• Journal of KIISE:Software and Applications
• /
• v.36 no.9
• /
• pp.767-776
• /
• 2009

A software birthmark is a set of characteristics that are extracted from a program itself to detect code theft. A dynamic API birthmark is extracted from the run-time API call sequences of a program. The dynamic Windows API birthmarks of Tamada et al. are extracted from API call sequences during the startup period of a program. Therefore. the dynamic birthmarks cannot reflect characteristics of main functions of the program. In this paper. we propose a functional unit birthmark(FDAPI) that is defined as API call sequences recorded during the execution of essential functions of a program. To find out that some functional units of a program are copied from an original program. two FDAPIs are extracted by executing the programs with the same input. The FDAPIs are compared using the semi-global alignment algorithm to compute a similarity between two programs. Programs with the same functionality are compared to show credibility of our birthmark. Binary executables that are compiled differently from the same source code are compared to prove resilience of our birthmark. The experimental result shows that our birthmark can detect module theft of software. to which the existing birthmarks of Tamada et al. cannot be applied.

• International Journal of Advanced Culture Technology
• /
• v.9 no.4
• /
• pp.288-294
• /
• 2021

There are various ways to be infected with malicious code due to the increase in Internet use, such as the web, affiliate programs, P2P, illegal software, DNS alteration of routers, word processor vulnerabilities, spam mail, and storage media. In addition, malicious codes are produced more easily than before through automatic generation programs due to evasion technology according to the advancement of production technology. In the past, the propagation speed of malicious code was slow, the infection route was limited, and the propagation technology had a simple structure, so there was enough time to study countermeasures. However, current malicious codes have become very intelligent by absorbing technologies such as concealment technology and self-transformation, causing problems such as distributed denial of service attacks (DDoS), spam sending and personal information theft. The existing malware detection technique, which is a signature detection technique, cannot respond when it encounters a malicious code whose attack pattern has been changed or a new type of malicious code. In addition, it is difficult to perform static analysis on malicious code to which code obfuscation, encryption, and packing techniques are applied to make malicious code analysis difficult. Therefore, in this paper, a method to detect malicious code through dynamic analysis and static analysis using Trojan-type Downloader/Dropper malicious code was showed, and suggested to malicious code detection and countermeasures.

• Journal of KIISE:Computing Practices and Letters
• /
• v.14 no.9
• /
• pp.911-915
• /
• 2008

Software birthmark is the inherent characteristics that can identify a program. In this paper, we propose a Java class theft detection technique based on static API traces of class files. We utilize control flow analysis to increase resilience, and we apply the semi-global alignment trace comparison algorithm to increase credibility. The credibility and resilience experiments for XML parsers show that our birthmark is more efficient than existing birthmarks.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.40 no.4
• /
• pp.700-708
• /
• 2015

A software birthmark is the set of characteristics of a program which can be used to identify the program. Many researchers have studied on detecting theft of java programs using some birthmarks. In case of Android apps, code obfuscation techniques are used to protect the apps against reverse-engineering and tampering. However, attackers can also use the obfuscation techniques in order to conceal a stolen program. A birthmark (feature) of an app can be alterable by code obfuscations. Therefore, it is necessary to detect Android app theft based on the birthmark which is resilient to code obfuscation. In this paper, we propose an effective Android app birthmark and app theft detection through the proposed birthmark. By analyzing some obfuscation tools, we have first selected parameter and the return types of methods as an adequate birthmark. Then, we have measured similarity of target apps using the birthmarks extracted from the apps, where some target apps are not obfuscated and the others obfuscated. The measurement results show that our proposed birthmark is effective for detecting Android app theft even though the apps are obfuscated.

• KIPS Transactions on Computer and Communication Systems
• /
• v.2 no.4
• /
• pp.177-180
• /
• 2013

A software birthmark means inherent characteristics that can be used to identify a program. Because the software birthmark is difficult to remove by simple program transformation, it can be used to detect code theft. In this paper, we propose a birthmark technique based on API k-gram of Android applications. Android SDK provides various libraries that help programmers to develop application easily. In order to use Android SDK, we have to use API method calls. The API call instructions are hard to be replaced or removed, so they can be a inherent characteristics of an application. To show the effectiveness of the proposed birthmark, we compared it with previous birthmarks and evaluated it with open source applications. From the experiments, we verified that the credibility and resilience of our birthmark is higher than previous birthmarks.

• Convergence Security Journal
• /
• v.8 no.4
• /
• pp.1-8
• /
• 2008

Not only the recent hacking techniques are becoming more malicious with the sophisticated technology but also its consequences are bringing more damages as the broadband Internet is growing rapidly. These may include invasion of information leakage, or identity theft over the internet. Its intent is very destructive which can result in invasion of information leakage, hacking, one of the most disturbing problems on the net. This thesis describes the technology of how you can effectively analyze and detect these kind of E-Mail malicious codes. This research explains how we can cope with malicious code more efficiently by detection method.

• Journal of the Korea Society of Computer and Information
• /
• v.28 no.7
• /
• pp.85-93
• /
• 2023

Software birthmark refers to a unique feature inherent in software that can be extracted from program binaries even in the absence of the original source code of the program. Like human genetic information, the similarity between programs can be calculated numerically, so it can be used to determine whether software is stolen or copied. In this paper, we propose a new birthmark technique for Android applications developed using Unity. The source codes of Unity-based Android applications use C# language, and since the core logic of the program is included in the DLL module, it must be approached in a different way from normal Android applications. In this paper, a Unity birthmark extraction and comparison system was implemented, and reliability and resilience were evaluated. The use of the Unity birthmark technique proposed in this paper is expected to be effective in preventing illegal copy or code theft of the Unity-based Android applications.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.21 no.4
• /
• pp.61-75
• /
• 2011

Recently, there is significant increasing of massive attacks, which try to infect PCs that visit websites containing pre-implanted malicious code. When visiting the websites, these hidden malicious codes can gain monetary profit or can send various cyber attacks such as BOTNET for DDoS attacks, personal information theft and, etc. Also, this kind of malicious activities is continuously increasing, and their evasion techniques become professional and intellectual. So far, the current signature-based detection to detect websites, which contain malicious codes has a limitation to prevent internet users from being exposed to malicious codes. Since, it is impossible to detect with only blacklist when an attacker changes the string in the malicious codes proactively. In this paper, we propose a novel approach that can detect unknown malicious code, which is not well detected by a signature-based detection. Our method can detect new malicious codes even though the codes' signatures are not in the pattern database of Anti-Virus program. Moreover, our method can overcome various obfuscation techniques such as the frequent change of the included redirection URL in the malicious codes. Finally, we confirm that our proposed system shows better detection performance rather than MC-Finder, which adopts pattern matching, Google's crawling based malware site detection, and McAfee.

• The Journal of the Korea Contents Association
• /
• v.13 no.11
• /
• pp.37-47
• /
• 2013

Recently, lots of research results on program comparison have been reported since the code theft become frequent as the increase of code mobility. This paper proposes a plagiarism detection method using class structures. The proposed method constructs a graph representing the referential relationship between the member variables and the methods. This relationship is shown as a bipartite graph and the test for graph isomorphism is applied on the set of graphs to measure the similarity of the programs. In order to measure the effectiveness of this method, an experiment was conducted on the test set, the set of Java source codes submitted as solutions for the programming assignments in Object-Oriented Programming course of Pusan National University in 2012. In order to evaluate the accuracy of the proposed method, the F-measure is compared to those of JPlag and Stigmata. According to the experimental result, the F-measure of the proposed method is higher than those of JPlag and Stigmata by 0.17 and 0.34, respectively.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.17 no.6
• /
• pp.89-98
• /
• 2007

We have come a long way in the information age. Thanks to the advancement of such technologies as the internet, we have discovered new ways to convey information on a broader scope. However, negative aspects exist as is with anything else. These may include invasion of privacy over the web, or identity theft over the internet. What is more alarming is that malwares so called 'maliciouscodes' are rapidly spreading. Its intent is very destructive which can result in hacking, phishing and as aforementioned, one of the most disturbing problems on the net, invasion of privacy. This thesis describes the technology of how you can effectively analyze and detect these kind of malicious codes. We propose sequencial hybrid analysis for API calls that are hooked inside user-mode and kernel-level of Windows. This research explains how we can cope with malicious code more efficiently by abstracting malicious function signature and hiding attribute.