A Study on the Generation of the Function Call Graph of an Obfuscated Executable Program Using Dynamic Analysis

  • Se-Beom Cheon (Dept. of Information Security, Suwon University) ;
  • DaeYoub Kim (Dept. of Information Security, Suwon University)
  • Received: 2022.11.24
  • Reviewed: 2023.03.20
  • Published: 2023.03.31

Abstract

As one technique for analyzing malicious code, methods that build a sequence or a graph of the function call relationships in an executable program and then analyze the result have been proposed. Such methods generally examine the function-call code of the executable through static analysis and organize the call relationships into a sequence or a graph. For an obfuscated executable, however, the structure and content of the file differ from the standard layout, so the function call relationships are difficult to analyze with static analysis alone. In this paper, we propose a dynamic analysis method for analyzing the function call relationships of an obfuscated executable program, and a method of constructing those relationships as a graph using the proposed technique.
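The abstract contrasts a call graph recovered statically from the file with one recovered from the running program. The following is an added example, not code from the paper: it parses a run-time call trace into the sequence and graph forms the abstract mentions and reports which edges a static graph of the packed file would have missed. The trace line format ("tid=N call caller=X callee=Y"), the function names, and the static edge set are all constructed for illustration; a real trace would come from a debugger breakpoint script or an instrumentation tool.

```python
"""Build a function call graph from a dynamic call trace (added example).

Assumes a hypothetical trace format of one observed call per line:
    tid=<thread> call caller=<symbol> callee=<symbol>
The sample trace and the static edge set below are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed trace of a packed sample: the stub allocates, decrypts, then
# jumps to the real entry point, which resolves APIs and encrypts files.
SAMPLE_TRACE = """\
tid=1 call caller=unpack_stub callee=VirtualAlloc
tid=1 call caller=unpack_stub callee=decrypt_payload
tid=1 call caller=decrypt_payload callee=RtlDecompressBuffer
tid=1 call caller=unpack_stub callee=oep_main
tid=1 call caller=oep_main callee=GetProcAddress
tid=1 call caller=oep_main callee=resolve_api
tid=1 call caller=resolve_api callee=GetProcAddress
tid=1 call caller=oep_main callee=CryptEncrypt
tid=1 call caller=oep_main callee=FindFirstFileW
tid=1 call caller=oep_main callee=CryptEncrypt
"""

# Constructed: what static analysis of the packed file sees (only the stub).
STATIC_EDGES = {
    ("unpack_stub", "VirtualAlloc"),
    ("unpack_stub", "decrypt_payload"),
}

TRACE_LINE = re.compile(r"^tid=(\d+)\s+call\s+caller=(\S+)\s+callee=(\S+)$")


def parse_trace(text):
    """Parse trace lines into (tid, caller, callee) tuples.

    Non-matching lines are skipped so a noisy or truncated log still parses.
    """
    events = []
    for line in text.splitlines():
        m = TRACE_LINE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3)))
    return events


def call_sequence(events, tid):
    """Ordered callee sequence for one thread (the 'sequence' form)."""
    return [callee for t, _caller, callee in events if t == tid]


def build_call_graph(events):
    """Directed multigraph: caller -> Counter(callee -> times observed)."""
    graph = defaultdict(Counter)
    for _tid, caller, callee in events:
        graph[caller][callee] += 1
    return graph


def reachable_from(graph, root):
    """Functions reachable from root via observed calls (root itself excluded)."""
    seen, stack = set(), [root]
    while stack:
        node = stack.pop()
        for callee in graph.get(node, {}):
            if callee not in seen:
                seen.add(callee)
                stack.append(callee)
    return seen


def dynamic_only_edges(graph, static_edges):
    """Edges seen at run time that the static call graph did not contain."""
    dynamic = {(c, k) for c, callees in graph.items() for k in callees}
    return dynamic - set(static_edges)


def to_dot(graph):
    """Render the graph in Graphviz DOT with call counts as edge labels."""
    lines = ["digraph calls {"]
    for caller in sorted(graph):
        for callee, n in sorted(graph[caller].items()):
            lines.append(f'  "{caller}" -> "{callee}" [label="{n}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    events = parse_trace(SAMPLE_TRACE)
    graph = build_call_graph(events)
    print("thread 1 sequence:", call_sequence(events, 1))
    print("missed by static analysis:", sorted(dynamic_only_edges(graph, STATIC_EDGES)))
    print(to_dot(graph))
```

The edge counts matter in practice: a callee invoked once per file (CryptEncrypt here) shows up as a weighted edge, which is what a behavior-based detector would key on, while the static graph of the packed file never reaches the real entry point at all.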

Funding

This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) (No. NRF-2021R1F1A1062954).
