• Title/Abstract/Keyword: binary codes


Implementation of the Automated De-Obfuscation Tool to Restore Working Executable (Korean title: Implementation of an Automated Themida De-Obfuscation Tool for Restoring an Executable File)

  • Kang, You-jin;Park, Moon Chan;Lee, Dong Hoon
    • Journal of the Korea Institute of Information Security & Cryptology / v.27 no.4 / pp.785-802 / 2017
  • As cyber threats using malicious code continue to increase, many security and vaccine companies are putting a lot of effort into analysis and detection of malicious codes. However, obfuscation techniques that make software analysis more difficult are applied to malicious codes, making it difficult to respond quickly to malicious codes. In particular, commercial obfuscation tools can quickly and easily generate new variants of malicious codes so that malicious code analysts cannot respond to them. In order for analysts to quickly analyze the actual malicious behavior of the new variants, reverse obfuscation (de-obfuscation) is needed to disable obfuscation. In this paper, a general analysis methodology is proposed to de-obfuscate the software used by a commercial obfuscation tool, Themida. First, we describe the operation principle of Themida by analyzing an executable file obfuscated using Themida. Next, we extract the original code and data information of the executable from the obfuscated executable using Pintool, DBI (Dynamic Binary Instrumentation) framework, and explain the implementation results of an automated analysis tool which can de-obfuscate to the original executable using the extracted original code and data information. Finally, we evaluate the performance of our automated analysis tool by comparing the original executable with the de-obfuscated executable.

An Accurate Current Reference using Temperature and Process Compensation Current Mirror

  • Yang, Byung-Do
    • Journal of the Institute of Electronics Engineers of Korea SD / v.46 no.8 / pp.79-85 / 2009
  • In this paper, an accurate current reference using temperature and process compensation current mirror (TPC-CM) is proposed. The temperature independent reference current is generated by summing a proportional to absolute temperature (PTAT) current and a complementary to absolute temperature (CTAT) current. However, the temperature coefficient and magnitude of the reference current are influenced by the process variation. To calibrate the process variation, the proposed TPC-CM uses two binary weighted current mirrors which control the temperature coefficient and magnitude of the reference current. After the PTAT and CTAT currents are measured, the switch codes of the TPC-CM are fixed in order that the magnitude of reference current is independent to temperature. And, the codes are stored in the non-volatile memory. In the simulation, the effect of the process variation is reduced to 0.52% from 19.7% after the calibration using a TPC-CM in chip-by-chip. A current reference chip is fabricated with a 3.3V 0.35um CMOS process. The measured calibrated reference current has 0.42% variation for $20^{\circ}\mathrm{C} \sim 100^{\circ}\mathrm{C}$.

A Post-Verification Method of Near-Duplicate Image Detection using SIFT Descriptor Binarization

  • Lee, Yu Jin;Nang, Jongho
    • Journal of KIISE / v.42 no.6 / pp.699-706 / 2015
  • In recent years, as near-duplicate image has been increasing explosively by the spread of Internet and image-editing technology that allows easy access to image contents, related research has been done briskly. However, BoF (Bag-of-Feature), the most frequently used method for near-duplicate image detection, can cause problems that distinguish the same features from different features or the different features from same features in the quantization process of approximating a high-level local features to low-level. Therefore, a post-verification method for BoF is required to overcome the limitation of vector quantization. In this paper, we proposed and analyzed the performance of a post-verification method for BoF, which converts SIFT (Scale Invariant Feature Transform) descriptors into 128 bits binary codes and compares binary distance regarding of a short ranked list by BoF using the codes. Through an experiment using 1500 original images, it was shown that the near-duplicate detection accuracy was improved by approximately 4% over the previous BoF method.

Malware Detection Technology Based on API Call Time Section Characteristics

  • Kim, Dong-Yeob;Choi, Sang-Yong
    • Journal of the Korea Institute of Information Security & Cryptology / v.32 no.4 / pp.629-635 / 2022
  • Cyber threats are also increasing with recent social changes and the development of ICT technology. Malicious codes used in cyber threats are becoming more advanced and intelligent, such as analysis environment avoidance technology, concealment, and fileless distribution, to make analysis difficult. Machine learning technology is being used to effectively analyze these malicious codes, but a lot of effort is needed to increase the accuracy of classification. In this paper, we propose a malicious code detection technology based on API call interval characteristics to improve the classification performance of machine learning. The proposed technology uses API call characteristics for each section and entropy of binary to separate characteristic factors into sections based on the extraction malicious code and API call order of normal binary. It was verified that malicious code can be well analyzed using the support vector machine (SVM) algorithm for the extracted characteristic factors.

The Performance Analysis of Transmission Line Codes for the Very-High Speed Optical Transmission System

  • Yu, Bong-Seon
    • The Transactions of the Korea Information Processing Society / v.1 no.4 / pp.479-489 / 1994
  • At the present time, it is an important problem that we are to select a transmission line code for the very-high speed optical transmission system which can confidentially transfer the original information signal sequence efficiently, as it is to be the large capacity and the economization for the optical digital transmission system to transfer the information signal sequence at the very-high speed. Therefore, this paper is to select first the proper transmission line codes for the high speed(more than Mb/s) optical transmission system of the proposed two-level unipolar transmission line codes up to date, and to decide a mBIZ (m Binary with One Zero insertion) code as an optimal transmission line code for the very-high speed optical transmission system, resulting from analyzing the performance at the requirements of the transmission line code, such as the maximum consecutive identical digits, the transmission delay time, the increasing rate of clock, the mark rate, the circuit complexity, the supervision of transmission line error, and power spectrum among the selected transmission line codes.


Development and Analyses of Xen based Dynamic Binary Instrumentation using Intel VT (Korean title: Implementation and Evaluation of a Xen-Based Dynamic Malware Analysis System Using Intel VT Technology)

  • Kim, Tae-Hyoung;Kim, In-Hyuk;Eom, Young-Ik;Kim, Won-Ho
    • Journal of KIISE: Computer Systems and Theory / v.37 no.5 / pp.304-313 / 2010
  • There are several methods for malware analyses. However, it is difficult to detect malware exactly with existing detection methods. Especially, malware with strong anti-debugging facilities can detect analyzer and disturb their analyses. Furthermore, it takes too much time to analyze malware. In order to resolve these problems of current analyzers, more improved analysis scheme is required. This paper suggests a dynamic binary instrumentation which supports the instruction analysis and the memory access tracing. Additionally, by supporting the API call tracing with the DLL loading analysis, our system establishes the foundation for analyzing various executable codes. Based on Xen, full-virtualization environment is built using Intel's VT technology. Windows XP can be used as a guest. We analyze representative malware using several functions of our system, and show the accuracy and efficiency enhancements in binary analyses capability of our system.

A Balanced Binary Search Tree for Huffman Decoding

  • Kim Hyeran;Jung Yeojin;Yim Changhun;Lim Hyesook
    • The Journal of Korean Institute of Communications and Information Sciences / v.30 no.5C / pp.382-390 / 2005
  • Huffman codes are widely used for image and video data transmission. With the increase of real-time data, a lot of studies on effective decoding algorithms and architectures have been done. In this paper, we proposed a balanced binary search tree for Huffman decoding and compared the performance of the proposed architecture with that of previous works. Based on definitions of the comparison of codewords with different lengths, the proposed architecture constructs a balanced binary tree which does not include empty internal nodes, and hence it is very efficient in the memory requirement. Performance evaluation results using actual image data show that the proposed architecture requires a small number of table entries, and the decoding time is 1, 5, and 2.41 memory accesses in minimum, maximum, and average, respectively.

Detecting Meltdown and Spectre Malware through Binary Pattern Analysis

  • Kim, Moon-sun;Lee, Man-hee
    • Journal of the Korea Institute of Information Security & Cryptology / v.29 no.6 / pp.1365-1373 / 2019
  • Meltdown and Spectre are vulnerabilities that exploit out-of-order execution and speculative execution techniques to read memory regions that are not accessible with user privileges. OS patches were released to prevent this attack, but older systems without appropriate patches are still vulnerable. Currently, there is some research to detect Meltdown and Spectre attacks, but most of it proposed dynamic analysis methods. Therefore, this paper proposes a binary signature that can be used to detect Meltdown and Spectre malware without executing them. For this, we collected 13 malicious codes from GitHub and performed binary pattern analysis. Based on this, we proposed a static detection method for Meltdown and Spectre malware. Our results showed that the method identified all the 19 attack files with 0.94% false positive rate when applied to 2,317 normal files.

Multiple Transmit Focusing Method With Modified Orthogonal Golay Codes for Ultrasound Imaging

  • 김배형;송태경
    • Journal of Biomedical Engineering Research / v.24 no.3 / pp.217-231 / 2003
  • Coded excitation with complementary Golay sequences is an effective means to increase the SNR and penetration of ultrasound imaging, in which the two complementary binary codes are transmitted successively along each scan-line, reducing the imaging frame rate by half. This method suffers from low frame rate particularly when multiple transmit focusing is employed, since the frame rate will be further reduced in proportion to the number of focal zones. In this paper, a new ultrasound imaging technique based on simultaneous multiple transmit focusing using modified orthogonal Golay codes is proposed to improve lateral resolution with no accompanying decrease in the imaging frame rate, in which a pair of orthogonal Golay codes focused at two different focal depths are transmitted simultaneously. On receive, these modified orthogonal Golay codes are separately compressed into two short pulses and individually focused. These two focused beams are combined to form a frame of image with improved lateral resolution. The Golay codes were modified to improve the transmit power efficiency (TPE) for practical imaging. Computer simulations and experimental results show that the proposed method improves significantly the lateral resolution and penetration of ultrasound imaging compared with the conventional method.

An FPGA Implementation of High-Speed Flexible 27-Mbps 8-State Turbo Decoder

  • Choi, Duk-Gun;Kim, Min-Hyuk;Jeong, Jin-Hee;Jung, Ji-Won;Bae, Jong-Tae;Choi, Seok-Soon;Yun, Young
    • ETRI Journal / v.29 no.3 / pp.363-370 / 2007
  • In this paper, we propose a flexible turbo decoding algorithm for a high order modulation scheme that uses a standard half-rate turbo decoder designed for binary quadrature phase-shift keying (B/QPSK) modulation. A transformation applied to the incoming I-channel and Q-channel symbols allows the use of an off-the-shelf B/QPSK turbo decoder without any modifications. Iterative codes such as turbo codes process the received symbols recursively to improve performance. As the number of iterations increases, the execution time and power consumption also increase. The proposed algorithm reduces the latency and power consumption by combination of the radix-4, dual-path processing, parallel decoding, and early-stop algorithms. We implement the proposed scheme on a field-programmable gate array and compare its decoding speed with that of a conventional decoder. The results show that the proposed flexible decoding algorithm is 6.4 times faster than the conventional scheme.
