• Journal of Information Processing Systems
• /
• v.7 no.1
• /
• pp.173-186
• /
• 2011

Due to the disadvantages of signature-based computer virus detection techniques, behavior-based detection methods have developed rapidly in recent years. However, current popular behavior-based detection methods only take API call sequences as program behavior features and the difference between API calls in the detection is not taken into consideration. This paper divides virus behaviors into separate function modules by introducing DLLs into detection. APIs in different modules have different importance. DLLs and APIs are both considered program calling resources. Based on the calling relationships between DLLs and APIs, program calling resources can be pictured as a tree named program behavior resource tree. Important block structures are selected from the tree as program behavior features. Finally, a virus detection model based on behavior the resource tree is proposed and verified by experiment which provides a helpful reference to virus detection.

• 제어로봇시스템학회:학술대회논문집
• /
• 2005.06a
• /
• pp.2337-2341
• /
• 2005

This paper presents the target detection method using Support Vector Machines(SVMs) and the navigation system using behavior-based fuzzy controller. SVM is a machine-learning method based on the principle of structural risk minimization, which performs well when applied to data outside the training set. We formulate detection of target objects as a supervised-learning problem and apply SVM to detect at each location in the image whether a target object is present or not. The behavior-based fuzzy controller is implemented as an individual priority behavior: the highest level behavior is target-seeking, the middle level behavior is obstacle-avoidance, the lowest level is an emergency behavior. We have implemented and tested the proposed method in our mobile robot "Pioneer2-AT". Comparing with a neural-network based detection method, a SVM illustrate the excellence of the proposed method.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.15 no.6
• /
• pp.2188-2203
• /
• 2021

With the rapid development of mobile Internet, smart phones have been widely popularized, among which Android platform dominates. Due to it is open source, malware on the Android platform is rampant. In order to improve the efficiency of malware detection, this paper proposes deep learning Android malicious detection system based on behavior features. First of all, the detection system adopts the static analysis method to extract different types of behavior features from Android applications, and extract sensitive behavior features through Term frequency-inverse Document Frequency algorithm for each extracted behavior feature to construct detection features through unified abstract expression. Secondly, Long Short-Term Memory neural network model is established to select and learn from the extracted attributes and the learned attributes are used to detect Android malicious applications, Analysis and further optimization of the application behavior parameters, so as to build a deep learning Android malicious detection method based on feature analysis. We use different types of features to evaluate our method and compare it with various machine learning-based methods. Study shows that it outperforms most existing machine learning based approaches and detects 95.31% of the malware.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.14 no.5
• /
• pp.69-78
• /
• 2004

The change of attack techniques paradigm was begun by fast extension of the latest Internet and new attack form appearing. But, Most intrusion detection systems detect only known attack type as IDS is doing based on misuse detection, and active correspondence is difficult in new attack. Therefore, to heighten detection rate for new attack pattern, the experiments to apply various techniques of anomaly detection are appearing. In this paper, we propose an behavior profiling method using Bayesian framework based on graphics from audit data and visualize behavior profile to detect/analyze anomaly behavior. We achieve simulation to translate host/network audit data into BF-XML which is behavior profile of semi-structured data type for anomaly detection and to visualize BF-XML as SVG.

• Proceedings of the Korea Inteligent Information System Society Conference
• /
• 2002.11a
• /
• pp.445-453
• /
• 2002

Past and current customer behavior is the best predicator of future customer behavior. This paper introduces a procedure on personalized defection detection and prevention for an online game site. The basic idea for our defection detection and prevention is adopted from the observation that potential defectors have a tendency to take a couple of months or weeks to gradually change their behavior (i.e. trim-out their usage volume) before their eventual withdrawal. For this purpose, we suggest a SOM (Self-Organizing Map) based procedure to determine the possible states of customer behavior from past behavior data. Based on this representation of the state of behavior, potential defectors are detected by comparing their monitored trajectories of behavior states with frequent and confident trajectories of past defectors. The key feature of this study includes a defection prevention procedure which recommends the desirable behavior state for the ext period so as to lower the likelihood of defection. The defection prevention procedure can be used to design a marketing campaign on an individual basis because it provides desirable behavior patterns for the next period. The experiments demonstrate that our approach is effective for defection prevention and efficient for defection detection because it predicts potential defectors without deterioration of prediction accuracy compared to that of the MLP (Multi-Layer Perceptron) neural network.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.8 no.3
• /
• pp.965-983
• /
• 2014

Concurrent behaviors of multithreaded programs cannot be described effectively by automata-based models. Thus, concurrent program intrusion attempts cannot be detected. To address this problem, we proposed the process algebra-based detection model for multithreaded programs (PADMP). We generate process expressions by static binary code analysis. We then add concurrency operators to process expressions and propose a model construction algorithm based on process algebra. We also present a definition of process equivalence and behavior detection rules. Experiments demonstrate that the proposed method can accurately detect errors in multithreaded programs and has linear space-time complexity. The proposed method provides effective support for concurrent behavior modeling and detection.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.9 no.2
• /
• pp.659-679
• /
• 2015

Distributed applications are composed of multiple nodes, which exchange information with individual nodes through message passing. Compared with traditional applications, distributed applications have more complex behavior patterns because a large number of interactions and concurrent behaviors exist among their distributed nodes. Thus, it is difficult to detect anomalous behaviors and determine the location and scope of abnormal nodes, and some attacks and misuse cannot be detected. To address this problem, we introduce a method for detecting anomalous behaviors based on process algebra. We specify the architecture of the behavior detection model and the detection algorithm. The anomalous behavior detection and analysis demonstrate that our method is a good discriminator between normal and anomalous behavior characteristics of distributed applications. Performance evaluation shows that the proposed method enhances efficiency without security degradation.

• The KIPS Transactions:PartC
• /
• v.10C no.4
• /
• pp.397-404
• /
• 2003

Intrusion detection techniques based on program behavior can detect potential intrusions against systems by analyzing system calls made by demon programs or root-privileged programs and building program profiles. But there is a drawback : large profiles must be built for each program. In this paper, we apply $X^2$ distance-based multivariate analysis to profiling program behavior and detecting abnormal behavior in order to reduce profiles. Experiment results show that profiles are relatively small and the detection rate is significant.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.5 no.11
• /
• pp.2191-2203
• /
• 2011

In this paper, we propose a fast and robust algorithm for fighting behavior detection based on Motion Vectors (MV), in order to solve the problem of low speed and weak robustness in traditional fighting behavior detection. Firstly, we analyze the characteristics of fighting scenes and activities, and then use motion estimation algorithm based on block-matching to calculate MV of motion regions. Secondly, we extract features from magnitudes and directions of MV, and normalize these features by using Joint Gaussian Membership Function, and then fuse these features by using weighted arithmetic average method. Finally, we present the conception of Average Maximum Violence Index (AMVI) to judge the fighting behavior in surveillance scenes. Experiments show that the new algorithm achieves high speed and strong robustness for fighting behavior detection in surveillance scenes.

• Journal of KIISE
• /
• v.45 no.3
• /
• pp.294-302
• /
• 2018

With the emergence of the new service industry due to the development of information and communication technology, cyber space risks such as personal information infringement and industrial confidentiality leakage have diversified, and the security problem has emerged as a critical issue. In this paper, we propose a behavior-based anomaly detection method that is suitable for real-time and large-volume data analysis technology. We show that the proposed detection method is superior to existing signature security countermeasures that are based on large-capacity user log data according to in-company personal information abuse and internal information leakage. As the proposed behavior-based anomaly detection method requires a technique for processing large amounts of data, a real-time search engine is used, called Elasticsearch, which is based on an inverted index. In addition, statistical based frequency analysis and preprocessing were performed for data analysis, and the DBSCAN algorithm, which is a density based clustering method, was applied to classify abnormal data with an example for easy analysis through visualization. Unlike the existing anomaly detection system, the proposed behavior-based anomaly detection technique is promising as it enables anomaly detection analysis without the need to set the threshold value separately, and was proposed from a statistical perspective.