• Proceedings of the Korea Information Processing Society Conference
• /
• 2009.04a
• /
• pp.424-427
• /
• 2009

소프트웨어 버스마크는 프로그램을 식별하는데 사용될 수 있는 프로그램의 고유한 특징을 말한다. 본 논문에서는 자바 메소드의 제어 흐름 그래프 유사도에 기반한 자바 버스마크를 제안한다. 제어 흐름 그래프 유사도는 노드의 유사도와 에지의 유사도로 나누어 계산하였다. 노드의 유사도는 인접 노드의 유사도를 함께 고려했으며, 에지 유사도는 이미 매칭된 노드들 사이의 거리를 측정하는 방법을 사용했다. 본 논문에서 제안한 버스마크를 평가하기 위해서 서로 다른 프로그램을 구별할 수 있는 신뢰도와 프로그램 최적화나 난독화에 견딜 수 있는 강인도에 대한 실험을 하였다. 실험 결과로부터 본 논문에서 제안하는 버스마크가 기존의 정적 버스마크보다 신뢰도가 높으면서도 난독화나 컴파일러 변경에 강인하다는 것을 확인하였다.

• Review of KIISC
• /
• v.28 no.3
• /
• pp.33-37
• /
• 2018

암호 화폐가 다양해지면서 암호 화폐를 채굴하는 방법 또한 다양한 방향으로 생겨났다. CyptoNote라는 프로토콜을 이용한 암호 화폐 중 하나인 모네로를 채굴할 때 메모리를 중점적으로 사용하도록 되어 있다. Coinhive는 광고 없이 수익을 내기위한 방법으로 웹브라우저를 이용한 모네로를 채굴하는 API를 만들었다. 하지만 본래의 목적과 다르게 API를 악의적으로 사용하여 웹브라우저 방문자의 동의 없이 채굴하는 공격인 크립토재킹이 증가하게 되었다. 이러한 공격을 막기 위해 브라우저 확장 어플리케이션이 등장하였으나, 공격자는 이를 우회하기 위해 자바스크립트 난독화를 사용하고 있다. 본 논문에서는, 크립토재킹에 대한 연구동향을 분석하고자 한다.

• Journal of the Korean Society for Library and Information Science
• /
• v.46 no.1
• /
• pp.201-221
• /
• 2012

The study identified the various service factors for dyslexia-friendly library in promoting accessibilities and eliminating barriers. The results from the in-depth interviews and social survey for dyslexia students and their guardians suggested some of the new library policies. These are: 1) more intensive need for PR and ads programs; 2) the revision of the existing library regulations and the assignment of dyslexia librarians; and 3) the expansion and customization of library stocks and dyslexic private rooms.

• Proceedings of the Korean Society of Computer Information Conference
• /
• 2019.07a
• /
• pp.139-140
• /
• 2019

난독증은 정상적인 지능에도 불구하고 문장을 읽기가 어려운 독서 장애다. 난독증 진단 방법은 ADHD처럼 증상 체크리스트가 없다. 지적장애를 판정할 때 사용하는 웩슬러 지능검사 같은 전 세계인이 사용하는 아주 보편화된 심리검사도 없다. 미국 진단기준의 최신판인 DSM-5에도 어떤 검사를 해서 기준점수 아래여야 진단할 수 있다고 명확히 써놓지 않았다. 본 논문에서는 이를 해결하기 위해 글자, 단어, 문장, 문단의 단위를 설정하여 화면에 출력하고 아이트래커를 활용하여 읽는 사람의 시선 데이터를 수집하여 히트맵으로 분석한다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.1
• /
• pp.67-77
• /
• 2017

A protector is a software for protecting core technologies by using compression and encryption. Nowadays malwares use the protector to conceal the malicious code from the analysis. For detailed analysis of packed program, unpacking the protector is a necessary procedure. Lately, most studies focused on finding OEP to unpack the program. However, in this case, it would be difficult to analyze the program because of the limits to remove protecting functions by finding OEP. In this paper, we studied about the protecting functions in the Themida and propose an unpacking technique for it.

• Journal of the Korea Society of Computer and Information
• /
• v.17 no.3
• /
• pp.77-83
• /
• 2012

As web pages provide various services, the distribution of malware via the web pages is being also increased. Malware can make personal information leak, system mal-function and system be zombie. To protect this damages, we should block the malicious web pages. Because the malicious codes embedded in web pages are obfuscated or transformed, it is difficult to detect them using signature-based approaches which are used by current anti-virus software. To overcome this problem, we extracted features to classify malicious web pages and benign ones by analyzing web pages. And we propose a classification method using SVM which is widely used in machine learning. Experimental results show that the proposed method is better than other methods. The proposed method could classify malicious web pages correctly and be helpful to block the distribution of malicious codes.

• Journal of KIISE
• /
• v.42 no.8
• /
• pp.1049-1056
• /
• 2015

Runtime Intrusion Prevention Evaluator (RIPE), published in 2011, is a benchmark suite for evaluating mitigation techniques against 850 attack patterns using only buffer overflow. Since RIPE is built as a single process, defense and attack routines cannot help sharing process states and address space layouts when RIPE is tested. As a result, attack routines can access the memory space for defense routines without restriction. We separate RIPE into two independent processes of defense and attacks so that mitigations based on confidentiality such as address space layout randomization are properly evaluated. In addition, we add an execution mode to test robustness against brute force attacks. Finally, we extend RIPE by adding 38 attack forms to perform format string attacks and virtual table (vtable) hijacking attacks. The revised RIPE contributes to the diversification of attack patterns and precise evaluation of the effectiveness of mitigations.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.1
• /
• pp.105-115
• /
• 2019

Recently, intelligent Android malicious codes have become difficult to detect malicious behavior by static analysis alone. Malicious code with SO file, dynamic loading, and string obfuscation are difficult to extract information about original code even with various tools for static analysis. There are many dynamic analysis methods to solve this problem, but dynamic analysis requires rooting or emulator environment. However, in the case of dynamic analysis, malicious code performs the rooting and the emulator detection to bypass the analysis environment. To solve this problem, this paper investigates a variety of root detection schemes and builds an environment for bypassing the rooting detection in real devices. In addition, SDK code hooking module for Android malicious code analysis is designed using Xposed, and intent tracking for code flow, dynamic loading file information, and various API information extraction are implemented. This work will contribute to the analysis of obfuscated information and behavior of Android Malware.

• Convergence Security Journal
• /
• v.23 no.1
• /
• pp.97-107
• /
• 2023

With the popularization of digital devices in the era of the 4th industrial revolution and the increase in cyber crimes targeting them, the importance of securing digital data evidence is emerging. However, the difficulty in securing digital data evidence is due to the use of anti-forensic techniques that increase analysis time or make it impossible, such as manipulation, deletion, and obfuscation of digital data. Such anti-forensic is defined as a series of actions to damage and block evidence in terms of digital forensics, and is classified into data destruction, data encryption, data concealment, and data tampering as anti-forensic techniques. Therefore, in this study, anti-forensic techniques are categorized into data concealment and deletion (obfuscation and encryption), investigate and analyze recent research trends, and suggest future anti-forensic research directions.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.34 no.1
• /
• pp.31-40
• /
• 2024

Recently, static analysis-based signature and pattern detection technologies have limitations due to the advanced IT technologies. Moreover, It is a compatibility problem of multiple architectures and an inherent problem of signature and pattern detection. Malicious codes use obfuscation and packing techniques to hide their identity, and they also avoid existing static analysis-based signature and pattern detection techniques such as code rearrangement, register modification, and branching statement addition. In this paper, We propose an LLVM IR image-based automated static analysis of malicious code technology using machine learning to solve the problems mentioned above. Whether binary is obfuscated or packed, it's decompiled into LLVM IR, which is an intermediate representation dedicated to static analysis and optimization. "Therefore, the LLVM IR code is converted into an image before being fed to the CNN-based transfer learning algorithm ResNet50v2 supported by Keras". As a result, we present a model for image-based detection of malicious code.