Automatic Binary Execution Environment based on Real-machines for Intelligent Malware Analysis

  • 조호묵 (Cyber Security Research Center, KAIST) ;
  • 윤관식 (Cyber Security Research Center, KAIST) ;
  • 최상용 (Department of Information Security, Korea Polytechnics) ;
  • 김용민 (School of Cultural Contents, Chonnam National University)
  • Received: 2015.09.09
  • Accepted: 2016.01.01
  • Published: 2016.03.15

Abstract

Malware has recently become the most serious threat in cyberspace, and it keeps growing more intelligent. Anti-virus products and existing detection solutions, however, do not respond effectively to malware that is becoming more complex and sophisticated. To identify malware equipped with analysis-environment evasion techniques more effectively, this paper proposes an environment built on an actual (non-virtualized) computer that senses the malware's behavior and state and dynamically handles the malware's requirements, such as user interaction. Experiments compared the malicious-behavior activity of samples run in the proposed real-machine-based automatic binary execution environment against the activity of the same samples run in a virtual-machine environment. The results show that the proposed approach can provide a dynamic analysis environment that analyzes intelligent malware effectively.
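The comparison the abstract describes, activity in a real-machine run against activity in a virtual-machine run, is illustrated below with an added example that is not code from the paper or its authors. The trace format, the two constructed traces, the per-category weights, the thresholds and the two evasion heuristics (a long Sleep and a hardware-description registry query) are all assumptions made for illustration; the paper does not specify how it measures activity. A sample whose state-changing activity collapses in the VM but not on the real machine is reported as evasive.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed traces for illustration (not data from the paper). One event per
# line: "<seconds>\t<category>\t<detail>". The VM run exits shortly after a
# long Sleep; the real-machine run goes on to drop a file, persist and beacon.
VM_TRACE = """\
0.10\tprocess\tstart sample.exe
0.25\tapi\tGetSystemInfo
0.31\tapi\tRegOpenKeyExA HKLM\\HARDWARE\\DESCRIPTION\\System
0.40\tapi\tSleep 600000
0.45\tprocess\texit sample.exe
"""

REAL_TRACE = """\
0.10\tprocess\tstart sample.exe
0.25\tapi\tGetSystemInfo
0.31\tapi\tRegOpenKeyExA HKLM\\HARDWARE\\DESCRIPTION\\System
1.20\tfile\tcreate %APPDATA%\\svchost.exe
1.25\tregistry\tset HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater
2.00\tnetwork\tconnect 203.0.113.7:443
2.50\tprocess\tstart svchost.exe
"""

# Weight of each event category toward the "malicious behavior activity" score.
# Query-only API calls (category "api") score 0: they are reconnaissance, not
# activity. The weights and thresholds are illustrative assumptions.
EVENT_WEIGHTS = {"file": 3.0, "registry": 3.0, "network": 4.0, "process": 2.0}

MIN_ACTIVE_SCORE = 6.0    # below this a run is treated as "no real activity"
EVASIVE_RATIO = 0.25      # vm/real at or below this: activity collapsed in the VM
LONG_SLEEP_MS = 300_000   # Sleep >= 5 min, a common sandbox time-out trick


@dataclass(frozen=True)
class Event:
    t: float
    category: str
    detail: str


def parse_trace(text: str) -> list[Event]:
    """Parse the tab-separated trace format above, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, category, detail = line.split("\t", 2)
        events.append(Event(float(t), category, detail))
    return events


def activity_score(events: list[Event]) -> float:
    """Weighted count of state-changing events; process exits do not count."""
    score = 0.0
    for ev in events:
        if ev.category == "process" and not ev.detail.startswith("start"):
            continue
        score += EVENT_WEIGHTS.get(ev.category, 0.0)
    return score


def evasion_indicators(events: list[Event]) -> list[str]:
    """Cheap heuristics (assumed, not the paper's) for why a run went quiet."""
    hints = []
    for ev in events:
        m = re.match(r"Sleep (\d+)", ev.detail)
        if m and int(m.group(1)) >= LONG_SLEEP_MS:
            hints.append("long-sleep")
        if ev.category == "api" and "HARDWARE\\DESCRIPTION" in ev.detail:
            hints.append("hardware-description-query")
    return hints


def compare_runs(vm_trace: str, real_trace: str) -> dict:
    """Score both runs and classify the sample by how its activity differs."""
    vm, real = parse_trace(vm_trace), parse_trace(real_trace)
    vm_score, real_score = activity_score(vm), activity_score(real)
    ratio = vm_score / real_score if real_score else 1.0
    if real_score < MIN_ACTIVE_SCORE:
        verdict = "inactive-in-both"
    elif ratio <= EVASIVE_RATIO:
        verdict = "evasive"
    else:
        verdict = "consistent"
    return {"vm_score": vm_score, "real_score": real_score,
            "ratio": round(ratio, 3), "verdict": verdict,
            "vm_indicators": evasion_indicators(vm)}


if __name__ == "__main__":
    print(compare_runs(VM_TRACE, REAL_TRACE))
```

The verdict depends on the real-machine run showing enough activity to be meaningful at all; a sample that is quiet in both environments is reported separately rather than as evasive, which is what would otherwise happen if only the ratio were checked.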

Keywords

Funding

Funding agency: Institute for Information & Communications Technology Promotion (IITP)
