• Title/Summary/Keyword: 악성 프로세스

Search Result 54, Processing Time 0.031 seconds

A Method to Collect Trusted Processes for Application Whitelisting in macOS (macOS 운영체제에서 화이트리스트 구축을 위한 신뢰 프로세스 수집 연구)

  • Youn, Jung-moo;Ryu, Jae-cheol
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.28 no.2
    • /
    • pp.397-405
    • /
    • 2018
  • Blacklist-based tools are most commonly used to effectively detect suspected malicious processes. The blacklist-based tool compares the malicious code extracted from the existing malicious code with the malicious code. Therefore, it is most effective to detect known malicious codes, but there is a limit to detecting malicious code variants. In order to solve this problem, the necessity of a white list-based tool, which is the opposite of black list, has emerged. Whitelist-based tools do not extract features of malicious code processes, but rather collect reliable processes and verify that the process that checks them is a trusted process. In other words, if malicious code is created using a new vulnerability or if variant malicious code appears, it is not in the list of trusted processes, so it can effectively detect malicious code. In this paper, we propose a method for effectively building a whitelist through research that collects reliable processes in the macOS operating system.

Proposal of Process Hollowing Attack Detection Using Process Virtual Memory Data Similarity (프로세스 가상 메모리 데이터 유사성을 이용한 프로세스 할로윙 공격 탐지)

  • Lim, Su Min;Im, Eul Gyu
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.29 no.2
    • /
    • pp.431-438
    • /
    • 2019
  • Fileless malware uses memory injection attacks to hide traces of payloads to perform malicious works. During the memory injection attack, an attack named "process hollowing" is a method of creating paused benign process like system processes. And then injecting a malicious payload into the benign process allows malicious behavior by pretending to be a normal process. In this paper, we propose a method to detect the memory injection regardless of whether or not the malicious action is actually performed when a process hollowing attack occurs. The replication process having same execution condition as the process of suspending the memory injection is executed, the data set belonging to each process virtual memory area is compared using the fuzzy hash, and the similarity is calculated.

A Novel Process Design for Analyzing Malicious Codes That Bypass Analysis Techniques (분석기법을 우회하는 악성코드를 분석하기 위한 프로세스 설계)

  • Lee, Kyung-Roul;Lee, Sun-Young;Yim, Kang-Bin
    • Informatization Policy
    • /
    • v.24 no.4
    • /
    • pp.68-78
    • /
    • 2017
  • Malicious codes are currently becoming more complex and diversified, causing various problems spanning from simple information exposure to financial or psychologically critical damages. Even though many researches have studied using reverse engineering to detect these malicious codes, malicious code developers also utilize bypassing techniques against the code analysis to cause obscurity in code understanding. Furthermore, rootkit techniques are evolving to utilize such bypassing techniques, making it even more difficult to detect infection. Therefore, in this paper, we design the analysis process as a more agile countermeasure to malicious codes that bypass analysis techniques. The proposed analysis process is expected to be able to detect these malicious codes more efficiently.

IoT 장비에 대한 악성 프로세스 실행 제어 제품 시험방법 연구

  • Park, Myungseo;Kim, Jongsung
    • Review of KIISC
    • /
    • v.27 no.6
    • /
    • pp.29-32
    • /
    • 2017
  • 현대 사회에서 주요 사회적 이슈가 되는 CCTV, 네트워크 프린터, 스마트 가전기기 등 IoT 장비 해킹 사고의 발생 횟수 및 피해 규모는 지속적으로 증가하고 있다. 최근 침해사고 사례를 살펴보면, 엔드포인트에 해당하는 IoT 장비의 허술한 보안대책으로 인하여 악성코드 설치 및 실행을 탐지하지 못한 피해가 대부분이다. 이로 인해 IoT 장비에 대한 악성 프로세스 실행 제어 제품이 개발되어 도입되는 추세이지만, 아직까지 안전성 평가에 대한 연구가 부족한 실정이다. 따라서 본 논문에서는 IoT 장비에 대한 악성 프로세스 실행 제어 제품의 기본 보안요구사항을 식별하고, 필요한 시험항목과 시험 시 유의사항에 대해 제안한다.

A Study on the Tracking and Blocking of Malicious Actors through Thread-Based Monitoring (스레드 기반 모니터링을 통한 악의적인 행위 주체 추적 및 차단에 관한 연구)

  • Ko, Boseung;Choi, Wonhyok;Jeong, Dajung
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.30 no.1
    • /
    • pp.75-86
    • /
    • 2020
  • With the recent advancement of malware, the actors performing malicious tasks are often not processes. Malicious code injected into the process that is installed by default in the operating system works thread by thread in the same way as DLL / code injection. In this case, diagnosing and blocking the process as malicious can cause serious problems with system operation. This white paper lists the problems of how to use process-based monitoring information to identify and block the malicious state of a process and presents an improved solution.

보안 에이전트 기반의 악성프로세스 검출 시스템 모델

  • Choe, Seong-Muk;Jo, Hui-Hun;Kim, Jong-Bae
    • Proceedings of the Korean Institute of Information and Commucation Sciences Conference
    • /
    • 2015.05a
    • /
    • pp.706-707
    • /
    • 2015
  • 최근 인터넷 사용이 급증함에 따라 통신망을 통한 악성코드의 감염 경로가 다양해지고 있다. 특히, 봇(Bot)에 의한 공격은 주로 C&C(command-and-control)서버에서 이루어지는데, C&C서버가 IP 형태로 운영되므로 IP를 차단하는 방식을 통해 보안을 유지할 수밖에 없었다. 그러나 공격자들 역시 이러한 서버 차단을 회피하기 위해 우회적인 방법으로 접속을 시도하는 등 차츰 지능화되고 있다. 이러한 악성코드는 사용자의 시스템에 침입하면, 실행이 되는 동안 일반적인 검출방법으로는 검출해 내기가 쉽지 않다. 따라서 본 논문에서는 악성코드 감염에 의한 피해 확산을 방지하기 위해 보안에 이전트 기반의 악성프로세스 검출시스템 모델을 제시하고자 한다.

  • PDF

A Study on Similarity Comparison for File DNA-Based Metamorphic Malware Detection (파일 DNA 기반의 변종 악성코드 탐지를 위한 유사도 비교에 관한 연구)

  • Jang, Eun-Gyeom;Lee, Sang Jun;Lee, Joong In
    • Journal of the Korea Society of Computer and Information
    • /
    • v.19 no.1
    • /
    • pp.85-94
    • /
    • 2014
  • This paper studied the detection technique using file DNA-based behavior pattern analysis in order to minimize damage to user system by malicious programs before signature or security patch is released. The file DNA-based detection technique was applied to defend against zero day attack and to minimize false detection, by remedying weaknesses of the conventional network-based packet detection technique and process-based detection technique. For the file DNA-based detection technique, abnormal behaviors of malware were splitted into network-related behaviors and process-related behaviors. This technique was employed to check and block crucial behaviors of process and network behaviors operating in user system, according to the fixed conditions, to analyze the similarity of behavior patterns of malware, based on the file DNA which process behaviors and network behaviors are mixed, and to deal with it rapidly through hazard warning and cut-off.

A Malicious Process Control System for Protecting Servers from Internet Worm Attacks (인터넷 웜 공격으로부터 서버를 보호하기 위한 악성 프로세스 제어 시스템)

  • Kim, Ik-Su
    • The Journal of Korean Institute of Communications and Information Sciences
    • /
    • v.35 no.3B
    • /
    • pp.431-439
    • /
    • 2010
  • The security systems using signatures cannot protect servers from new types of Internet worms. To protect servers from Internet worms, this paper proposes a system removing malicious processes and executable files without using signatures. The proposed system consists of control servers which offer the same services as those on protected servers, and agents which are installed on the protected servers. When a control server detects multicasting attacks of Internet worm, it sends information about the attacks to an agent. The agent kills malicious processes and removes executable files with this information. Because the proposed system do not use signatures, it can respond to new types of Internet worms effectively. When the proposed system is integrated with legacy security systems, the security of the protected server will be further enhanced.

Security Framework for Improving the Performance of the Malicious Process Control System (악성 프로세스 제어 시스템의 성능 향상을 위한 보안 프레임워크)

  • Kim, Iksu;Choi, Jongmyung
    • Journal of Internet Computing and Services
    • /
    • v.14 no.2
    • /
    • pp.61-71
    • /
    • 2013
  • Until now, there have been various studies against Internet worms. Most of intrusion detection and prevention systems against Internet worms use detection rules, but these systems cannot respond to new Internet worms. For this reason, a malicious process control system which uses the fact that Internet worms multicast malicious packets was proposed. However, the greater the number of servers to be protected increases the cost of the malicious process control system, and the probability of detecting Internet worms attacking only some predetermined IP addresses is low. This paper presents a security framework that can reduce the cost of the malicious process control system and increase the probability of detecting Internet worms attacking only some predetermined IP addresses. In the proposed security framework, virtual machines are used to reduce the cost of control servers and unused IP addresses are used to increase the probability of detecting Internet worms attacking only some predetermined IP addresses. Therefore the proposed security framework can effectively respond to a variety of new Internet worms at lower cost.

Suspicious Process Detection Based on Nearest Neighbors (최근접 이웃 방법에 기반한 비정상 프로세스의 검출)

  • Dongho Jeong;Sangchul Song;Sang-Wook Kim
    • Proceedings of the Korea Information Processing Society Conference
    • /
    • 2023.05a
    • /
    • pp.392-393
    • /
    • 2023
  • 매년 급증하는 악성코드(malware)로 인해 기업, 공공기관 등 다수의 PC가 있는 대상까지 피해 사례가 늘고 있다. 악성코드로 인한 침해사고 흔적에서 비정상적인 동작을 한 프로세스를 찾는 기술은 해당 PC의 침해 여부 판단, 사후 대응 등 사이버 보안에 기여할 수 있을 것이다. 본 연구에서는 최근접 이웃 방법을 활용하여 시스템 메모리 데이터에서 비정상 프로세스를 검출하는 방안을 제시한다. 또한 실험을 통해 제안 방법이 정확도 및 여러 지표에서 우수한 성능을 달성함을 보였다.