• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.26 no.1
• /
• pp.197-208
• /
• 2016

In this paper, we propose a method based on a convolutional neural network which is one of the deep neural network. So, we convert a malware code to malware image and train the convolutional neural network. In experiment with classify 9-families, the proposed method records a 96.2%, 98.7% of top-1, 2 error rate. And our model can classify 27 families with 82.9%, 89% of top-1,2 error rate.

• Journal of KIISE
• /
• v.43 no.3
• /
• pp.289-295
• /
• 2016

Malware authors spread malware variants in order to evade detection. It's hard to detect malware variants using static analysis. Therefore dynamic analysis based on API call information is necessary. In this paper, we proposed a malware family recommendation method to assist malware analysts in classifying malware variants. Our proposed method extract API call information of malware families by dynamic analysis. Then the multiple sequence alignment technique was applied to the extracted API call information. A signature of each family was extracted from the alignment results. By the similarity of the extracted signatures, our proposed method recommends three family candidates for unknown malware. We also measured the accuracy of our proposed method in an experiment using real malware samples.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2021.05a
• /
• pp.212-215
• /
• 2021

본 논문에서는 딥러닝의 CNN(Convolution Neural Network) 학습을 통하여 악성코드를 실행시키지 않고서 악성코드 변종을 패밀리 그룹으로 분류하는 방법을 연구한다. 먼저 데이터 전처리를 통해 3가지의 서로 다른 방법으로 악성코드 이미지와 메타데이터를 생성하고 이를 CNN으로 학습시킨다. 첫째, 악성코드의 byte 파일을 8비트 gray-scale 이미지로 시각화하는 방법이다. 둘째, 악성코드 asm 파일의 opcode sequence 정보를 추출하고 이를 이미지로 변환하는 방법이다. 셋째, 악성코드 이미지와 메타데이터를 결합하여 분류에 적용하는 방법이다. 이미지 특징 추출을 위해서는 본고에서 제안한 CNN을 통한 학습 방식과 더불어 3개의 Pre-trained된 CNN 모델을 (InceptionV3, Densnet, Resnet-50) 사용하여 전이학습을 진행한다. 전이학습 시에는 마지막 분류 레이어층에서 본 논문에서 선택한 데이터셋에 대해서만 학습하도록 파인튜닝하였다. 결과적으로 가공된 악성코드 데이터를 적용하여 9개의 악성코드 패밀리로 분류하고 예측 정확도를 측정해 비교 분석한다.

• KIPS Transactions on Software and Data Engineering
• /
• v.11 no.5
• /
• pp.197-202
• /
• 2022

IoT (Internet of Things) devices are being attacked by malware due to many security vulnerabilities, such as the use of weak IDs/passwords and unauthenticated firmware updates. However, due to the diversity of CPU architectures, it is difficult to set up a malware analysis environment and design features. In this paper, we design time series features using the byte sequence of executable files to represent independent features of CPU architectures, and analyze them using recurrent neural networks. The proposed feature is a fixed-length time series pattern extracted from the byte sequence by calculating partial entropy and applying linear interpolation. Temporary changes in the extracted feature are analyzed by RNN and LSTM. In the experiment, the IoT malware detection showed high performance, while low performance was analyzed in the malware family classification. When the entropy patterns for each malware family were compared visually, the Tsunami and Gafgyt families showed similar patterns, resulting in low performance. LSTM is more suitable than RNN for learning temporal changes in the proposed malware features.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.3
• /
• pp.531-539
• /
• 2019

This paper proposes the training features for malware family analysis and analyzes the multi-classification performance of ensemble models. We construct training data by extracting API and DLL information from malware executables and use Random Forest and XGBoost algorithms which are based on decision tree. API, API-DLL, and DLL-CM features for malware detection and family classification are proposed by analyzing frequently used API and DLL information from malware and converting high-dimensional features to low-dimensional features. The proposed feature selection method provides the advantages of data dimension reduction and fast learning. In performance comparison, the malware detection rate is 93.0% for Random Forest, the accuracy of malware family dataset is 92.0% for XGBoost, and the false positive rate of malware family dataset including benign is about 3.5% for Random Forest and XGBoost.

• Journal of Digital Contents Society
• /
• v.19 no.6
• /
• pp.1177-1183
• /
• 2018

Recent developments in machine learning have attracted a lot of attention for techniques such as machine learning and deep learning that implement artificial intelligence. In this paper, binary malicious code using deep learning based R-CNN is imaged and the feature is extracted from the image to classify the family. In this paper, two steps are used in deep learning to image malicious code using CNN. And classify the characteristics of the family of malicious codes using R-CNN. Generate malicious code as an image, extract features, classify the family, and automatically classify the evolution of malicious code. The detection rate of the proposed method is 93.4% and the accuracy is 98.6%. In addition, the CNN processing speed for image processing of malicious code is 23.3 ms, and the R-CNN processing speed is 4ms to classify one sample.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.31 no.4
• /
• pp.605-616
• /
• 2021

While malwares must be accurately identifiable from arbitrary programs, existing studies using classification techniques have limitations that they can only be applied to limited samples. In this work, we propose a method to utilize API call frequency to detect and classify malware families from arbitrary programs. Our proposed method defines a rule that checks whether the call frequency of a particular API exceeds the threshold, and identifies a specific family by utilizing the rate information on the corresponding rules. In this paper, decision tree algorithm is applied to define the optimal threshold that can accurately identify a particular family from the training set. The performance measurements using 4,443 samples showed 85.1% precision and 91.3% recall rate for family detection, 97.7% precision and 98.1% reproduction rate for classification, which confirms that our method works to distinguish malware families effectively.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2020.05a
• /
• pp.222-223
• /
• 2020

최근 악성코드로 인한 피해가 증가하고 있다. 악성코드는 악성코드가 속한 종류에 따라서 대응하는 방법도 다르기 때문에 악성코드를 종류별로 분류하는 연구도 중요하다. 기존에는 악성코드 시각화 과정을 통해서 생성된 악성코드의 글로벌 이미지를 사용해 악성코드를 각 종류별로 분류한다. 글로벌 이미지를 악성코드로부터 추출한 바이너리 정보를 사용해서 생성한다. 하지만, 글로벌 이미지만을 사용해서 악성코드를 각 종류별로 분류하는 경우 악성코드의 종류별로 중요한 특징을 고려하기 않기 때문에 분류 정확도가 떨어진다. 본 논문에서는 악성코드의 글로벌 이미지에 악성코드의 종류별 특징을 나타내기 위한 로컬 특징 기반 글로벌 이미지를 사용한 악성코드 분류 방법을 제안한다. 첫 번째, 악성 코드로부터 바이너리를 추출하고 추출된 바이너리를 사용해서 글로벌 이미지를 생성한다. 두 번째, 악성 코드로부터 로컬 특징을 추출하고 악성코드의 종류별 핵심 로컬 특징을 단어-역문서 빈도(Term Frequency Inverse Document Frequency, TFIDF) 알고리즘을 사용해 선택한다. 세 번째, 생성된 글로벌 이미지에 악성코드의 패밀리별 핵심 특징을 픽셀화해서 적용한다. 네 번째, 생성된 로컬 특징 기반 글로벌 이미지를 사용해서 컨볼루션 모델을 학습하고, 학습된 컨볼루션 모델을 사용해서 악성코드를 각 종류별로 분류한다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.33 no.6
• /
• pp.1067-1076
• /
• 2023

Recently, as variant malware has increased, the scale of cyber hacking incidents is expanding. To respond to intelligent cyberhacking attack, machine learning-based research is actively underway to effectively classify malware families. However, existing classification models have problems where performance deteriorates when the dataset is obfuscated or sparse. In this paper, we propose a hybrid dataset that combines features extracted from ASM files and BYTES files, and evaluate classification performance using FNN. As a result of the experiment, the proposed method showed performance improvement of about 4% compared to a single dataset, and in particular, performance improvement of about 30% for rare families.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2021.11a
• /
• pp.715-718
• /
• 2021

정보통신 기술이 발전함에 따라 악의적인 공격을 통해 보안문제를 발생시키고 있다. 또한 새로운 악성코드가 유포되어 기존의 시그니처 비교방식은 새롭게 발생하는 악성코드를 빠르게 분석 할 수 없다. 새로운 악성코드를 빠르게 분석하고 방어기법을 제안하기 위해 악성코드의 패밀리를 분류할 필요가 있다. 본 논문에서는 악성코드의 바이너리 파일을 이용해 시각화하고 CNN모델을 통해 분류한다. 또한 정확도를 높이기 위해 LBP, HOG를 통해 악성코드 이미지에서 중요한 특성을 찾고 데이터 클래스 불균형에서 오는 문제를 앙상블 모델을 통해 해결하는 시스템을 제안한다.