the check, it is found that the timeout range has been exceeded; and
  forwarding the packet along a path to the static analysis engine if, as a result of the check, it is found that the timeout range has not been exceeded,
wherein collecting the downloaded files corresponding to the URL of the packet and extracting the downloaded files as the app file comprises extracting, by a file extraction engine, the app file based on a structure of an attached file from the download URL, buffering the extracted app file in accordance with a size of the app file extracted from the packet, and generating the buffered app file as an app file, and
wherein analyzing the data and behavior of the app file for each OS version of the virtual machine comprises:
  obtaining an event that occurs when the corresponding app accesses resources within a mobile terminal;
  analyzing the behavior of the app file for each OS version with respect to the app file transferred to a job scheduler for each mobile OS version by checking the obtained event; and
  determining whether malicious behavior is present by analyzing the behavior of the app file.
Address: Gyeonggi-Do KR