• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.19 no.2
• /
• pp.83-92
• /
• 2009

As the innovative internet technologies and multimedia are being rapidly developed, malicious codes are a remarkable new growth part and supplied by various channel. This project presents a classification methodology for malicious codes in Windows OS (Operating System) environment, develops a test classification system. Thousands of malicious codes are brought in every day. In a result, classification system is needed to analyzers for supporting information which newly brought malicious codes are a new species or a variety. This system provides the similarity for analyzers to judge how much a new species or a variety is different to the known malicious code. It provides to save time and effort, to less a faulty analysis. This research includes the design of classification system and test system. We classify the malicious codes to 9 groups and then 9 groups divide the clusters according to the each property.

• Convergence Security Journal
• /
• v.8 no.4
• /
• pp.1-8
• /
• 2008

Not only the recent hacking techniques are becoming more malicious with the sophisticated technology but also its consequences are bringing more damages as the broadband Internet is growing rapidly. These may include invasion of information leakage, or identity theft over the internet. Its intent is very destructive which can result in invasion of information leakage, hacking, one of the most disturbing problems on the net. This thesis describes the technology of how you can effectively analyze and detect these kind of E-Mail malicious codes. This research explains how we can cope with malicious code more efficiently by detection method.

• Journal of IKEEE
• /
• v.25 no.3
• /
• pp.451-461
• /
• 2021

As various smart devices spread and the damage caused by malicious codes becomes more serious, malicious code detection technology using machine learning technology is attracting attention. However, if the training data of machine learning is constructed based on only the fragmentary characteristics of the code, it is still easy to create variants and new malicious codes that avoid it. To solve such a problem, a research using the function call relationship of malicious code as training data is attracting attention. In particular, it is expected that more advanced malware detection will be possible by measuring the similarity of graphs using GNN. This paper proposes an efficient method to generate a function call graph from binary code to utilize GNN for malware detection.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2017.04a
• /
• pp.323-325
• /
• 2017

최근 지능형 지속 위협(APT)은 명확한 공격 대상과 정교한 프로그램을 사용하여 치밀하게 공격하는 사회공학적 공격 기법을 사용함으로 상업용 탐지기술의 지속적인 발전과 개발에도 빠르게 증가되고 있다. 기존의 탐지 기법은 알려진 악성코드에 대하여는 효과적으로 대응 가능하나 아무런 정보가 없는 제로데이 공격 등의 악성코드는 탐지하기 어렵다. 특히 최근의 악성코드들은 빠르게 변종을 만들어냄으로 기존의 탐지 기법으로는 한계가 있다. 따라서 본 연구에서는 악성코드에 대한 경로 및 유형, 공격 방법 등을 분석하고 이를 탐지하고 분석하는 선행 기술들 조사하여 DAST 기반의 콘텐츠재구성을 통한 무해화 기술을 제안하였다.

• Journal of the Korea Society of Computer and Information
• /
• v.18 no.5
• /
• pp.69-76
• /
• 2013

In the recent years, cyber attacks by malicious codes called malware has become a social problem. With the explosive appearance and increase of new malware, innumerable disasters caused by metaphoric malware using the existing malicious codes have been reported. To secure more effective detection of malicious codes, in other words, to make a more accurate judgment as to whether suspicious files are malicious or not, this study introduces the malware analysis system, which is based on a profiling technique using the Finite Automata. This new analysis system enables realtime automatic detection of malware with its optimized partial execution method. In this paper, the functions used within a file are expressed by finite automata to find their correlation, and a realtime malware analysis system enabling us to give an immediate judgment as to whether a file is contaminated by malware is suggested.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.4
• /
• pp.785-802
• /
• 2017

As cyber threats using malicious code continue to increase, many security and vaccine companies are putting a lot of effort into analysis and detection of malicious codes. However, obfuscation techniques that make software analysis more difficult are applied to malicious codes, making it difficult to respond quickly to malicious codes. In particular, commercial obfuscation tools can quickly and easily generate new variants of malicious codes so that malicious code analysts can not respond to them. In order for analysts to quickly analyze the actual malicious behavior of the new variants, reverse obfuscation(=de-obfuscation) is needed to disable obfuscation. In this paper, general analysis methodology is proposed to de-obfuscate the software used by a commercial obfuscation tool, Themida. First, We describe operation principle of Themida by analyzing obfuscated executable file using Themida. Next, We extract original code and data information of executable from obfuscated executable using Pintool, DBI(Dynamic Binary Instrumentation) framework, and explain the implementation results of automated analysis tool which can deobfuscate to original executable using the extracted original code and data information. Finally, We evaluate the performance of our automated analysis tool by comparing the original executable with the de-obfuscated executable.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.26 no.4
• /
• pp.895-902
• /
• 2016

Smart phone distribution rate has been rising and it's security threat also has been rising. Especially Android smart phone reaches nearly 85% of domestic share. Since repackaging on android smart phone is relatively easy, the number of re-packaged malwares has shown steady increase. While many detection techniques have been proposed in order to prevent malwares, it is not easy to detect re-packaged malwares by static analysis and it is also difficult to operate dynamic analysis in android smart phone. Static analysis proposed in this paper features code reuse of repackaged malwares. We extracted DEX files from android applications and performed static analysis using class names and method names. This process doesn't not include reverse engineering, so it is possible to detect malwares efficiently.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.42 no.1
• /
• pp.193-204
• /
• 2017

The security of Internet systems critically depends on the capability to keep anti-virus (AV) software up-to-date and maintain high detection accuracy against new malware. However, malware variants evolve so quickly they cannot be detected by conventional signature-based detection. In this paper, we proposed a malware classification method based on sequence patterns generated from the network flow of malware samples. We evaluated our method with 766 malware samples and obtained a classification accuracy of approximately 40.4%. In this study, malicious codes were classified only by network behavior of malicious codes, excluding codes and other characteristics. Therefore, this study is expected to be further developed in the future. Also, we can predict the attack groups and additional attacks can be prevented.

• KIPS Transactions on Computer and Communication Systems
• /
• v.8 no.2
• /
• pp.35-40
• /
• 2019

Traditional Malware Detection is susceptible for detecting malware which is modified by polymorphism or obfuscation technology. By learning patterns that are embedded in malware code, machine learning algorithms can detect similar behaviors and replace the current detection methods. Data must collected continuously in order to learn malicious code patterns that change over time. However, the process of storing and processing a large amount of malware files is accompanied by high space and time complexity. In this paper, an HDFS-based distributed processing system is designed to reduce space complexity and accelerate feature extraction time. Using a distributed processing system, we extract two API features based on filtering basis, 2-gram feature and APICFG feature and the generalization performance of ensemble learning models is compared. In experiments, the time complexity of the feature extraction was improved about 3.75 times faster than the processing time of a single computer, and the space complexity was about 5 times more efficient. The 2-gram feature was the best when comparing the classification performance by feature, but the learning time was long due to high dimensionality.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.2
• /
• pp.283-293
• /
• 2012

A new type of malware that extracts personal and account data over an extended period of time and that apparently is resistant to detection by vaccines has been identified. Generally, a malware is installed on a computer through network-to-network connections by utilizing Web vulnerabilities that contain injection, XSS, broken authentication and session management, or insecure direct-object references, among others. After the malware executes registration of an arbitrary service and an arbitrary process on a computer, it then periodically communicates the collected confidential information to a hacker. This paper is a systematic approach to analyzing a new type of malware called "winweng," a kind of worm that frequently made appearances during the first half of 2011. The research describes how the malware came to be in circulation, how it infects computers, how its operations expose its existence and suggests improvements in responses and countermeasures. Keywords: Malware, Worm, Winweng, SNORT.