• Proceedings of the Korea Information Processing Society Conference
• /
• 2015.04a
• /
• pp.376-379
• /
• 2015

최근 발생한 다양한 해킹 사건에서와 같이, 신규 또는 알려지지 않은 악성코드를 이용한 지능형 지속 공격이 점차 증가하고 있다. 기존의 악성 코드가 해커의 단순한 호기심이나 해커 자신의 능력을 과시하기 위해 제작되어 불특정 다수를 공격했다면, 최근의 해킹 사건에서 사용된 악성코드는 오직 특정 대상만을 목표로 하여 제작, 사용되고 있는 것이 특징이다. 현재 대다수의 악성코드 탐지 방식인 블랙리스트 기반의 시그니처에 의한 탐지방식에서는 악성코드의 일부분이라도 변경이 되면 해당 악성코드를 탐지할 수가 없기 때문에 신규 악성 코드를 탐지하고 대응하는 것이 어렵다. 그러므로 지능형 지속 공격에 대응하기 위해서는 새로운 형태의 파일 탐지 기술이 필요하다. 이에 본 논문에서는 파일의 다양한 속성 및 사용자 분포에 따른 평판점수를 통해 신규 악성코드를 탐지하는 기법을 제안한다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2021.05a
• /
• pp.212-215
• /
• 2021

본 논문에서는 딥러닝의 CNN(Convolution Neural Network) 학습을 통하여 악성코드를 실행시키지 않고서 악성코드 변종을 패밀리 그룹으로 분류하는 방법을 연구한다. 먼저 데이터 전처리를 통해 3가지의 서로 다른 방법으로 악성코드 이미지와 메타데이터를 생성하고 이를 CNN으로 학습시킨다. 첫째, 악성코드의 byte 파일을 8비트 gray-scale 이미지로 시각화하는 방법이다. 둘째, 악성코드 asm 파일의 opcode sequence 정보를 추출하고 이를 이미지로 변환하는 방법이다. 셋째, 악성코드 이미지와 메타데이터를 결합하여 분류에 적용하는 방법이다. 이미지 특징 추출을 위해서는 본고에서 제안한 CNN을 통한 학습 방식과 더불어 3개의 Pre-trained된 CNN 모델을 (InceptionV3, Densnet, Resnet-50) 사용하여 전이학습을 진행한다. 전이학습 시에는 마지막 분류 레이어층에서 본 논문에서 선택한 데이터셋에 대해서만 학습하도록 파인튜닝하였다. 결과적으로 가공된 악성코드 데이터를 적용하여 9개의 악성코드 패밀리로 분류하고 예측 정확도를 측정해 비교 분석한다.

• Journal of the Korea Society of Computer and Information
• /
• v.10 no.6 s.38
• /
• pp.127-136
• /
• 2005

Recently, the damages occurring from the malware are increasing rapidly, regardless of continuous development of commercial vaccines . Generally, the vaccine detects well-known malware effectively, but it becomes helpless without any information against the unknown ones. Also, the malware generates its variations fast enough, so that the vaccine always gets behind in its updates. In this paper, we are describing a design and development of malware detection tool, which can detect such malware effectively. We first analyze the general functionality of the malware, and then extracts specific signatures. Such that, we can actively cope with a malware, which may come in previous type, a new type, and any of its mutations also.

• Proceedings of the Korean Society of Computer Information Conference
• /
• 2020.07a
• /
• pp.85-88
• /
• 2020

최근 악성코드의 발전은 사이버 위협의 전방면에 걸쳐 영향을 주고 있다. DDoS, APT를 포함한 스팸 발송 등과 같은 사이버 공격은 악성코드를 기반으로 한다. 또한 이에 대응하기 위해 다양한 형태의 악성코드 솔루션이 존재하고 있다. 악성코드 솔루션은 오픈소스와 상업용 프로그램으로 나눌 수 있는데 상업용 프로그램은 악성코드뿐만 아니라 PC관리의 전반적인 부분을 담당하고 있다. 악성코드를 탐지하는 방법은 시그니처 방식과 해시DB를 이용한 방식 등 다양한 방식이 있다. 본 논문에서는 오픈소스기반 악성코드 솔루션을 비교하여 어떠한 방식이 더 효과적인가를 분석하였다. 이를 통해 악성코드 방지 프로그램을 개발하려는 개발자가 비용효과적인 악성코드 탐지 방법을 잘 선택할 수 있는 가이드라인을 제공한다.

• Journal of KIISE
• /
• v.42 no.5
• /
• pp.558-565
• /
• 2015

Recently, the number of new malware and malware variants has dramatically increased. As a result, the time for analyzing malware and the efforts of malware analyzers have also increased. Therefore, malware classification helps malware analyzers decrease the overhead of malware analysis, and the classification is useful in studying the malware's genealogy. In this paper, we proposed a set of key opcode to classify the malware. In our experiments, we selected the top 10-opcode as key opcode, and the key opcode decreased the training time of a Supervised learning algorithm by 91% with preserving classification accuracy.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.19 no.2
• /
• pp.83-92
• /
• 2009

As the innovative internet technologies and multimedia are being rapidly developed, malicious codes are a remarkable new growth part and supplied by various channel. This project presents a classification methodology for malicious codes in Windows OS (Operating System) environment, develops a test classification system. Thousands of malicious codes are brought in every day. In a result, classification system is needed to analyzers for supporting information which newly brought malicious codes are a new species or a variety. This system provides the similarity for analyzers to judge how much a new species or a variety is different to the known malicious code. It provides to save time and effort, to less a faulty analysis. This research includes the design of classification system and test system. We classify the malicious codes to 9 groups and then 9 groups divide the clusters according to the each property.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.23 no.4
• /
• pp.679-694
• /
• 2013

According to the national information security white paper 2013, the number of hacking attempt in 2012 is 17,570 which is increased by 67.4% than in 2011, and it has been increasing year after year. The cause of this increase is considered as pursuit of monetary profit and diversification techniques of infection. However, because the development of malicious code faster than the increase in the number of experts to analyze and respond the malware, it is difficult to respond to security threats due to malicious code. So, the interest on automatic analysis tools is increasing. In this paper, we proposed the method of malware classification by similarity using malware DNA. It helps the experts to reduce the analysis time, to increase the correctness. The proposed method generates 'Malware DNA' from extracted features, and then calculates similarity to classify the malwares.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.18 no.6A
• /
• pp.107-114
• /
• 2008

The Bot is a kind of worm/virus that can be used to launch the distributed denial-of-service(DDoS) attacks or send massive amount of spam e-mails, etc. A lot of organizations make an effort to counter the Botnet's attacks. In Korea, we use DNS sinkhole system to protect from the Botnet's attack, while in Japan "so called" CCC(Cyber Clean Center) has been developed to protect from the Botnet's attacks. But in case of DNS sinkhole system, there is a problem since it cannot cure the Bot infected PCs themselves and in case of CCC there is a problem since only 30% of users with the Botnet-infected PCs can cooperate to cure themself. In this paper we propose a new method that prevent the Botnet's attacks and cure the Bot-infected PCs at the same time.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2021.10a
• /
• pp.455-457
• /
• 2021

App is used on mobile devices such as smartphones and also has malicious code, which can be divided into normal and malicious depending on the presence or absence of hacking codes. Because there are many kind of malware, it is difficult to detect directly, we propose a method to detect malicious app using AI. Most of the existing methods are to detect malicious app by extracting features from malicious app. However, the number of types have increased exponentially, making it impossible to detect malicious code. Therefore, we would like to propose two more methods besides detecting malicious app by extracting features from most existing malicious app. The first method is to learn normal app to extract normal's features, as opposed to the existing method of learning malicious app and find abnormalities (malicious app). The second one is an 'ensemble technique' that combines the existing method with the first proposal. These two methods need to be studied so that they can be used in future mobile environment.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2022.05a
• /
• pp.374-376
• /
• 2022

The Malware App Analysis Tool is a system that analyzes Android-based apps by the AI-based algorithm defined in the tool and detects whether malware code is included. Currently, as the spred of smartphones is activated, crimes using malware apps have increased, and accordingly, security for malware apps is required. Android operating systems used in smartphones have a share of more than 70% and are open-source-based, so not only will there be many vulnerabilities and malware, but also more damage to malware apps, increasing demand for tools to detect and analyze malware apps. However, this paper is proposed because there are many difficulties in designing and developing a malware app analysis tool because the security functional requirements for the malware app analysis tool are not clearly specified. Through the developed protection profile, technology can be improved based on the design and development of malware app analysis tools, safety can be secured by minimizing damage to malware apps, and furthermore, trust in malware app analysis tools can be guaranted through common criteria.