• Title/Summary/Keyword: 악성 코드 (malicious code)


Metamorphic Malware Detection using Subgraph Matching (행위 그래프 기반의 변종 악성코드 탐지)

  • Kwon, Jong-Hoon; Lee, Je-Hyun; Jeong, Hyun-Cheol; Lee, Hee-Jo
    • Journal of the Korea Institute of Information Security & Cryptology, v.21 no.2, pp.37-47, 2011
  • In recent years, malicious code (malware) has increased significantly, driven by code obfuscation used to evade detection mechanisms. When code obfuscation is applied to malware, its instruction sequence and even its signature change. Such malware, with the same functionality but a different appearance, evades signature-based AV products, so AV vendors spend heavily on analyzing and classifying malware in order to generate new signatures. In this paper, we propose a novel approach for detecting metamorphic malware. The proposed mechanism first converts a sample's API call sequence, obtained by dynamic analysis, into a call graph. The call graph is then converted into a semantic signature using 128 abstract nodes. Finally, all subgraphs are extracted and the behavioral similarity of two samples is measured through subgraph similarity. To validate the mechanism, we use 273 real-world malware samples, including obfuscated ones, and analyze 10,100 comparison results. In the evaluation, all metamorphic malware samples are classified correctly, and similar module behaviors shared among different malware samples are also discovered.
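The pipeline described in this abstract, as an added example that is not the paper's code: a dynamic-analysis API call trace is abstracted into behaviour classes (the paper uses 128 abstract nodes; the small table here is a stand-in), turned into a directed graph of call-to-call transitions, decomposed into all walks of up to K edges (the "subgraphs"), and two samples are compared by the Jaccard similarity of their subgraph sets. The abstraction table, the API names and the three traces are constructed for illustration.

```python
# Added example, not code from the paper. All API names, the abstraction
# table and the traces are constructed for illustration.
from typing import Dict, List, Set, Tuple

# Hypothetical abstraction table: concrete Win32 API -> abstract behaviour node.
# ANSI/Wide/Nt variants collapse to one node, which is what defeats simple
# API-renaming obfuscation. APIs absent from the table are treated as noise.
API_CLASS: Dict[str, str] = {
    "CreateFileA": "file_open", "CreateFileW": "file_open", "NtCreateFile": "file_open",
    "WriteFile": "file_write", "NtWriteFile": "file_write",
    "ReadFile": "file_read", "NtReadFile": "file_read",
    "RegSetValueExA": "reg_write", "RegSetValueExW": "reg_write",
    "CreateProcessA": "proc_create", "CreateProcessW": "proc_create",
    "connect": "net_connect", "WSAConnect": "net_connect",
    "send": "net_send", "WSASend": "net_send",
}

Edge = Tuple[str, str]
Walk = Tuple[Edge, ...]


def build_graph(trace: List[str]) -> Set[Edge]:
    """Abstract a call trace into a set of directed transition edges."""
    nodes = [API_CLASS[api] for api in trace if api in API_CLASS]
    # Collapse immediate repeats (e.g. a WriteFile loop) so loops do not
    # inflate the graph with self-edges.
    collapsed = [n for i, n in enumerate(nodes) if i == 0 or n != nodes[i - 1]]
    return set(zip(collapsed, collapsed[1:]))


def extract_subgraphs(edges: Set[Edge], k: int = 3) -> Set[Walk]:
    """Enumerate every simple walk of 1..k edges; each walk is one subgraph."""
    out_edges: Dict[str, List[Edge]] = {}
    for edge in edges:
        out_edges.setdefault(edge[0], []).append(edge)
    subgraphs: Set[Walk] = set()
    frontier: List[Walk] = [(edge,) for edge in edges]
    while frontier:
        extended: List[Walk] = []
        for walk in frontier:
            subgraphs.add(walk)
            if len(walk) < k:
                for edge in out_edges.get(walk[-1][1], []):
                    if edge not in walk:  # never reuse an edge, so cycles terminate
                        extended.append(walk + (edge,))
        frontier = extended
    return subgraphs


def behaviour_similarity(trace_a: List[str], trace_b: List[str], k: int = 3) -> float:
    """Jaccard similarity between the two samples' subgraph sets (0.0 .. 1.0)."""
    sub_a = extract_subgraphs(build_graph(trace_a), k)
    sub_b = extract_subgraphs(build_graph(trace_b), k)
    if not sub_a and not sub_b:
        return 1.0
    return len(sub_a & sub_b) / len(sub_a | sub_b)


# Constructed traces: an original dropper, a metamorphic variant that swaps API
# names and inserts junk calls, and an unrelated benign-looking file reader.
ORIGINAL = ["CreateFileA", "WriteFile", "WriteFile", "WriteFile",
            "RegSetValueExA", "CreateProcessA", "connect", "send"]
VARIANT = ["GetTickCount", "CreateFileW", "Sleep", "NtWriteFile", "RegSetValueExW",
           "GetSystemTime", "CreateProcessW", "WSAConnect", "WSASend"]
BENIGN = ["CreateFileA", "ReadFile", "ReadFile", "connect", "send"]

if __name__ == "__main__":
    print("original vs variant:", behaviour_similarity(ORIGINAL, VARIANT))
    print("original vs benign: ", behaviour_similarity(ORIGINAL, BENIGN))
```

The variant scores 1.0 because renaming ANSI to Wide/Nt APIs and inserting timing calls changes nothing at the abstract-node level; the benign reader shares only the connect-then-send edge and scores close to zero. Real traces need the abstraction table to be far larger and the walk length K chosen against the graph size, since the number of walks grows quickly on dense graphs.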

Multi-Modal Based Malware Similarity Estimation Method (멀티모달 기반 악성코드 유사도 계산 기법)

  • Yoo, Jeong Do; Kim, Taekyu; Kim, In-sung; Kim, Huy Kang
    • Journal of the Korea Institute of Information Security & Cryptology, v.29 no.2, pp.347-363, 2019
  • Malware has its own unique behavioral characteristics, like DNA in living things. To respond to APT (Advanced Persistent Threat) attacks in advance, behavioral characteristics must be extracted from malware, which in turn requires classifying each sample by behavioral similarity. In this paper, several similarity measures are computed for Windows malware, and the malware family is predicted from the resulting similarity values. The measures used are 'TF-IDF cosine similarity', 'Nilsimsa similarity', 'malware function cosine similarity' and 'Jaccard similarity'. We find that the prediction rate differs widely between measures. Although no single measure can be applied to malware classification with high accuracy, the result can help in selecting a similarity measure for classifying a specific malware family.
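Two of the measures named above, as an added example that is not the paper's code: TF-IDF cosine similarity over API call tokens and Jaccard similarity over the set of called functions, each used for a nearest-neighbour family prediction so the per-measure results can be compared side by side. The family labels, sample names and API lists are invented for illustration; Nilsimsa and the paper's "malware function" similarity are not implemented here.

```python
# Added example, not code from the paper. Corpus, labels and the query
# sample are constructed for illustration.
import math
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed labelled corpus: sample -> (family, API call trace).
CORPUS: Dict[str, Tuple[str, List[str]]] = {
    "dl-1": ("downloader", ["InternetOpenA", "InternetOpenUrlA", "InternetReadFile",
                            "InternetReadFile", "CreateFileA", "WriteFile", "WinExec"]),
    "dl-2": ("downloader", ["URLDownloadToFileA", "CreateFileA", "WriteFile",
                            "ShellExecuteA"]),
    "rw-1": ("ransomware", ["FindFirstFileW", "FindNextFileW", "FindNextFileW",
                            "CryptAcquireContextW", "CryptEncrypt", "CreateFileW",
                            "WriteFile", "MoveFileW"]),
}


def tfidf_vectors(docs: Dict[str, List[str]]) -> Dict[str, Dict[str, float]]:
    """TF-IDF weight vectors; idf is smoothed (1 + log) so corpus-wide tokens still count."""
    df: Counter = Counter()
    for tokens in docs.values():
        df.update(set(tokens))
    n = len(docs)
    vectors = {}
    for name, tokens in docs.items():
        tf = Counter(tokens)
        vectors[name] = {t: (c / len(tokens)) * (1.0 + math.log(n / df[t]))
                         for t, c in tf.items()}
    return vectors


def cosine(u: Dict[str, float], v: Dict[str, float]) -> float:
    dot = sum(w * v.get(t, 0.0) for t, w in u.items())
    nu = math.sqrt(sum(w * w for w in u.values()))
    nv = math.sqrt(sum(w * w for w in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0


def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if (a or b) else 1.0


def predict_family(query: List[str], corpus=CORPUS) -> Dict[str, Tuple[str, float]]:
    """Nearest-neighbour family under each measure: {measure: (family, score)}."""
    docs = {name: trace for name, (_, trace) in corpus.items()}
    docs["query"] = query          # the query takes part in idf, as an unlabelled document
    vecs = tfidf_vectors(docs)
    scores = {
        "tfidf_cosine": {name: cosine(vecs["query"], vecs[name]) for name in corpus},
        "jaccard": {name: jaccard(set(query), set(trace))
                    for name, (_, trace) in corpus.items()},
    }
    result = {}
    for measure, per_sample in scores.items():
        best = max(per_sample, key=per_sample.get)
        result[measure] = (corpus[best][0], round(per_sample[best], 3))
    return result


# Constructed unknown sample: a file-enumerating encryptor with one network call.
QUERY = ["FindFirstFileW", "FindNextFileW", "CryptEncrypt", "CreateFileW",
         "WriteFile", "WriteFile", "InternetOpenA"]

if __name__ == "__main__":
    for measure, (family, score) in predict_family(QUERY).items():
        print(f"{measure:13s} -> {family} ({score})")
```

Jaccard ignores how often an API is called and rewards set overlap, while TF-IDF cosine discounts ubiquitous calls such as WriteFile and weights repeated rare calls; on a large corpus the two can rank neighbours differently, which is the kind of divergence the abstract reports.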

Characteristic Analysis of Web-Based Malware Distribution Attacks (웹 기반 악성코드 유포공격의 특성 분석)

  • Yu, Dae-Hun; Kim, Ji-Sang; Jo, Hye-Seon; Park, Hae-Ryong
    • Information and Communications Magazine, v.31 no.5, pp.15-19, 2014
  • As Internet use has grown, malware distribution through the web has emerged as a major threat. This article analyzes the characteristics of web-based malware distribution attacks, the most representative method of distributing malware over the Internet.

Technique for Malicious Code Detection using Stacked Convolution AutoEncoder (적층 콘볼루션 오토엔코더를 활용한 악성코드 탐지 기법)

  • Choi, Hyun-Woong; Heo, Junyoung
    • The Journal of the Institute of Internet, Broadcasting and Communication, v.20 no.2, pp.39-44, 2020
  • Malicious code damages equipment while evading detection programs (anti-virus products). Such new malware is hard to detect with existing anti-virus products because they rely on "signature-based" detection: these techniques effectively detect already known malicious code but have trouble detecting new malicious code. Most anti-virus vendors recognize this drawback and additionally use "heuristic" techniques. This paper proposes a technique for detecting unknown malicious code using deep learning. Detecting malware with a supervised learning approach has a clear limitation, because there are countless files that can run on a device. This paper therefore uses a Stacked Convolution AutoEncoder (SCAE), a semi-supervised learning method. Specifically, the byte information of each file is extracted and converted into an image, and the images are used to train the model. An accuracy of 98.84% was achieved when the model inferred malicious and non-malicious code it had not been trained on.

CNN-Based Malware Detection Using Opcode Frequency-Based Image (Opcode 빈도수 기반 악성코드 이미지를 활용한 CNN 기반 악성코드 탐지 기법)

  • Ko, Seok Min; Yang, JaeHyeok; Choi, WonJun; Kim, TaeGuen
    • Journal of the Korea Institute of Information Security & Cryptology, v.32 no.5, pp.933-943, 2022
  • As the Internet develops and computer use increases, the threat posed by malware keeps growing, creating demand for a system that automatically analyzes large amounts of malware. In this paper, an automatic malware analysis technique using a deep learning algorithm is introduced. The proposed method uses a CNN (Convolutional Neural Network) to analyze malicious features represented as images. To reflect the semantic information of malware in detection, the method generates images from the opcode frequency data of the binary rather than from its raw bytes. In experiments on a dataset of 20,000 samples, the proposed method detected malicious code with 91% accuracy.

Analysis Method and Response Guide of Mobile Malwares (모바일 악성코드 분석 방법과 대응 방안)

  • Kim, Ik-Su; Jung, Jin-Hyuk; Lee, Hyeong-Chan; Yi, Jeong-Hyun
    • The Journal of Korean Institute of Communications and Information Sciences, v.35 no.4B, pp.599-609, 2010
  • The Korean government has recently abolished the WIPI policy to open the domestic mobile phone market to the world, which may result in an influx of foreign smartphones. This gives users a wider range of products to choose from and allows them to buy mobile phones more cheaply. On the other hand, the change may also bring the potential danger of mobile malware incidents, which so far have occurred only in foreign countries. In our country there are standardized analysis methods and response guides for computer malware, but not for mobile malware. In this paper, we introduce existing mobile malware and the tools available for its analysis. Considering domestic circumstances, in which mobile malware may not be properly defended against, we propose analysis methods and a response guide for mobile malware.

A Study of Multiple Compression for Malicious Code Execution and Concealment (악성코드 실행과 은닉을 위한 다중 압축 연구)

  • Yi, Jeong-Hoon; Park, Dea-Woo
    • Proceedings of the Korean Institute of Information and Communication Sciences Conference, 2010.05a, pp.299-302, 2010
  • Recently, malicious code has become harder for anti-virus products to detect: malware packed as a compressed file with an altered pattern tends to delay detection. Among the many anti-virus engines on the market, it is necessary to know whether each one inspects compressed files whose pattern has been altered by malicious code. Through computer simulation, we examine whether the engines under test detect malicious code concealed in multiply compressed files with altered patterns. We also analyze the concealed activities of the malicious code: infection of the host file, and tampering with system driver files and the registry entries it registers. This study is intended to contribute to the inspection of hidden malicious code and to improving anti-virus effectiveness, reducing the damage caused by malicious code.
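The detection gap this paper probes, as an added example that is not the paper's code: a layered unpacker that peels nested zlib/gzip layers with a depth limit and a per-layer output cap (a guard against decompression bombs) and scans every layer for signatures, beside a naive scanner that only looks at the outer file. The payload, the marker string standing in for a real signature, the three-layer packing order and the limits are all constructed for this example.

```python
# Added example, not code from the paper. Payload, marker, layer order and
# limits are constructed for illustration.
import gzip
import zlib
from typing import List, Optional, Tuple

MAX_DEPTH = 8                      # how many nested layers to peel
MAX_LAYER_OUT = 16 * 1024 * 1024   # cap on one layer's decompressed size


def try_decompress(blob: bytes) -> Optional[bytes]:
    """Return the next inner layer, or None if blob is not a zlib/gzip stream."""
    # wbits = MAX_WBITS | 32 lets zlib auto-detect a zlib or gzip header.
    d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 32)
    try:
        out = d.decompress(blob, MAX_LAYER_OUT)
    except zlib.error:
        return None
    if d.unconsumed_tail:
        # Input left over after hitting the output cap: treat as a bomb, not data.
        raise ValueError("layer exceeds MAX_LAYER_OUT (possible decompression bomb)")
    return out or None


def unpack_layers(blob: bytes, max_depth: int = MAX_DEPTH) -> List[bytes]:
    """Layer 0 is the file as given; layer i+1 is layer i decompressed."""
    layers = [blob]
    for _ in range(max_depth):
        inner = try_decompress(layers[-1])
        if inner is None:
            break
        layers.append(inner)
    return layers


def scan(blob: bytes, signatures: List[bytes],
         max_depth: int = MAX_DEPTH) -> Optional[Tuple[int, bytes]]:
    """(depth, signature) of the first match across all layers, else None."""
    for depth, layer in enumerate(unpack_layers(blob, max_depth)):
        for sig in signatures:
            if sig in layer:
                return depth, sig
    return None


def naive_scan(blob: bytes, signatures: List[bytes]) -> Optional[bytes]:
    """Outer-file-only matching: the behaviour the multi-compression test probes."""
    return next((sig for sig in signatures if sig in blob), None)


# Constructed payload: a fake PE-like stub plus a marker standing in for a real
# signature, then wrapped in zlib, zlib again, and gzip (three layers).
SIGNATURES = [b"EVIL_MARKER_2010"]
PAYLOAD = b"MZ" + b"\x90" * 64 + b"this is the constructed dropper body " + SIGNATURES[0]
PACKED = gzip.compress(zlib.compress(zlib.compress(PAYLOAD)))

if __name__ == "__main__":
    print("naive  :", naive_scan(PACKED, SIGNATURES))
    print("layered:", scan(PACKED, SIGNATURES))
```

The naive scanner returns nothing for the packed file because deflate output never carries the marker byte-aligned and verbatim; the layered scanner finds it at depth 3. An engine's depth limit is the knob an attacker plays against, so the limit should be set per scanner deliberately and any file that still decompresses at the limit should be treated as suspicious rather than clean.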


Malware farm using accelerated virtual machines (시계가 가속된 가상머신을 이용한 악성코드 인큐베이터)

  • Suh, Hee-Won; Choi, Jin-Young
    • Proceedings of the Korean Information Science Society Conference, 2012.06c, pp.230-232, 2012
  • To determine and record when and how an executable of unknown maliciousness behaves, analysts have collected and analyzed malware using PCs set up as environments that are easily exposed to malware. Such a PC can be called a malware incubator. Keeping such a PC is heavily constrained by time and similar factors, and it is not an easy environment to analyze. To improve on it, earlier analysts turned to sandbox-type tools. Sandbox-type tools, however, provide only very limited functionality and can be applied only to executables already determined to be malicious, among other drawbacks. The method proposed next was the virtual PC, which provides an environment close to a real PC. Virtual PCs give analysts much convenience, but their limitation with respect to time is the same as before. This paper proposes a method to shorten analysis time in a virtual PC analysis environment by accelerating the clock. When applied, the activity timing and trigger conditions of malware that runs at a specific time, or after a specific delay, can be confirmed in time shortened by the acceleration factor. For example, malware that starts attacking 48 hours after infecting a PC can be caught after 24 hours in a virtual machine whose clock runs at twice normal speed.

A Study on Characteristic Analysis and Countermeasure of Malicious Web Site (악성코드 유포 사이트 특성 분석 및 대응방안 연구)

  • Kim, Hong-seok; Kim, In-seok
    • Journal of the Korea Institute of Information Security & Cryptology, v.29 no.1, pp.93-103, 2019
  • Recently, the distribution of ransomware through web sites based on drive-by download attacks has caused service disruptions at the web sites and damage to the PC files of end users. Analyzing the characteristics of the targeted web site's industry, the distribution period, the application type, and the kind of malicious code being exploited, together with the status and trends of malicious-code sites, makes it possible to predict and respond to the attacker's activities. In this paper, we examine malicious code distribution across 3.43 million web sites in Korea, draw out the characteristics of each detected landing site, exploit site, and distribution site, and discuss countermeasures.

Comparison Study of the Performance of CNN Models for malicious code image classification (악성코드 이미지 분류를 위한 CNN 모델 성능 비교)

  • Kang, Chae-Hee; Oh, Eun-Bi; Lee, Seung-Eon; Lee, Hyun-Kyung; Kim, Sung-Wook
    • Proceedings of the Korea Information Processing Society Conference, 2022.05a, pp.432-435, 2022
  • With the continued growth of the IT industry, cyber attacks that threaten users, such as malware, phishing, and ransomware, keep evolving and becoming more sophisticated, and malware variants are increasing exponentially. Signature-pattern-based detection cannot detect this huge volume of unknown malware, so techniques that detect malware using CNNs (Convolutional Neural Networks) have been proposed. In this paper, we select CNN models with low recognition error rates and compare them using the accuracy and F1-score metrics. Two methods of converting malware into images were used, and the malware images were classified with the models that won ILSVRC from 2015 onward, plus EfficientNet, published in 2019. The experiments confirmed that classifying 256 × 256 malware images, generated by converting each pair of bytes into one coordinate pair, with the ResNet-152 model gives the best performance.
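The three binary-to-image conversions named in the SCAE paper (raw bytes as grayscale pixels), the opcode-frequency CNN paper (opcode histogram as an image) and the model-comparison paper above (two bytes as one coordinate on a 256 × 256 grid), as one added example that is not code from any of these papers. The exact layouts, the opcode vocabulary, the choice of overlapping byte pairs and the sample bytes are assumptions made for this example; opcodes are taken as an already-disassembled mnemonic list, since disassembly itself is outside the scope here. It is written in pure Python so it runs without numpy.

```python
# Added example, not code from the papers above. Layouts, opcode vocabulary,
# pairing rule and sample data are assumptions made for illustration.
from collections import Counter
from typing import List

Image = List[List[int]]  # rows of 0..255 pixel values


def bytes_to_grayscale(data: bytes, width: int = 256) -> Image:
    """Lay the file's bytes out row by row; the last row is zero-padded."""
    rows = [list(data[i:i + width]) for i in range(0, len(data), width)]
    if rows and len(rows[-1]) < width:
        rows[-1] += [0] * (width - len(rows[-1]))
    return rows


# Hypothetical fixed opcode vocabulary; each mnemonic owns one pixel position.
OPCODE_VOCAB = ["mov", "push", "pop", "call", "ret", "jmp", "jz", "jnz",
                "cmp", "test", "xor", "add", "sub", "lea", "and", "or"]


def opcode_frequency_image(opcodes: List[str], side: int = 4) -> Image:
    """Histogram of mnemonics scaled to 0..255 and placed on a side x side grid.

    Mnemonics outside the vocabulary are ignored; vocabulary entries beyond
    side*side pixels are dropped.
    """
    counts = Counter(op for op in opcodes if op in OPCODE_VOCAB)
    peak = max(counts.values(), default=1)
    img = [[0] * side for _ in range(side)]
    for idx, op in enumerate(OPCODE_VOCAB[:side * side]):
        img[idx // side][idx % side] = counts[op] * 255 // peak
    return img


def bytepair_image(data: bytes) -> Image:
    """Count overlapping byte pairs (b[i], b[i+1]) as (x, y) hits on a 256x256 grid."""
    hits = Counter(zip(data, data[1:]))
    peak = max(hits.values(), default=1)
    img = [[0] * 256 for _ in range(256)]
    for (x, y), n in hits.items():
        img[x][y] = n * 255 // peak
    return img


# Constructed sample "binary": a DOS-header-like stub, a NOP run, then text.
SAMPLE = b"MZ\x90\x00" + b"\x90" * 12 + b"AB" * 8
SAMPLE_OPCODES = ["mov", "mov", "push", "call", "mov", "ret", "nop"]

if __name__ == "__main__":
    g = bytes_to_grayscale(SAMPLE, width=8)
    print(len(g), "rows of", len(g[0]), "pixels")
    print(opcode_frequency_image(SAMPLE_OPCODES))
    print("pixel (0x41,0x42) =", bytepair_image(SAMPLE)[0x41][0x42])
```

The grayscale layout keeps positional structure (headers, sections, packed regions show up as texture), the opcode histogram discards position but keeps instruction-mix semantics, and the byte-pair grid is position-free and fixed-size regardless of file length, which is what lets a fixed-input CNN consume files of any size without resampling.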