| CPC G06F 21/563 (2013.01) [G06F 16/38 (2019.01)] | 8 Claims |

1. An apparatus for collecting malicious code meta information, the apparatus comprising:
an application programming interface (API) key setting unit configured to register as a member of a collection channel related to malicious code of cyber attacks so as to be issued an API key from the collection channel, and set the API key as an initialization input;
a collection channel access unit configured to, upon the set API key being input by an administrator, access at least one collection channel, for which registration as a member has been made, through the API key;
an execution command interpretation unit configured to, subsequent to accessing the collection channel, upon input of an execution command for collecting meta information related to malicious code by the administrator, interpret the input execution command; and
a meta information management unit configured to receive malicious code feature information provided from the collection channel according to the interpreted execution command, register as a member of at least one collection channel connected to a network so as to be issued an API key to extract meta information, and manage the meta information in a JSON format for each attack group,
wherein the execution command interpretation unit includes:
an input parameter recognition unit configured to, upon indicator of compromise (IOC) information related to the malicious code being input as an input parameter in the execution command, recognize the input parameter;
an IOC list loading unit configured to, when the recognized input parameter is a file format, load IOC list information including a hash value, an internet protocol (IP) value, a domain value, and a uniform resource locator (URL) value preset in the file format;
an input value identification unit configured to identify at least one IOC value selected from the hash value, the IP value, the domain value, and the URL value in the loaded IOC list information loaded in the file format;
a type identification unit configured to, when the recognized input parameter is a single piece of IOC information, identify a type of the single piece of IOC information; and
a request value generation unit configured to generate a request value for each collection channel according to the identified IOC value and the identified type.
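The input handling recited in the execution command interpretation unit (file of IOCs versus a single IOC, type identification, one request value per collection channel), as an added Python example that is not taken from the patent. The channel names, path templates, the refanging step and the accepted hash lengths are assumptions made for illustration.

```python
import ipaddress
import re
from pathlib import Path
from urllib.parse import quote

HASH_LENGTHS = {32, 40, 64}  # assumed: MD5, SHA-1, SHA-256 hex digests
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
# Hypothetical collection channels and path templates (not real services).
CHANNELS = {
    "channel_a": {"hash": "/files/{v}", "ip": "/ip/{v}",
                  "domain": "/domains/{v}", "url": "/urls?u={v}"},
    "channel_b": {"hash": "/lookup?hash={v}", "domain": "/lookup?host={v}"},
}

def refang(value):
    """Undo common defanging so hxxp://bad[.]example parses normally."""
    v = value.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", v, flags=re.I)

def identify_type(value):
    """Type identification: 'hash', 'ip', 'domain', 'url', or None."""
    v = refang(value)
    if len(v) in HASH_LENGTHS and re.fullmatch(r"[0-9a-fA-F]+", v):
        return "hash"
    try:
        ipaddress.ip_address(v)  # accepts IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    if re.match(r"^[a-z][a-z0-9+.-]*://", v, re.I):
        return "url"
    return "domain" if DOMAIN_RE.match(v.lower()) else None

def parse_input(param):
    """Input parameter recognition: an existing file is an IOC list, else one IOC."""
    p = Path(param)
    if p.is_file():
        stripped = (line.strip() for line in p.read_text().splitlines())
        values = [s for s in stripped if s and not s.startswith("#")]
    else:
        values = [param]
    return [(refang(v), identify_type(v)) for v in values]

def build_requests(iocs):
    """Request value generation: one entry per channel supporting the IOC type."""
    return [{"channel": name, "type": kind,
             "path": tpl[kind].format(v=quote(value, safe=""))}
            for value, kind in iocs
            for name, tpl in CHANNELS.items() if kind in tpl]
```

Values that match no type come back as `None` and produce no request, so unrecognized lines in an IOC file are never sent to a channel.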