Apparatus and method for detecting malicious application based on visualization similarity

What is claimed is: 1 . A malicious application detecting apparatus based on a visualization similarity, comprising: a first storing unit which classifies malicious applications for every group in accordance with characteristics and stores the malicious applications; a second storing unit which stores a target application; an image generating unit which analyzes the malicious applications to generate first visualization images and analyzes the target application to generate a second visualization image; a representative image selecting unit which selects representative images for every group using a similarity of the first visualization images; and a determining unit which compares the representative images with the second visualization image to determine whether the target application is a malicious application. 2 . The apparatus of claim 1 , further comprising: a processing unit which when it is determined that the target application is a malicious application, classifies the target application into a corresponding group to store the target application in the first storing unit. 3 . The apparatus of claim 1 , wherein the image generating unit decompresses a package file of the malicious applications to extract at least one of an execution file, a resource access permission file, and a metadata file. 4 . The apparatus of claim 3 , wherein the image generating unit decompiles the execution file to extract a source code and generates the first visualization images based on the source code. 5 . The apparatus of claim 4 , wherein the image generating unit generates a function list related with a malicious behavior or a character string list related with a malicious behavior based on the source code. 6 . The apparatus of claim 1 , wherein the image generating unit decompresses a package file of the target applications to extract at least one of an execution file, a resource access permission file, and a metadata file. 7 . The apparatus of claim 6 , wherein the image generating unit decompiles the execution file to extract a source code and generates the second visualization image based on the source code. 8 . The apparatus of claim 7 , wherein the image generating unit generates a malicious behavior suspicious function list or a malicious behavior suspicious character string list based on the source code. 9 . The apparatus of claim 1 , further comprising: an analysis difficulty determining unit which, when it is determined that the target application is a malicious application, determines analysis difficulty of the target application. 10 . The apparatus of claim 9 , wherein the analysis difficulty determining unit determines analysis difficulty of the target application based on a similarity between the second visualization image and a representative image for every group, the number of malicious applications for every group, and a frequency of generation of a malicious application for every group. 11 . A malicious application detecting method based on a visualization similarity, comprising: analyzing malicious applications stored for every group in accordance with characteristics to generate first visualization images and analyzing a target application to generate a second visualization image; selecting representative images for every group using a similarity of the first visualization images; and comparing the representative images with the second visualization image to determine whether the target application is a malicious application. 12 . The method of claim 11 , wherein in the analyzing of malicious applications stored for every group in accordance with characteristics to generate first visualization images and the analyzing of a target application to generate a second visualization image; and a package file of the malicious applications is decompressed to extract at least one of an execution file, a resource access permission file, and a metadata file. 13 . The method of claim 12 , wherein in the analyzing of malicious applications stored for every group in accordance with characteristics to generate first visualization images and the analyzing of a target application to generate a second visualization image; and the execution file is decompiled to extract a source code and generate the first visualization images based on the source code. 14 . The method of claim 13 , wherein in the analyzing of malicious applications stored for every group in accordance with characteristics to generate first visualization images and the analyzing of a target application to generate a second visualization image and a function list related with a malicious behavior or a character string list related with a malicious behavior is generated based on the source code. 15 . The method of claim 13 , wherein in the analyzing of malicious applications stored for every group in accordance with characteristics to generate first visualization images and the analyzing of a target application to generate a second visualization image and the resource access permission file is analyzed to generate an access permission list. 16 . The method of claim 11 , wherein in the analyzing of malicious applications stored for every group in accordance with characteristics to generate first visualization images and the analyzing of a target application to generate a second visualization image and a package file of the target applications is decompressed to extract at least one of an execution file, a resource access permission file, and a metadata file. 17 . The method of claim 16 , wherein in the analyzing of malicious applications stored for every group in accordance with characteristics to generate first visualization images and the analyzing of a target application to generate a second visualization image and the execution file is decompiled to extract a source code and generate the second visualization image based on the source code. 18 . The method of claim 17 , wherein in the analyzing of malicious applications stored for every group in accordance with characteristics to generate first visualization images and the analyzing of a target application to generate a second visualization image and a malicious behavior suspicious function list or a malicious behavior suspicious character string list is generated based on the source code. 19 . The method of claim 11 , further comprising: classifying the target application into a corresponding group to store the target application when it is determined that the target application is a malicious application; and determining analysis difficulty of the target application when it is determined that the target application is a malicious application. 20 . The method of claim 19 , wherein in the determining of analysis difficulty of the target application when it is determined that the target application is a malicious application and analysis difficulty of the target application is determined based on at least one of a similarity between the second visualization image of the target application and a representative image for every group, the number of malicious applications for every group, and a frequency of generation of a malicious application for every group.