• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.1
• /
• pp.91-101
• /
• 2017

API call sequence analysis is a kind of analysis using API call information extracted in target program. Compared to other techniques, this is advantageous as it can characterize the behavior of the target. However, existing API call sequence analysis has an issue of identifying same characteristics to different function during the analysis. To resolve the identification issue and improve performance of analysis, this study includes the method of API abstraction technique in addition to existing analysis. From there on, similarity between target programs is computed and clustered into similar types by applying LSH to abstracted API call sequence from analyzed target. Thus, this study can attribute in improving the accuracy of the malware analysis based on discovered information on the types of malware identified.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.33 no.12B
• /
• pp.1112-1122
• /
• 2008

This paper reviews the Parlay X and proposes SIP multimedia session control mechanism which is able to be implemented over IMS using Extended Call Control APIs of Parlay X. Parlay X is one of the industrial standards of Open API in the telecommunication to open network resources and capabilities to third party service providers. In this paper, SIP session control mechanism is described by depicting call flows of basic and essential session handling methods including session initiation, transfer, restoration, and termination. We also show how easy Parlay X Extended Call Control APIs can be used for the purpose of complicated calls handling in the IT applications. To verify feasibility of the blended services based on convergence of telecommunication and internet with regard to performance, we accomplish experimental performance of Extended Call Control APIs from IT application through open service gateway. We show Open API could be applied to next generation network based on IMS without serious degradation of the network performance.

• Journal of the Korea Society of Computer and Information
• /
• v.27 no.11
• /
• pp.123-130
• /
• 2022

Recently, studies on the detection and classification of Android malware based on API Call sequence have been actively carried out. However, API Call sequence based malware classification has serious limitations such as excessive time and resource consumption in terms of malware analysis and learning model construction due to the vast amount of data and high-dimensional characteristic of features. In this study, we analyzed various classification models such as LightGBM, Random Forest, and k-Nearest Neighbors after significantly reducing the dimension of features using PCA(Principal Component Analysis) for CICAndMal2020 dataset containing vast API Call information. The experimental result shows that PCA significantly reduces the dimension of features while maintaining the characteristics of the original data and achieves efficient malware classification performance. Both binary classification and multi-class classification achieve higher levels of accuracy than previous studies, even if the data characteristics were reduced to less than 1% of the total size.

• Journal of the Korea Society of Computer and Information
• /
• v.26 no.11
• /
• pp.41-49
• /
• 2021

All application programs, including malware, call the Application Programming Interface (API) upon execution. Recently, using those characteristics, attempts to detect and classify malware based on API Call information have been actively studied. However, datasets containing API Call information require a large amount of computational cost and processing time. In addition, information that does not significantly affect the classification of malware may affect the classification accuracy of the learning model. Therefore, in this paper, we propose a method of extracting a essential feature set after reducing the dimensionality of API Call information by applying various feature selection methods. We used CICAndMal2020, a recently announced Android malware dataset, for the experiment. After extracting the essential feature set through various feature selection methods, Android malware classification was conducted using CNN (Convolutional Neural Network) and the results were analyzed. The results showed that the selected feature set or weight priority varies according to the feature selection methods. And, in the case of binary classification, malware was classified with 97% accuracy even if the feature set was reduced to 15% of the total size. In the case of multiclass classification, an average accuracy of 83% was achieved while reducing the feature set to 8% of the total size.

• Proceedings of the Korean Society of Computer Information Conference
• /
• 2022.07a
• /
• pp.249-250
• /
• 2022

최근 API Call을 기반으로 하는 악성코드 탐지 및 분류에 대한 연구가 활발히 진행되고 있다. 그러나 API Call 기반의 데이터는 방대한 양과 다양한 차원의 특성으로 인해 분석과 학습 모델 구축 측면에서 비효율적인 한계가 있다. 이에 본 연구에서는 방대한 API Call 정보를 포함하고 있는 CICAndMal2020 데이터 세트를 대상으로 기존의 특성 선택 기법이 아닌 주성분 분석(Principal Component Analysis)을 사용하여 차원을 대폭 축소 시킨 후 머신러닝 기법을 적용하여 분류를 시도하였다. 실험 결과 전체 9,503개의 특성을 25개의 주성분(전체 대비 약 0.26% 수준)으로 축소시키고 다중 분류 기준 약 84%의 정확도를 나타냈다. 결과적으로 기존 연구에서의 탐지 모델 대비 정확도, F1-score 등의 성능 향상은 물론 차원 축소 측면에서 매우 향상된 결과를 달성하였다.

• Journal of KIISE
• /
• v.44 no.11
• /
• pp.1165-1177
• /
• 2017

Many developers utilize specific APIs to develop software, and to identify the use of a particular API, a developer can refer to a website that provides the API or can retrieve the API from the web. However, the site that provides the API does not necessarily provide guidance on how to use it while it can be partially provided in many other cases. In this paper, we propose a novel system JACE (Java AST collocation-pattern extractor) as a method to reuse commonly-used code as a supplement. The JACE extracts the API call nodes, collocation patterns and analyzes the relations between the collocations to extract significant API patterns from the source code. The following experiment was performed to verify the accuracy of a defined pattern: 794 open source projects were analyzed to extract about 15M API call nodes. Then, the Eclipse plug-in test program was utilized to retrieve the pattern using the top 10 classes of API call nodes. Finally, the code search results from reference pages of the API classes and the Searchcode [1] were compared with the test program results.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.4
• /
• pp.629-635
• /
• 2022

Cyber threats are also increasing with recent social changes and the development of ICT technology. Malicious codes used in cyber threats are becoming more advanced and intelligent, such as analysis environment avoidance technology, concealment, and fileless distribution, to make analysis difficult. Machine learning technology is being used to effectively analyze these malicious codes, but a lot of effort is needed to increase the accuracy of classification. In this paper, we propose a malicious code detection technology based on API call interval characteristics to improve the classification performance of machine learning. The proposed technology uses API call characteristics for each section and entropy of binary to separate characteristic factors into sections based on the extraction malicious code and API call order of normal binary. It was verified that malicious code can be well analyzed using the support vector machine (SVM) algorithm for the extracted characteristic factors.

• Journal of KIISE:Software and Applications
• /
• v.36 no.9
• /
• pp.767-776
• /
• 2009

A software birthmark is a set of characteristics that are extracted from a program itself to detect code theft. A dynamic API birthmark is extracted from the run-time API call sequences of a program. The dynamic Windows API birthmarks of Tamada et al. are extracted from API call sequences during the startup period of a program. Therefore. the dynamic birthmarks cannot reflect characteristics of main functions of the program. In this paper. we propose a functional unit birthmark(FDAPI) that is defined as API call sequences recorded during the execution of essential functions of a program. To find out that some functional units of a program are copied from an original program. two FDAPIs are extracted by executing the programs with the same input. The FDAPIs are compared using the semi-global alignment algorithm to compute a similarity between two programs. Programs with the same functionality are compared to show credibility of our birthmark. Binary executables that are compiled differently from the same source code are compared to prove resilience of our birthmark. The experimental result shows that our birthmark can detect module theft of software. to which the existing birthmarks of Tamada et al. cannot be applied.

• Journal of the Korea Society of Computer and Information
• /
• v.28 no.10
• /
• pp.155-161
• /
• 2023

In this paper, we present a WebRTC-based emergency video call system structure that builds a service system in a constant monitoring environment to increase the usability and stability of elevator emergency call devices. The proposed system provides a smooth call environment between the emergency call system in the elevator and maintenance managers in case of an emergency, performs rapid response processing to elevator emergency calls through monitoring of the target elevator, and handles any emergency calls that may occur in the physical space of the elevator. The purpose is to build an environment that can implement low-latency, real-time video call services of voice and video by overcoming the physical constraints required for video calls. To this end, we have established a service environment based on OpenAPI, which is currently used in various fields and its performance has been proven, and provides video calls and emergency situation dissemination through rapid messaging by providing low-latency call quality. The presented system structure will be able to provide a basis for expanding various functions and constructing a reliable service environment and intelligent model for the elevator system through combination with the elevator control panel and various devices.

• KIISE Transactions on Computing Practices
• /
• v.21 no.3
• /
• pp.263-268
• /
• 2015

Malware variations could be defined as malicious executable files that have similar functions but different structures. In order to classify the variations, this paper analyzed sequence alignment, the method used in Bioinformatics. This method found common parts of the Malwares' API call information. This method's performance is dependent on the API call information's length; if the length is too long, the performance should be very poor. Therefore we removed the repeated patterns in API call information in order to improve the performance of sequence alignment analysis, before the method was applied. Finally the similarity between malware was analyzed using sequence alignment. The experimental results with the real malware samples were presented.