Title: Apparatus and method for detecting malicious sites
Abstract: The invention relates to an apparatus for detecting malicious sites, comprising: a monitoring unit for monitoring all processes being executed in a computing apparatus; a hook code insertion unit for inserting a hook code in a process executed in a browser when the execution of the browser is detected by the monitoring unit; a danger level determining unit that, upon the detection of a website movement, uses the hook code to inspect a stack structure of a process implemented according to the website movement and determine whether or not to perform the stack structure inspection, and determines whether or not the website to which the movement has been made is a malicious site; and a database for storing a list of sites determined to be malicious.
Publication number: US8745740(B2) Publication date: 2014.06.03
Application number: US201013505858 Filing date: 2010.11.01
Applicant: AHNLAB., Inc. Inventors: Oh Ju Hyun; Lee Chang Woo; Park Chong Phil
Classification: H04L29/06; G06F21/00; G06F21/52 Main classification: H04L29/06
Agency: Agent:
Main claim: 1. An apparatus for detecting malicious sites, the apparatus comprising: a monitoring unit configured to monitor all processes executed in a computing apparatus; a database for storing the website determined to be malicious in a malicious site list; a hook code insertion unit configured to insert a first hook code at an execution starting point of a process executed by a browser and insert a second hook code at an execution intermediate point of the process executed by the browser; and a danger level determining unit that, upon detection of a website movement, inspects a stack structure of a process created by the website movement using the hook code, checks whether or not the stack structure inspection has been done, and determines whether or not the website to which the movement has been made is a malicious site, wherein the danger level determining unit comprises: a process determining unit configured to perform the inspection of the stack structure of the process created according to the website movement by using the first hook code; and a hook code execution determining unit configured to check whether or not the stack structure inspection using the first hook code has been performed by using the second hook code; check whether or not a certificate exists in a program of the process created according to the website movement by using the first hook code, and if there is no certificate in the program, perform an inspection of the stack structure based on information of the manufacturers of dynamic link library (DLL) files included in the stack of a specific process and information of a unique process of each website and a unique call stack structure in the unique process.
Address: Gyeonggi-Do KR