• Title/Summary/Keyword: Malicious behavior

Detection of Unknown Malicious Scripts Using Static Analysis (정적 분석을 이용한 알려지지 않은 악성 스크립트 감지)

  • Lee, Seong-Uck;Bae, Byung-Woo;Lee, Hyong-Joon;Cho, Eun-Sun;Hong, Man-Pyo
    • The KIPS Transactions:PartC / v.9C no.5 / pp.765-774 / 2002
  • Analyzing the code using static heuristics is a widely used technique for detecting unknown malicious codes. It decides the maliciousness of a code by searching for some fragments that had been frequently found in known malicious codes. However, in script codes, it tries to search for sequences of method calls, not code fragments, because finding such fragments is much more difficult. This technique makes many false alarms because such method calls can also be used in normal scripts. Thus, static heuristics for scripts are used only to detect malicious behavior consisting of specific method calls which are seldom used in normal scripts. In this paper, we suggest a static analysis that can detect malicious behavior more accurately, by considering not only the method calls but also parameters and return values. The results of experiments show that malicious behaviors, which were difficult to detect by previous works due to high false positives, will be detected by our method.

Research on countermeasures against malicious file upload attacks (악성 파일 업로드 공격 대응방안 연구)

  • Kim, Taekyung
    • Journal of Korea Society of Digital Industry and Information Management / v.16 no.2 / pp.53-59 / 2020
  • Malicious file upload attacks mean that the attacker uploads or transfers files of dangerous types that can be automatically processed within the web server's environment. Uploaded file content can include exploits, malware and malicious scripts. An attacker can use malicious content to manipulate the application behavior. As a method of detecting a malicious file upload attack, it is generally used to find a file type by detecting a file extension or a signature of the file. However, this type of file type detection has the disadvantage that it cannot detect files that are not encoded with a specific program, such as PHP files. Therefore, in this paper, research was conducted on how to detect and block any program by using essential commands or variable names used in the corresponding program when writing a specific program. The performance evaluation results show that it detected specific files effectively using the suggested method.

A Study on Analysis of Malicious Code Behavior Information for Predicting Security Threats in New Environments

  • Choi, Seul-Ki;Lee, Taejin;Kwak, Jin
    • KSII Transactions on Internet and Information Systems (TIIS) / v.13 no.3 / pp.1611-1625 / 2019
  • The emergence of new technologies and devices brings a new environment in the field of cyber security. It is not easy to predict possible security threats in a new environment every time without special criteria. In other words, most malicious codes often reuse malicious code that has occurred in the past, such as bypassing detection from anti-virus or including additional functions. Therefore, we are predicting the security threats that can arise in a new environment based on the history of repeated malicious code. In this paper, we classify and define not only the internal information obtained from malicious code analysis but also the features that occur during infection and attack. We propose a method to predict and manage security threats in a new environment by continuously managing and extending.

A Security Protection Framework for Cloud Computing

  • Zhu, Wenzheng;Lee, Changhoon
    • Journal of Information Processing Systems / v.12 no.3 / pp.538-547 / 2016
  • Cloud computing is a new style of computing in which dynamically scalable and reconfigurable resources are provided as a service over the internet. The MapReduce framework is currently the most dominant programming model in cloud computing. It is necessary to protect the integrity of MapReduce data processing services. Malicious workers, who can be divided into collusive workers and non-collusive workers, try to generate bad results in order to attack the cloud computing. So, figuring out how to efficiently detect the malicious workers has been very important, as existing solutions are not effective enough in defeating malicious behavior. In this paper, we propose a security protection framework to detect the malicious workers and ensure computation integrity in the map phase of MapReduce. Our simulation results show that our proposed security protection framework can efficiently detect both collusive and non-collusive workers and guarantee high computation accuracy.

Enhancing cloud computing security: A hybrid machine learning approach for detecting malicious nano-structures behavior

  • Xu Guo;T.T. Murmy
    • Advances in nano research / v.15 no.6 / pp.513-520 / 2023
  • The exponential proliferation of cutting-edge computing technologies has spurred organizations to outsource their data and computational needs. In the realm of cloud-based computing environments, ensuring robust security, encompassing principles such as confidentiality, availability, and integrity, stands as an overarching imperative. Elevating security measures beyond conventional strategies hinges on a profound comprehension of malware's multifaceted behavioral landscape. This paper presents an innovative paradigm aimed at empowering cloud service providers to adeptly model user behaviors. Our approach harnesses the power of a Particle Swarm Optimization-based Probabilistic Neural Network (PSO-PNN) for detection and recognition processes. Within the initial recognition module, user behaviors are translated into a comprehensible format, and the identification of malicious nano-structures behaviors is orchestrated through a multi-layer neural network. Leveraging the UNSW-NB15 dataset, we meticulously validate our approach, effectively characterizing diverse manifestations of malicious nano-structures behaviors exhibited by users. The experimental results unequivocally underscore the promise of our method in fortifying security monitoring and the discernment of malicious nano-structures behaviors.

Design and Implementation of API Extraction Method for Android Malicious Code Analysis Using Xposed (Xposed를 이용한 안드로이드 악성코드 분석을 위한 API 추출 기법 설계 및 구현에 관한 연구)

  • Kang, Seongeun;Yoon, Hongsun;Jung, Souhwan
    • Journal of the Korea Institute of Information Security & Cryptology / v.29 no.1 / pp.105-115 / 2019
  • Recently, the malicious behavior of intelligent Android malicious codes has become difficult to detect by static analysis alone. For malicious code with SO files, dynamic loading, and string obfuscation, it is difficult to extract information about the original code even with various tools for static analysis. There are many dynamic analysis methods to solve this problem, but dynamic analysis requires rooting or an emulator environment. However, in the case of dynamic analysis, malicious code performs rooting and emulator detection to bypass the analysis environment. To solve this problem, this paper investigates a variety of root detection schemes and builds an environment for bypassing the rooting detection in real devices. In addition, an SDK code hooking module for Android malicious code analysis is designed using Xposed, and intent tracking for code flow, dynamic loading file information, and various API information extraction are implemented. This work will contribute to the analysis of obfuscated information and behavior of Android malware.

A Behavior based Detection for Malicious Code Using Obfuscation Technique (우회기법을 이용하는 악성코드 행위기반 탐지 방법)

  • Park Nam-Youl;Kim Yong-Min;Noh Bong-Nam
    • Journal of the Korea Institute of Information Security & Cryptology / v.16 no.3 / pp.17-28 / 2006
  • The appearance of variant malicious codes using obfuscation techniques is accelerating the spread of malicious codes around the detection by a vaccine. When a system does not patch detection patterns for vulnerabilities and worms to the vaccine, it can be infected by the worms, and malicious codes can spread rapidly to other systems and networks in a few minutes. Moreover, conventional pattern based detection and treatment is limited for variants or new malicious codes. In this paper, we propose a method of behavior based detection by the static analysis, the dynamic analysis and the dynamic monitoring to detect a malicious code using obfuscation techniques with the PE compression. Also we show that dynamic monitoring can detect worms with the PE compression which access important resources such as a registry, a CPU, a memory and files with the proposed method for similarity.

Collaboration Model Design to Improve Malicious Node Detection Rate in MANET (MANET에서 악의적 노드 탐지율 향상을 위한 협업모델 설계)

  • Shin, Eon-Seok;Jeon, Seo-In;Park, Gun-Woo;Ryu, Keun-Ho
    • Journal of the Korea Society of Computer and Information / v.18 no.3 / pp.35-45 / 2013
  • MANET has a weak point because it allows access from not only legal nodes but also illegal nodes. Most of the MANET researches had been focused on attack on routing path or packet forwarding. Nevertheless, there are insufficient studies on a comprehensive approach to detect various attacks on malicious nodes at packet forwarding processes. In this paper, we propose a technique, named DTecBC (detection technique of malicious node behaviors based on collaboration), which can handle more efficiently various types of malicious node attacks on MANET environment. The DTecBC is designed to detect malicious nodes by communication between neighboring nodes, and manage malicious nodes using a maintain table. OPNET tool was used to compare with Watchdog, CONFIDANT, SRRPPnT for verifying effectiveness of our approach. As a result, DTecBC detects various behaviors of malicious nodes more effectively than other techniques.

Andro-profiler: Anti-malware system based on behavior profiling of mobile malware (행위기반의 프로파일링 기법을 활용한 모바일 악성코드 분류 기법)

  • Yun, Jae-Sung;Jang, Jae-Wook;Kim, Huy Kang
    • Journal of the Korea Institute of Information Security & Cryptology / v.24 no.1 / pp.145-154 / 2014
  • In this paper, we propose a novel anti-malware system based on behavior profiling, called Andro-profiler. Andro-profiler consists of mobile devices and a remote server, and is implemented in Droidbox. Our aim is to detect and classify malware using an automatic classifier based on behavior profiling. First, we propose the representative behavior profiling for each malware family represented by system calls coupled with Droidbox system logs. This is done by executing the malicious application on an emulator and extracting integrated system logs. By comparing the behavior profiling of malicious applications with representative behavior profiling for each malware family, we can detect and classify them into malware families. Andro-profiler shows over 99% of classification accuracy in classifying malware families.

A Malware Variants Detection Method based on Behavior Similarity (행위 유사도 기반 변종 악성코드 탐지 방법)

  • Joe, Woo-Jin;Kim, Hyong-Shik
    • Smart Media Journal / v.8 no.4 / pp.25-32 / 2019
  • While the development of the Internet has made information more accessible, this also has provided a variety of intrusion paths for malicious programs. Traditional Signature-based malware-detectors cannot identify new malware. Although Dynamic Analysis may analyze new malware that the Signature cannot do, it still is inefficient for detecting variants while most of the behaviors are similar. In this paper, we propose a detection method using behavioral similarity with existing malicious codes, assuming that they have parallel patterns. The proposed method is to extract the behavior targets common to variants and detect programs that have similar targets. Here, we verified behavioral similarities between variants through the conducted experiments with 1,000 malicious codes.