• Proceedings of the Korea Information Processing Society Conference
• /
• 2017.04a
• /
• pp.376-379
• /
• 2017

전 세계적으로 악성코드는 하루 100만개 이상이 새롭게 발견되고 있으며, 악성코드 발생량은 해마다 증가하고 있는 추세이다. 공격자는 보안장비에서 악성코드가 탐지되는 것을 우회하기 위해 기존 악성코드를 변형한 변종 악성코드를 주로 이용한다. 변종 악성코드는 자동화된 제작도구나 기존 악성코드의 코드를 재사용하므로 비교적 손쉽게 생성될 수 있어 최근 악성코드 급증의 주요 원인으로 지목되고 있다. 본 논문에서는 대량으로 발생하는 악성코드의 효과적인 대응을 위한 행위기반 악성코드 프로파일링 시스템 프로토타입을 제안한다. 동일한 변종 악성코드들은 실제 행위가 유사한 특징을 고려하여 악성코드가 실행되는 과정에서 호출되는 API 시퀀스 정보를 이용하여 악성코드 간 유사도 분석을 수행하였다. 유사도 결과를 기반으로 대량의 악성코드를 자동으로 그룹분류 해주는 시스템 프로토타입을 구현하였다. 악성코드 그룹별로 멤버들 간의 유사도를 전수 비교하므로 그룹의 분류 정확도를 객관적으로 제시할 수 있다. 실제 유포된 악성코드를 대상으로 악성코드 그룹분류 기능과 정확도를 측정한 실험에서는 평균 92.76%의 분류 성능을 보였으며, 외부 전문가 의뢰에서도 84.13%로 비교적 높은 분류 정확도를 보였다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2013.11a
• /
• pp.808-810
• /
• 2013

최근 인터넷 사용이 보편화됨과 더불어 정치적, 경제적인 목적으로 웹사이트와 이메일을 악용한 악성 코드가 급속히 유포되고 있다. 유포된 악성코드의 대부분은 기존 악성코드를 변형한 변종 악성코드이다. 이에 변종 악성코드를 탐지하기 위해 유사 악성코드를 분류하는 연구가 활발하다. 그러나 기존 연구에서는 정적 분석을 통해 얻어진 정보를 가지고 분류하기 때문에 실제 발생되는 행위에 대한 분석이 어려운 단점이 있다. 본 논문에서는 악성코드가 호출하는 API(Application Program Interface) 정보를 추출하고 유사도를 분석하여 악성코드를 분류하는 기법을 제안한다. 악성코드가 호출하는 API의 유사도를 분석하기 위해서 동적 API 후킹이 가능한 악성코드 API 분석 시스템을 개발하고 퍼지해시(Fuzzy Hash)인 ssdeep을 이용하여 비교 가능한 고유패턴을 생성하였다. 실제 변종 악성코드 샘플을 대상으로 한 실험을 수행하여 제안하는 악성코드 분류 기법의 유용성을 확인하였다.

• The Journal of the Korea Contents Association
• /
• v.14 no.10
• /
• pp.32-40
• /
• 2014

While there is a great demand for malware classification to reduce the time required in malware analysis and find a new type of malware, various similarity measurement methods of malware to classify a lot of malwares have been proposed. But, the existing methods to measure similarity just represented the classification results by them and have not carried out performance comparison with other methods. This is because an evaluation model to compare the performance of similarity measurement methods is non-existent. In this paper, we propose a new performance evaluation model on similarity measurement methods of malware by using two indicators: success rate and degree of confidence. In addition, we compare and evaluate the performance of existing similarity measurement methods by using these two indicators.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.2
• /
• pp.347-363
• /
• 2019

Malware has its own unique behavior characteristics, like DNA for living things. To respond APT (Advanced Persistent Threat) attacks in advance, it needs to extract behavioral characteristics from malware. To this end, it needs to do classification for each malware based on its behavioral similarity. In this paper, various similarity of Windows malware is estimated; and based on these similarity values, malware's family is predicted. The similarity measures used in this paper are as follows: 'TF-IDF cosine similarity', 'Nilsimsa similarity', 'malware function cosine similarity' and 'Jaccard similarity'. As a result, we find the prediction rate for each similarity measure is widely different. Although, there is no similarity measure which can be applied to malware classification with high accuracy, this result can be helpful to select a similarity measure to classify specific malware family.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.19 no.2
• /
• pp.83-92
• /
• 2009

As the innovative internet technologies and multimedia are being rapidly developed, malicious codes are a remarkable new growth part and supplied by various channel. This project presents a classification methodology for malicious codes in Windows OS (Operating System) environment, develops a test classification system. Thousands of malicious codes are brought in every day. In a result, classification system is needed to analyzers for supporting information which newly brought malicious codes are a new species or a variety. This system provides the similarity for analyzers to judge how much a new species or a variety is different to the known malicious code. It provides to save time and effort, to less a faulty analysis. This research includes the design of classification system and test system. We classify the malicious codes to 9 groups and then 9 groups divide the clusters according to the each property.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.6
• /
• pp.1325-1336
• /
• 2012

In the past about 10 different kinds of malicious code were found in one day on the average. However, the number of malicious codes that are found has rapidly increased reachingover 55,000 during the last 10 year. A large number of malicious codes, however, are not new kinds of malicious codes but most of them are new variants of the existing malicious codes as same functions are newly added into the existing malicious codes, or the existing malicious codes are modified to evade anti-virus detection. To deal with a lot of malicious codes including new malicious codes and variants of the existing malicious codes, we need to compare the malicious codes in the past and the similarity and classify the new malicious codes and the variants of the existing malicious codes. A former calculation method of the similarity on the existing malicious codes compare external factors of IPs, URLs, API, Strings, etc or source code levels. The former calculation method of the similarity takes time due to the number of malicious codes and comparable factors on the increase, and it leads to employing fuzzy hashing to reduce the amount of calculation. The existing fuzzy hashing, however, has some limitations, and it causes come problems to the former calculation of the similarity. Therefore, this research paper has suggested a new comparison method for malicious codes to improve performance of the calculation of the similarity using fuzzy hashing and also a classification method employing the new comparison method.

• KIISE Transactions on Computing Practices
• /
• v.21 no.3
• /
• pp.263-268
• /
• 2015

Malware variations could be defined as malicious executable files that have similar functions but different structures. In order to classify the variations, this paper analyzed sequence alignment, the method used in Bioinformatics. This method found common parts of the Malwares' API call information. This method's performance is dependent on the API call information's length; if the length is too long, the performance should be very poor. Therefore we removed the repeated patterns in API call information in order to improve the performance of sequence alignment analysis, before the method was applied. Finally the similarity between malware was analyzed using sequence alignment. The experimental results with the real malware samples were presented.

• Journal of the Korea Society for Simulation
• /
• v.18 no.1
• /
• pp.63-70
• /
• 2009

This project presents a classification methodology for malicious codes in Windows OS (Operating System) environment, develops a test classification system. Thousands of malicious codes are brought in every day. In a result, classification system is needed to analyzers for supporting information which newly brought malicious codes are a new species or a variety. This system provides the similarity for analyzers to judge how much a new species or a variety is different to the known malicious code. It provides to save time and effort, to less a faulty analysis. This research includes the design of classification system and test system. We classify the malicious codes to 9 groups and then 9 groups divide the clusters according to the each property. This system provides the similarity for analyzers to save time and effort. It is used prospect system of malicious code in the future.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2015.04a
• /
• pp.501-503
• /
• 2015

Malicious(악의적인) + Code 즉, 악의적인코드를 포함한 소프트웨어라는 의미로 줄여 Malware(Malicious + Software) 라고 불리는 악성코드는 최근 네트워크와 컴퓨터의 급속한 발전에 따라 기하급수적으로 증가하고 있는 추세이다. 폭발적인 증가율 추세를 보이고 있는 악성코드의 위협을 대비하기 위해 악성코드에 대한 분석이 필요한데 그 분석의 종류로는 초기분석, 동적 분석, 정적분석으로 나누고 장, 단점을 정리하였다. 또한 악성코드 대량화에 따른 효율적인 분석과 빠른 의사결정을 위한 악성코드 유사도에 대한 연구를 소개하고 API Call Sequence와 분류된 API를 이용한 악성행위 유사도 판별법을 제시하고 실험하였다.

• Smart Media Journal
• /
• v.8 no.4
• /
• pp.25-32
• /
• 2019

While the development of the Internet has made information more accessible, this also has provided a variety of intrusion paths for malicious programs. Traditional Signature-based malware-detectors cannot identify new malware. Although Dynamic Analysis may analyze new malware that the Signature cannot do, it still is inefficient for detecting variants while most of the behaviors are similar. In this paper, we propose a detection method using behavioral similarity with existing malicious codes, assuming that they have parallel patterns. The proposed method is to extract the behavior targets common to variants and detect programs that have similar targets. Here, we verified behavioral similarities between variants through the conducted experiments with 1,000 malicious codes.