• Title/Summary/Keyword: packing technique (패킹기법)

A Cyclic Sliced Partitioning Method for Packing High-dimensional Data (고차원 데이타 패킹을 위한 주기적 편중 분할 방법)

  • 김태완;이기준
    • Journal of KIISE:Databases / v.31 no.2 / pp.122-131 / 2004
  • Traditional works on indexing have been suggested for low dimensional data under dynamic environments. But recent database applications require efficient processing of huge size of high dimensional data under static environments. Thus many indexing strategies suggested especially in partitioning ones do not adapt to these new environments. In our study, we point out these facts and propose a new partitioning strategy, which complies with new applications' requirements and is derived from analysis. As a preliminary step to propose our method, we apply a packing technique on the one hand and exploit observations on the Minkowski-sum cost model on the other, under uniform data distribution. Observations predict that unbalanced partitioning strategy may be more query-efficient than balanced partitioning strategy for high dimensional data. Thus we propose our method, called CSP (Cyclic Sliced Partitioning method). Analysis on this method explicitly suggests metrics on how to partition high dimensional data. By the cost model, simulations, and experiments, we show excellent performance of our method over balanced strategy. By experimental studies on other indices and packing methods, we also show the superiority of our method.

A Method of Hole Filling for Atlas Generation in Immersive Video Coding (몰입형 비디오 부호화의 아틀라스 생성을 위한 홀 채움 기법)

  • Lim, Sung-Gyun;Lee, Gwangsoon;Kim, Jae-Gon
    • Proceedings of the Korean Society of Broadcast Engineers Conference / 2021.06a / pp.75-77 / 2021
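  • The MPEG video group is developing the MIV (MPEG Immersive Video) standard for efficient coding of immersive video, together with a test model called TMIV (Test Model for Immersive Video), as a standard for rendering a desired view while providing motion parallax within a limited 3D space. Because a large number of view videos are needed to provide an immersive visual experience, compressing the vast amount of video with high efficiency is unavoidable. TMIV reduces the number of pixels to be coded by converting multiple input view videos into a small number of atlas videos. An atlas is a video in which a small number of selected basic view videos, and the regions of the remaining additional view videos that cannot be synthesized from the basic views, are made into patches and packed. In this paper, we propose a technique that fills the small holes arising within patches for more efficient coding of atlas videos. The proposed technique shows a BD-rate improvement of 1.2% compared to the existing TMIV8.0.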

Image-Based Machine Learning Model for Malware Detection on LLVM IR (LLVM IR 대상 악성코드 탐지를 위한 이미지 기반 머신러닝 모델)

  • Kyung-bin Park;Yo-seob Yoon;Baasantogtokh Duulga;Kang-bin Yim
    • Journal of the Korea Institute of Information Security & Cryptology / v.34 no.1 / pp.31-40 / 2024
  • Recently, static analysis-based signature and pattern detection technologies have limitations due to the advanced IT technologies. Moreover, it is a compatibility problem of multiple architectures and an inherent problem of signature and pattern detection. Malicious codes use obfuscation and packing techniques to hide their identity, and they also avoid existing static analysis-based signature and pattern detection techniques such as code rearrangement, register modification, and branching statement addition. In this paper, we propose an LLVM IR image-based automated static analysis of malicious code technology using machine learning to solve the problems mentioned above. Whether binary is obfuscated or packed, it's decompiled into LLVM IR, which is an intermediate representation dedicated to static analysis and optimization. Therefore, the LLVM IR code is converted into an image before being fed to the CNN-based transfer learning algorithm ResNet50v2 supported by Keras. As a result, we present a model for image-based detection of malicious code.

A Method Verifying Execution Environment Integrity for Secure Execution of Packed Android Application (패킹된 안드로이드 어플리케이션의 안전한 실행을 위한 실행 환경 무결성 검증 기법)

  • Ha, Dongsoo;Oh, Heekuck
    • Journal of the Korea Institute of Information Security & Cryptology / v.28 no.6 / pp.1553-1561 / 2018
  • The source code for Android is open and easy to modify depending on the purpose. Recently, this characteristic has been exploited to bypass the runtime protection technique and extract the original executable code. Unfortunately, Android devices are so fragmented that it is difficult to verify the integrity of the system. To solve this problem, this paper proposes a technique to verify the integrity of the execution environment indirectly using the features of the application permission. Before executing the original executable code, it loads and executes the dummy DEX file to monitor for abnormal events and determine whether the system is intact. The proposed technique shows a performance overhead of about 2 seconds and shows that it can detect the bypassing technique that is currently disclosed.

Improved Original Entry Point Detection Method Based on PinDemonium (PinDemonium 기반 Original Entry Point 탐지 방법 개선)

  • Kim, Gyeong Min;Park, Yong Su
    • KIPS Transactions on Computer and Communication Systems / v.7 no.6 / pp.155-164 / 2018
  • Many malicious programs have been compressed or encrypted using various commercial packers to prevent reverse engineering, so malicious code analysts must decompress or decrypt them first. The OEP (Original Entry Point) is the address of the first instruction executed after returning the encrypted or compressed executable file back to the original binary state. Several unpackers, including PinDemonium, execute the packed file and keep track of the addresses until the OEP appears and find the OEP among the addresses. However, instead of finding exactly one OEP, unpackers provide a relatively large set of OEP candidates and sometimes the OEP is missing among the candidates. In other words, existing unpackers have difficulty in finding the correct OEP. We have developed a new tool which provides fewer OEP candidate sets by adding two methods based on the property of the OEP. In this paper, we propose two methods to provide fewer OEP candidate sets by using the property that the function call sequence and parameters are the same between the packed program and the original program. The first way is based on a function call. Programs written in the C/C++ language are compiled to translate languages into binary code. Compiler-specific system functions are added to the compiled program. After examining these functions, we have added a method that we suggest to PinDemonium to detect the unpacking work by matching the patterns of system functions that are called in packed programs and unpacked programs. The second way is based on parameters. The parameters include not only the user-entered inputs, but also the system inputs. We have added a method that we suggest to PinDemonium to find the OEP using the system parameters of a particular function in stack memory. OEP detection experiments were performed on sample programs packed by 16 commercial packers. We can reduce the OEP candidates by more than 40% on average compared to PinDemonium, except for 2 commercial packers which cannot be executed due to the anti-debugging technique.

Neural Network-Based Post Filtering of Atlas for Immersive Video Coding (몰입형 비디오 부호화를 위한 신경망 기반 아틀라스 후처리 필터링)

  • Lim, Sung-Gyun;Lee, Kun-Woo;Kim, Jeong-Woo;Yoon, Yong-Uk;Kim, Jae-Gon
    • Proceedings of the Korean Society of Broadcast Engineers Conference / 2022.06a / pp.239-241 / 2022
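  • The MIV (MPEG Immersive Video) standard efficiently compresses views from various positions in a limited 3D space and provides users with six-degrees-of-freedom (6DoF) immersion for arbitrary positions and directions. TMIV (Test Model for Immersive Video), the reference software of MIV, removes the redundant regions among the input views from multiple viewpoints, makes the remaining regions into patches, packs them to generate an atlas, and compresses and transmits it. Unlike ordinary images, atlas images contain many discontinuities, which greatly degrades coding efficiency. In this paper, we present a neural-network-based post-filtering technique to reduce the coding loss of atlas images. The proposed technique shows improved reconstruction quality of the atlas compared with the existing TMIV.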

Obfuscated malware detection Approach using Dynamic and Static Analysis Data and Deep Learning (동적-정적 분석 데이터와 딥러닝을 이용한 난독화된 악성코드 탐지 기법)

  • Hae-Soo Kim;Mi-Hui Kim
    • Proceedings of the Korea Information Processing Society Conference / 2023.05a / pp.131-133 / 2023
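  • Malware distribution is evolving toward methods that delay analysis by taking measures so that the presence of malware cannot be determined from the program code alone. Static analysis, which analyzes only the code and structure without executing the malware, cannot identify such malware, so dynamic analysis, which analyzes the code by executing it directly, must be used. In this paper, we propose a technique for detecting obfuscated and packed malware through dynamic-static analysis data and a deep learning model, using dynamic analysis data obtained by directly executing obfuscated abnormal code and static analysis data obtained by extracting information on unusual sections.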

Reliable Dynamic TDMA Scheme with new Packing method for Image Transmission over Link-16 (Link-16에서 이미지 전송을 위한 신뢰성 기반의 동적 TDMA 기법과 새로운 패킹 방법)

  • Baek, Hoki;Lim, Jaesung;Koo, Jayeul;Jin, Jeonghwan;Chun, Philseong;Oh, Ilhyuk
    • The Journal of Korean Institute of Communications and Information Sciences / v.37C no.11 / pp.1045-1053 / 2012
  • Link-16 is a widely used TDL (Tactical Data Link) which uses TDMA (Time Division Multiple Access). Link-16 is a very low rate system, so it supports small-sized data like tactical messages and voice. However, recently there are related works to transmit situation awareness information like images due to the increasing interest in EBO (Effect-Based Operation). Special TDMA scheduling, not the static TDMA of Link-16, is needed for image transmission because image data has a much larger size than the existing tactical data. In this paper, we proposed Link-16K which enhances the Link-16 MAC. The proposed Link-16K is compatible with Link-16, and includes dynamic TDMA, a new packing method, and an efficient retransmission scheme for effective image transmission. We can see that image transmission delay is reduced and channel utilization is increased through simulation results of the proposed idea.

Fast Hilbert R-tree Bulk-loading Scheme using GPGPU (GPGPU를 이용한 Hilbert R-tree 벌크로딩 고속화 기법)

  • Yang, Sidong;Choi, Wonik
    • Journal of KIISE / v.41 no.10 / pp.792-798 / 2014
  • In spatial databases, R-tree is one of the most widely used indexing structures and many variants have been proposed for its performance improvement. Among these variants, Hilbert R-tree is a representative method using Hilbert curve to process large amounts of data without high cost split techniques to construct the R-tree. This Hilbert R-tree, however, is hardly applicable to large-scale applications in practice mainly due to high pre-processing costs and slow bulk-load time. To overcome the limitations of Hilbert R-tree, we propose a novel approach for parallelizing Hilbert mapping and thus accelerating bulk-loading of Hilbert R-tree on GPU memory. Hilbert R-tree based on GPU improves bulk-loading performance by applying the inversed-cell method and exploiting parallelism for packing the R-tree structure. Our experimental results show that the proposed scheme is up to 45 times faster compared to the traditional CPU-based bulk-loading schemes.

A Study on Machine Learning Based Anti-Analysis Technique Detection Using N-gram Opcode (N-gram Opcode를 활용한 머신러닝 기반의 분석 방지 보호 기법 탐지 방안 연구)

  • Kim, Hee Yeon;Lee, Dong Hoon
    • Journal of the Korea Institute of Information Security & Cryptology / v.32 no.2 / pp.181-192 / 2022
  • The emergence of new malware is incapacitating existing signature-based malware detection techniques, and applying various anti-analysis techniques makes it difficult to analyze. Recent studies related to signature-based malware detection have limitations in that malware creators can easily bypass them. Therefore, in this study, we try to build a machine learning model that can detect and classify the anti-analysis techniques of packers applied to malware, not using the characteristics of the malware itself. In this study, the n-gram opcodes are extracted from the malicious binary to which various anti-analysis techniques of the commercial packers are applied, and the features are extracted by using TF-IDF, and through this, each anti-analysis technique is detected and classified. In this study, real-world malware samples packed using Themida and VMProtect with multiple anti-analysis techniques were trained and tested with 6 machine learning models, and it constructed the optimal model showing 81.25% accuracy for Themida and 95.65% accuracy for VMProtect.