• Proceedings of the Korea Information Processing Society Conference
• /
• 2014.11a
• /
• pp.490-491
• /
• 2014

쿠쿠 샌드박스(Cuckoo Sandbox)는 가상머신을 이용해 악성코드를 자동으로 동적 분석할 수 있는 도구이다. 우선 악성코드의 MD5값을 이용하여 VirusTotal을 이용해 종류를 분류하고, 쿠쿠 샌드박스로 악성코드 동적을 분석하여 결과파일을 이용해 악성코드에서 호출한 API들에 대한 정보를 추출하고, 다양한 종류별 악성코드 그룹에 대해서 API빈도를 종합하고, 또한 다른 종류군의 악성코드 그룹과 API 빈도를 비교해 특정 종류의 악성코드 그룹에 대한 특징적인 API를 찾아내어 향후 이런 특징 API들을 이용해 악성코드의 종류를 자동으로 판정하기 위한 방법을 제시한다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2017.11a
• /
• pp.257-258
• /
• 2017

머신러닝 기법을 다양한 분야에 사용되는 연구가 한창이다. 본 논문에서는 악성 코드의 분류 시스템에 머신러닝 기법을 적용하였다. 악성 코드 파일을 적당한 크기로 이미지화하여 텐서 플로우의 인셉션 V3에 적용하였다. 실험 결과, 이미지의 사이즈 조정과 파라미터 조정을 통해 매우 만족할 만한 수준으로 악성 코드를 잘 분류함을 확인할 수 있었다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.5
• /
• pp.839-850
• /
• 2014

As the social and financial damages caused by APT attack such as 3.20 cyber terror are increased, the technical solution against APT attack is required. It is, however, difficult to protect APT attack with existing security equipments because the attack use a zero-day malware persistingly. In this paper, we propose a host based anomaly detection method to overcome the limitation of the conventional signature-based intrusion detection system. First, we defined 39 features to identify between normal and abnormal behavior, and then collected 8.7 million feature data set that are occurred during running both malware and normal executable file. Further, each process is represented as 83-dimensional vector that profiles the frequency of appearance of features. the vector also includes the frequency of features generated in the child processes of each process. Therefore, it is possible to represent the whole behavior information of the process while the process is running. In the experimental results which is applying C4.5 decision tree algorithm, we have confirmed 2.0% and 5.8% for the false positive and the false negative, respectively.

• Journal of Platform Technology
• /
• v.9 no.3
• /
• pp.3-17
• /
• 2021

Advanced persistent threat (APT) attacks are attacks aimed at a particular entity as a set of latent and persistent computer hacking processes. These APT attacks are usually carried out through various methods, including spam mail and disguised banner advertising. The same name is also used for files, since most of them are distributed via spam mail disguised as invoices, shipment documents, and purchase orders. In addition, such Infostealer attacks were the most frequently discovered malicious code in the first week of February 2021. CDR is a 'Content Disarm & Reconstruction' technology that can prevent the risk of malware infection by removing potential security threats from files and recombining them into safe files. Gartner, a global IT advisory organization, recommends CDR as a solution to attacks in the form of attachments. There is a program using CDR techniques released as open source is called 'Dangerzone'. The program supports the extension of most document files, but does not support the extension of HWP files that are widely used in Korea. In addition, Gmail blocks malicious URLs first, but it does not block malicious URLs in mail systems such as Naver and Daum, so malicious URLs can be easily distributed. Based on this problem, we developed a 'Dangerzone' program that supports the HWP extension to prevent APT attacks, and a Chrome extension that performs URL checking in Naver and Daum mail and blocking banner ads.

• KSCI Review
• /
• v.14 no.2
• /
• pp.255-262
• /
• 2006

A Malicious code is used to SMiShing disguised as finance mobile Vishing, using Phishing, Pharming mail, VoIP service etc. to capture of personal information. A Malicious code deletes in Anti-Virus Spyware removal programs. or to cure use. By the way, the Malicious cord which is parasitic as use a DLL Injection technique, and operate are Isass.exe, winlogon.exe. csrss.exe of the window operating system. Be connected to the process that you shall be certainly performed of an exe back, and a treatment does not work. A user forces voluntarily a process, and rebooting occurs, or a blue screen occurs, and Compulsory end, operating system everyone does. Propose a treatment way like a bird curing a bad voice code to use a DLL Injection technique to occur in these fatal results. Click KILL DLL since insert voluntarily an end function to Thread for a new treatment, and Injection did again the Thread which finish an action of DLL, and an end function has as control Thread, and delete. The cornerstone that the treatment way that experimented on at these papers and a plan to solve will become a researcher or the revolutionary dimension that faced of a computer virus, and strengthen economic financial company meeting Ubiquitous Security will become.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2017.10a
• /
• pp.360-361
• /
• 2017

The infrastructure of the country and society is connected to cyberspace. Malicious codes that steal financial information from websites such as plastic surgeons, dentists, and hospitals that are confirmed as IP in Daegu South Korea area are spreading In particular, financial information is an important privacy target. Takeover of financial information leads to personal financial loss. In this paper, we analyze the recent pharming malicious code that takes financial information. Attack files with social engineering methods are spread as executables in the banner, disguised as downloaders. When the user selects the banner, the attack file infects the PC with malicious code to the user. The infected PC takes users to the farming site and seizes financial information and personal security card information. The fraudulent financial information causes a financial loss to the user. The research in this paper will contribute to secure financial security.

• Convergence Security Journal
• /
• v.19 no.1
• /
• pp.11-17
• /
• 2019

Recently, the abuse of Internet technology has caused economic and mental harm to society as a whole. Especially, malicious code that is newly created or modified is used as a basic means of various application hacking and cyber security threats by bypassing the existing information protection system. However, research on small-capacity executable files that occupy a large portion of actual malicious code is rather limited. In this paper, we propose a model that can analyze the characteristics of known small capacity executable files by using data mining techniques and to use them for detecting unknown malicious codes. Data mining analysis techniques were performed in various ways such as Naive Bayesian, SVM, decision tree, random forest, artificial neural network, and the accuracy was compared according to the detection level of virustotal. As a result, more than 80% classification accuracy was verified for 34,646 analysis files.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2018.10a
• /
• pp.306-308
• /
• 2018

This paper proposes a variant malicious code detection algorithm in a mobile environment using a deep learning algorithm. In order to solve the problem of malicious code detection method based on Android, we have proved high detection rate through signature based malicious code detection method and realtime malicious file detection algorithm using machine learning method.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.1
• /
• pp.105-115
• /
• 2019

Recently, intelligent Android malicious codes have become difficult to detect malicious behavior by static analysis alone. Malicious code with SO file, dynamic loading, and string obfuscation are difficult to extract information about original code even with various tools for static analysis. There are many dynamic analysis methods to solve this problem, but dynamic analysis requires rooting or emulator environment. However, in the case of dynamic analysis, malicious code performs the rooting and the emulator detection to bypass the analysis environment. To solve this problem, this paper investigates a variety of root detection schemes and builds an environment for bypassing the rooting detection in real devices. In addition, SDK code hooking module for Android malicious code analysis is designed using Xposed, and intent tracking for code flow, dynamic loading file information, and various API information extraction are implemented. This work will contribute to the analysis of obfuscated information and behavior of Android Malware.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.26 no.5
• /
• pp.1313-1322
• /
• 2016

Recently, many virus and hacking attacks on public organizations and financial institutions by internet are becoming increasingly intelligent and sophisticated. The Advanced Persistent Threat has been considered as an important cyber risk. This attack is basically accomplished by spreading malicious codes through complex networks. To detect and extract PE files in smart manufacturing industry networks, an efficient processing method which is performed before analysis procedure on malicious codes is proposed. We implement a preprocessor of open intrusion detection system Snort for fast extraction of PE files and install on a hardware sensor equipment. As a result of practical experiment, we verify that the network sensor can extract the PE files which are often suspected as a malware.