• The KIPS Transactions:PartC
• /
• v.13C no.1 s.104
• /
• pp.45-54
• /
• 2006

Nowadays, a lot of techniques have been applied for the detection of malicious behavior. However, the current techniques taken into practice are facing with the challenge of much variations of the original malicious behavior, and it is impossible to respond the new forms of behavior appropriately and timely. There are also some limitations can not be solved, such as the error affirmation (positive false) and mistaken obliquity (negative false). With the questions above, we suggest a new method here to improve the current situation. To detect the malicious code, we put forward dealing with the basic source code units through the conceptual graph. Basically, we use conceptual graph to define malicious behavior, and then we are able to compare the similarity relations of the malicious behavior by testing the formalized values which generated by the predefined graphs in the code. In this paper, we show how to make a conceptual graph and propose an efficient method for similarity measure to discern the malicious behavior. As a result of our experiment, we can get more efficient detection rate.

• Journal of IKEEE
• /
• v.25 no.4
• /
• pp.672-678
• /
• 2021

New malware continues to increase and become advanced by every year. Although various studies are going on executable files to diagnose malicious codes, it is difficult to detect attacks that internalize malicious code threats in emails by exploiting non-executable document files, malicious URLs, and malicious macros and JS in documents. In this paper, we introduce a method of analyzing malicious code for email security through proactive detection and blocking of malicious email attacks, and propose a method for determining whether a non-executable document file is malicious based on AI. Among various algorithms, an efficient machine learning modeling is choosed, and an ML workflow system to diagnose malicious code using Kubeflow is proposed.

• Journal of KIISE:Information Networking
• /
• v.29 no.6
• /
• pp.663-673
• /
• 2002

Server-side anti-viruses are useful to protect their domains, because they can detect malicious codes at the gateway of their domains. In prevailing local network, all clients cannot be perfectly controlled by domain administrators, so server-side inspection, for example in e-mail server, is used as an efficient technique of detecting mobile malicious codes. However, current server-side anti-virus systems perform only signature-based detection for known malicious codes, simple filtering, and file name modification. One of the main reasons that they don't have detection features, for unknown malicious codes, is that activity monitoring technique is unavailable for server machines. In this paper, we propose a detection technique that is executed at the server, but it can monitor activities at the clients without any anti-virus features. we describe its implementation.

• Journal of Information Processing Systems
• /
• v.15 no.1
• /
• pp.100-115
• /
• 2019

Malicious code distribution on the Internet is one of the most critical Internet-based threats and distribution technology has evolved to bypass detection systems. As a new defense against the detection bypass technology of malicious attackers, this study proposes the automated tracing of malicious websites in a malware distribution network (MDN). The proposed technology extracts automated links and classifies websites into malicious and normal websites based on link structure. Even if attackers use a new distribution technology, website classification is possible as long as the connections are established through automated links. The use of a real web-browser and proxy server enables an adequate response to attackers' perception of analysis environments and evasion technology and prevents analysis environments from being infected by malicious code. The validity and accuracy of the proposed method for classification are verified using 20,000 links, 10,000 each from normal and malicious websites.

• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.20 no.7
• /
• pp.613-621
• /
• 2019

Recently, with the development of the Internet of Things (IoT) and cloud computing technologies, security threats have increased as malicious codes infect IoT devices, and new malware spreads ransomware to cloud servers. In this study, we propose a threat-detection technique that checks obfuscated script patterns to compensate for the shortcomings of conventional signature-based and behavior-based detection methods. Proposed is a malicious code-detection technique that is based on malicious script-pattern analysis that can detect zero-day attacks while maintaining the existing detection rate by registering and checking derived distribution patterns after analyzing the types of malicious scripts distributed through websites. To verify the performance of the proposed technique, a prototype system was developed to collect a total of 390 malicious websites and experiment with 10 major malicious script-distribution patterns derived from analysis. The technique showed an average detection rate of about 86% of all items, while maintaining the existing detection speed based on the detection rule and also detecting zero-day attacks.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.1
• /
• pp.105-115
• /
• 2019

Recently, intelligent Android malicious codes have become difficult to detect malicious behavior by static analysis alone. Malicious code with SO file, dynamic loading, and string obfuscation are difficult to extract information about original code even with various tools for static analysis. There are many dynamic analysis methods to solve this problem, but dynamic analysis requires rooting or emulator environment. However, in the case of dynamic analysis, malicious code performs the rooting and the emulator detection to bypass the analysis environment. To solve this problem, this paper investigates a variety of root detection schemes and builds an environment for bypassing the rooting detection in real devices. In addition, SDK code hooking module for Android malicious code analysis is designed using Xposed, and intent tracking for code flow, dynamic loading file information, and various API information extraction are implemented. This work will contribute to the analysis of obfuscated information and behavior of Android Malware.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.13 no.3
• /
• pp.1611-1625
• /
• 2019

The emergence of new technologies and devices brings a new environment in the field of cyber security. It is not easy to predict possible security threats about new environment every time without special criteria. In other words, most malicious codes often reuse malicious code that has occurred in the past, such as bypassing detection from anti-virus or including additional functions. Therefore, we are predicting the security threats that can arise in a new environment based on the history of repeated malicious code. In this paper, we classify and define not only the internal information obtained from malicious code analysis but also the features that occur during infection and attack. We propose a method to predict and manage security threats in new environment by continuously managing and extending.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.4
• /
• pp.593-603
• /
• 2020

The advent of malicious code has increased exponentially due to the spread of malicious code generation tools in accordance with the development of the network, but there is a limit to the response through existing malicious code detection methods. According to this situation, a machine learning-based malicious code detection method is evolving, and in this paper, the feature of data is extracted from the PE header for machine-learning-based malicious code detection, and then it is used to automate the malware through autoencoder. Research on how to extract the indicated features and feature importance. In this paper, 549 features composed of information such as DLL/API that can be identified from PE files that are commonly used in malware analysis are extracted, and autoencoder is used through the extracted features to improve the performance of malware detection in machine learning. It was proved to be successful in providing excellent accuracy and reducing the processing time by 2 times by effectively extracting the features of the data by compressively storing the data. The test results have been shown to be useful for classifying malware groups, and in the future, a classifier such as SVM will be introduced to continue research for more accurate malware detection.

• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.20 no.2
• /
• pp.39-44
• /
• 2020

Malicious codes cause damage to equipments while avoiding detection programs(vaccines). The reason why it is difficult to detect such these new malwares using the existing vaccines is that they use "signature-based" detection techniques. these techniques effectively detect already known malicious codes, however, they have problems about detecting new malicious codes. Therefore, most of vaccines have recognized these drawbacks and additionally make use of "heuristic" techniques. This paper proposes a technology to detecting unknown malicious code using deep learning. In addition, detecting malware skill using Supervisor Learning approach has a clear limitation. This is because, there are countless files that can be run on the devices. Thus, this paper utilizes Stacked Convolution AutoEncoder(SCAE) known as Semi-Supervisor Learning. To be specific, byte information of file was extracted, imaging was carried out, and these images were learned to model. Finally, Accuracy of 98.84% was achieved as a result of inferring unlearned malicious and non-malicious codes to the model.

• Journal of IKEEE
• /
• v.25 no.3
• /
• pp.451-461
• /
• 2021

As various smart devices spread and the damage caused by malicious codes becomes more serious, malicious code detection technology using machine learning technology is attracting attention. However, if the training data of machine learning is constructed based on only the fragmentary characteristics of the code, it is still easy to create variants and new malicious codes that avoid it. To solve such a problem, a research using the function call relationship of malicious code as training data is attracting attention. In particular, it is expected that more advanced malware detection will be possible by measuring the similarity of graphs using GNN. This paper proposes an efficient method to generate a function call graph from binary code to utilize GNN for malware detection.