• Proceedings of the Korea Information Processing Society Conference
• /
• 2014.04a
• /
• pp.395-397
• /
• 2014

국내에서 가장 폭넓게 사용되는 모바일 운영체제인 안드로이드는 수 많은 악성코드에 대한 위협 속에 있다. 그 중에서 가장 위협적인 공격은 루트 권한을 획득하는 악성코드이다. 따라서 본 연구는 가상화 환경을 통해 안드로이드 시스템에서 실존하는 루트 권한 획득을 탐지하는 시스템을 소개 하고 있다. 이를 위해 CPU 제조사에서 제공하는 가상화 기반 기술을 활용하였으며 결과적으로 시스템 상에서 루트 권한으로 동작하는 프로세스를 감지할 수 있었다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.6
• /
• pp.1341-1351
• /
• 2015

As the popularization of smartphone increases the number of various applications, the number of malicious applications also grows rapidly through the third party App Market or black market. This paper suggests an investigation filter, Androfilter, that detects the fabrication of APK file effectively. Whereas the most of antivirus software uses a separate server to collect, analyze, and update malicious applications, Androfilter assumes Google Play as the trusted party and verifies integrity of an application through a simple query to Google Play. Experiment results show that Androfilter blocks brand new malicious applications that have not been reported yet as well as known malicious applications.

• Journal of KIISE:Computer Systems and Theory
• /
• v.29 no.4
• /
• pp.220-231
• /
• 2002

Trojan-horse programs are the programs that disguise normal and useful programs but do malicious thing to the hosts. This paper proposes an anti-Trojan horse mechanism using the information attached to the code by the developers. In this mechanism, each code is accompanied with the information on their possible accesses to resources, and based on this information users determine whether the code is malicious or not. Even in the case a code is accepted by users due to its non-malicious appearance, its runtime behaviors are monitored and halted whenever any attempts to malicious operations are detected. By hiring such runtime monitoring system, this mechanism enables detecting unknown Trojan horses and reduces the decision-making overhead being compared to the previous monitoring-based approaches. We describe the mechanism in a formal way to show the advantages and the limitations of the security this mechanism provides.

• Proceedings of the Korean Information Science Society Conference
• /
• 2003.04a
• /
• pp.407-409
• /
• 2003

매크로 바이러스를 비롯한 악성 스크립트 바이러스는 이진 코드와는 달리 텍스트 형식으로 코드가 저장되기 때문에 많은 수의 변종이 가능하고 다형성을 지닌 형태로의 제작이 쉬워 새로운 형태의 출현이 빈번하다［1］. 이에 따라 시그니처 기반의 감지 기법을 탈피한 다양한 기법들이 제안되고 있으나 세밀한 수준의 분석으로 인한 시간 지연과 높은 긍정 오류의 문제로 현실적으로 적용되지 못하는 실정이다. 이를 개선하여 비교적 짧은 시간에 정적 분석을 끝내고 코드 삽입 기법을 병행하여 긍정 오류 문제를 해결한 기법이 제안 되었다［2］. 그러나 이 기법에서 사용하는 정적 분석은 다형성 스크립트 바이러스에 대하여 고려하고 있지 않다. 본 논문에서는 제안된 정적 분석 기법을 확장 하여 다형성 스크립트 바이러스를 탐지할 수 있는 기법을 제시 한다.

• Proceedings of the Korea Contents Association Conference
• /
• 2019.05a
• /
• pp.329-330
• /
• 2019

인터넷 기술 및 통신 기술의 급격한 발전과 사물 인터넷을 기반으로 산업 구조가 재편됨에 따라 점차 지능화, 다변화 있는 보안 위협들에 대하여 기존 시스템 보안 중심의 취약성 분석 및 데이터 암호화를 통해 구성된 보안 시스템은 한계를 보이고 있다. 특히 외부 침입 방지를 위해 별도의 사설망을 구축하여 물리적으로 분리된 보안망에 대한 악성코드 유입 등의 보안 위협 발생도 꾸준히 증가하고 있으며 보안 침해 상황 발생 시 빠른 대응도 점차 어려워지고 있다. 이에 본 연구에서는 새로운 유형의 보안 취약성 탐지를 위해 기존 보안 시스템을 구성하는 리엑티브(reactive) 기법 및 휴리스틱(heuristic) 탐지 기법이 아닌 네트워크 패킷 수집 및 분석과 대상 시스템의 비지니스 모델 매칭을 통한 사용자 행위 패턴을 해석하였다. 그리고 실시간 행위 분석을 수행하여 사용자 행위 중심의 이상 징후 감시 기준을 설립함으로써 보안 위협에 대한 행위 유형 판단 기준 및 이상 감지 판단 방법에 대해 제안한다.

• Journal of KIISE:Computing Practices and Letters
• /
• v.14 no.5
• /
• pp.517-521
• /
• 2008

A worm is a malware that propagates quickly from host to host without any human intervention. Need of early worm detection has changed research paradigm from signature based worm detection to the behavioral based detection. To increase effectiveness of proposed solution, in this paper we present mechanism of detection and prevention of worm in distributed fashion. Furthermore, to minimize the worm destruction; upon worm detection we propagate the possible attack aleγt to neighboring nodes in secure and organized manner. Considering worm behavior, our proposed mechanism detects worm cycles and infection chains to detect the sudden change in network performance. And our model neither needs to maintain a huge database of signatures nor needs to have too much computing power, that is why it is very light and simple. So, our proposed scheme is suitable for the ubiquitous environment. Simulation results illustrate better detection and prevention which leads to the reduction of infection rate.

• Journal of Industrial Convergence
• /
• v.16 no.2
• /
• pp.25-31
• /
• 2018

An APT attack is a new hacking technique that continuously attacks specific targets and is called an APT attack in which a hacker exploits various security threats to continually attack a company or organization's network. Protect employees in a specific organization and access their internal servers or databases until they acquire significant assets of the company or organization, such as personal information leaks or critical data breaches. Also, APT attacks are not attacked at once, and it is difficult to detect hacking over the years. This white paper examines ongoing APT attacks and identifies, educates, and proposes measures to build a security management system, from the executives of each organization to the general staff. It also provides security updates and up-to-date antivirus software to prevent malicious code from infiltrating your company or organization, which can exploit vulnerabilities in your organization that could infect malicious code. And provides an environment to respond to APT attacks.

• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.21 no.4
• /
• pp.25-29
• /
• 2021

The strip binary is a binary from which debug symbol information has been deleted, and therefore it is difficult to analyze the binary through techniques such as reverse engineering. Traditional binary analysis tools rely on debug symbolic information to analyze binaries, making it difficult to detect or analyze malicious code with features of these strip binaries. In order to solve this problem, the need for a technology capable of effectively extracting the information of the strip binary has emerged. In this paper, focusing on the fact that the byte code of the binary file is generated very differently depending on compiler version, optimazer level, etc. For effective compiler version extraction, the entire byte code is read and imaged as the target of the stripped binaries and this is applied to the convolution neural network. Finally, we achieve an accuracy of 93.5%, and we provide an opportunity to analyze stripped binary more effectively than before.

• The KIPS Transactions:PartC
• /
• v.14C no.3 s.113
• /
• pp.199-208
• /
• 2007

In a ubiquitous network environment, detecting the leakage of personal information is very important. The leakage of personal information might cause severe problem such as impersonation, cyber criminal and personal privacy violation. In this paper, we have proposed a detection method of personal information leakage based on network traffic characteristics. The experimental results indicate that the traffic character of a real campus network shows the self-similarity and Proposed method can detect the anomaly of leakage of personal information by malicious code.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2016.05a
• /
• pp.441-444
• /
• 2016

Peace on the Korean Peninsula is threatened by physical aggressions and cyber terrors such as nuclear tests, missile launchings, senior government officials' smart phone hackings and DDos attacks to banking systems. Cyber attacks such as vulnerability for the hackings, malware distributions are generally defended by passive defense through the detecting signs of first invasion and attack, data analysis, adding library and updating vaccine programs. In this paper the concept of security program based on Google TensorFlow machine learning ability to perform adding libraries and solving security vulnerabilities by itself is researched and proposed.