• Title/Summary/Keyword: malware analysis

Search Result 262, Processing Time 0.021 seconds

A Tool for Signature-Based Identification of Safe Open-Source Functions Toward Efficient Malware Analysis (악성코드의 효율적인 분석을 위한 안전한 오픈소스 함수에 대한 시그니처 기반 식별 도구)

  • Lee, Seoksu;Yang, Jonghwan;Jung, Woosik;Kim, Yeongcheol;Cho, Eun-Sun
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.27 no.4
    • /
    • pp.721-729
    • /
    • 2017
  • In order to take rapid action against malware, efficiency in malware analysis is essential. For instance, it would be helpful to identify and eliminate open-source function bodies or other safe portions out of the target binary codes. In this paper, we propose an tool to create open source dynamic link library files in Windows environment, extract signature information by opensource and compiler version, and compare open source function information to find suspicious function. In addition, the tool can save the information used in the comparison to the DB and use it later, reducing the analysis time overhead.

Detecting Meltdown and Spectre Malware through Binary Pattern Analysis (바이너리 패턴 분석을 이용한 멜트다운, 스펙터 악성코드 탐지 방법)

  • Kim, Moon-sun;Lee, Man-hee
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.29 no.6
    • /
    • pp.1365-1373
    • /
    • 2019
  • Meltdown and Spectre are vulnerabilities that exploit out-of-order execution and speculative execution techniques to read memory regions that are not accessible with user privileges. OS patches were released to prevent this attack, but older systems without appropriate patches are still vulnerable. Currently, there are some research to detect Meltdown and Spectre attacks, but most of them proposed dynamic analysis methods. Therefore, this paper proposes a binary signature that can be used to detect Meltdown and Spectre malware without executing them. For this, we collected 13 malicious codes from GitHub and performed binary pattern analysis. Based on this, we proposed a static detection method for Meltdown and Spectre malware. Our results showed that the method identified all the 19 attack files with 0.94% false positive rate when applied to 2,317 normal files.

Packed PE File Detection for Malware Forensics (악성코드 포렌식을 위한 패킹 파일 탐지에 관한 연구)

  • Han, Seung-Won;Lee, Sang-Jin
    • The KIPS Transactions:PartC
    • /
    • v.16C no.5
    • /
    • pp.555-562
    • /
    • 2009
  • In malware accident investigation, the most important thing is detection of malicious code. Signature based anti-virus softwares have been used in most of the accident. Malware can easily avoid signature based detection by using packing or encryption method. Because of this, packed file detection is also important. Detection methods can be divided into signature based detection and entropy based detection. Signature based detection can not detect new packing. And entropy based detection has a problem with false positive. We provides detection method using entropy statistics of entry point section and 'write' properties of essential characteristic of packed file. And then, we show packing detection tool and evaluate its performance.

Malware Analysis Mechanism using the Word Cloud based on API Statistics (API 통계 기반의 워드 클라우드를 이용한 악성코드 분석 기법)

  • Yu, Sung-Tae;Oh, Soo-Hyun
    • Journal of the Korea Academia-Industrial cooperation Society
    • /
    • v.16 no.10
    • /
    • pp.7211-7218
    • /
    • 2015
  • Tens of thousands of malicious codes are generated on average in a day. New types of malicious codes are surging each year. Diverse methods are used to detect such codes including those based on signature, API flow, strings, etc. But most of them are limited in detecting new malicious codes due to bypass techniques. Therefore, a lot of researches have been performed for more efficient detection of malicious codes. Of them, visualization technique is one of the most actively researched areas these days. Since the method enables more intuitive recognition of malicious codes, it is useful in detecting and examining a large number of malicious codes efficiently. In this paper, we analyze the relationships between malicious codes and Native API functions. Also, by applying the word cloud with text mining technique, major Native APIs of malicious codes are visualized to assess their maliciousness. The proposed malicious code analysis method would be helpful in intuitively probing behaviors of malware.

Fast k-NN based Malware Analysis in a Massive Malware Environment

  • Hwang, Jun-ho;Kwak, Jin;Lee, Tae-jin
    • KSII Transactions on Internet and Information Systems (TIIS)
    • /
    • v.13 no.12
    • /
    • pp.6145-6158
    • /
    • 2019
  • It is a challenge for the current security industry to respond to a large number of malicious codes distributed indiscriminately as well as intelligent APT attacks. As a result, studies using machine learning algorithms are being conducted as proactive prevention rather than post processing. The k-NN algorithm is widely used because it is intuitive and suitable for handling malicious code as unstructured data. In addition, in the malicious code analysis domain, the k-NN algorithm is easy to classify malicious codes based on previously analyzed malicious codes. For example, it is possible to classify malicious code families or analyze malicious code variants through similarity analysis with existing malicious codes. However, the main disadvantage of the k-NN algorithm is that the search time increases as the learning data increases. We propose a fast k-NN algorithm which improves the computation speed problem while taking the value of the k-NN algorithm. In the test environment, the k-NN algorithm was able to perform with only the comparison of the average of similarity of 19.71 times for 6.25 million malicious codes. Considering the way the algorithm works, Fast k-NN algorithm can also be used to search all data that can be vectorized as well as malware and SSDEEP. In the future, it is expected that if the k-NN approach is needed, and the central node can be effectively selected for clustering of large amount of data in various environments, it will be possible to design a sophisticated machine learning based system.

Correlation Analysis of Dataset Size and Accuracy of the CNN-based Malware Detection Algorithm (CNN Mobile Net 기반 악성코드 탐지 모델에서의 학습 데이터 크기와 검출 정확도의 상관관계 분석)

  • Choi, Dong Jun;Lee, Jae Woo
    • Convergence Security Journal
    • /
    • v.20 no.3
    • /
    • pp.53-60
    • /
    • 2020
  • At the present stage of the fourth industrial revolution, machine learning and artificial intelligence technologies are rapidly developing, and there is a movement to apply machine learning technology in the security field. Malicious code, including new and transformed, generates an average of 390,000 a day worldwide. Statistics show that security companies ignore or miss 31 percent of alarms. As many malicious codes are generated, it is becoming difficult for humans to detect all malicious codes. As a result, research on the detection of malware and network intrusion events through machine learning is being actively conducted in academia and industry. In international conferences and journals, research on security data analysis using deep learning, a field of machine learning, is presented. have. However, these papers focus on detection accuracy and modify several parameters to improve detection accuracy but do not consider the ratio of dataset. Therefore, this paper aims to reduce the cost and resources of many machine learning research by finding the ratio of dataset that can derive the highest detection accuracy in CNN Mobile net-based malware detection model.

Compiler Analysis Framework Using SVM-Based Genetic Algorithm : Feature and Model Selection Sensitivity (SVM 기반 유전 알고리즘을 이용한 컴파일러 분석 프레임워크 : 특징 및 모델 선택 민감성)

  • Hwang, Cheol-Hun;Shin, Gun-Yoon;Kim, Dong-Wook;Han, Myung-Mook
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.30 no.4
    • /
    • pp.537-544
    • /
    • 2020
  • Advances in detection techniques, such as mutation and obfuscation, are being advanced with the development of malware technology. In the malware detection technology, unknown malware detection technology is important, and a method for Malware Authorship Attribution that detects an unknown malicious code by identifying the author through distributed malware is being studied. In this paper, we try to extract the compiler information affecting the binary-based author identification method and to investigate the sensitivity of feature selection, probability and non-probability models, and optimization to classification efficiency between studies. In the experiment, the feature selection method through information gain and the support vector machine, which is a non-probability model, showed high efficiency. Among the optimization studies, high classification accuracy was obtained through feature selection and model optimization through the proposed framework, and resulted in 48% feature reduction and 53 faster execution speed. Through this study, we can confirm the sensitivity of feature selection, model, and optimization methods to classification efficiency.

Function partitioning methods for malware variant similarity comparison (변종 악성코드 유사도 비교를 위한 코드영역의 함수 분할 방법)

  • Park, Chan-Kyu;Kim, Hyong-Shik;Lee, Tae Jin;Ryou, Jae-Cheol
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.25 no.2
    • /
    • pp.321-330
    • /
    • 2015
  • There have been found many modified malwares which could avoid detection simply by replacing a sequence of characters or a part of code. Since the existing anti-virus program performs signature-based analysis, it is difficult to detect a malware which is slightly different from the well-known malware. This paper suggests a method of detecting modified malwares by extending a hash-value based code comparison. We generated hash values for individual functions and individual code blocks as well as the whole code, and thus use those values to find whether a pair of codes are similar in a certain degree. We also eliminated some numeric data such as constant and address before generating hash values to avoid incorrectness incurred from them. We found that the suggested method could effectively find inherent similarity between original malware and its derived ones.

Program Slicing for Binary code Deobfuscation (역난독화를 위한 바이너리 프로그램 슬라이싱)

  • Mok, Seong-Kyun;Jeon, Hyeon-gu;Cho, Eun-Sun
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.27 no.1
    • /
    • pp.59-66
    • /
    • 2017
  • Hackers have obfuscated their malware to avoid being analyzed. Recently, obfuscation tools translate original codes into bytecodes to use virtualized-obfuscation, so that bytecodes are executed by virtual machines. In such cases, malware analysts fail to know about the malware before execution of the codes. We found that program slicing is one of promising program analysis techniques to solve this problem. The main concepts of program slice include slicing criteria given by analysts and sliced statements according to the slicing criteria. This paper proposes a deobfuscation method based on program slicing technique.

Detecting Android Malware Based on Analyzing Abnormal Behaviors of APK File

  • Xuan, Cho Do
    • International Journal of Computer Science & Network Security
    • /
    • v.21 no.6
    • /
    • pp.17-22
    • /
    • 2021
  • The attack trend on end-users via mobile devices is increasing in both the danger level and the number of attacks. Especially, mobile devices using the Android operating system are being recognized as increasingly being exploited and attacked strongly. In addition, one of the recent attack methods on the Android operating system is to take advantage of Android Package Kit (APK) files. Therefore, the problem of early detecting and warning attacks on mobile devices using the Android operating system through the APK file is very necessary today. This paper proposes to use the method of analyzing abnormal behavior of APK files and use it as a basis to conclude about signs of malware attacking the Android operating system. In order to achieve this purpose, we propose 2 main tasks: i) analyzing and extracting abnormal behavior of APK files; ii) detecting malware in APK files based on behavior analysis techniques using machine learning or deep learning algorithms. The difference between our research and other related studies is that instead of focusing on analyzing and extracting typical features of APK files, we will try to analyze and enumerate all the features of the APK file as the basis for classifying malicious APK files and clean APK files.