• Journal of the Korea Convergence Society
• /
• v.8 no.3
• /
• pp.49-61
• /
• 2017

Recently, convenience and usability are increasing with the development and deployment of various mobile applications on the Android platform. However, important information stored in the smartphone is leaked to the outside without knowing the user since the malicious mobile application is continuously increasing. A variety of mobile vaccines have been developed for the Android platform to detect malicious apps. Recently discovered server-based polymorphic(SSP) malicious mobile apps include obfuscation techniques. Therefore, it is not easy to detect existing mobile vaccines because some other form of malicious app is newly created by using SSP mechanism. In this paper, we analyze the correlation between the similarity of the method in the DEX file constituting the core malicious code and the permission similarity measure through APK de-compiling process for the SSP malicious app. According to the analysis results of DEX method similarity and permission similarity, we could extract the characteristics of SSP malicious apps and found the difference that can be distinguished from the normal app.

• Convergence Security Journal
• /
• v.8 no.2
• /
• pp.63-70
• /
• 2008

In order not to make the malwares be easily analyzed, the hackers apply various anti-reversing and obfuscation techniques to the malwares. However, as the more anti-revering techniques are applied to the malwares the more abnormal characteristics in the PE file's header which are not shown in the normal PE file, could be observed. In this letter, a new malware detection technique is proposed based on this observation. For the malware detection, we define the Characteristics Vector(CV) which can represent the characteristics of a PE file's header. In the learning phase, we calculate the average CV(ACV) of malwares(ACVM) and normal files(ACVN). To detect the malwares we calculate the 2 Weighted Euclidean Distances(WEDs) from a file's CV to ACVs and they are used to decide whether the file is a malware or not. The proposed technique is very fast and detection rate is fairly high, so it could be applied to the network based attack detection and prevention devices. Moreover, this technique is could be used to detect the unknown malwares because it does not utilize a signature but the malware's characteristics.

• Journal of Communications and Networks
• /
• v.18 no.3
• /
• pp.273-287
• /
• 2016

White-box cryptography presented by Chow et al. is an obfuscation technique for protecting secret keys in software implementations even if an adversary has full access to the implementation of the encryption algorithm and full control over its execution platforms. Despite its practical importance, progress has not been substantial. In fact, it is repeated that as a proposal for a white-box implementation is reported, an attack of lower complexity is soon announced. This is mainly because most cryptanalytic methods target specific implementations, and there is no general attack tool for white-box cryptography. In this paper, we present an analytic toolbox on white-box implementations of the Chow et al.'s style using lookup tables. According to our toolbox, for a substitution-linear transformation cipher on n bits with S-boxes on m bits, the complexity for recovering the $$O\((3n/max(m_Q,m))2^{3max(m_Q,m)}+2min\{(n/m)L^{m+3}2^{2m},\;(n/m)L^32^{3m}+n{\log}L{\cdot}2^{L/2}\}\)$$, where $m_Q$ is the input size of nonlinear encodings,$m_A$ is the minimized block size of linear encodings, and $L=lcm(m_A,m_Q)$. As a result, a white-box implementation in the Chow et al.'s framework has complexity at most $O\(min\{(2^{2m}/m)n^{m+4},\;n{\log}n{\cdot}2^{n/2}\}\)$ which is much less than $2^n$. To overcome this, we introduce an idea that obfuscates two advanced encryption standard (AES)-128 ciphers at once with input/output encoding on 256 bits. To reduce storage, we use a sparse unsplit input encoding. As a result, our white-box AES implementation has up to 110-bit security against our toolbox, close to that of the original cipher. More generally, we may consider a white-box implementation of the t parallel encryption of AES to increase security.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.1
• /
• pp.105-115
• /
• 2019

Recently, intelligent Android malicious codes have become difficult to detect malicious behavior by static analysis alone. Malicious code with SO file, dynamic loading, and string obfuscation are difficult to extract information about original code even with various tools for static analysis. There are many dynamic analysis methods to solve this problem, but dynamic analysis requires rooting or emulator environment. However, in the case of dynamic analysis, malicious code performs the rooting and the emulator detection to bypass the analysis environment. To solve this problem, this paper investigates a variety of root detection schemes and builds an environment for bypassing the rooting detection in real devices. In addition, SDK code hooking module for Android malicious code analysis is designed using Xposed, and intent tracking for code flow, dynamic loading file information, and various API information extraction are implemented. This work will contribute to the analysis of obfuscated information and behavior of Android Malware.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.4
• /
• pp.775-784
• /
• 2019

Malware infringement attacks are continuously increasing in various environments such as mobile, IOT, windows and mac due to the emergence of new and variant malware, and signature-based countermeasures have limitations in detection of malware. In addition, analytical performance is deteriorating due to obfuscation, packing, and anti-VM technique. In this paper, we propose a system that can detect malware based on machine learning by using similarity hashing-based pattern detection technique and static analysis after file classification according to packing. This enables more efficient detection because it utilizes both pattern-based detection, which is well-known malware detection, and machine learning-based detection technology, which is advantageous for detecting new and variant malware. The results of this study were obtained by detecting accuracy of 95.79% or more for benign sample files and malware sample files provided by the AI-based malware detection track of the Information Security R&D Data Challenge 2018 competition. In the future, it is expected that it will be possible to build a system that improves detection performance by applying a feature vector and a detection method to the characteristics of a packed file.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.13 no.6
• /
• pp.3199-3218
• /
• 2019

Location-based services (LBSs) have become popular in recent years due to the ever-increasing usage of smart mobile devices and mobile applications through networks. Although LBS application provides great benefits to mobile users, it also raises a sever privacy concern of users due to the untrusted service providers. In the lack of privacy enhancing mechanisms, most applications of the LBS may discourage the user's acceptance of location services in general, and endanger the user's privacy in particular. Therefore, it is a great interest to discuss on the recent privacy-preserving mechanisms in LBSs. Many existing location-privacy protection-mechanisms (LPPMs) make great efforts to increase the attacker's uncertainty on the user's actual whereabouts by generating a multiple of fake-locations together with user's actual positions. In this survey, we present a study and analysis of existing LPPMs and the state-of-art privacy measures in service quality aware LBS applications. We first study the general architecture of privacy qualification system for LBSs by surveying the existing framework and outlining its main feature components. We then give an overview of the basic privacy requirements to be considered in the design and evaluation of LPPMs. Furthermore, we discuss the classification and countermeasure solutions of existing LPPMs for mitigating the current LBS privacy protection challenges. These classifications include anonymization, obfuscation, and an encryption-based technique, as well as the combination of them is called a hybrid mechanism. Finally, we discuss several open issues and research challenges based on the latest progresses for on-going LBS and location privacy research.

• KIPS Transactions on Computer and Communication Systems
• /
• v.8 no.2
• /
• pp.35-40
• /
• 2019

Traditional Malware Detection is susceptible for detecting malware which is modified by polymorphism or obfuscation technology. By learning patterns that are embedded in malware code, machine learning algorithms can detect similar behaviors and replace the current detection methods. Data must collected continuously in order to learn malicious code patterns that change over time. However, the process of storing and processing a large amount of malware files is accompanied by high space and time complexity. In this paper, an HDFS-based distributed processing system is designed to reduce space complexity and accelerate feature extraction time. Using a distributed processing system, we extract two API features based on filtering basis, 2-gram feature and APICFG feature and the generalization performance of ensemble learning models is compared. In experiments, the time complexity of the feature extraction was improved about 3.75 times faster than the processing time of a single computer, and the space complexity was about 5 times more efficient. The 2-gram feature was the best when comparing the classification performance by feature, but the learning time was long due to high dimensionality.

• Journal of Internet Computing and Services
• /
• v.20 no.2
• /
• pp.61-68
• /
• 2019

Although the number of smartphone users is continuously increasing due to the advantage of being able to easily use most of the Internet services, the number of counterfeit applications is rapidly increasing and personal information stored in the smartphone is leaked to the outside. Because Android app was developed with Java language, it is relatively easy to create counterfeit apps if attacker performs the de-compilation process to reverse app by abusing the repackaging vulnerability. Although an obfuscation technique can be applied to prevent this, but most mobile apps are not adopted. Therefore, it is fundamentally impossible to block repackaging attacks on Android mobile apps. In addition, personal information stored in the smartphone is leaked outside because it does not provide a forgery self-verification procedure on installing an app in smartphone. In order to solve this problem, blockchain is used to implement a process of certificated application registration and a fake app identification and detection mechanism is proposed on Hyperledger Fabric framework.

• Journal of Internet Computing and Services
• /
• v.20 no.5
• /
• pp.9-18
• /
• 2019

Android Application Package (APK) is vulnerable to repackaging attacks. Therefore, obfuscation technology was applied inside the Android APK file to cope with repackaging attack. However, as more advanced reverse engineering techniques continue to be developed, fake Android APK files to be released. A new approach is needed to solve this problem. A blockchain is a continuously growing list of records, called blocks, which are linked and secured using cryptography. Each block typically contains a cryptographic hash of theprevious block, a timestamp and transaction data. Once recorded, the data inany given block cannot be altered retroactively without the alteration of all subsequent blocks. Therefore, it is possible to check whether or not theAndroid Mobile APK is forged by applying the blockchain technology. In this paper, we construct a discrimination DApp (Decentralized Application) against forgery Android Mobile APK by recording and maintaining the legitimate APK in the consortium blockchain framework like Hyperledger Fabric by Composer. With proposed DApp, we can prevent the forgery and modification of the appfrom being installed on the user's Smartphone, and normal and legitimate apps will be widely used.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.3
• /
• pp.691-705
• /
• 2012

Buffer overflow vulnerability is the most representative one that an attack method and its countermeasure is frequently developed and changed. This vulnerability is still one of the most critical threat since it was firstly introduced in middle of 1990s. Shellcode is a machine code which can be used in buffer overflow attack. Attackers make the shellcode for their own purposes and insert it into target host's memory space, then manipulate EIP(Extended Instruction Pointer) to intercept control flow of the target host system. Therefore, a lot of research to defend have been studied, and attackers also have done many research to bypass security measures designed for the shellcode defense. In this paper, we investigate shellcode defense and attack techniques briefly and we propose our new methodology which can hide shellcode in the 24bit BMP image. With this proposed technique, we can easily hide any shellcode executable and we can bypass the current detection and prevention techniques.