• Proceedings of the Korea Information Processing Society Conference
• /
• 2021.05a
• /
• pp.212-215
• /
• 2021

본 논문에서는 딥러닝의 CNN(Convolution Neural Network) 학습을 통하여 악성코드를 실행시키지 않고서 악성코드 변종을 패밀리 그룹으로 분류하는 방법을 연구한다. 먼저 데이터 전처리를 통해 3가지의 서로 다른 방법으로 악성코드 이미지와 메타데이터를 생성하고 이를 CNN으로 학습시킨다. 첫째, 악성코드의 byte 파일을 8비트 gray-scale 이미지로 시각화하는 방법이다. 둘째, 악성코드 asm 파일의 opcode sequence 정보를 추출하고 이를 이미지로 변환하는 방법이다. 셋째, 악성코드 이미지와 메타데이터를 결합하여 분류에 적용하는 방법이다. 이미지 특징 추출을 위해서는 본고에서 제안한 CNN을 통한 학습 방식과 더불어 3개의 Pre-trained된 CNN 모델을 (InceptionV3, Densnet, Resnet-50) 사용하여 전이학습을 진행한다. 전이학습 시에는 마지막 분류 레이어층에서 본 논문에서 선택한 데이터셋에 대해서만 학습하도록 파인튜닝하였다. 결과적으로 가공된 악성코드 데이터를 적용하여 9개의 악성코드 패밀리로 분류하고 예측 정확도를 측정해 비교 분석한다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2021.11a
• /
• pp.715-718
• /
• 2021

정보통신 기술이 발전함에 따라 악의적인 공격을 통해 보안문제를 발생시키고 있다. 또한 새로운 악성코드가 유포되어 기존의 시그니처 비교방식은 새롭게 발생하는 악성코드를 빠르게 분석 할 수 없다. 새로운 악성코드를 빠르게 분석하고 방어기법을 제안하기 위해 악성코드의 패밀리를 분류할 필요가 있다. 본 논문에서는 악성코드의 바이너리 파일을 이용해 시각화하고 CNN모델을 통해 분류한다. 또한 정확도를 높이기 위해 LBP, HOG를 통해 악성코드 이미지에서 중요한 특성을 찾고 데이터 클래스 불균형에서 오는 문제를 앙상블 모델을 통해 해결하는 시스템을 제안한다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2023.11a
• /
• pp.796-798
• /
• 2023

IoT 기기 사용량의 증가로 인해 해킹 사례도 함께 증가하며 보안의 중요성이 커지고 있다. 본 논문은 IoT 보안 취약점을 해결하기 위해 정상/악성코드의 데이터셋을 Grayscale로 변환하여 악성코드/정상코드로 분류하는 알고리즘을 개발해 IoT 기기에서 성능을 검증한다. 분류에 이용되는 딥러닝 알고리즘은 CNN(Convolutional Neural Network)으로 99.60%의 평균 정확도를 나타내며 IoT 기기(라즈베리파이)에서도 잘 작동됨을 확인할 수 있다.

• International Journal of Computer Science & Network Security
• /
• v.24 no.5
• /
• pp.205-211
• /
• 2024

The increasing number of botnet attacks incorporating new evasion techniques making it infeasible to completely secure complex computer network system. The botnet infections are likely to be happen, the timely detection and response to these infections helps to stop attackers before any damage is done. The current practice in traditional IP networks require manual intervention to response to any detected malicious infection. This manual response process is more probable to delay and increase the risk of damage. To automate this manual process, this paper proposes to automatically select relevant countermeasures for detected botnet infection. The propose approach uses the concept of flow trace to detect botnet behavior patterns from current and historical network activity. The approach uses the multiclass machine learning based approach to detect and classify the botnet activity into IRC, HTTP, and P2P botnet. This classification helps to calculate the risk score of the detected botnet infection. The relevant countermeasures selected from available pool based on risk score of detected infection.

• Convergence Security Journal
• /
• v.23 no.1
• /
• pp.69-77
• /
• 2023

Recently, ransomware damage has been increasing rapidly around the world, including Irish health authorities and U.S. oil pipelines, and is causing damage to all sectors of society. In particular, research using machine learning as well as existing detection methods is increasing for ransomware detection and response. However, traditional machine learning has a problem in that it is difficult to extract accurate predictions because the model tends to predict in the direction where there is a lot of data. Accordingly, in an imbalance class consisting of a large number of non-Ransomware (normal code or malware) and a small number of Ransomware, a technique for resolving the imbalance and improving ransomware detection performance is proposed. In this experiment, we use two scenarios (Binary, Multi Classification) to confirm that the sampling technique improves the detection performance of a small number of classes while maintaining the detection performance of a large number of classes. In particular, the proposed mixed sampling technique (SMOTE+ENN) resulted in a performance(G-mean, F1-score) improvement of more than 10%.

• Journal of Advanced Navigation Technology
• /
• v.28 no.1
• /
• pp.27-36
• /
• 2024

In this paper, we analyze the unified requirements of international association of classification societies - cyber resilience of ships, ahead of implementation of the agreement on July 1, 2024, and respond to ship cyber security and resilience programs based on 5 requirements, 17 details, and documents that must be submitted or maintained according to the ship's cyber resilience,. Measures include document management such as classification certification documents and design documents, configuration of a network with enhanced security, establishment of processes for accident response, configuration management using software tools, integrated network management, malware protection, and detection of ship network security threats with security management solutions. proposed a technology capable of real-time response.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.6
• /
• pp.1325-1336
• /
• 2012

In the past about 10 different kinds of malicious code were found in one day on the average. However, the number of malicious codes that are found has rapidly increased reachingover 55,000 during the last 10 year. A large number of malicious codes, however, are not new kinds of malicious codes but most of them are new variants of the existing malicious codes as same functions are newly added into the existing malicious codes, or the existing malicious codes are modified to evade anti-virus detection. To deal with a lot of malicious codes including new malicious codes and variants of the existing malicious codes, we need to compare the malicious codes in the past and the similarity and classify the new malicious codes and the variants of the existing malicious codes. A former calculation method of the similarity on the existing malicious codes compare external factors of IPs, URLs, API, Strings, etc or source code levels. The former calculation method of the similarity takes time due to the number of malicious codes and comparable factors on the increase, and it leads to employing fuzzy hashing to reduce the amount of calculation. The existing fuzzy hashing, however, has some limitations, and it causes come problems to the former calculation of the similarity. Therefore, this research paper has suggested a new comparison method for malicious codes to improve performance of the calculation of the similarity using fuzzy hashing and also a classification method employing the new comparison method.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.18 no.6A
• /
• pp.129-137
• /
• 2008

As the use of the internet increases, the distribution of spam mail has also vastly increased. The email's main use was for the exchange of information, however, currently it is being more frequently used for advertisement and malware distribution. This is a serious problem because it consumes a large amount of the limited internet resources. Furthermore, an extensive amount of computer, network and human resources are consumed to prevent it. As a result much research is being done to prevent and filter spam. Currently, research is being done on readable sentences which do not use proper grammar. This type of spam can not be classified by previous vocabulary analysis or document classification methods. This paper proposes a method to filter spam by using the subject of the mail and N-GRAM for indexing and Bayesian, SVM algorithms for classification.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2013.11a
• /
• pp.808-810
• /
• 2013

최근 인터넷 사용이 보편화됨과 더불어 정치적, 경제적인 목적으로 웹사이트와 이메일을 악용한 악성 코드가 급속히 유포되고 있다. 유포된 악성코드의 대부분은 기존 악성코드를 변형한 변종 악성코드이다. 이에 변종 악성코드를 탐지하기 위해 유사 악성코드를 분류하는 연구가 활발하다. 그러나 기존 연구에서는 정적 분석을 통해 얻어진 정보를 가지고 분류하기 때문에 실제 발생되는 행위에 대한 분석이 어려운 단점이 있다. 본 논문에서는 악성코드가 호출하는 API(Application Program Interface) 정보를 추출하고 유사도를 분석하여 악성코드를 분류하는 기법을 제안한다. 악성코드가 호출하는 API의 유사도를 분석하기 위해서 동적 API 후킹이 가능한 악성코드 API 분석 시스템을 개발하고 퍼지해시(Fuzzy Hash)인 ssdeep을 이용하여 비교 가능한 고유패턴을 생성하였다. 실제 변종 악성코드 샘플을 대상으로 한 실험을 수행하여 제안하는 악성코드 분류 기법의 유용성을 확인하였다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.21 no.3
• /
• pp.37-44
• /
• 2011

Recently malicious activities that is a DDoS, spam, propagation of malware, steeling person information, phishing on the Internet are related malicious botnet. To detect malicious botnet, Many researchers study a detection system for malicious botnet, but these applies specific protocol, action or attack based botnet. In this reason, we study a selection of measurement to detec malicious botnet in this paper. we collect a traffic of malicious botnet and analyze it for feature of network traffic. And we select a feature based measurement. we expect to help a detection of malicious botnet through this study.