(19) United States
(12) Patent Application Publication    (10) Pub. No.: US 2019/0180028 A1
     SEO                                (43) Pub. Date: Jun. 13, 2019

(54) SECURITY ENHANCEMENT METHOD AND ELECTRONIC DEVICE THEREFOR

(71) Applicant: Samsung Electronics Co., Ltd., Suwon-si (KR)

(72) Inventor: Jaewoo SEO, Suwon-si (KR)

(21) Appl. No.: 16/211,654

(22) Filed: Dec. 6, 2018

(30) Foreign Application Priority Data

Dec. 7, 2017 (KR) .......... 10-2017-0167588

Publication Classification

(51) Int. Cl.
    G06F 21/51 (2006.01)
    G06F 21/12 (2006.01)
    G06F 21/62 (2006.01)
    G06F 21/53 (2006.01)
    G06F 21/57 (2006.01)
    G06F 8/61 (2006.01)

(52) U.S. Cl.
    CPC ..... G06F 21/51 (2013.01); G06F 21/121 (2013.01); G06F 21/629 (2013.01); G06F 21/53 (2013.01); G06F 2221/2101 (2013.01); G06F 8/62 (2013.01); G06F 2221/033 (2013.01); G06F 2221/2141 (2013.01); G06F 2221/2149 (2013.01); G06F 21/577 (2013.01)

(57) ABSTRACT

An electronic device and method that are robust against attacks on encryption-related vulnerabilities, as detection of an encryption algorithm based on artificial intelligence technology is enabled, are provided. A security enhancement method includes hooking loading of an executable code into a memory, inputting the executable code into an encryption code identification model that is based on an artificial neural network, determining, by the encryption code identification model, whether the loading of the executable code into the memory is allowed, and, when the loading of the executable code is not allowed, blocking the loading of the executable code into the memory.

[Front-page figure: FIG. 1, the system overview (encryption code identification model training device 10, encryption algorithm vulnerability collecting device 20, network 30, encryption code identification model 40, encryption algorithm vulnerability information 42, vulnerable encryption algorithm execution notification 44, user terminals 100a to 100e); see Sheet 1.]

WIZ, Inc. EXHIBIT - 1094
WIZ, Inc. v. Orca Security LTD.
Patent Application Publication    Jun. 13, 2019    Sheet 1 of 18    US 2019/0180028 A1

[FIG. 1 (Sheet 1 of 18): system overview. An encryption code identification model training device (10) supplies the encryption code identification model (40) over the network (30) to user terminals 100a to 100e; an encryption algorithm vulnerability collecting device (20) distributes encryption algorithm vulnerability information (42) to the terminals and receives from them a vulnerable encryption algorithm execution notification (44).]

`

`Patent Application Publication
`
`Jun. 13, 2019 Sheet 2 of 18
`
`US 2019/0180028 Al
`
`FIG. 2A
`
`50
`
`INSTALL?
`
`YES
`
`NO
`
`51
`
`IS ENCRYPTION
`ALGORITHM PROVIDED BY OS
`OR IS ENCRYPTION ALGORITHM
`SELF-PROVIDED
`
`SELF-PROVIDED
`ENCRYPTION
`ALGORITHM IS USED
`
`DETECT: AFTER HOOKING RAM
`LOAD OF EXECUTABLE CODE,
`DETECT WHETHER EXECUTABLE
`CODE INCLUDES ENCRYPTION
`ALGORITHM CODE
`
`-52
`
`USING ENCRYPTION
`ALGORITHM
`PROVIDED BY OS
`
`56- DETECT: DETECT ENCRYPTION
`API INSIDE OS
`
`-53
`
`57-
`
`CASE: APP IS LEGITIMATELY
`INSTALLED, AND ENCRYPTION
`API PROVIDED BY OS IS USED
`
`CASE: ALTHOUGH LEGITIMATELY
`INSTALLED APP, ENCRYPTION
`ALGORITHM CODE IS INCLUDED
`IN EXECUTABLE CODE
`IN LIGHT OF
`SECURITY
`
`54 N
`RESPOND: BLOCK
`ALL SELF-
`PROVIDED
`ENCRYPTION
`ALGORITHMS
`
`IN LIGHT OF
`USABILITY
`/ 55
`RESPOND: BLOCK WHEN
`ALGORITHM DIFFERENT
`FROM ENCRYPTION
`ALGORITHMS DESCRIBED
`IN REQUIRED PERMISSION
`INFORMATION OF APP IS
`USED
`
`58-- RESPOND: BLOCK WHEN
`ALGORITHM DIFFERENT FROM
`(ENCRYPTION ALGORITHMS,
`ACCESSIBLE OBJECTS)
`DESCRIBED IN REQUIRED
`PERMISSION INFORMATION OF
`APP IS USED
`
`

`

`Patent Application Publication
`
`Jun. 13, 2019 Sheet 3 of 18
`
`US 2019/0180028 Al
`
`FIG. 2B
`
`0
`
`59
`
`SELF-PROVIDED
`ENCRYPTION
`ALGORITHM IS USED
`
`IS ENCRYPTION
`ALGORITHM PROVIDED BY OS OR
`SELF-PROVIDED ENCRYPTION
`ALGORITHM?
`
`USING ENCRYPTION
`ALGORITHM
`PROVIDED BY OS
`
`DETECT: AFTER HOOKING RAM
`LOAD OF EXECUTABLE CODE,
`DETECT WHETHER EXECUTABLE
`CODE INCLUDES ENCRYPTION
`ALGORITHM CODE
`
`-60
`
`-61
`
`CASE: APP IS NOT LEGITIMATELY
`INSTALLED, ENCRYPTION
`ALGORITHM CODE IS INCLUDED
`IN EXECUTABLE CODE
`IN LIGHT OF
`SECURITY
`
`62
`RESPOND: BLOCK
`ALL SELF-PROVIDED
`ENCRYPTION
`ALGORITHMS
`
`IN LIGHT OF
`USABILITY
`
`63
`RESPOND: BLOCK
`WHEN NOT ENCRYPTION
`ALGORITHMS DESIGNATED
`AS SAFE
`
`64_1
`
`DETECT: DETECT CALL OF
`ENCRYPTION API INSIDE OS
`
`65
`
`CASE: ALTHOUGH APP IS NOT
`LEGITIMATELY INSTALLED,
`ENCRYPTION API PROVIDED
`BY OS IS USED
`
`66- RESPOND: DETERMINING
`WHETHER ENCRYPTION IS
`ALLOWED THROUGH
`COMPARISON WITH REQUIRED
`PERMISSION INFORMATION OF
`APP IS IMPOSSIBLE, BLOCK
`UNCONDITIONALLY
`
`

`

`Patent Application Publication
`
`813o 17 JamiS 610Z `£i •unf
`
`IV 8Z00810/610Z SR
`
`COLLECTOR
`INFORMATION
`VULNERABILITY
`
`82
`
`MACHINE LEARNING
`ENCRYPTION CODE
`
`MODULE
`
`81
`
`VULNERABILITY
`
`LIST
`
`LIST
`ACCES
`
`79
`
`7
`
`78
`
`LIST MANAGER
`VULNERABILITY
`
`ACCESS LIST
`7
`
`MANAGER
`
`NOTIFICATION
`
`MODULE
`
`7
`
`CONTROLLER
`
`- 76
`
`IDENTIFICATION
`ENCRYPTION CODE
`
`MODEL
`
`t
`
`MEMORY
`
`MODULE
`HOOKING
`
`75
`
`74
`
`INSTALLER
`
`APP#N
`
`APP#1
`
`71
`
`70
`
`70
`
`7O
`
`FIG. 3
`
`

`

`Patent Application Publication
`
`Jun. 13, 2019 Sheet 5 of 18
`
`US 2019/0180028 Al
`
`FIG. 4
`
`101
`
`106
`
`_7 -100
`
`104
`INPUT/OUTPUT
`INTERFACE
`
`103
`
`STORAGE
`
`122b
`
`11
`
`I I
`
`-110
`
`133b
`
`PROCESSOR
`
`OPERATING SYSTEM
`
`SECURITY ENVIRONMENT
`
`MONITORING INSTRUCTION
`
`r
`
`r
`
`L
`
`A
`H107
`
`102
`
`OPERATING SYSTEM
`
`I-122a
`
`134d
`
`CALL
`
`ENCRYPTION API
` [
`I encrypt(crypto-type, object)
`
`1
`
`▪
`I
`I )
`
`4-124
`
`I I
`-I I
`
`1-, 120
`
`▪
`; rq, -122
`
`J 1
`
`j1
`
`L
`
`r
`
`I I
`
` I
`1
`( 1
`I
`
`L
`r
`
`L
`
`SECURITY ENVIRONMENT
`ENCRYPTION CODE
`IDENTIFICATION MODEL
`
`J
`
`MONITORING INSTRUCTION
`
`r
`ACCESS 1132b
`LIST
`I/
`
`VULNERABILITY 11 131b
`LIST
`I I
`▪i t 133b
` J
`134b
`1
`
`PP#1 EXECUTIO CODE
`133d
`
`34c
`
`133c
`136c
`_„
`r-
`SECURITY TEST
`PROCESS
`
`
`APP#3 H
`sr—
`INSTALLER
`
`136d
`
`135b
`L-:X
`136b
`
`1--
`
`L
`
`MEMORY
`
`B
`U
`S
`
`131a
`
`VULNERABILITY LIST
`
`132a1
`
`ACCESS LIST
`
`
`
`—1 133a
`
`ENCRYPTION
`ALGORITHM
`MONITOR
`
` APP#1 EXECUTION CODE
`134a
`
`135a
`
` APP#2 EXECUTION CODE
`
`
`
`
`APP#3 INSTALLER CODE
`
`136a -1
`
`105
`
`NETWORK
`INTERFACE
`
`30
`
`NETWORK
`
`

`

`Patent Application Publication
`
`Jun. 13, 2019 Sheet 6 of 18
`
`US 2019/0180028 Al
`
`FIG. 5
`
`MONITORING INSTRUCTION
`
`- 133b
`
`MEMORY LOAD HOOKING INSTRUCTION
`
`FL— 133b-1
`
`EXECUTABLE CODE FEATURE DATA
`EXTRACTION INSTRUCTION
`
`ENCRYPTION ALGORITHM CLASSIFIER
`INSTRUCTION
`
`ACCESS LIST INQUIRY INSTRUCTION
`
`L_
`r-
`
`I I 133b-2
`
`i
`
`133b-3
`
`_J
`1
`1--r- 133b-4
`
`VULNERABILITY LIST INQUIRY INSTRUCTION h --133b-5
`
`MEMORY LOAD PERMISSION
`DETERMINATION INSTRUCTION
`
`MEMORY LOAD HOOKING RELEASING
`INSTRUCTION
`
`L_ 133b-6
`
`I
`
`133b-7
`
`

`

`Patent Application Publication
`
`Jun. 13, 2019 Sheet 7 of 18
`
`US 2019/0180028 Al
`
`FIG. 6
`
`APP#2
`EXECUTION CODE
`
`[
`
`135a
`
`INPUT
`
`EXECUTABLE CODE FEATURE DATA
`EXTRACTION INSTRUCTION
`[STATIC ANALYSIS + DYNAMIC ANALYSIS]
`
`133b-2
`
`FEATURE DATA
`
`122
`
`133b-3
`
`
`
`ENCRYPTION CODE IDENTIFICATIO N MODEL
`
`ENCRYPTION ALGORITHM
`CLASSIFIER INSTRUCTION
`
`aes-128-cbc
`V
`
`

`

`Patent Application Publication
`
`Jun. 13, 2019 Sheet 8 of 18
`
`US 2019/0180028 Al
`
`FIG. 7
`
`ACCESS LIST
`
`y -132b
`
`APP ID
`
`APP#1
`
`APP#2
`
`APP#3
`
`APP#4
`
`AVAILABLE ENCRYPTION
`ALGORITHM
`
`ACCESSIBLE
`OBJECT
`
`sha-256 I aes-128—cbc
`
`RSA
`
`hmac-128
`
`contacts
`
`photo
`
`file I photo
`
`hmac-128 I sha-256
`
`contacts I file
`
`

`

`Patent Application Publication
`
`81 Jo 6 loollS 610Z `£i 'unt
`
`TV 8Z00810/610Z SR
`
`30
`
`INTERFACE
`NETWORK
`
`APP#2 EXECUTION CODE
`
`105--
`
`135a—
`
` APP#1 EXECUTION CODE
`
`134a
`
`
`
`135b
`
`134b
`
`ALGORITHM MONITOR
`
`ENCRYPTION
`
`133a
`
`ACCESS LIST
`
`132a—I
`
`VULNERABILITY LIST
`
`131' a
`
`MONITORING PROCESSOR
`ENCRYPTION ALGORITHM 122
`
`13313
`
`MEMORY
`
`MODEL
`
`IDENTIFICATIONI
`
`ENCRYPTION
`
`CODE
`
`FAIL
`PASS
`
`r
`r
`INSTRUCTION
`MONITORING
`
`
`
`APP#1 EXECUTION CODE'
`
`134c
`
`VULNERABILITY
`
`LIST
`
`ACCESS
`
`LIST
`
`131b
`
`108
`
`132b
`
`102
`
`—107
`
`STORAGE
`
`INPUT/OUTPUT
`104
`
`INTERFACE
`
`103-
`
`U
`B
`
`.106
`
`1
`
`PROCESSOR
`
`100
`
`FIG. 8
`
`

`

`Patent Application Publication
`
`Jun. 13, 2019 Sheet 10 of 18 US 2019/0180028 Al
`
`FIG. 9A
`
`(START
`
`HOOK MEMORY LOAD OF
`EXECUTABLE CODE
`
`S102
`
`INPUT EXECUTABLE CODE TO ENCRYPTION
`CODE IDENTIFICATION MODEL
`
` S105
`
`ENCRYPTION CODE IDENTIFICATION MODEL
`DETERMINES WHETHER MEMORY LOAD
`OF EXECUTABLE CODE IS ALLOWED
`
`f- -- S107
`
`IS MEMORY LOAD
`ALLOWED?
`
`YES
`RELEASE MEMORY
`LOAD HOOKING
`
`- 5112
`
`NO
`
`S114
`
`S116
`
`BLOCK MEMORY LOAD
`
`S118
`PROVIDE NOTIFICATION
`ABOUT BLOCKING OF
`MEMORY LOAD
`
`

`

`Patent Application Publication
`
`Jun. 13, 2019 Sheet 11 of 18 US 2019/0180028 Al
`
`FIG. 9B
`
`START
`
`DOWNLOAD ENCRYPTION CODE
`IDENTIFICATION MODEL
`
`S100
`
`HOOK MEMORY LOAD OF EXECUTABLE CODE
`
`S102
`
`EXECUTE EXECUTABLE CODE IN
`SECURITY ENVIRONMENT
`
`EXTRACT FEATURE DATA
`
`S 04
`
`06
`
`DETERMINE ENCRYPTION ALGORITHM
`INDICATED BY FEATURE DATA (BY USING.
`ENCRYPTION CODE IDENTIFICATION MODEL)
`
`1-- S 08
`
`DETERMINE WHETHER MEMORY LOAD OF
`EXECUTABLE CODE IS ALLOWED BY USING
`RESULT OF DETERMINATION
`
`10
`
`S112
`
`NO
`
`IS MEMORY LOAD
`ALLOWED?
`
`y S114
`YES
`RETURN FROM MEMORY LOAD
`HOOKING FUNCTION
`
`S116
`
`BLOCK MEMORY LOAD
`
`S118
`PROVIDE NOTIFICATION ABOUT
`BLOCKING OF MEMORY LOAD
`
`

`

`Patent Application Publication
`
`Jun. 13, 2019 Sheet 12 of 18 US 2019/0180028 Al
`
`FIG. 9C
`
`(START)
`
`HOOK MEMORY LOAD OF EXECUTABLE CODE
`
`S102
`
`EXECUTE EXECUTABLE CODE IN
`SECURITY ENVIRONMENT
`
`EXTRACT FEATURE DATA
`
`DETERMINE ENCRYPTION ALGORITHM
`INDICATED BY FEATURE DATA (BY USING
`ENCRYPTION CODE IDENTIFICATION MODEL)
`
` 1---- S104
` F---- S106
`
`S1
`08
`
`DETERMINE WHETHER MEMORY LOAD OF
`EXECUTABLE CODE IS ALLOWED BY USING
`RESULT OF DETERMINATION
`
` -S1
`10
`
`IS MEMORY
`LOAD ALLOWED?
`
`-S112
`
`NO
`
`S114
`YES
`RETURN FROM MEMORY
`LOAD HOOKING FUNCTION
`
`S116
`
`BLOCK MEMORY LOAD
`
`S118
`PROVIDE NOTIFICATION ABOUT
`BLOCKING OF MEMORY LOAD
`
`

`

`Patent Application Publication
`
`Jun. 13, 2019 Sheet 13 of 18 US 2019/0180028 Al
`
`FIG. 10A
`
`START
`
`DOWNLOAD ENCRYPTION CODE
`IDENTIFICATION MODEL
`
`S100
`
`EXECUTE INSTALLER OF APPLICATION
`
`S103
`
`EXECUTE EXECUTABLE CODE IN
`SECURITY ENVIRONMENT
`
`S104
`
`EXTRACT FEATURE DATA
`
`S1 06
`
`DETERMINE ENCRYPTION ALGORITHM
`FEATURE DATA (BY USING ENCRYPTION
`CODE IDENTIFICATION MODEL)
`
`1-- S108
`
`DETERMINE WHETHER EXECUTABLE
`CODE HAS PASSED SECURITY TEST
`BY USING RESULT OF DETERMINATION
`
`HAS
`SECURITY TEST BEEN
`PASSED?
`
`S113
`
`NO
`
`YES
`
`y S119
`
`COMPLETE INSTALLATION
`
`z_S117
`PERFORM PROCESS
`ACCORDING TO FAILURE
`OF SECURITY TEST
`
`

`

`Patent Application Publication
`
`Jun. 13, 2019 Sheet 14 of 18 US 2019/0180028 Al
`
`FIG. 10B
`
`(START)
`
`EXECUTE INSTALLER OF APPLICATION
`
`S103
`
`EXECUTE EXECUTABLE CODE IN
`SECURITY ENVIRONMENT
`
`EXTRACT FEATURE DATA
`
`DETERMINE ENCRYPTION ALGORITHM
`INDICATED BY FEATURE DATA (BY
`USING ENCRYPTION CODE
`IDENTIFICATION MODEL)
`
`DETERMINE WHETHER EXECUTABLE
`CODE HAS PASSED SECURITY TEST BY
`USING RESULT OF DETERMINATION
`
` 1----- S104
`
`S106
`
`S1 08
`
`S110
`
`HAS
`SECURITY TEST BEEN
`PASSED?
`
`S113
`
`NO
`
`YES
`
`S119
`
`COMPLETE INSTALLATION
`
`S117
`PERFORM PROCESS
`ACCORDING TO FAILURE
`OF SECURITY TEST
`
`

`

`Patent Application Publication
`
`Jun. 13, 2019 Sheet 15 of 18 US 2019/0180028 Al
`
`FIG. 11A
`
`(START)
`
`DOWNLOAD ENCRYPTION CODE
`IDENTIFICATION MODEL
`
`SI OO
`
`S101
`
`IT IS TIME TO
`PERFORM PRE-SECURITY
`TEST?
`
`YES
`
`SELECT APP TO BE SUBJECT OF SECURITY TEST
`(FOR EXAMPLE, FOR DAILY TEST, FIRST TYPE APP,
`AND WEEKLY TEST, SECOND TYPE APP)
`
`EXECUTE EXECUTABLE CODE OF APP SELECTED
`AS SUBJECT OF SECURITY TEST, IN SECURITY
`ENVIRONMENT
`
`S102
`
`- S104
`
`EXTRACT FEATURE DATA
`
`- S106
`
`DETERMINE ENCRYPTION ALGORITHM INDICATED
`BY FEATURE DATA (BY USING ENCRYPTION CODE — S108
`IDENTIFICATION MODEL)
`
`DETERMINE WHETHER EXECUTABLE CODE dAS
`PASSED SECURITY TEST BY USING RESULT OF
`DETERMINATION
`
`S110
`
`HAS SECURITY
`TEST BEEN PASSED?
`
`S113
`
`NO
`
`YES
`RECORD TEST
`SUCCESS LOG
`
`r S120
`PERFORM PROCESS ACCORDING
`TO FAILURE OF SECURITY TEST
`
`

`

`Patent Application Publication
`
`Jun. 13, 2019 Sheet 16 of 18 US 2019/0180028 Al
`
`FIG. 11B
`
`(START)
`
`101
`
`IT IS TIME TO
`PERFORM PRE-SECURITY
`TEST?
`
`YES
`
`SELECT APP TO BE SUBJECT OF SECURITY TEST
`(FOR EXAMPLE, FOR DAILY TEST, FIRST TYPE APP,
`AND WEEKLY TEST, SECOND TYPE APP)
`
`EXECUTE EXECUTABLE CODE OF APP SELECTED
`AS SUBJECT OF SECURITY TEST, IN SECURITY
`ENVIRONMENT
`
`S102
`
`6104
`
`EXTRACT FEATURE DATA
`
`- S106
`
`DETERMINE ENCRYPTION ALGORITHM INDICATED
`BY FEATURE DATA (BY USING ENCRYPTION CODE
`IDENTIFICATION MODEL)
`
` S108
`
`DETERMINE WHETHER EXECUTABLE CODE HAS
`PASSED SECURITY TEST BY USING RESULT OF
`DETERMINATION
`
`5110
`
`HAS SECURITY
`TEST BEEN PASSED?
`
`S113
`
`NO
`
`YES
`RECORD TEST
`SUCCESS LOG
`
`512O
`S117
`PERFORM PROCESS ACCORDING
`TO FAILURE OF SECURITY TEST
`
`

`

`Patent Application Publication
`
`IV 8Z00810/610Z Sfl
`
`LOW FREQUENCY
`
`FREQUENCY OF PRETEST
`
`HIGH FREQUENCY
`
`(DATA IMPORTANCE: LOW)
`
`WEB BROWSER
`
`(DATA IMPORTANCE: MIDDLE)
`
`SNS—RELATED APP
`
`)
`send
`set
`
`wo
`
`+
`
`HEALTH-RELATED APP, FINANCE APP
`....
`_)
`
`(DATA IMPORTANCE: HIGH)
`
`CAL
`500
`
`ACJAS
`23456
`
`4
`
`iGoo.. Settings Help
`
`Sign in
`
`Restaurants Coffee Bars More
`
`Q,
`
`Goo..
`
`jWeb\ Images Places News more
`
`0 o
`/139
`
`00 c=
`
`I
`INFORMATION TO SHARE.
`I HAVE SOME IMPORTANT
`
`1
`
`4a
`
`sLIM KEOKJEONG
`
`YES
`J
`
`Z-S,HELLO
`
`LIM KEOKJEONG
`
`0
`
`NVITEDDJNAGNG
`
`GL0
`
`AND
`OKJE NHOO GNIG
`
`LIM KEOKJEONG
`
`2 is
`
`MIGELal M
`
` GROUP CHATTING3 cl, I -
`
`0
`
`Q
`
`0
`
`00
`
`<
`
`(
`
`z138
`
`HIV
`V 116
`
`RI
`1600
`
`km
`0.5
`
`I'D
`

`
`A
`
`I _
`
`I,
`
`.0 ®u iii"
`
`r4' ,
`0 0
`
`137
`
`,
`
`,
`
`00
`
`,
`
`e-
`
`FIG. 12
`
`

`

`Patent Application Publication
`
`Jun. 13, 2019 Sheet 18 of 18 US 2019/0180028 Al
`
`FIG. 13
`
`(START)
`
`OBTAIN (AVAILABLE ENCRYPTION ALGORITHM,
`ACCESSIBLE OBJECT) FROM APPLICATION'S REQUIRED
`PERMISSION INFORMATION WHEN INSTALLING APP
`
`STORE (APP ID, AVAILABLE ENCRYPTION ALGORITHM,
`ACCESSIBLE OBJECT) IN ACCESS LIST
`
`S200
`
`S201
`
`DOWNLOAD VULNERABILITY LIST FROM EXTERNAL
`DEVICE AND STORE VULNERABILITY LIST
`
`I-
`
`- S202
`
`DETECT CALL OF ENCRYPTION API
`
`---- S204
`
`I
`IDENTIFY ENCRYPTION ALGORITHM TYPE, OBJECT TO BE
`ENCRYPTED, ACCORDING TO ID OF APP, API PARAMETER.
`
`DETERMINE IDENTIFIED INFORMATION FROM
`ACCESS LIST TO DETERMINE WHETHER
`(ENCRYPTION ALGORITHM, OBJECT TO BE ENCRYPTED)
`IS WITHIN ACCESS RIGHTS OF APP
`
`S206
`
`S208
`
`S210
`
`NO
`
`WITHIN ACCESS
`RIGHTS?
`
`YES
`CHECK VULNERABILITY LIST FOR
`VULNERABILITY OF ENCRYPTION ALGORITHM
`
`S212
`
`S214
`
`IS THERE
`PROBLEM IN EXECUTION 0
`ENCRYPTION API?
`
`YES
`
`S216
`
`NO
`f.
`EXECUTE CALLED
`ENCRYPTION API NORMALLY
`
`NOTIFY
`
`S220
`z
`BLOCK EXECUTION OF CALLED
`ENCRYPTION API
`
`

`

US 2019/0180028 A1    Jun. 13, 2019

SECURITY ENHANCEMENT METHOD AND ELECTRONIC DEVICE THEREFOR

CROSS-REFERENCE TO RELATED APPLICATION(S)

[0001] This application is based on and claims priority under 35 U.S.C. § 119(a) of a Korean patent application number 10-2017-0167588, filed on Dec. 7, 2017, in the Korean Intellectual Property Office, the disclosure of which is incorporated by reference herein in its entirety.
BACKGROUND

1. Field

[0002] The disclosure relates to an artificial intelligence (AI) system which mimics recognition and judgment of the human brain by using a machine-learning algorithm such as deep learning, and application thereof. More particularly, the disclosure relates to an electronic device that is robust to encryption exploits by enabling detection of an encryption algorithm based on AI technology, and a method thereof. More particularly, the disclosure relates to an electronic device capable of coping with an exploit that exploits encryption vulnerabilities, such as unauthorized data encryption irrespective of a user's intention, or data encryption beyond the rights acquired in relation to encryption, and a method that may be performed using the electronic device.

2. Description of Related Art

[0003] An AI system is a computer system that implements human-level intelligence. In an AI system, unlike existing rule-based smart systems, a machine learns by itself, makes judgments, and becomes more intelligent. The more an AI system is used, the greater the recognition rate and the more accurately a user's preferences are understood, and thus rule-based smart systems of the related art are gradually being replaced with deep-learning-based AI systems.

[0004] AI technology consists of machine learning, such as deep learning, and element technologies utilizing machine learning.

[0005] Machine learning is an algorithm-based technology that classifies and learns the characteristics of input data independently. Element technology is a technology that simulates functions of the human brain such as recognition and judgment by using a machine-learning algorithm such as deep learning, and is divided into fields such as linguistic comprehension, visual comprehension, reasoning/prediction, knowledge representation, and motion control.

[0006] Various fields in which AI technology is applied are as follows. Linguistic comprehension is a technique of recognizing human language and characters and applying and processing the same, and includes natural language processing, machine translation, dialogue systems, query responses, speech recognition/synthesis, and the like. Visual comprehension is a technique of recognizing and processing objects like in the human visual system, and includes object recognition, object tracking, image search, human recognition, scene understanding, spatial understanding, and image enhancement. Inferential prediction is a technique of making logical inferences and predictions by judging information, and includes knowledge/probability-based reasoning, optimization prediction, preference-based planning, and recommendation. Knowledge representation is a technique of automating human experience information into knowledge data and includes knowledge building (data generation/classification) and knowledge management (data utilization). Motion control is a technique of controlling autonomous driving of a vehicle and motion of a robot, and includes motion control (navigation, collision, and traveling), operation control (behavior control), and the like.

[0007] When data is encrypted by a malicious program such as ransomware or malware without permission, it is very difficult to restore the encrypted data. Therefore, it is preferable to block encryption before the malicious program encrypts data.

[0008] According to technology of the related art, a malicious program is identified based on a program identifier such as a signature or a hash value of an executable code, or by analyzing the behavior of the malicious program, and the identified malicious program is removed or its execution is blocked. However, according to technology of the related art, since new malicious programs are constantly emerging, a considerable amount of time and expense is required to quickly and accurately identify new malicious programs. Also, even when a program is determined not to be a malicious program, it is impossible to prevent that program from performing encryption beyond the rights approved for it.

[0009] In order to take action against various patterns of inappropriate data encryption, the aid of artificial intelligence technology that simulates judgment of the human brain is needed. That is, it is necessary to provide a security enhancement technique for enhancing the ability to detect vulnerability exploits related to encryption, based on detection of an encryption algorithm using artificial intelligence technology.

[0010] The above information is presented as background information only to assist with an understanding of the disclosure. No determination has been made, and no assertion is made, as to whether any of the above might be applicable as prior art with regard to the disclosure.

SUMMARY

[0011] Aspects of the disclosure are to address at least the above-mentioned problems and/or disadvantages and to provide at least the advantages described below. Accordingly, an aspect of the disclosure is to provide a security-enhancing electronic device and a security enhancement method that are robust against an encryption-based hacking attack.

[0012] Another aspect of the disclosure is to provide an electronic device and method in which an encryption algorithm executable code included in an executable code of an application is identified, and execution of the application is blocked based on at least one of whether an encryption algorithm executable code is found and a type of the found encryption algorithm.

[0013] Another aspect of the disclosure is to provide an electronic device and method in which loading of an application into a memory is selectively blocked based on a result of identifying an encryption algorithm included in an executable code of the application.
[0014] Another aspect of the disclosure is to provide an electronic device and method in which an application is executed in a security environment blocked from the outside, and an encryption algorithm included in the application is identified based on a result of the execution.
[0015] Another aspect of the disclosure is to provide an electronic device and method, to which artificial intelligence technology is applied, in which an encryption algorithm included in an executable code of an application is identified by using an encryption code identification model obtained by machine learning on feature data extracted from a result of static analysis and dynamic analysis of the executable code of the application.

[0016] Another aspect of the disclosure is to provide an electronic device and method in which whether to allow installation of an application is determined based on a result of identifying an encryption algorithm included in an executable code of the application.

[0017] Another aspect of the disclosure is to provide an electronic device and method in which stability of an encryption function of an application is pretested based on a result of identifying an encryption algorithm included in an executable code of the application.

[0018] Another aspect of the disclosure is to provide an electronic device and method in which an encryption attempt beyond the rights of access approved for an application is detected and prevented.

[0019] Another aspect of the disclosure is to provide an electronic device in which a security environment, in which a test is performed by hooking a memory load of an application, is implemented by using an additional exclusive processor.

[0020] Another aspect of the disclosure is to provide a system in which enhancement of security of a user terminal is induced by updating, in the user terminal, an encryption code identification model obtained by machine learning through feature data about a code of an encryption algorithm and information about vulnerabilities of an encryption algorithm.

[0021] Additional aspects will be set forth in part in the description which follows and, in part, will be apparent from the description, or may be learned by practice of the presented embodiments.

[0022] In accordance with an aspect of the disclosure, a security enhancement method performed using an electronic device is provided. The security enhancement method includes hooking loading of executable code into a memory, inputting the executable code into an encryption code identification model, determining, by using the encryption code identification model, whether the loading of the executable code into the memory is allowed, and, when the loading of the executable code is not allowed, blocking the loading of the executable code into the memory.

[0023] The method further comprises extracting feature data from the executable code and inputting the feature data into the encryption code identification model. The feature data may include a call sequence of a mathematical function or a logical function that is repeatedly called during execution of the executable code. The feature data may include power consumption data related to power consumption of a central processing unit (CPU) during execution of the executable code. The power consumption data includes a number of CPU operation cycles in which the power consumption of the CPU is equal to or greater than a threshold.
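As an added example (not code from the patent), the feature extraction of paragraph [0023] and FIG. 6 in Python: the repeated call sequence of mathematical or logical functions mined from a constructed dynamic call trace, the count of CPU cycles whose power consumption reaches the threshold, and their packing into a numeric vector for the classifier. The set of functions counted as mathematical or logical, the n-gram length, the thresholds, the sample trace and the vector layout are assumptions.

```python
"""Feature extraction for the encryption code identification model.

Added example, not the patent's own code. Builds the two kinds of feature
data the text describes: (1) the call sequence of mathematical or logical
functions that is repeatedly called while the executable code runs, and
(2) the number of CPU operation cycles in which power consumption is at or
above a threshold. The trace and the power samples are constructed; a real
implementation would collect them from the sandbox in which the code runs.
"""
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Assumption: functions counted as "mathematical or logical" for the
# call-sequence feature (the primitives a hand-rolled cipher or hash loops over).
MATH_LOGIC_FUNCS = frozenset(
    {"xor", "and", "or", "not", "rotl", "rotr", "shl", "shr", "add32", "mul", "modexp"}
)
VOCAB = sorted(MATH_LOGIC_FUNCS)  # fixed column order for the feature vector


def repeated_call_sequences(trace: Sequence[str], n: int, min_repeats: int) -> Dict[Tuple[str, ...], int]:
    """Return every n-gram over the math/logic calls in the trace that occurs at
    least min_repeats times, with its count. Non-math calls are skipped so that
    I/O or bookkeeping calls between rounds do not break the repeated pattern."""
    filtered = [f for f in trace if f in MATH_LOGIC_FUNCS]
    grams = Counter(tuple(filtered[i:i + n]) for i in range(len(filtered) - n + 1))
    return {g: c for g, c in grams.items() if c >= min_repeats}


def high_power_cycles(power_samples: Sequence[float], threshold: float) -> int:
    """Number of CPU operation cycles whose power reading is >= threshold."""
    return sum(1 for p in power_samples if p >= threshold)


def extract_feature_data(trace: Sequence[str], power_samples: Sequence[float],
                         power_threshold: float, n: int = 3, min_repeats: int = 4) -> Dict:
    """Combine the dynamic-analysis observations into the model's feature data."""
    seqs = repeated_call_sequences(trace, n, min_repeats)
    if seqs:
        dominant, count = max(seqs.items(), key=lambda kv: kv[1])
    else:
        dominant, count = (), 0
    math_calls = sum(1 for f in trace if f in MATH_LOGIC_FUNCS)
    return {
        "dominant_call_sequence": dominant,           # most repeated math/logic n-gram
        "dominant_repeat_count": count,
        "repeated_sequence_count": len(seqs),
        "math_logic_call_ratio": round(math_calls / len(trace), 3) if trace else 0.0,
        "high_power_cycles": high_power_cycles(power_samples, power_threshold),
    }


def feature_vector(features: Dict) -> List[float]:
    """Numeric vector in the form a neural-network classifier consumes: a bag of
    the functions in the dominant repeated sequence over VOCAB, followed by the
    scalar features. The layout is an assumption for this example."""
    bag = [float(features["dominant_call_sequence"].count(f)) for f in VOCAB]
    return bag + [
        float(features["dominant_repeat_count"]),
        float(features["repeated_sequence_count"]),
        float(features["math_logic_call_ratio"]),
        float(features["high_power_cycles"]),
    ]


# Constructed sample: a round loop (xor, rotl, add32, store) executed 10 times
# between file I/O, as a dynamic trace of a self-provided block cipher would
# show, plus 10 per-cycle power readings in arbitrary units.
SAMPLE_TRACE = ["read_file", "memcpy"] + ["xor", "rotl", "add32", "store"] * 10 + ["write_file"]
SAMPLE_POWER = [0.3, 0.4, 0.9, 1.1, 1.2, 0.5, 1.0, 0.95, 0.2, 1.3]
POWER_THRESHOLD = 0.9
# Constructed contrast: plain file handling with no arithmetic loop.
SAMPLE_TRACE_PLAIN = ["read_file", "parse", "memcpy", "strlen", "write_file"]


def sample_features() -> Dict:
    return extract_feature_data(SAMPLE_TRACE, SAMPLE_POWER, POWER_THRESHOLD)


if __name__ == "__main__":
    f = sample_features()
    print(f)
    print(feature_vector(f))
    print(extract_feature_data(SAMPLE_TRACE_PLAIN, [0.2, 0.3], POWER_THRESHOLD))
```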
[0024] The determining of whether a memory load of the executable code is allowed may include: when output data of the encryption code identification model indicates that encryption code is detected in the executable code, the loading of the executable code is not allowed; and when the output data of the encryption code identification model indicates that encryption code is not detected in the executable code, the loading of the executable code is allowed.

[0025] The security enhancement method may further include, when installing an application including the executable code, obtaining available encryption algorithms from permission information included in an installation package of the application, and matching and storing identification information of the application and the available encryption algorithms in an access list, wherein, when output data of the encryption code identification model identifies an encryption algorithm that is not in the access list, the loading of the executable code is not allowed.

[0026] The security enhancement method may further include receiving vulnerability information of an encryption algorithm from an external device and storing the vulnerability information in a vulnerability list, wherein, when output data of the encryption code identification model identifies a vulnerability in the vulnerability list, the loading of the executable code is not allowed.

[0027] The method may further comprise determining whether to perform the hooking based on at least one of whether the executable code is included in a white list, a frequency of execution of the executable code, or a period of time that has elapsed since an installation or an update of an application that includes the executable code, and determining whether to perform the hooking based on whether there is an installation history of an application including the executable code.

[0028] In accordance with another aspect of the disclosure, a security enhancement method performed using an electronic device is provided. The security enhancement method includes, when installing an application, inputting executable code of the application into an encryption code identification model, determining whether the executable code passes a security test based on output data of the encryption code identification model, and, when the security test fails, performing a designated process on the application. The determining of whether the executable code has passed the security test by using output data of the encryption code identification model may include determining that the executable code failed the security test when an encryption algorithm indicated by output data of the encryption code identification model does not match information about an available encryption algorithm obtained from the application's required permission information included in an installation package of the application.

[0029] In accordance with another aspect of the disclosure, a security enhancement method performed using an electronic device is provided. The security enhancement method includes performing, on a first type of application, a security audit at a first frequency, without user manipulation for executing the first type of application, and performing, on a second type of application, the security audit at a second frequency, without user manipulation for executing the second type of application, wherein the security audit includes inputting executable code of an application to an encryption code identification model and determining whether the executable code has passed a security test based on data output from the encryption code identification model.
[0030] In accordance with another aspect of the disclosure, a security enhancement method performed using an electronic device is provided. The security enhancement method includes obtaining available encryption algorithms and accessible objects from permission information included in an installation package of an application, matching and storing identification information of the application, the available encryption algorithms, and the accessible objects in an access list, detecting an instruction to encrypt an object using an encryption algorithm of an encryption application programming interface (API), the encryption API being provided by an operating system installed on the electronic device, determining, based on the access list, whether the encryption algorithm and the object can access the encryption API based on access rights of an application, and, when the encryption algorithm or the object cannot access the encryption API, blocking the instruction.
[0031] The security enhancement method may further include receiving vulnerability information of an encryption algorithm from an external device, updating a vulnerability list based on the vulnerability information, and determining whether to perform the instruction based on whether the vulnerability list includes a vulnerability to be performed by the instruction.

[0032] The security enhancement method may further include receiving vulnerability information of an encryption algorithm from an external device, updating a vulnerability list based on the vulnerability information, and, when the vulnerability information includes a vulnerability to be performed by the instruction, notifying the external device of execution of the vulnerability of the encryption algorithm. The external device may collect vulnerability information of an encryption algorithm and transmit the information to the electronic device, generate statistical data by collecting execution notifications of the vulnerable encryption algorithm from the electronic device, and transmit the statistical data to a system on the developer's side of an application that uses the vulnerable encryption algorithm.
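As an added example (not the patent's own code), the two enforcement points of the monitor in Python: the memory-load decision taken from the identification model's output under the security and usability policies of FIG. 2A/2B and paragraphs [0024] to [0026], and the FIG. 13 check of an encrypt(crypto-type, object) call against the access list and vulnerability list of paragraphs [0030] to [0032]. The permission-information format, the safe-algorithm set, the vulnerability list contents and the assignment of rows to apps in the FIG. 7 sample are assumptions.

```python
"""Access-list and vulnerability-list enforcement.

Added example, not code from the patent. One object holds the access list
(app ID -> available encryption algorithms, accessible objects) and the
vulnerability list, and answers the two checks the text describes:
check_memory_load() for a hooked load of executable code, given the
algorithm the identification model found in it, and check_api_call() for a
call of the OS encryption API encrypt(crypto-type, object).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass
class Decision:
    allowed: bool
    reason: str
    notify: bool = False  # True when a vulnerable-algorithm execution must be reported


@dataclass
class AccessEntry:
    algorithms: Set[str]
    objects: Set[str]


class EncryptionAlgorithmMonitor:
    # Assumption: algorithms an app without an installation record may still use in
    # usability mode (FIG. 2B: "block when not encryption algorithms designated as safe").
    SAFE_ALGORITHMS = frozenset({"aes-128-cbc", "aes-256-gcm", "sha-256"})

    def __init__(self, strict: bool = False) -> None:
        self.strict = strict  # True = "in light of security": block all self-provided crypto
        self.access_list: Dict[str, AccessEntry] = {}
        self.vulnerability_list: Set[str] = set()
        self.notifications: List[Tuple[str, str]] = []  # (app_id, algorithm) to report

    def register_install(self, app_id: str, permission_info: Dict[str, List[str]]) -> None:
        """Steps S200/S201: build the access-list entry from the installation package's
        required permission information (the dict layout is constructed for this example)."""
        self.access_list[app_id] = AccessEntry(
            {a.lower() for a in permission_info.get("encryption_algorithms", [])},
            {o.lower() for o in permission_info.get("accessible_objects", [])},
        )

    def update_vulnerability_list(self, vulnerable_algorithms: Iterable[str]) -> None:
        """Step S202: vulnerability information received from the external device."""
        self.vulnerability_list.update(a.lower() for a in vulnerable_algorithms)

    def _vulnerable(self, app_id: str, alg: str) -> Optional[Decision]:
        if alg in self.vulnerability_list:
            self.notifications.append((app_id, alg))
            return Decision(False, f"{alg} is in the vulnerability list", notify=True)
        return None

    def check_memory_load(self, app_id: str, identified_algorithm: Optional[str]) -> Decision:
        """Decide whether the hooked memory load may proceed; identified_algorithm is
        the model's output (None means no encryption code was detected)."""
        if identified_algorithm is None:
            return Decision(True, "no encryption code detected")
        alg = identified_algorithm.lower()
        if self.strict:
            return Decision(False, f"self-provided encryption code ({alg}) blocked")
        vulnerable = self._vulnerable(app_id, alg)
        if vulnerable:
            return vulnerable
        entry = self.access_list.get(app_id)
        if entry is None:  # no installation history: FIG. 2B, usability branch
            if alg in self.SAFE_ALGORITHMS:
                return Decision(True, f"{alg} designated as safe")
            return Decision(False, f"{alg} not designated as safe; app has no installation record")
        if alg not in entry.algorithms:
            return Decision(False, f"{alg} not in access list of {app_id}")
        return Decision(True, f"{alg} permitted for {app_id}")

    def check_api_call(self, app_id: str, crypto_type: str, obj: str) -> Decision:
        """FIG. 13 steps S204 to S220: check an encrypt(crypto-type, object) call."""
        alg, obj = crypto_type.lower(), obj.lower()
        entry = self.access_list.get(app_id)
        if entry is None:  # FIG. 2B step 66: comparison impossible, block unconditionally
            return Decision(False, "no access-list entry; blocked unconditionally")
        if alg not in entry.algorithms or obj not in entry.objects:
            return Decision(False, f"({alg}, {obj}) outside access rights of {app_id}")
        vulnerable = self._vulnerable(app_id, alg)
        if vulnerable:
            return vulnerable
        return Decision(True, f"encrypt({alg}, {obj}) executed normally")


def build_sample_monitor(strict: bool = False) -> EncryptionAlgorithmMonitor:
    """Constructed sample modelled on the FIG. 7 access list (row-to-app assignment
    is an assumption), one extra constructed app, and a constructed vulnerability list."""
    m = EncryptionAlgorithmMonitor(strict=strict)
    m.register_install("APP#1", {"encryption_algorithms": ["sha-256", "aes-128-cbc"],
                                 "accessible_objects": ["contacts"]})
    m.register_install("APP#2", {"encryption_algorithms": ["RSA"], "accessible_objects": ["photo"]})
    m.register_install("APP#3", {"encryption_algorithms": ["hmac-128"],
                                 "accessible_objects": ["file", "photo"]})
    m.register_install("APP#4", {"encryption_algorithms": ["hmac-128", "sha-256"],
                                 "accessible_objects": ["contacts", "file"]})
    m.register_install("APP#5", {"encryption_algorithms": ["rc4"], "accessible_objects": ["file"]})
    m.update_vulnerability_list(["rc4", "md5"])
    return m
```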
[0033] In accordance with another aspect of the disclosure, an electronic device is provided. The electronic device includes a processor, a storage configured to store an application, and a memory storing a plurality of instructions executable by the processor, wherein the plurality of instructions include an instruction to hook loading of executable code of the application into the memory, an instruction to input the executable code into an encryption code identification model, an instruction to determine whether the loading of the executable code is allowed based on the encryption code identification model, and an instruction to, when the loading of the executable code is not allowed, block the loading of the executable code into the memory.

[0034] The plurality of instructions may further comprise an instruction to execute the executable code in a security environment, and an instruction to input a value into the encryption code identification model based on a result of the execution of the executable code, wherein the security environment is a sandbox environment, and the result of execution of the executable code does not affect system resources outside of the sandbox environment.

[0035] The storage is further configured to store an access list including available encryption algorithms obtained from permission information included in an installation package of the application. The plurality of instructions may further comprise an instruction to determine whether output data of the encryption code identification model identifies an encryption algorithm that is not in the access list. The access list includes accessible objects obtained from the application's required permission information, matched with identification information of the application, and the plurality of instructions may further include an instruction to detect a call of an encryption API, the encryption API being provided by an operating system installed on the electronic
