• Journal of KIISE
• /
• v.45 no.2
• /
• pp.106-112
• /
• 2018

Recently, the number of cyber attacks using malicious code has increased. Various types of malicious code detection techniques have been researched for several years as the damage has increased. In recent years, profiling techniques have been used to identify attack groups. This paper focuses on the identification of attack groups using a detection technique that does not involve malicious code detection. The attacker is identified by using a string or a code signature of the malicious code. In addition, the detection rate is increased by adding a technique to confirm the packing file. We use Yara as a detection technique. We have research about RAT (remote access tool) that is mainly used in attack groups. Further, this paper develops a ruleset using malicious code and packer main feature signatures for RAT which is mainly used by the attack groups. It is possible to detect the attacker by detecting RAT based on the newly created ruleset.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2022.05a
• /
• pp.179-182
• /
• 2022

최근 코로나 19 팬더믹 이후 원격근무의 확대와 더불어 랜섬웨어 팬더믹이 심화하고 있다. 현재 안티바이러스 백신 업체들이 랜섬웨어에 대응하고자 노력하고 있지만, 기존의 파일 시그니처 기반 정적분석은 패킹의 다양화, 난독화, 변종 혹은 신종 랜섬웨어의 등장 앞에 무력화될 수 있고, 실제로 랜섬웨어의 피해 규모 지속 증가가 이를 설명한다. 본 논문에서는 기계학습을 기반으로 한 단일 분석만을 이용하여 탐지모델에 적용하는 것이 아닌 정적 분석 정보(.text Section Opcode)와 동적 분석 정보(Native API)를 추출하고 유사도를 바탕으로 연관성을 찾아 결합하여 기계학습에 적용하는 탐지모델을 제안한다.

• Informatization Policy
• /
• v.24 no.4
• /
• pp.68-78
• /
• 2017

Malicious codes are currently becoming more complex and diversified, causing various problems spanning from simple information exposure to financial or psychologically critical damages. Even though many researches have studied using reverse engineering to detect these malicious codes, malicious code developers also utilize bypassing techniques against the code analysis to cause obscurity in code understanding. Furthermore, rootkit techniques are evolving to utilize such bypassing techniques, making it even more difficult to detect infection. Therefore, in this paper, we design the analysis process as a more agile countermeasure to malicious codes that bypass analysis techniques. The proposed analysis process is expected to be able to detect these malicious codes more efficiently.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.2
• /
• pp.181-192
• /
• 2022

The emergence of new malware is incapacitating existing signature-based malware detection techniques., and applying various anti-analysis techniques makes it difficult to analyze. Recent studies related to signature-based malware detection have limitations in that malware creators can easily bypass them. Therefore, in this study, we try to build a machine learning model that can detect and classify the anti-analysis techniques of packers applied to malware, not using the characteristics of the malware itself. In this study, the n-gram opcodes are extracted from the malicious binary to which various anti-analysis techniques of the commercial packers are applied, and the features are extracted by using TF-IDF, and through this, each anti-analysis technique is detected and classified. In this study, real-world malware samples packed using The mida and VMProtect with multiple anti-analysis techniques were trained and tested with 6 machine learning models, and it constructed the optimal model showing 81.25% accuracy for The mida and 95.65% accuracy for VMProtect.

• KIPS Transactions on Computer and Communication Systems
• /
• v.11 no.10
• /
• pp.363-372
• /
• 2022

Since the recent COVID-19 Pandemic, the ransomware fandom has intensified along with the expansion of remote work. Currently, anti-virus vaccine companies are trying to respond to ransomware, but traditional file signature-based static analysis can be neutralized in the face of diversification, obfuscation, variants, or the emergence of new ransomware. Various studies are being conducted for such ransomware detection, and detection studies using signature-based static analysis and behavior-based dynamic analysis can be seen as the main research type at present. In this paper, the frequency of ".text Section" Opcode and the Native API used in practice was extracted, and the association between feature information selected using K-means Clustering algorithm, Cosine Similarity, and Pearson correlation coefficient was analyzed. In addition, Through experiments to classify and detect worms among other malware types and Cerber-type ransomware, it was verified that the selected feature information was specialized in detecting specific ransomware (Cerber). As a result of combining the finally selected feature information through the above verification and applying it to machine learning and performing hyper parameter optimization, the detection rate was up to 93.3%.

• KIISE Transactions on Computing Practices
• /
• v.24 no.2
• /
• pp.99-104
• /
• 2018

Recently, there are increasing damages by ransomware in the world. Ransomware is a malicious software that infects computer systems and restricts user's access to them by locking the system or encrypting user's files saved in the hard drive. Victims are forced to pay the 'ransom' to recover from the damage and regain access to their personal files. Strong countermeasure is needed due to the extremely vicious way of attack with enormous damage. Malware analysis method can be divided into two approaches: static analysis and dynamic analysis. Recent malwares are usually equipped with elaborate packing techniques which are main obstacles for static analysis of malware. Therefore, this paper suggests a dynamic analysis method to monitor activities of ransomware. The proposed method can analyze ransomwares more accurately. The suggested method is comprised of extracting signatures of benign program, malware, and ransomware, and selecting the most appropriate signatures for ransomware detection.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.6
• /
• pp.1553-1561
• /
• 2018

The source code for Android is open and easy to modify depending on the purpose. Recently, this charateristic has been exploited to bypass the runtime protection technique and extract the original executable code. Unfortunately, Android devices are so fragmented that it is difficult to verify the integrity of the system. To solve this problem, this paper proposes a technique to verify the integrity of the execution environment indirectly using the features of the application permission. Before executing the original executable code, it loads and executes the dummy DEX file to monitor for abnormal events and determine whether the system is intact. The proposed technique shows a performance overhead of about 2 seconds and shows that it can detect the bypassing technique that is currently disclosed.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.5
• /
• pp.1119-1127
• /
• 2018

Most of the cyber attacks are caused by malicious codes. The damage caused by cyber attacks are gradually expanded to IoT and CPS, which is not limited to cyberspace but a serious threat to real life. Accordingly, various malicious code analysis techniques have been appeared. Dynamic analysis have been widely used to easily identify the resulting malicious behavior, but are struggling with an increase in Anti-VM malware that is not working in VM environment detection. On the other hand, static analysis has difficulties in analysis due to various packing techniques. In this paper, we proposed malware classification techniques regardless of known packers or unknown packers through the proposed model. To do this, we designed a model of supervised learning and unsupervised learning for the features that can be used in the PE structure, and conducted the results verification through 98,000 samples. It is expected that accurate analysis will be possible through customized analysis technology for each class.

• Journal of Digital Contents Society
• /
• v.15 no.3
• /
• pp.373-380
• /
• 2014

Malicious codes uses generic unpacking technique to make it hard for analyzers to detect their programs. Recently their has been several researches about generic packet to prevent or detect these techniques. And they try to focus on the codes that repeats while generic packing is doing compression because generic packing technique executes after it is decompressed. And they try to focus on the codes that repeats while generic packing is doing compression because generic packing technique executes after it is decompressed. Therefore, this makes a interesting performance which shows a similar address value from the codes which are repeated several times what is different from the normal program codes. By dividing these codes into regularly separated areas we can find that the generic unpacking codes have a small entropy value compared to normal codes. Using this method, it is possible to identify any program if it is a generic unpacking code or not even though we do not know what kind of algorithm it uses. This paper suggests a way of disarming the generic codes by using the low value entropy value which comes out from the Opcode addresses when generic unpacking codes try to decompress.

• Journal of Internet Computing and Services
• /
• v.19 no.5
• /
• pp.21-31
• /
• 2018

Cyber penetration attacks can not only damage cyber space but can attack entire infrastructure such as electricity, gas, water, and nuclear power, which can cause enormous damage to the lives of the people. Also, cyber space has already been defined as the fifth battlefield, and strategic responses are very important. Most of recent cyber attacks are caused by malicious code, and since the number is more than 1.6 million per day, automated analysis technology to cope with a large amount of malicious code is very important. However, it is difficult to deal with malicious code encryption, obfuscation and packing, and the dynamic analysis technique is not limited to the performance requirements of dynamic analysis but also to the virtual There is a limit in coping with environment avoiding technology. In this paper, we propose a machine learning based malicious code analysis technique which improve the weakness of the detection performance of existing analysis technology while maintaining the light and high-speed analysis performance applicable to commercial endpoints. The results of this study show that 99.13% accuracy, 99.26% precision and 99.09% recall analysis performance of 71,000 normal file and malicious code in commercial environment and analysis time in PC environment can be analyzed more than 5 per second, and it can be operated independently in the endpoint environment and it is considered that it works in complementary form in operation in conjunction with existing antivirus technology and static and dynamic analysis technology. It is also expected to be used as a core element of EDR technology and malware variant analysis.