• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.4
• /
• pp.629-635
• /
• 2022

Cyber threats are also increasing with recent social changes and the development of ICT technology. Malicious codes used in cyber threats are becoming more advanced and intelligent, such as analysis environment avoidance technology, concealment, and fileless distribution, to make analysis difficult. Machine learning technology is being used to effectively analyze these malicious codes, but a lot of effort is needed to increase the accuracy of classification. In this paper, we propose a malicious code detection technology based on API call interval characteristics to improve the classification performance of machine learning. The proposed technology uses API call characteristics for each section and entropy of binary to separate characteristic factors into sections based on the extraction malicious code and API call order of normal binary. It was verified that malicious code can be well analyzed using the support vector machine (SVM) algorithm for the extracted characteristic factors.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2022.05a
• /
• pp.377-380
• /
• 2022

An application called an app can be downloaded and used on mobile devices. Among them, Android-based apps have the disadvantage of being implemented on an open source basis and can be exploited by anyone, but unlike iOS, which discloses only a small part of the source code, Android is implemented as an open source, so it can analyze the code. However, since anyone can participate in changing the source code of open source-based Android apps, the number of malicious codes increases and types are bound to vary. Malicious codes that increase exponentially in a short period of time are difficult for humans to detect one by one, so it is efficient to use a technique to detect malicious codes using AI. Most of the existing malicious app detection methods are to extract Features and detect malicious apps. Therefore, three ways to select the optimal feature to be used for learning after feature extraction are proposed. Finally, in the step of modeling with optimal features, ensemble techniques are used in addition to a single model. Ensemble techniques have already shown results beyond the performance of a single model, as has been shown in several studies. Therefore, this paper presents a plan to select the optimal feature and implement a learning model for Android app-based malicious code detection.

• Convergence Security Journal
• /
• v.15 no.4
• /
• pp.83-90
• /
• 2015

Recent, Cyber attacks such as hacking and malicious code techniques are evolving very rapidly changing cyber a ttacks are increasing, the number of malicious code techniques vary accordingly become intelligent. In the case of m alware because of the ambiguity in the number of malware have increased rapidly by name or classified as maliciou s code may have difficulty coping with. This paper investigated the naming convention of the vaccine manufacturer s in Korea to solve this problem, the analysis and offers a naming convention for security control event detection r ule analysis to compare the pattern of the detection rule out based on this current.

• Journal of Internet Computing and Services
• /
• v.21 no.1
• /
• pp.45-55
• /
• 2020

Due to the development of information and communication technology, the number of new / variant malicious codes is increasing rapidly every year, and various types of malicious codes are spreading due to the development of Internet of things and cloud computing technology. In this paper, we propose a malware analysis method based on string information that can be used regardless of operating system environment and represents library call information related to malicious behavior. Attackers can easily create malware using existing code or by using automated authoring tools, and the generated malware operates in a similar way to existing malware. Since most of the strings that can be extracted from malicious code are composed of information closely related to malicious behavior, it is processed by weighting data features using text mining based method to extract them as effective features for malware analysis. Based on the processed data, a model is constructed using various machine learning algorithms to perform experiments on detection of malicious status and classification of malicious groups. Data has been compared and verified against all files used on Windows and Linux operating systems. The accuracy of malicious detection is about 93.5%, the accuracy of group classification is about 90%. The proposed technique has a wide range of applications because it is relatively simple, fast, and operating system independent as a single model because it is not necessary to build a model for each group when classifying malicious groups. In addition, since the string information is extracted through static analysis, it can be processed faster than the analysis method that directly executes the code.

• Journal of Advanced Navigation Technology
• /
• v.17 no.6
• /
• pp.816-822
• /
• 2013

In modern networks, data rate is getting faster and transferred data is extremely increased. At this point, the malicious codes are evolving to various types very fast, and the frequency of occurring new malicious code is very short. So, it is hard to collect/analyze data using general networks with the techniques like traditional intrusion detection or anormaly detection. In this paper, we collect and analyze the data more effectively with cloud environment than general simple networks. Also we analyze the malicious code which is similar to real network's malware, using botnet server/client includes DNS Spoofing attack.

• Convergence Security Journal
• /
• v.19 no.1
• /
• pp.11-17
• /
• 2019

Recently, the abuse of Internet technology has caused economic and mental harm to society as a whole. Especially, malicious code that is newly created or modified is used as a basic means of various application hacking and cyber security threats by bypassing the existing information protection system. However, research on small-capacity executable files that occupy a large portion of actual malicious code is rather limited. In this paper, we propose a model that can analyze the characteristics of known small capacity executable files by using data mining techniques and to use them for detecting unknown malicious codes. Data mining analysis techniques were performed in various ways such as Naive Bayesian, SVM, decision tree, random forest, artificial neural network, and the accuracy was compared according to the detection level of virustotal. As a result, more than 80% classification accuracy was verified for 34,646 analysis files.

• Journal of Internet of Things and Convergence
• /
• v.9 no.1
• /
• pp.1-7
• /
• 2023

Cases in which personal terminals or servers are infected by ransomware are rapidly increasing. Ransomware uses a self-developed encryption module or combines existing symmetric key/public key encryption modules to illegally encrypt files stored in the victim system using a key known only to the attacker. Therefore, in order to decrypt it, it is necessary to know the value of the key used, and since the process of finding the decryption key takes a lot of time, financial costs are eventually paid. At this time, most of the ransomware malware is included in a hidden form in binary files, so when the program is executed, the user is infected with the malicious code without even knowing it. Therefore, in order to respond to ransomware attacks in the form of binary files, it is necessary to identify the encryption module used. Therefore, in this study, we developed a mechanism that can detect and identify by reverse analyzing the encryption module applied to the malicious code hidden in the binary file.

• Communications of the Korean Institute of Information Scientists and Engineers
• /
• v.30 no.1
• /
• pp.44-53
• /
• 2012

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.3
• /
• pp.667-677
• /
• 2012

Vulnerable web applications have been the primary method used by the attackers to spread their malware to a large number of victims. Such attacks commonly make use of malicious links to remotely execute a rather advanced malicious code. The attackers often deploy malwares that utilizes unknown vulnerabilities so-called "zero-day vulnerabilities." The existing computer vaccines are mostly signature-based and thus are effective only against known attack patterns, but not capable of detecting zero-days attacks. To mitigate such limitations of the current solutions, there have been a numerous works that takes a behavior-based approach to improve detection against unknown malwares. However, behavior-based solutions arbitrarily introduced a several limitations that made them unsuitable for real-life situations. This paper proposes an advanced web browser based malicious behavior detection system that solves the problems and limitations of the previous approaches.

• Convergence Security Journal
• /
• v.6 no.4
• /
• pp.49-57
• /
• 2006

Firewall to block a network access of unauthorized IP system and IDS (Intrusion Detection System) to detect malicious code pattern to be known consisted the main current of the information security system at the past. But, with rapid growth the diffusion speed and damage of malicious code like the worm, study of the unknown attack traffic is processed actively. One of such method is detection technique using traffic statistics information on the network viewpoint not to be an individual system. But, it is very difficult but to reserve traffic raw data or statistics information. Therefore, we present extraction technique of a network traffic Raw data and a statistics information like the time series. Also, We confirm the validity of a mixing traffic and show the evidence which is suitable to the experiment.