• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.6
• /
• pp.1325-1336
• /
• 2012

In the past about 10 different kinds of malicious code were found in one day on the average. However, the number of malicious codes that are found has rapidly increased reachingover 55,000 during the last 10 year. A large number of malicious codes, however, are not new kinds of malicious codes but most of them are new variants of the existing malicious codes as same functions are newly added into the existing malicious codes, or the existing malicious codes are modified to evade anti-virus detection. To deal with a lot of malicious codes including new malicious codes and variants of the existing malicious codes, we need to compare the malicious codes in the past and the similarity and classify the new malicious codes and the variants of the existing malicious codes. A former calculation method of the similarity on the existing malicious codes compare external factors of IPs, URLs, API, Strings, etc or source code levels. The former calculation method of the similarity takes time due to the number of malicious codes and comparable factors on the increase, and it leads to employing fuzzy hashing to reduce the amount of calculation. The existing fuzzy hashing, however, has some limitations, and it causes come problems to the former calculation of the similarity. Therefore, this research paper has suggested a new comparison method for malicious codes to improve performance of the calculation of the similarity using fuzzy hashing and also a classification method employing the new comparison method.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.5
• /
• pp.1087-1097
• /
• 2017

As the penetration rate of smartphones increases, the number of malicious codes targeting smartphones is increasing. I 360 Security 's smartphone malware statistics show that malicious code increased 437 percent in the first quarter of 2016 compared to the fourth quarter of 2015. In particular, malicious applications, which are the main means of distributing malicious code on smartphones, are aimed at leakage of user information, data destruction, and money withdrawal. Often, it is operated by an API, which is an interface that allows you to control the functions provided by the operating system or programming language. In this paper, we propose a mechanism to detect malicious application based on the similarity of API pattern in normal application and malicious application by learning pattern of API in application derived from static analysis. In addition, we show a technique for improving the detection rate and detection rate for each label derived by using the corresponding mechanism for the sample data. In particular, in the case of the proposed mechanism, it is possible to detect when the API pattern of the new malicious application is similar to the previously learned patterns at a certain level. Future researches of various features of the application and applying them to this mechanism are expected to be able to detect new malicious applications of anti-malware system.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.4
• /
• pp.785-802
• /
• 2017

As cyber threats using malicious code continue to increase, many security and vaccine companies are putting a lot of effort into analysis and detection of malicious codes. However, obfuscation techniques that make software analysis more difficult are applied to malicious codes, making it difficult to respond quickly to malicious codes. In particular, commercial obfuscation tools can quickly and easily generate new variants of malicious codes so that malicious code analysts can not respond to them. In order for analysts to quickly analyze the actual malicious behavior of the new variants, reverse obfuscation(=de-obfuscation) is needed to disable obfuscation. In this paper, general analysis methodology is proposed to de-obfuscate the software used by a commercial obfuscation tool, Themida. First, We describe operation principle of Themida by analyzing obfuscated executable file using Themida. Next, We extract original code and data information of executable from obfuscated executable using Pintool, DBI(Dynamic Binary Instrumentation) framework, and explain the implementation results of automated analysis tool which can deobfuscate to original executable using the extracted original code and data information. Finally, We evaluate the performance of our automated analysis tool by comparing the original executable with the de-obfuscated executable.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.19 no.1
• /
• pp.93-101
• /
• 2009

This paper proposes the detection method of spreading mails which hacker injects malicious codes to steal the information. And I developed the 'Analysis model' which is decoding traffics when hacker's encoding them to steal the information. I researched 'Methodology of intrusion detection techniques' in the computer network monitoring. As a result of this simulation, I developed more efficient rules to detect the PCs which are infected malicious codes in the hacking mail. By proposing this security policy which can be applicable in the computer network environment including every government or company, I want to be helpful to minimize the damage by hacking mail with malicious codes.

• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.15 no.8
• /
• pp.5256-5262
• /
• 2014

Recently, Distributed Denial of Service (DDoS) attacks, such as spreading malicious code, cyber-terrorism, have occurred in government agencies, the press and the financial sector. DDoS attacks are the simplest Internet-based infringement attacks techniques that have fatal consequences. DDoS attacks have caused bandwidth consumption at the network layer. These attacks are difficult to detect defend against because the attack packets are not significantly different from normal traffic. Abnormal traffic is threatening the stability of the network. Therefore, the abnormal traffic by generating indications will need to be detected in advance. This study examined the abnormal traffic detection technique using a forecasting model-based trend model.

• Convergence Security Journal
• /
• v.20 no.3
• /
• pp.53-60
• /
• 2020

At the present stage of the fourth industrial revolution, machine learning and artificial intelligence technologies are rapidly developing, and there is a movement to apply machine learning technology in the security field. Malicious code, including new and transformed, generates an average of 390,000 a day worldwide. Statistics show that security companies ignore or miss 31 percent of alarms. As many malicious codes are generated, it is becoming difficult for humans to detect all malicious codes. As a result, research on the detection of malware and network intrusion events through machine learning is being actively conducted in academia and industry. In international conferences and journals, research on security data analysis using deep learning, a field of machine learning, is presented. have. However, these papers focus on detection accuracy and modify several parameters to improve detection accuracy but do not consider the ratio of dataset. Therefore, this paper aims to reduce the cost and resources of many machine learning research by finding the ratio of dataset that can derive the highest detection accuracy in CNN Mobile net-based malware detection model.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.6
• /
• pp.1043-1052
• /
• 2020

Signature-based malicious code detection methods share a common limitation; it is very hard to detect modified malicious codes or new malware utilizing zero-day vulnerabilities. To overcome this limitation, many studies are actively carried out to classify malicious codes using N-gram. Although they can detect malicious codes with high accuracy, it is difficult to identify malicious codes that uses very short codes such as Spectre. We propose a function level N-gram comparison algorithm to effectively identify the Spectre binary. To test the validity of this algorithm, we built N-gram data sets from 165 normal binaries and 25 malignant binaries. When we used Random Forest models, the model performance experiments identified Spectre malicious functions with 99.99% accuracy and its f1-score was 92%.

• Convergence Security Journal
• /
• v.23 no.1
• /
• pp.55-61
• /
• 2023

QR Code is a two-dimensional code in the form of a matrix that contains data in a square-shaped black-and-white grid pattern, and has recently been used in various fields. In particular, in order to prevent the spread of COVID-19, the usage increased rapidly by identifying the movement path in the form of a QR code that anyone can easily and conveniently use. As such, Qshing attacks and damages using QR codes are increasing in proportion to the usage of QR codes. Therefore, in this paper, a system was implemented to block movement to harmful sites and installation of malicious codes when scanning QR codes.

• KIPS Transactions on Computer and Communication Systems
• /
• v.3 no.3
• /
• pp.87-96
• /
• 2014

Hackers try to achieve their purpose in a variety of ways, such as operating own website and hacking a website. Hackers seize a large amount of private information after they have made a zombie PC by using malicious code to upload the website and it would be used another hacking. Almost detection technique is the use Snort rule. When unknown code and the patterns in IDS/IPS devices are matching on network, it detects unknown code as malicious code. However, if unknown code is not matching, unknown code would be normal and it would attack system. Hackers try to find patterns and make shellcode to avoid patterns. So, new method is needed to detect that kinds of shellcode. In this paper, we proposed a noble method to detect the shellcode by using Shannon's information entropy.

• Journal of the Korea Society of Computer and Information
• /
• v.24 no.5
• /
• pp.27-33
• /
• 2019

One of serious security threats is a botnet-based attack. A botnet in general consists of numerous bots, which are computing devices with networking function, such as personal computers, smartphones, or tiny IoT sensor devices compromised by malicious codes or attackers. Such botnets can launch various serious cyber-attacks like DDoS attacks, propagating mal-wares, and spreading spam e-mails over the network. To establish a botnet, attackers usually inject malicious URLs into web source codes stealthily by using data hiding methods like Javascript obfuscation techniques to avoid being discovered by traditional security systems such as Firewall, IPS(Intrusion Prevention System) or IDS(Intrusion Detection System). Meanwhile, it is non-trivial work in practice for software developers to manually find such malicious URLs which are hidden in numerous web source codes stored in web servers. In this paper, we propose a security defense system to discover such suspicious, malicious URLs hidden in web source codes, and present experiment results that show its discovery performance. In particular, based on our experiment results, our proposed system discovered 100% of URLs hidden by Javascript encoding obfuscation within sample web source files.