
A Classification Method for Executable Files based on Comparison of Undocumented Information in the PE Header

A Classification Method for Executable Files by Comparing Undocumented Information in the Executable File Header (Korean title)

  • 김정순 (The Attached Institute of ETRI)
  • 강정민 (The Attached Institute of ETRI)
  • 김강산 (The Attached Institute of ETRI)
  • 신욱 (The Attached Institute of ETRI)
  • Received : 2012.11.15
  • Accepted : 2012.11.19
  • Published : 2013.01.31

Abstract

File identification and analysis is an important process in computer forensics, since it determines which subjects need to be collected and analyzed as digital evidence. Efficient file classification aids file identification, especially in copyright infringement cases, where we often have huge numbers of files. Many file classification methods have been proposed so far, but they have mostly focused on classifying malicious behavior based on known information. In copyright infringement cases we need a different approach, since our subjects include not only malicious code but also a vast number of normal files. In this paper, we propose an efficient file classification method that relies on undocumented information in the header of PE format files. Our method is useful in copyright infringement cases, as it can be applied to any sort of PE format executable file, whether the file is malicious, packed, mutated, transformed, virtualized, obfuscated, or not.

File identification and analysis are important elements of acquiring and analyzing digital evidence in computer forensic investigations, and much research has been carried out on them to date. However, because identification and analysis of executable files has mainly been studied for malicious code, existing malware classification methods are hard to apply when ordinary executable files must be classified and detected in detail, as in copyright infringement incidents. Therefore, this paper presents a method that can classify executable files in detail by comparing them on the basis of similarity measurements over undocumented information in the executable file header. Because the proposed method uses information contained in the header of the executable file, it can be applied not only to ordinary executable files but also to classifying existing and new malicious code and its variants, as well as packed, code-transformed, virtualized and obfuscated executables.
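As an added illustration (not code from the paper), the Python below parses one well-known piece of undocumented PE header information, the Rich block that Microsoft linkers leave in the DOS stub, and compares two files by the similarity of their tool-id/build pairs. The abstract does not name the header fields or the similarity measure the authors use, so the choice of the Rich block and of Jaccard similarity are assumptions here, and the PE bytes are constructed for the example rather than taken from a real binary.

```python
import struct

DANS = 0x536E6144  # "DanS" as a little-endian dword: start marker, stored XOR-ed with the key

def parse_rich_header(data):
    """Return [(prod_id, build, count), ...] from a PE image, or None if no Rich block."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew > len(data):
        return None
    stub = data[0x40:e_lfanew]                  # the block lives in the DOS stub, before "PE\0\0"
    rich_off = stub.rfind(b"Rich")              # "Rich" end marker is stored in the clear
    if rich_off < 0 or rich_off + 8 > len(stub):
        return None
    key = struct.unpack_from("<I", stub, rich_off + 4)[0]   # the XOR key follows "Rich"
    pos = rich_off - 4
    while pos >= 0 and struct.unpack_from("<I", stub, pos)[0] ^ key != DANS:
        pos -= 4                                # walk back to the XOR-ed "DanS" marker
    if pos < 0 or (rich_off - pos - 16) % 8:
        return None
    entries = []
    for off in range(pos + 16, rich_off, 8):    # skip "DanS" + three padding dwords
        compid, count = struct.unpack_from("<II", stub, off)
        compid ^= key                           # compid = (product id << 16) | build number
        entries.append((compid >> 16, compid & 0xFFFF, count ^ key))
    return entries

def rich_similarity(a, b):
    """Jaccard similarity over (prod_id, build) pairs; the paper's measure is not given, so this is assumed."""
    sa = {(p, bld) for p, bld, _ in a}
    sb = {(p, bld) for p, bld, _ in b}
    return 1.0 if not (sa | sb) else len(sa & sb) / len(sa | sb)

def classify(sample, known, threshold=0.5):
    """Label a sample by its closest reference profile, or None when nothing is close enough."""
    best = max(known, key=lambda label: rich_similarity(sample, known[label]), default=None)
    return best if best is not None and rich_similarity(sample, known[best]) >= threshold else None

def build_sample_pe(entries, key):
    """Constructed minimal MZ header + Rich block + PE signature for testing (not a real binary)."""
    body = struct.pack("<IIII", DANS ^ key, key, key, key)   # three zero dwords XOR key
    for prod_id, build, count in entries:
        body += struct.pack("<II", ((prod_id << 16) | build) ^ key, count ^ key)
    body += b"Rich" + struct.pack("<I", key)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40 + len(body))      # e_lfanew points past the block
    return bytes(dos) + body + b"PE\0\0"
```

Because the block records which compiler and linker builds produced the object files, it survives packing and obfuscation of the code sections, which is why header-based comparison works on the kinds of files the abstract lists.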
