System for detecting and blocking metamorphic malware using the Intermediate driver

Abstract

The present invention relates to a system and a method for detecting and blocking malware variants using a Network Driver Interface Specification (NDIS) intermediate driver. To complement the shortcomings of conventional signature analysis, it proposes a model that analyzes state changes in the system and the network through the NDIS intermediate driver, and that detects and blocks malware with an irregular pattern in kernel mode. State behavior is detected using the protocol type, IP address, MAC, port in use, length, and time information extracted from packet information.