• Journal of Convergence for Information Technology
• /
• v.12 no.4
• /
• pp.126-132
• /
• 2022

At present, due to the rapid spread of smartphones and activation of IoT, malicious codes are disseminated using SNS, or intelligent intrusions such as intelligent APT and ransomware are in progress. The damage caused by the intelligent intrusion is also becoming more consequential, threatening, and emergent than the previous intrusion. Therefore, in this paper, we propose an intelligent intrusion situation-aware reasoning system to detect transgression behavior made by such intelligent malicious code. The proposed system was used to detect and respond to various intelligent intrusions at an early stage. The anticipated system is composed of an event monitor, event manager, situation manager, response manager, and database, and through close interaction between each component, it identifies the previously recognized intrusive behavior and learns about the new invasive activities. It was detected through the function to improve the performance of the inference device. In addition, it was found that the proposed system detects and responds to intelligent intrusions through the state of detecting ransomware, which is an intelligent intrusion type.

• Journal of IKEEE
• /
• v.26 no.3
• /
• pp.380-388
• /
• 2022

The traditional malware detection technologies collect known malicious programs and analyze their characteristics. Then such a detection technology makes a blacklist based on the analyzed malicious characteristics and checks programs in the user's system based on the blacklist to determine whether each program is malware. However, such an approach can detect known malicious programs, but responding to unknown or variant malware is challenging. In addition, since such detection technologies generally monitor all programs in the system in real-time, there is a disadvantage that they can degrade the system performance. In order to solve such problems, various methods have been proposed to analyze major behaviors of malicious programs and to respond to them. The main characteristic of ransomware is to access and encrypt the user's file. So, a new approach is to produce the whitelist of programs installed in the user's system and allow the only programs listed on the whitelist to access the user's files. However, although it applies such an approach, attackers can still perform malicious behavior by performing a DLL(Dynamic-Link Library) injection attack on a regular program registered on the whitelist. This paper proposes a method to respond effectively to attacks using DLL injection.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.3
• /
• pp.501-511
• /
• 2022

In 2021, ransomware attacks became popular, and the number is rapidly increasing every year. Since PowerShell is used as the primary ransomware technique, the need for PowerShell-based malware detection is ever increasing. However, the existing detection techniques have limits in that they cannot detect obfuscated scripts or require a long processing time for deobfuscation. This paper proposes a simple and fast deobfuscation method and a deep learning-based classification model that can detect PowerShell-based malware. Our technique is composed of Word2Vec and a convolutional neural network to learn the meaning of a script extracting important features. We tested the proposed model using 1400 malicious codes and 8600 normal scripts provided by the AI-based PowerShell malicious script detection track of the 2021 Cybersecurity AI/Big Data Utilization Contest. Our method achieved 5.04 times faster deobfuscation than the existing methods with a perfect success rate and high detection performance with FPR of 0.01 and TPR of 0.965.

• Journal of Intelligence and Information Systems
• /
• v.24 no.2
• /
• pp.195-220
• /
• 2018

In this study, we conducted an empirical analysis of the factors that affect the change of Bitcoin Closing Price. Previous studies have focused on the security of the block chain system, the economic ripple effects caused by the cryptocurrency, legal implications and the acceptance to consumer about cryptocurrency. In various area, cryptocurrency was studied and many researcher and people including government, regardless of country, try to utilize cryptocurrency and applicate to its technology. Despite of rapid and dramatic change of cryptocurrencies' price and growth of its effects, empirical study of the factors affecting the price change of cryptocurrency was lack. There were only a few limited studies, business reports and short working paper. Therefore, it is necessary to determine what factors effect on the change of closing Bitcoin price. For analysis, hypotheses were constructed from three dimensions of consumer, industry, and macroeconomics for analysis, and time series data were collected for variables of each dimension. Consumer variables consist of search traffic of Bitcoin, search traffic of bitcoin ban, search traffic of ransomware and search traffic of war. Industry variables were composed GPU vendors' stock price and memory vendors' stock price. Macro-economy variables were contemplated such as U.S. dollar index futures, FOMC policy interest rates, WTI crude oil price. Using above variables, we did times series regression analysis to find relationship between those variables and change of Bitcoin Closing Price. Before the regression analysis to confirm the relationship between change of Bitcoin Closing Price and the other variables, we performed the Unit-root test to verifying the stationary of time series data to avoid spurious regression. Then, using a stationary data, we did the regression analysis. As a result of the analysis, we found that the change of Bitcoin Closing Price has negative effects with search traffic of 'Bitcoin Ban' and US dollar index futures, while change of GPU vendors' stock price and change of WTI crude oil price showed positive effects. In case of 'Bitcoin Ban', it is directly determining the maintenance or abolition of Bitcoin trade, that's why consumer reacted sensitively and effected on change of Bitcoin Closing Price. GPU is raw material of Bitcoin mining. Generally, increasing of companies' stock price means the growth of the sales of those companies' products and services. GPU's demands increases are indirectly reflected to the GPU vendors' stock price. Making an interpretation, a rise in prices of GPU has put a crimp on the mining of Bitcoin. Consequently, GPU vendors' stock price effects on change of Bitcoin Closing Price. And we confirmed U.S. dollar index futures moved in the opposite direction with change of Bitcoin Closing Price. It moved like Gold. Gold was considered as a safe asset to consumers and it means consumer think that Bitcoin is a safe asset. On the other hand, WTI oil price went Bitcoin Closing Price's way. It implies that Bitcoin are regarded to investment asset like raw materials market's product. The variables that were not significant in the analysis were search traffic of bitcoin, search traffic of ransomware, search traffic of war, memory vendor's stock price, FOMC policy interest rates. In search traffic of bitcoin, we judged that interest in Bitcoin did not lead to purchase of Bitcoin. It means search traffic of Bitcoin didn't reflect all of Bitcoin's demand. So, it implies there are some factors that regulate and mediate the Bitcoin purchase. In search traffic of ransomware, it is hard to say concern of ransomware determined the whole Bitcoin demand. Because only a few people damaged by ransomware and the percentage of hackers requiring Bitcoins was low. Also, its information security problem is events not continuous issues. Search traffic of war was not significant. Like stock market, generally it has negative in relation to war, but exceptional case like Gulf war, it moves stakeholders' profits and environment. We think that this is the same case. In memory vendor stock price, this is because memory vendors' flagship products were not VRAM which is essential for Bitcoin supply. In FOMC policy interest rates, when the interest rate is low, the surplus capital is invested in securities such as stocks. But Bitcoin' price fluctuation was large so it is not recognized as an attractive commodity to the consumers. In addition, unlike the stock market, Bitcoin doesn't have any safety policy such as Circuit breakers and Sidecar. Through this study, we verified what factors effect on change of Bitcoin Closing Price, and interpreted why such change happened. In addition, establishing the characteristics of Bitcoin as a safe asset and investment asset, we provide a guide how consumer, financial institution and government organization approach to the cryptocurrency. Moreover, corroborating the factors affecting change of Bitcoin Closing Price, researcher will get some clue and qualification which factors have to be considered in hereafter cryptocurrency study.

• Review of KIISC
• /
• v.29 no.6
• /
• pp.39-48
• /
• 2019

랜섬웨어(Ransomware)는 몸값(Ransom)과 소프트웨어(Software)의 합성어로 사용자 시스템을 장악하여 중요 문서 및 파일을 암호화하고 암호화된 파일의 복호화를 대가로 가상 화폐를 요구한다. 랜섬웨어로 인한 피해는 매년 증가하고 있으며 새로운 랜섬웨어의 등장과 변종의 출현이 빈번하다. 이에 본 논문은 2019년에 등장하거나 영향을 주고 있는 랜섬웨어에 대한 유포방법, 유포 대상, 알고리즘 사용 현황을 밝히고 국내 외 피해 사례를 소개한다. 그리고 분기 별로 감염율 상위 5개의 랜섬웨어를 살펴보고 평균 요구 금액에 대해 기술한다. 마지막으로 주요 및 신규 랜섬웨어 대해 유포 경로, 특징, 암호화 알고리즘, 복호화 요소 및 복호화 도구에 대해서는 표로 요약하며 자세히 서술한다.

• Proceedings of the Korea Contents Association Conference
• /
• 2017.05a
• /
• pp.91-92
• /
• 2017

발전하는 IoT시대에 컴퓨터의 사용은 현대인들과 밀접한 관계가 되어 있다. 이로 인해, 우리는 다양한 문서들을 직접 종이에 일일이 적는 불편함을 컴퓨터를 통해 편하게 문서화를 할 수 있게 되었다. 그러나 모든 문서가 컴퓨터에 저장이 되어 있다 보니 이를 악용한 바이러스가 바로 랜섬웨어이다. 본 논문에서는 랜섬웨어의 의미와 동작원리에 대해 알아보고, 예방 대책을 제안하고자 한다.

• Journal of the Korea Society of Computer and Information
• /
• v.22 no.10
• /
• pp.93-100
• /
• 2017

Current internet has evolved from the sharing and efficiency aspects of information, it is still vulnerable to the fact that the Internet is not secure in terms of security and is not safe to secure of security mechanism. Repeating patches on continuous hacking are continuously demanding additional resources for network or system equipment, and consequently the costs continue to increase. Businesses and individuals alike are speeding up the damage caused by crime like of ransomware, not jusy simple attacks, and businesses and individuals need to respond to cyber security. In addition, the ongoing introduce of security device, and separate of networks for secure transmission of contents in the existing TCP/IP system, but it is still lacking in security. To complement the security implications of this existing TCP/IP Internet Protocol, we intend to propose a Secure Contents Transport System (SCTS) on the network using the CCN concept.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2017.11a
• /
• pp.254-256
• /
• 2017

본 논문에서는 소셜 네트워크 서비스 중 트위터를 마이닝하여 실시간으로 랜섬웨어 위험도 분석을 하는 시스템을 설계한다. 이를 위해 2017년 5월 12일에 가장 피해가 컸던 워너크라이 랜섬웨어를 중심으로 5월 10일에서 20일 사이의 트윗 데이터를 마이닝하고, 기존 시스템인 구글 트렌드와의 유사성을 비교 실험하여 트윗 데이터의 가치를 확인한다. 마지막으로 제안하는 시스템에 대한 향후 연구주제를 제시한다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2016.04a
• /
• pp.292-293
• /
• 2016

랜섬웨어는 현재 보안 문제 중 가장 뜨거운 이슈로 떠오르고 있다. 러시아에서 처음으로 등장한 랜섬웨어 공격은 거의 4,000가지 유형을 가지고 있으며, 전 세계 3억7천만 원의 피해를 가져왔다. 또한, 기존의 공격보다 더 발달 된 기술은 계속해서 등장하고 있다. 본 논문에서는 랜섬웨어의 Cryptolocker 공격 방법을 분석했다. 전체 시나리오에 대한 이해와 분석은 대책을 위한 새로운 계획을 위해 제안하고자 한다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2020.05a
• /
• pp.177-179
• /
• 2020

최근의 사이버 침해 사고는 공격 대상을 지정하여 지속적으로 공격을 시도하는 APT(Advanced Persistent Threat)와 랜섬웨어(Ransomware) 공격이 주를 이룬다. APT 공격은 dirve by download 를 통하여 의도하지 않은 파일의 다운로드를 유도하고, 다운로드 된 파일은 역통신채널을 만들어 내부 데이터를 외부로 유출하는 방식으로 공격에 사용되는 악성 파일이 사용자 모르게 다운로드 되어 실행된다. 랜섬웨어는 스피어 피싱 (Spear-phishing) 과 같은 사회공학기법을 이용하여 신뢰 된 출처로 유장 된 파일을 실행하도록 하여 주요 파일들을 암호화 한다. 때문에 사용자와 공격자 사이 네트워크 중간에 위치한 패킷 기반의 보안 장비들은 사용자에 의해 다운로드 되는 파일들을 선제적으로 식별하고, 차단하여 침해 확산을 방지 할 수 있는 방안이 필요하다. 본 논문에서는 네트워크 패킷 레벨에서 알려진 악성파일을 식별하고 실시간 차단하는 방안에 대하여 연구하고자 한다.