• Journal of Korea Society of Industrial Information Systems
• /
• v.20 no.2
• /
• pp.65-72
• /
• 2015

An anti-virus is a widely used solution for detecting malicious software in client devices. In particular, signature-based anti-viruses detect malicious software by comparing a file with a signature of a malicious software. Recently, the number of malicious software dramatically increases and hence it results in a performance degradation issue: detection time of signature-based anti-virus increases and throughput decreases. In this paper, we summarize the research results of signature-based anti-viruses which are focusing on solutions overcoming of performance limitations, and propose a new solution. In particular, comparing our solution to SplitScreen which has been known with the best performance, our solution reduces client-side workload and decreases communication cost.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.6
• /
• pp.1341-1351
• /
• 2015

As the popularization of smartphone increases the number of various applications, the number of malicious applications also grows rapidly through the third party App Market or black market. This paper suggests an investigation filter, Androfilter, that detects the fabrication of APK file effectively. Whereas the most of antivirus software uses a separate server to collect, analyze, and update malicious applications, Androfilter assumes Google Play as the trusted party and verifies integrity of an application through a simple query to Google Play. Experiment results show that Androfilter blocks brand new malicious applications that have not been reported yet as well as known malicious applications.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2015.05a
• /
• pp.259-263
• /
• 2015

The vulnerabilities related to Flash player which is widely used in internet browsers and office programs are gradually increased. To detect Flash malwares, previous work focuses on predefined features of ActionScript. However above work cannot detect new/mutated Flash malwares, since predefined features could not cover the new patterns of new/mutated Flash mawares. To solve this problem, we propose a Flash malware detection method that uses machine learning to learn Flash Tag patterns and classify Flash by using machine learning.

• The Journal of the Korea Contents Association
• /
• v.16 no.8
• /
• pp.90-96
• /
• 2016

The 3390 million people, around 83% of the adult population in Korea use smartphone. Although the safety problem of the certificate has been occurred continuously, most of these users use the certificate. These safety issues as a solution to 'The owner of a mobile phone using SMS authentication technology', 'Biometric authentication', etc are being proposed. but, a secure and reliable authentication scheme has not been proposed for replace the certificate yet. and there are many attacks to steal the certificate and private key. For these reasons, security experts recommend to store the certificate and private key on usb flash drive, security tokens, smartphone. but smartphones are easily infected malware, an attacker can steal certificate and private key by malicious code. If an attacker snatchs the certificate, the private key file, and the password for the private key password, he can always act as valid user. In this paper, we proposed a safe way to keep the private key on smartphone using smartphone's unique information and user password. If an attacker knows the user password, the certificate and the private key, he can not know the smart phone's unique information, so it is impossible to use the encrypted private key. Therefore smartphone user use IT service safely.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.33 no.3
• /
• pp.499-510
• /
• 2023

Recently, an intelligent and advanced cyber attack attacks a computer network of a public institution using a file containing malicious code or leaks information, and the damage is increasing. Even in public institutions with various information protection systems, known attacks can be detected, but unknown dynamic and encryption attacks can be detected when existing signature-based or static analysis-based malware and ransomware file detection methods are used. vulnerable to The detection method proposed in this study extracts the detection result data of the system that can detect malicious code and ransomware among the information protection systems actually used by public institutions, derives various attributes by combining them, and uses a machine learning classification algorithm. Results are derived through experiments on how the derived properties are classified and which properties have a significant effect on the classification result and accuracy improvement. In the experimental results of this paper, although it is different for each algorithm when a specific attribute is included or not, the learning with a specific attribute shows an increase in accuracy, and later detects malicious code and ransomware files and abnormal behavior in the information protection system. It is expected that it can be used for property selection when creating algorithms.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.1
• /
• pp.205-214
• /
• 2019

Android uses app cache files to improve app execution performance. However, this optimization technique may raise security issues that need to be examined. In this paper, we present a practical design of "Android app cache manipulation attack" to intentionally modify the cache files of a target app, which can be misused for stealing personal information and performing malicious activities on target apps. Even though the Android framework uses a checksum-based integrity check to protect app cache files, we found that attackers can effectively bypass such checks via the modification of checksum of the target cache files. To demonstrate the feasibility of our attack design, we implemented an attack tool, and performed experiments with real-world Android apps. The experiment results show that 25 apps (86.2%) out of 29 are vulnerable to our attacks. To mitigate app cache manipulation attacks, we suggest two possible defense mechanisms: (1) checking the integrity of app cache files; and (2) applying anti-decompilation techniques.

• Journal of Internet Computing and Services
• /
• v.19 no.5
• /
• pp.21-31
• /
• 2018

Cyber penetration attacks can not only damage cyber space but can attack entire infrastructure such as electricity, gas, water, and nuclear power, which can cause enormous damage to the lives of the people. Also, cyber space has already been defined as the fifth battlefield, and strategic responses are very important. Most of recent cyber attacks are caused by malicious code, and since the number is more than 1.6 million per day, automated analysis technology to cope with a large amount of malicious code is very important. However, it is difficult to deal with malicious code encryption, obfuscation and packing, and the dynamic analysis technique is not limited to the performance requirements of dynamic analysis but also to the virtual There is a limit in coping with environment avoiding technology. In this paper, we propose a machine learning based malicious code analysis technique which improve the weakness of the detection performance of existing analysis technology while maintaining the light and high-speed analysis performance applicable to commercial endpoints. The results of this study show that 99.13% accuracy, 99.26% precision and 99.09% recall analysis performance of 71,000 normal file and malicious code in commercial environment and analysis time in PC environment can be analyzed more than 5 per second, and it can be operated independently in the endpoint environment and it is considered that it works in complementary form in operation in conjunction with existing antivirus technology and static and dynamic analysis technology. It is also expected to be used as a core element of EDR technology and malware variant analysis.

• Convergence Security Journal
• /
• v.6 no.2
• /
• pp.21-29
• /
• 2006

Recently, illegal manipulation and forgery threats on computer softwares are increasing. Specially, forge the code of program and disrupt normal operation using a malicious loader program against the Internet application client. In this paper, we first analyze and generate signatures of malicious loader detection. And, we propose a method to secure the application client based on profiling which can detect and filter out abnormal malicious loader requests.

• Proceedings of the Korean Society of Computer Information Conference
• /
• 2010.07a
• /
• pp.281-284
• /
• 2010

스마트 폰 사용자의 증가와 개발자들의 참여가 확대되면서, 다양한 스마트 폰 어플리케이션들이 배포되고 있다. 스마트 폰의 운영체제 공급자들은 개발된 어플리케이션을 직접 또는 개발자에게 위임하여 테스트하고 어플리케이션 설치파일의 코드를 서명하여 사용자에게 배포한다. 여기서 코드 서명은 개발자의 확인과 동시에 어플리케이션이 배포과정에서 수정되지 않았음을 보장한다. 사용자 측면에서는 이런 서명이 어플리케이션의 안전성을 판단 할 수 있는 유일한 기준이 된다. 하지만, 코드 서명을 우회하거나 어플리케이션의 설치파일 코드를 수정할 수 있는 방법이 나타나게 되었고, 이것은 사용자가 악성 프로그램을 설치하는 보안 문제로 이어질 수 있다. 본 논문에서는 각 스마트 폰 운영체제별, 어플리케이션의 안전하지 못한 코드 서명으로 발생하는 보안문제를 서술하고, 스마트 폰 어플리케이션의 안전한 코드 서명을 위해 필요한 요구사항에 대해서 논의한다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2024.05a
• /
• pp.341-344
• /
• 2024

최근 랜섬웨어의 유포 증가로 인한 금전적 피해가 전세계적으로 급증하고 있다. 랜섬웨어는 사용자의 데이터를 암호화하여 금전을 요구하거나, 사용자의 중요하고 민감한 데이터를 파괴하여 사용하지 못하도록 피해를 입힌다. 이러한 피해를 막기 위해 파일의 API calls 이나, opcode 를 이용하는 탐지 및 분류 연구가 활발하게 진행되고 있다. 본 논문에서는 랜섬웨어를 효과적으로 탐지하기 위해 파일 PE 기능 값을 PCA 와 Wrapper 방법으로 데이터 전처리 후 머신러닝으로 학습하고, 학습한 모델을 활용하여 랜섬웨어를 정상과 악성으로 분류하는 방법을 제안한다. 제안한 방법으로 실험 결과 RF 는 98.25%, DT 96.25%, SVM 95%, NB 83%의 분류 정확도를 보였으며, RF 모델에서 가장 높은 분류 정확도를 달성하였다.