http://dx.doi.org/10.3745/KTCCS.2017.6.2.87

A Research of Anomaly Detection Method in MS Office Document

Cho, Sung Hye (Department of Information Security, Graduate School of Information Security, Korea University)
Lee, Sang Jin (Graduate School of Information Security, Korea University)
Publication Information
KIPS Transactions on Computer and Communication Systems, Vol. 6, No. 2, 2017, pp. 87-94
Abstract
Microsoft Office is an office suite of applications developed by Microsoft. Because MS Office is the most commonly used word-processing program, users with malicious intent have recently been customizing Office files as containers for malware. To attack a target system, many malicious Office files use a variety of skills and techniques, such as the macro function and hiding shellcode inside unused areas of the file. Two techniques are usually used to detect this kind of malware: signature-based detection and sandboxing. However, there are limits to what these can achieve because of the increasing complexity of malware. Therefore, this paper proposes methods to detect malicious MS Office files in a computer-forensics way. For this purpose, we checked macros and potential problem areas through a structural analysis of the MS Office file.
Keywords
MS Office; Malware; Anomaly Detection; doc; ppt; xls; Compound File Binary Format; OLE; Forensic