• Proceedings of the Korea Information Processing Society Conference
• /
• 2015.04a
• /
• pp.501-503
• /
• 2015

Malicious(악의적인) + Code 즉, 악의적인코드를 포함한 소프트웨어라는 의미로 줄여 Malware(Malicious + Software) 라고 불리는 악성코드는 최근 네트워크와 컴퓨터의 급속한 발전에 따라 기하급수적으로 증가하고 있는 추세이다. 폭발적인 증가율 추세를 보이고 있는 악성코드의 위협을 대비하기 위해 악성코드에 대한 분석이 필요한데 그 분석의 종류로는 초기분석, 동적 분석, 정적분석으로 나누고 장, 단점을 정리하였다. 또한 악성코드 대량화에 따른 효율적인 분석과 빠른 의사결정을 위한 악성코드 유사도에 대한 연구를 소개하고 API Call Sequence와 분류된 API를 이용한 악성행위 유사도 판별법을 제시하고 실험하였다.

• Journal of Internet of Things and Convergence
• /
• v.9 no.1
• /
• pp.1-7
• /
• 2023

Cases in which personal terminals or servers are infected by ransomware are rapidly increasing. Ransomware uses a self-developed encryption module or combines existing symmetric key/public key encryption modules to illegally encrypt files stored in the victim system using a key known only to the attacker. Therefore, in order to decrypt it, it is necessary to know the value of the key used, and since the process of finding the decryption key takes a lot of time, financial costs are eventually paid. At this time, most of the ransomware malware is included in a hidden form in binary files, so when the program is executed, the user is infected with the malicious code without even knowing it. Therefore, in order to respond to ransomware attacks in the form of binary files, it is necessary to identify the encryption module used. Therefore, in this study, we developed a mechanism that can detect and identify by reverse analyzing the encryption module applied to the malicious code hidden in the binary file.

• Convergence Security Journal
• /
• v.6 no.1
• /
• pp.13-23
• /
• 2006

It is more desirable to execute AV software on server systems rather than on clients for the minimization of damages due to malicious codes. AV software on server system, however, may aggravate the load of server system. In this paper, we propose a new AV software executed on server system without additional loads with a monitor and multi-agent model. The new AV software supports dynamic load balancing that reflects the features of AV engine, and thus it can be executed efficiently on server systems. The results of performance evaluation on the AV software attest to the strong points of the new AV software.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.3
• /
• pp.613-628
• /
• 2019

In-Vehicle Infotainment provides navigation and various functions through the installation of the application. And infotainment is very important to control the entire vehicle by sending commands to the ECU. Infotainment supports a variety of wireless communication protocols to install and update applications. So Infotainment is becoming an attack surface through wireless communcation protocol for hacker's access. If malicious software is installed in infotainment, it can gain control of the vehicle and send a malicious purpose command to the ECU, affecting the life of the driver. Therefore, measures are needed to verify the security and reliability of infotainment software updates, and security requirements must be derived and verified. It must be developed in accordance with SDL to provide security and reliability, and systematic security requirements must be derived by applying threat modeling. Therefore, this paper conducts threat modeling to derive infotainment update security requirements. Also, the security requirements are mapped to the Common Criteria to provide criteria for updating infotainment software.

• Smart Media Journal
• /
• v.13 no.6
• /
• pp.9-15
• /
• 2024

In recent trends, there has been an increase in 'Qshing' attacks, a hybrid form of phishing that exploits fake QR (Quick Response) codes impersonating government agencies to steal personal and financial information. Particularly, this attack method is characterized by its stealthiness, as victims can be redirected to phishing pages or led to download malicious software simply by scanning a QR code, making it difficult for them to realize they have been targeted. In this paper, we have developed a classification technique utilizing machine learning algorithms to identify the maliciousness of URLs embedded in QR codes, and we have explored ways to integrate this with existing QR code readers. To this end, we constructed a dataset from 128,587 malicious URLs and 428,102 benign URLs, extracting 35 different features such as protocol and parameters, and used AutoML to identify the optimal algorithm and hyperparameters, achieving an accuracy of approximately 87.37%. Following this, we designed the integration of the trained classification model with existing QR code readers to implement a service capable of countering Qshing attacks. In conclusion, our findings confirm that deriving an optimized algorithm for classifying malicious URLs in QR codes and integrating it with existing QR code readers presents a viable solution to combat Qshing attacks.

• IEMEK Journal of Embedded Systems and Applications
• /
• v.12 no.6
• /
• pp.359-368
• /
• 2017

As the BadUSB is a vulnerability, in which a hacker tampers the firmware area of a USB flash drive. When the BadUSB device is plugged into the USB port of a host system, a malicious code acts automatically. The host system misunderstands the act of the malicious behavior as an normal behaviour for booting the USB device, so it is hard to detect the malicious code. Also, an antivirus software can't detect the tampered firmware because it inspects not the firmware area but the storage area. Because a lot of computer peripherals (such as USB flash drive, keyboard) are connected to host system with the USB protocols, the vulnerability has a negative ripple effect. However, the countermeasure against the vulnerability is not known now. In this paper, we analyze the tampered area of the firmware when a normal USB device is changed to the BadUSB device and propose the countermeasure to verify the integrity of the area when the USB boots. The proposed method consists of two procedures. The first procedure is to verify the integrity of the area which should be fixed even if the firmware is updated. The verification method use hashes, and the target area includes descriptors. The second procedure is to verify the integrity of the changeable area when the firmware is updated. The verification method use code signing, and the target area includes the function area of the firmware. We also propose the update protocol for the proposed structure and verify it to be true through simulation.

• Journal of Korea Multimedia Society
• /
• v.23 no.5
• /
• pp.650-657
• /
• 2020

The rapid growth of internet users and faster network speed are driving the new ICT services. ICT Technology has improved our way of thinking and style of life, but it has created security problems such as malware, ransomware, and so on. Therefore, we should research against the increase of malware and the emergence of malicious code. For this, it is necessary to accurately and quickly detect and classify malware family. In this paper, we analyzed and classified visualization technology, which is a preprocessing technology used for deep learning-based malware classification. The first method is to convert each byte into one pixel of the image to produce a grayscale image. The second method is to convert 2bytes of the binary to create a pair of coordinates. The third method is the method using LSH. We proposed improving the technique of using the entire existing malicious code file for visualization, extracting only the areas where important information is expected to exist and then visualizing it. As a result of experimenting in the method we proposed, it shows that selecting and visualizing important information and then classifying it, rather than containing all the information in malicious code, can produce better learning results.

• KIISE Transactions on Computing Practices
• /
• v.22 no.3
• /
• pp.139-144
• /
• 2016

There exist many threats in cyber space, however current anti-virus software and other existing solutions do not effectively respond to malware that has become more complex and sophisticated. It was shown experimentally that it is possible for the proposed approach to provide an automatic execution environment for the detection of malicious behavior of active malware, comparing the virtual-machine environment with the real-machine environment based on user interaction. Moreover, the results show that it is possible to provide a dynamic analysis environment in order to analyze the intelligent malware effectively, through the comparison of malicious behavior activity in an automatic binary execution environment based on real-machines and the malicious behavior activity in a virtual-machine environment.

• The KIPS Transactions:PartB
• /
• v.14B no.1 s.111
• /
• pp.59-64
• /
• 2007

In these days, malicious codes have become reality and evolved significantly to become one of the greatest threats to the modern society where important information is stored, processed, and accessed through the internet and the computers. Computer virus is a common type of malicious codes. The standard techniques in anti-virus industry is still based on signatures matching. The detection mechanism searches for a signature pattern that identifies a particular virus or stain of viruses. Though more accurate in detecting known viruses, the technique falls short for detecting new or unknown viruses for which no identifying patterns present. To cope with this problem, anti-virus software has to incorporate the learning mechanism and heuristic. In this paper, we propose a fuzzy diagnosis system(FDS) using fuzzy c-means algorithm(FCM) for the cluster analysis and a decision status measure for giving a diagnosis. We compare proposed system FDS to three well known classifiers-KNN, RF, SVM. Experimental results show that the proposed approach can detect unknown viruses effectively.

• Convergence Security Journal
• /
• v.18 no.5_1
• /
• pp.19-24
• /
• 2018

For a long time now, general-purpose processors have provided dedicated hardware / software tracing modules to provide developers with tools to fix bugs. A hardware tracer generates its enormous data into a log that is used for both performance analysis and debugging. Processor Trace (PT) is a new hardware-based tracing feature for Intel CPUs that traces branches executing on the CPU, which allows the reconstruction of the control flow of all executed code with minimal labor. Hardware tracer has been integrated into the operating system, which allows tight integration with its profiling and debugging mechanisms. However, in the Windows environment, existing studies related to PT focused on decoding only one flow in sequence. In this paper, we propose an extended PT decoder structure that provides basic data for real-time trace and malicious code detection using the functions provided by PT in Windows environment.