Intelligent Malicious Web-page Detection System based on Real Analysis Environment

  • 송종석 (Cyber Defense Division, Republic of Korea Army Headquarters) ;
  • 이경석 (KAIST Cyber Security Research Center) ;
  • 김우승 (KAIST Cyber Security Research Center) ;
  • 오익균 (KAIST Cyber Security Research Center) ;
  • 김용민 (Faculty of Culture Contents, Chonnam National University)
  • Received : 2017.08.14
  • Accepted : 2017.10.24
  • Published : 2018.01.15

Abstract

Recently, distribution of malicious code over the Internet has become one of the most serious cyber threats. Malicious-code distribution techniques that incorporate detection-bypass methods are also developing, and research has focused on how to detect and analyze them. However, existing detection systems for web pages that distribute malicious code are signature-based, so obfuscated malicious JavaScript is almost impossible for them to detect; a further limitation is that their detection patterns must be updated constantly. To overcome these limitations, we propose an intelligent detection system for malicious-code-distributing web pages that uses a real browser and can effectively analyze and detect intelligent malicious-code-distributing web sites.

Acknowledgement

Supported by : Ministry of Science, ICT and Future Planning