• Title/Summary/Keyword: malicious code detection

Search Result 165, Processing Time 0.026 seconds

Buffer Overflow Malicious Code Detection by Tracing Executable Area of Memory (메모리 실행영력 추적을 사용한 버퍼오버플로 악성코드 탐지기법)

  • Choi, Sung-Woon;Cho, Jae-Ik;Moon, Jong-Sub
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.19 no.5
    • /
    • pp.189-194
    • /
    • 2009
  • Most of anti-virus programs detect and compare the signature of the malicious code to detect buffer overflow malicious code. Therefore most of anti-virus programs can't detect new or unknown malicious code. This paper introduces a new way to detect malicious code traces memory executable of essentials APIs by malicious code. To prove the usefulness of the technology, 7 sample codes were chosen for compared with other methods of 8 anti-virus programs. Through the simulation, It turns out that other anti-virus programs could detect only a limited portion of the code, because they were implemented just for detecting not heap areas but stack areas. But in other hand, I was able to confirm that the proposed technology is capable to detect the malicious code.

An Effective Malware Detection Mechanism in Android Environment (안드로이드 환경에서의 효과적인 악성코드 탐지 메커니즘)

  • Kim, Eui Tak;Ryu, Keun Ho
    • The Journal of the Korea Contents Association
    • /
    • v.18 no.4
    • /
    • pp.305-313
    • /
    • 2018
  • With the explosive growth of smart phones and efficiency, the Android of an open mobile operating system is gradually increasing in the use and the availability. Android systems has proven its availability and stability in the mobile devices, the home appliances's operating systems, the IoT products, and the mechatronics. However, as the usability increases, the malicious code based on Android also increases exponentially. Unlike ordinary PCs, if malicious codes are infiltrated into mobile products, mobile devices can not be used as a lock and can be leaked a large number of personal contacts, and can be lead to unnecessary billing, and can be cause a huge loss of financial services. Therefore, we proposed a method to detect and delete malicious files in real time in order to solve this problem. In this paper, we also designed a method to detect and delete malicious codes in a more effective manner through the process of installing Android-based applications and signature-based malicious code detection method. The method we proposed and designed can effectively detect malicious code in a limited resource environment, such as mobile environments.

A Behavior based Detection for Malicious Code Using Obfuscation Technique (우회기법을 이용하는 악성코드 행위기반 탐지 방법)

  • Park Nam-Youl;Kim Yong-Min;Noh Bong-Nam
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.16 no.3
    • /
    • pp.17-28
    • /
    • 2006
  • The appearance of variant malicious codes using obfuscation techniques is accelerating the spread of malicious codes around the detection by a vaccine. n a system does not patch detection patterns for vulnerabilities and worms to the vaccine, it can be infected by the worms and malicious codes can be spreaded rapidly to other systems and networks in a few minute. Moreover, It is limited to the conventional pattern based detection and treatment for variants or new malicious codes. In this paper, we propose a method of behavior based detection by the static analysis, the dynamic analysis and the dynamic monitoring to detect a malicious code using obfuscation techniques with the PE compression. Also we show that dynamic monitoring can detect worms with the PE compression which accesses to important resources such as a registry, a cpu, a memory and files with the proposed method for similarity.

Study on Improved Detection Rule Formation via Information Leakage Malware Analysis (정보유출 악성코드 분석을 통한 개선된 탐지 규칙 제작 연구)

  • Park, Won-Hyung;Yang, Kyeong-Cheol;Lee, Dong-Hwi;Kim, Kui-Nam J.
    • Convergence Security Journal
    • /
    • v.8 no.4
    • /
    • pp.1-8
    • /
    • 2008
  • Not only the recent hacking techniques are becoming more malicious with the sophisticated technology but also its consequences are bringing more damages as the broadband Internet is growing rapidly. These may include invasion of information leakage, or identity theft over the internet. Its intent is very destructive which can result in invasion of information leakage, hacking, one of the most disturbing problems on the net. This thesis describes the technology of how you can effectively analyze and detect these kind of E-Mail malicious codes. This research explains how we can cope with malicious code more efficiently by detection method.

  • PDF

Detection of Malicious PDF based on Document Structure Features and Stream Objects

  • Kang, Ah Reum;Jeong, Young-Seob;Kim, Se Lyeong;Kim, Jonghyun;Woo, Jiyoung;Choi, Sunoh
    • Journal of the Korea Society of Computer and Information
    • /
    • v.23 no.11
    • /
    • pp.85-93
    • /
    • 2018
  • In recent years, there has been an increasing number of ways to distribute document-based malicious code using vulnerabilities in document files. Because document type malware is not an executable file itself, it is easy to bypass existing security programs, so research on a model to detect it is necessary. In this study, we extract main features from the document structure and the JavaScript contained in the stream object In addition, when JavaScript is inserted, keywords with high occurrence frequency in malicious code such as function name, reserved word and the readable string in the script are extracted. Then, we generate a machine learning model that can distinguish between normal and malicious. In order to make it difficult to bypass, we try to achieve good performance in a black box type algorithm. For an experiment, a large amount of documents compared to previous studies is analyzed. Experimental results show 98.9% detection rate from three different type algorithms. SVM, which is a black box type algorithm and makes obfuscation difficult, shows much higher performance than in previous studies.

Image-Based Machine Learning Model for Malware Detection on LLVM IR (LLVM IR 대상 악성코드 탐지를 위한 이미지 기반 머신러닝 모델)

  • Kyung-bin Park;Yo-seob Yoon;Baasantogtokh Duulga;Kang-bin Yim
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.34 no.1
    • /
    • pp.31-40
    • /
    • 2024
  • Recently, static analysis-based signature and pattern detection technologies have limitations due to the advanced IT technologies. Moreover, It is a compatibility problem of multiple architectures and an inherent problem of signature and pattern detection. Malicious codes use obfuscation and packing techniques to hide their identity, and they also avoid existing static analysis-based signature and pattern detection techniques such as code rearrangement, register modification, and branching statement addition. In this paper, We propose an LLVM IR image-based automated static analysis of malicious code technology using machine learning to solve the problems mentioned above. Whether binary is obfuscated or packed, it's decompiled into LLVM IR, which is an intermediate representation dedicated to static analysis and optimization. "Therefore, the LLVM IR code is converted into an image before being fed to the CNN-based transfer learning algorithm ResNet50v2 supported by Keras". As a result, we present a model for image-based detection of malicious code.

An Improved Detecting Scheme of Malicious Codes using HTTP Outbound Traffic (HTTP Outbound Traffic을 이용한 개선된 악성코드 탐지 기법)

  • Choi, Byung-Ha;Cho, Kyung-San
    • Journal of the Korea Society of Computer and Information
    • /
    • v.14 no.9
    • /
    • pp.47-54
    • /
    • 2009
  • Malicious codes, which are spread through WWW are now evolved with various hacking technologies However, detecting technologies for them are seemingly not able to keep up with the improvement of hacking and newly generated malicious codes. In this paper, we define the requirements of detecting systems based on the analysis of malicious codes and their spreading characteristics, and propose an improved detection scheme which monitors HTTP Outbound traffic and detects spreading malicious codes in real time. Our proposed scheme sets up signatures in IDS with confirmed HTML tags and Java scripts which spread malicious codes. Through the verification analysis under the real-attacked environment, we show that our scheme is superior to the existing schemes in satisfying the defined requirements and has a higher detection rate for malicious codes.

A Study on Generic Unpacking to Prevent Zombie Client on Mobile Platform (좀비 클라이언트 차단을 위한 실행 압축 기술에 관한 연구)

  • Ko, Jong-Bin;Lee, Sang-Ha;Shon, Tae-Shik
    • Journal of Advanced Navigation Technology
    • /
    • v.17 no.5
    • /
    • pp.545-551
    • /
    • 2013
  • Packed technique makes difficult to respond quickly because the malicious-code is reduced size that easy to diffusion and changed code that make spend longer time for analysis. In this paper, we analysed the packing tool softwares and we proposed construction and detection methods of the packed technique for easy to analysis of the packed malicious code based on variation of entropy value.

Analysis and Countermeasure of Malicious Code in Small Businesses (중소기업 환경에서 악성코드 유형 분석과 대응 방안)

  • Hong, Jun Suk;Kim, Young hee;Park, Won Hyung;Kook, Kwang Ho
    • Convergence Security Journal
    • /
    • v.15 no.7
    • /
    • pp.55-62
    • /
    • 2015
  • Due to the development of various information systems and PC, usage of Internet has rapidly increaced which lead to malicious codes rapidly spreading throughout the Internet. By the increasing use of the Internet, the threat by malicious codes has become a serious problem. In particular, Small businesses which lack investments in security personnels makes it impossible to verify and measure the servers and PC infected with malicious codes. We have analized malware infection types by using malicious code detection technology of security monitoring service and proposed countermeasures in small businesses.

VMProtect Operation Principle Analysis and Automatic Deobfuscation Implementation (VMProtect 동작원리 분석 및 자동 역난독화 구현)

  • Bang, Cheol-ho;Suk, Jae Hyuk;Lee, Sang-jin
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.30 no.4
    • /
    • pp.605-616
    • /
    • 2020
  • Obfuscation technology delays the analysis of a program by modifying internal logic such as data structure and control flow while maintaining the program's functionality. However, the application of such obfuscation technology to malicious code frequently occurs to reduce the detection rate of malware in antivirus software. The obfuscation technology applied to protect software intellectual property is applied to the malicious code in reverse, which not only lowers the detection rate of the malicious code but also makes it difficult to analyze and thus makes it difficult to identify the functionality of the malicious code. The study of reverse obfuscation techniques that can be closely restored should also continue. This paper analyzes the characteristics of obfuscated code with the option of Pack the Output File and Import Protection among detailed obfuscation technologies provided by VMProtect 3.4.0, a popular tool among commercial obfuscation tools. We present a de-obfuscation algorithm.