KR20150119519A - Apparatus and Method for Controlling Permission for an Application Using Reputation Information - Google Patents

Abstract

The present invention relates to an apparatus and a method for controlling rights of an application. A terminal apparatus for blocking a malicious application that generates a large amount of traffic includes a traffic detection module for checking traffic caused by one or more applications installed in the terminal apparatus for a predetermined period of time; A traffic collection module for receiving an average traffic value and a reputation level of the application from a management server; A flatness setting module for setting a flatness for the application; And an application authority control module for restricting communication authority and execution of the application, and a method according to the present invention. According to the present invention, a malicious application capable of generating a mass harmful traffic in a terminal device can be predicted and the authority can be controlled in advance, thereby preventing a mobile terminal from becoming a zombie and attacking a critical server. In addition, there is an advantage that the safety and reliability of use of the mobile terminal can be greatly improved by preventing the occurrence of communication charges and battery consumption due to excessive harmful traffic unknown to the terminal user.

Description

TECHNICAL FIELD The present invention relates to an apparatus and a method for controlling rights of an application using reputation information,

The present invention relates to an apparatus and method for controlling rights of an application, and more particularly, to an apparatus and a method for controlling permission of a malicious application that generates excessive harmful traffic.

The contents described in this section merely provide background information on the embodiment of the present invention and do not constitute the prior art.

As the mobile platform evolves into an open structure, mobile terminals are exposed to various security threats caused by mobile malicious codes and the like. In an open environment, everyone can create and distribute content, which leads to the development and use of various application programs. However, since it is possible to create and distribute applications containing malicious code, security threats are continuously increased there is a problem.

Similar to PCs, mobile terminals can become zombie if they are infected with malicious code, which can cause massive traffic attacks on attack target servers such as DDoS (Distributed Denial of Service). A DoDOS attack refers to an act of overloading in a short period of time by remotely controlling dozens or even millions of PCs and connecting to a specific website at the same time.

Security techniques used to detect cyber attacks include signatures that analyze file specific patterns, heuristics that analyze file properties and attributes, and behavioral analysis of an active process, Behavior-based techniques, and Reputation-based detection techniques using reputation scores.

Signature based detection is the longest used malware detection technique. After collecting samples for each malicious code, it creates a signature for the unique malicious behavior and detects it. Malicious code is classified into virus, Trojan, backdoor and worm depending on malicious activity. Malicious code signature and scanning engine are used to detect malicious code. do. Signature techniques minimize exact detection and misdiagnosis, but it takes a lot of time to update signatures through sample collection and analysis for every malicious code. It is also difficult to cope with new malicious code such as Zero Day Attack, which attacks unknown security flaws. Today, attackers are creating more than 600,000 new variant threats every day, and the majority of these threats are attacking systems in their 20s or less.

Reputation-based security technology is an emerging security detection technique for handling malicious code that has not yet been collected and analyzed. It can be used to find a malicious code detection solution through mutual information exchange in a cloud that provides reliable public wisdom. Technique. Reputation-based security technology uses reputation information of users to check the reliability of undetected files and applications and to detect the risk factors.

In the present invention, a reputation-based security technology that can complement existing security technologies such as signature, heuristic, and behavior-based detection is used to prevent a security threat from malicious code exposure of a mobile terminal, We propose an application control device and method that can resolve constraints of existing technology by checking whether the user can trust and use it when he / she emerges through the reputation of other users.

Korean Patent Publication No. 10-2013-0009094, published on Jan. 23, 2013 (name: smartphone integrated security control system and method)

SUMMARY OF THE INVENTION The present invention has been made in view of the above circumstances, and it is an aspect of the present invention to accomplish the above object, and an object of the present invention is to provide a terminal device in which an authority of a malicious application, A device and a method for preventing damage to a terminal user are proposed.

The problems to be solved by the present invention are not limited to those mentioned above, and another problem to be solved can be clearly understood by those skilled in the art from the following description.

According to an aspect of the present invention, there is provided a terminal device for blocking malicious applications that generate a large amount of traffic, the terminal device comprising: at least one application installed in the terminal device; module; A traffic collection module for receiving an average traffic value and a reputation level of the application from a management server; A flatness setting module for setting a flatness for the application; And an application rights control module for limiting communication rights and execution of the application.

According to another aspect of the present invention, there is provided a management server for blocking a malicious application generating a mass traffic in a terminal device, comprising: a flatness management module for receiving and storing a flatness of an application from one or more terminal devices; A malicious code prediction module for analyzing the received flatness level to predict a malicious application; A terminal state check module for receiving and analyzing the state of the terminal device; And a remote control module for transmitting an isolation command for restricting a communication function of the terminal device when abnormal terminal traffic occurs in the terminal device.

According to another aspect of the present invention, there is provided a method for blocking a malicious application generating a mass traffic in a terminal device, the method comprising: receiving and storing a black list predicted from the management server as a malicious application; Monitoring whether a new application is installed in the terminal device; Determining whether the installed new application is included in the black list; And restricting one of communication authority and execution of the application when the application is included in the black list.

According to another aspect of the present invention, there is provided a method for blocking a malicious application generating a large amount of traffic in a terminal device, the method comprising: periodically detecting traffic caused by an application installed in the terminal device; Receiving the average traffic and reputation of the application from the management server if the triggered traffic is excessive; Comparing the traffic caused by the terminal device with the average traffic; And restricting any one of communication permission and execution of the application when the application is suspected to be malicious code as a result of the comparison and the flatness analysis.

According to another aspect of the present invention, there is provided a computer-readable recording medium recording a program for executing an application authority control method.

According to the apparatus and method for controlling an application of an application of the present invention, it is possible to predict a malicious application capable of generating mass harmful traffic in a terminal device and to control the authority in advance to prevent zombie of a mobile terminal and attack of a critical server .

In addition, there is an effect that the safety and reliability of use of the mobile terminal can be greatly improved by preventing communication charges and battery consumption due to excessive harmful traffic unknown to the terminal user.

The effects obtained in the present invention are not limited to the effects mentioned above, and other effects not mentioned can be clearly understood by those skilled in the art from the following description .

The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of the specification, illustrate embodiments of the invention and, together with the description, serve to explain the technical features of the invention.
1 is a diagram illustrating a schematic configuration of an application rights control system according to an embodiment of the present invention.
2 is a diagram illustrating a configuration of a terminal device according to an embodiment of the present invention.
3 is a diagram illustrating a configuration of a management server according to an embodiment of the present invention.
4 is a diagram illustrating an application rights control method according to an embodiment of the present invention.

Hereinafter, preferred embodiments according to the present invention will be described in detail with reference to the accompanying drawings. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS The following detailed description, together with the accompanying drawings, is intended to illustrate exemplary embodiments of the invention and is not intended to represent the only embodiments in which the invention may be practiced. The following detailed description includes specific details in order to provide a thorough understanding of the present invention. However, those skilled in the art will appreciate that the present invention may be practiced without these specific details.

In some instances, well-known structures and devices may be omitted or may be shown in block diagram form, centering on the core functionality of each structure and device, to avoid obscuring the concepts of the present invention.

Throughout the specification, when an element is referred to as "comprising" or " including ", it is meant that the element does not exclude other elements, do. Also, the terms " part, "" module," and " module ", etc. in the specification mean a unit for processing at least one function or operation and may be implemented by hardware or software or a combination of hardware and software have. Also, the terms " a or ", "one "," the ", and the like are synonyms in the context of describing the invention (particularly in the context of the following claims) May be used in a sense including both singular and plural, unless the context clearly dictates otherwise.

In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear. The following terms are defined in consideration of the functions in the embodiments of the present invention, which may vary depending on the intention of the user, the intention or the custom of the operator. Therefore, the definition should be based on the contents throughout this specification.

Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings.

1 is a diagram illustrating a schematic configuration of an application rights control system according to an embodiment of the present invention.

The terminal device 100 is a device capable of installing and running an application through the communication network 300. For example, the terminal device 100 mainly includes a wireless communication terminal such as a smart phone. However, the terminal device 100 is not limited to a personal computer, a laptop computer, a personal digital assistant, a mainframe computer, a mini computer, and a Web TV, and other devices in which applications are installed and can cause traffic.

An application driven by the terminal device 100 is an individual application program and provides a service through a setting right for a hardware device of the terminal device 100 in an environment connected to the management server 200 via the communication network 300. [

The management server 200 is a device that analyzes the reputation of an application to determine whether the malicious application is malicious or not, and controls the terminal device 100 that is expected to suffer damage due to the malicious application.

The terminal device 100 is connected to the management server 200 via the communication network 300 using any known data communication networking technology.

The communication network 300 refers to a connection means capable of providing a connection between the terminal device 100 and the management server 200. A wide area network (WAN), a local area network (LAN), an intranet, a Code Division Multiple Access (CDMA), a Wideband Code Division Multiple Access (WCDMA) System for Mobile Communications), LTE (Long Term Evolution), or any type of network to be implemented in the future regardless of its name.

Hereinafter, the components of the terminal device 100 will be described in detail with reference to FIG.

2 is a diagram illustrating a configuration of a terminal device according to an embodiment of the present invention.

The traffic detection module 101, the traffic collection module 103, the flatness level setting module 105, the application rights control module 107, the terminal status transmission module 109 and the terminal isolation module 111 are functions Refers to a unit for processing an operation and is usually implemented by a functional unit included in one monitoring agent or a combination of hardware or software or hardware and software, Can be integrated.

The traffic detection module 101 is a module for checking to what extent the application installed in the terminal device 100 generates traffic. It mainly operates in a scheduling format and detects traffic generated by an application during a certain period of time.

The traffic collecting module 103 analyzes the average value of the traffic generated by the application from the management server 200 and the level of the flatness of the application so that the traffic detected by the traffic detection module 101 can be referred to as normal It is a module that receives and displays average value.

Through this method, it is possible to collect information that other terminal users, communities, and security companies continuously provide for applications that are not registered in the black list or whitelist of the terminal device 100, So you can deal with unknown security threats in a cloud sourcing fashion. That is, the module is able to predict the risk by referring to information generated in other terminal apparatuses apart from the traffic generation order in the terminal apparatus 100.

The average traffic and reputation information of the applications collected by the traffic collection module 103 can be targeted to all applications installed in the terminal device 100. Preferably, however, the traffic detected by the traffic detection module 101 It is effective to target the top n applications that have occurred.

The flatness level setting module 105 is a module for setting a flatness level for an application having a possibility of malicious code from a list of applications that have generated a large amount of traffic in a predetermined period detected by the traffic detection module 101 and reporting the flatness level to the management server. For example, an application in which the usage amount of the user of the terminal device 100 is not actually large among the excessive traffic generation applications may set a reputation level that malicious code possibility is dangerous.

The application authority control module 107 is a module for restricting communication authority or execution of the terminal device 100 in order to prevent a danger when an application is suspected of malicious code.

The technical meaning of restricting the communication authority of an application is as follows. An application has permissions that it can execute on its own. For example, if the terminal is an Android operating system, android.permission.ACCESS_FINE_LOCATION (permission for viewing location information), android.permission.WRITE_EXTERNAL_STROAGE (permission for external memory), android.permission.INTERNET ( Internet usage rights), android.permission.RECEIVE_SMS (SMS reception rights). Among them, by deleting the communication related permissions, it is possible to block the excessive traffic caused by malicious code.

Controlling the execution of an application is to block the execution of the application itself irrespective of the restriction of the authority. For example, it is similar to running an exe in a Windows program, but not running itself.

The terminal status transmission module 109 is a module for informing the management server 200 of status information indicating whether the terminal device 100 is operating normally. (Telephone number, international mobile equipment identity (IMEI), Wi-Fi MAC number, etc.) of the terminal device 100. In addition, ). If the terminal device 100 is not in a state of being logged in to the management server 200, the management server 200 must determine which terminal device 100 transmits the information.

The terminal isolation module 111 is a module for controlling the hardware device itself of the terminal device 100 to block the use of communication functions such as mobile communication (LTE, etc.), Wi-Fi, Bluetooth and NFC.

The terminal isolation module 111 controls the hardware irrespective of the privilege of the application, thereby preventing communication functions such as mobile communication, Wi-Fi, Bluetooth, and NFC from being used even if the application has communication authority.

Hereinafter, the components of the management server 200 will be described in detail with reference to FIG.

3 is a diagram illustrating a configuration of a management server according to an embodiment of the present invention.

The flatness management module 201 is a module for collecting and analyzing the flatness level reported from the terminal device 100 and setting the flatness level for each application.

The malicious code prediction module 203 is a module for predicting the malicious code of the application through the flatness degree analyzed by the flatness level management module 201 and blacklisting the applications that are predicted to be malicious.

The remote control module 205 is a module for transmitting an isolated command in a Push format to the terminal isolation module 111 to restrict the communication function of the terminal device 100. The isolation command can be transmitted in the form of a push message, an SMS message, or the like.

The management server 200 transmits the isolation command to the terminal device 100 via the relay server 400 as shown in FIG. 4 according to the format of the isolation command.

The terminal status check module 207 checks the agent status of the terminal device 100 transmitted from the terminal status transmission module 109 and the terminal identification information such as the telephone number, International Mobile Equipment Identity (IMEI), Wi- Is a module for receiving and managing

The flatness level management module 201, the malicious code prediction module 203, the remote control module 205 and the terminal status check module 207 are units for processing one function or operation, Software, and any one or more of the configurations may be physically separated or integrated.

Hereinafter, an application authority control method according to an embodiment of the present invention will be described.

4 is a diagram illustrating an application rights control method according to an embodiment of the present invention.

The traffic detection module 101 detects traffic generated for each of the applications installed in the terminal device 100 at regular intervals (S401).

The traffic collection module 103 requests the management server for an application in which a large amount of traffic is generated as a result of traffic detection by the traffic detection module 101, and receives an average traffic value generated by the application and a reputation level reflecting evaluation of other terminal users (S403).

The average traffic and reputation information of the applications collected by the traffic collection module 103 can be targeted to all applications installed in the terminal device 100. Preferably, however, among the applications detected by the traffic detection module 101, It is efficient to target the top n applications that have occurred as described above.

The flatness level setting module 105 sets the flatness level of the application by referring to the traffic generated by the application, the average traffic, and the flatness level (S405), and transmits the result to the management server (S407).

The management server 200 analyzes the reputation of the application transmitted from the terminal device 100 to predict whether the application is malicious or not, and catalogs the malicious application in a black list (S409). The accuracy of the analysis can be improved by transmitting the flatness degree from the various terminal devices 100 as much as possible.

The predicted black list is transmitted to the terminal device 100 (S411), and the terminal device 100 compares the application with the black list at the time of installation of the new application (S413) The authority of the application is limited (S415).

If the new application to be installed is an application included in the black list, the authority of the application may be limited or may be optionally controlled through the user's confirmation process if necessary.

Steps S417 to S425 are included in the black list. However, in the case where the user arbitrarily allows the communication privilege of the application, it is an optional process to prevent damage due to the unfiltered malicious application.

The terminal status transmission module 109 transmits the status of the airplane program, the identification ID of the terminal device 100, and generated traffic to the management server 200 for achieving the object of the present invention installed in the terminal device 100 (S417). The state value of the terminal may be repeatedly performed in accordance with a predetermined period.

The management server 200 analyzes the status value and the traffic of the received terminal device 100 and if it is determined that the terminal device 100 is infected with malicious code and is generating abnormal traffic in step S419, 400 (S421).

The relay server 400 processes the terminal isolation command in the form of a push message, an SMS message, or the like, and transmits the terminal isolation command to the terminal isolation module 111 (S423). The terminal isolation module 111 receiving the terminal isolation command blocks the use of communication media such as mobile communication (LTE, etc.), Wi-Fi, Bluetooth, NFC, etc. in place of restricting the communication authority for each application (S425).

However, if it is determined in step S405 that the application has a high probability of being suspected of being a malicious application, the terminal 100 may immediately go to step S415 to block the application right or execution.

4, it is described that steps S401 to S425 are sequentially performed. However, this is merely an exemplary description of the technical idea of the present embodiment, and it is obvious to those skilled in the art that the present embodiment It is to be understood that various changes and modifications may be made to the invention without departing from the essential characteristics thereof, that is, by changing the order described in FIG. 4 or by executing one or more of steps S401 to S425 in parallel, But is not limited thereto. For example, the traffic detection step in step S401 and the terminal state delivery step in step S417 are not limited to the illustrated order, but are performed periodically and repeatedly.

Each block of the block diagrams attached hereto and combinations of steps of the flowchart diagrams may be performed by computer program instructions. These computer program instructions may be loaded into a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus so that the instructions, which may be executed by a processor of a computer or other programmable data processing apparatus, And means for performing the functions described in each step are created. These computer program instructions may also be stored in a computer usable or computer readable memory capable of directing a computer or other programmable data processing apparatus to implement the functionality in a particular manner so that the computer usable or computer readable memory It is also possible for the instructions stored in the block diagram to produce a manufacturing item containing instruction means for performing the functions described in each block or flowchart of the block diagram. Computer program instructions may also be stored on a computer or other programmable data processing equipment so that a series of operating steps may be performed on a computer or other programmable data processing equipment to create a computer- It is also possible that the instructions that perform the processing equipment provide the steps for executing the functions described in each block of the block diagram and at each step of the flowchart.

Also, each block or each step may represent a module, segment, or portion of code that includes one or more executable instructions for executing the specified logical function (s). It should also be noted that in some alternative embodiments, the functions mentioned in the blocks or steps may occur out of order. For example, two blocks or steps shown in succession may in fact be performed substantially concurrently, or the blocks or steps may sometimes be performed in reverse order according to the corresponding function.

The foregoing description is merely illustrative of the technical idea of the present invention, and various changes and modifications may be made by those skilled in the art without departing from the essential characteristics of the present invention. Therefore, the embodiments disclosed in the present invention are intended to illustrate rather than limit the scope of the present invention, and the scope of the technical idea of the present invention is not limited by these embodiments. The scope of protection of the present invention should be construed according to the following claims, and all technical ideas within the scope of equivalents thereof should be construed as falling within the scope of the present invention.

According to the apparatus and method for controlling an application of an application of the present invention, it is possible to utilize a malicious application capable of generating a mass harmful traffic in a terminal device as a solution for predicting a permission and to control the authority in advance, It is not only the use of the related technology but also the possibility of commercialization or operation of the applied device as well as the possibility of being practically and practically usable.

100: terminal device 200: management server
300: communication network 400: relay server
101: Traffic detection module 103: Traffic collection module
105: Flatness setting module 107: Application authority control module
109: terminal status transmission module 111: terminal isolation module
201: Flatness management module 203: Malicious code prediction module
205: remote control module 207: terminal status check module

Claims (13)

1. A terminal device for blocking a malicious application generating a large amount of traffic, comprising:
A traffic detection module for checking traffic caused by one or more applications installed in the terminal device for a predetermined period of time;
A traffic collection module for receiving an average traffic value and a reputation level of the application from a management server;
A flatness setting module for setting a flatness for the application; And
An application rights control module for limiting communication rights and execution of the application;
And a terminal device. The method according to claim 1,
A terminal state transmission module for transmitting the state of the terminal device to a management server; And
A terminal isolation module for receiving a terminal isolation command from the management server and deactivating a communication function of the terminal;
The terminal device further comprising: 3. The method of claim 2,
Wherein the state of the terminal apparatus, which is transmitted to the management server,
An operation state of an agent installed in the terminal device, and an identification ID of the terminal. 3. The method of claim 2,
Wherein the traffic detection module detects the traffic and the status transmission of the terminal device is repeatedly performed at predetermined intervals. The method according to claim 1,
Wherein the application authority control module comprises:
Wherein the terminal device determines whether the application corresponds to a black list stored in the terminal device at a time point when the application predicted by the malicious code is installed and limits the communication authority of the application. The method according to claim 1,
Wherein the traffic collection module comprises:
And collects an average traffic value and a flatness level for an application ranked in a traffic occurrence ranking among the applications of the terminal device generating the mass traffic. 1. A management server for blocking a malicious application generating a mass traffic in a terminal device,
A flatness management module for receiving and storing the flatness of the application from one or more terminal devices;
A malicious code prediction module for analyzing the received flatness level to predict a malicious application;
A terminal state check module for receiving and analyzing the state of the terminal device;
A remote control module for transmitting an isolation command for restricting a communication function of the terminal device when abnormal terminal traffic occurs in the terminal device;
And a management server that manages the management server. 8. The method of claim 7,
The malicious code prediction module includes:
Predicts and black lists the malicious code according to a result of the flatness analysis, and transmits the malicious code to the terminal device. A method for blocking a malicious application generating a large amount of traffic in a terminal apparatus,
Receiving and storing a black list predicted from the management server as a malicious application by the terminal device;
Monitoring whether a new application is installed in the terminal device;
Determining whether the installed new application is included in the black list; And
Limiting the communication right and execution of the application when the application is included in the black list;
Wherein the application rights control method comprises: 10. The method of claim 9,
The terminal device periodically transmitting its status and traffic to a management server;
Receiving from the management server an isolation command of the terminal device when it is determined that the state of the terminal device is in a state where abnormal traffic is generated; And
A terminal isolation step of deactivating a communication function of the terminal device according to the isolation command;
Further comprising the steps of: 10. The method of claim 9,
Wherein the blacklist is obtained by analyzing the list of applications received from the at least one terminal device by the management server. A method for blocking a malicious application generating a large amount of traffic in a terminal apparatus,
Periodically detecting traffic caused by an application installed in the terminal device;
Receiving the average traffic and reputation of the application from the management server if the triggered traffic is excessive;
Comparing the traffic caused by the terminal device with the average traffic;
Limiting communication privilege and execution of the application when the application is suspected to be malicious code as a result of the comparison and the flatness analysis;
Wherein the application rights control method comprises: A computer-readable recording medium storing the program for executing the application authority control method according to any one of claims 9 to 12.

Images