http://dx.doi.org/10.13089/JKIISC.2006.16.3.17

A Behavior based Detection for Malicious Code Using Obfuscation Technique  

Park Nam-Youl (Chonnam National University)
Kim Yong-Min (Chonnam National University)
Noh Bong-Nam (Chonnam National University)
Abstract
The appearance of variant malicious code that uses obfuscation techniques is accelerating the spread of malicious code by evading detection by vaccine (anti-virus) software. If a system does not patch its vaccine with detection patterns for vulnerabilities and worms, it can be infected by those worms, and the malicious code can spread rapidly to other systems and networks within a few minutes. Moreover, conventional pattern-based detection and treatment is limited when faced with variants or new malicious code. In this paper, we propose a behavior-based detection method that combines static analysis, dynamic analysis and dynamic monitoring to detect malicious code that uses obfuscation techniques together with PE compression. We also show that dynamic monitoring with the proposed similarity method can detect PE-compressed worms that access important resources such as the registry, the CPU, memory and files.
Keywords
malicious code; behavior-based; evasion technique; similarity comparison;