• International journal of advanced smart convergence
• /
• v.6 no.1
• /
• pp.1-8
• /
• 2017

Diverse types of malicious code such as evasive Server-side Polymorphic are developed and distributed in third party open markets. The suspicious new type of polymorphic malware has the ability to actively change and morph its internal data dynamically. As a result, it is very hard to detect this type of suspicious transaction as an evidence of Server-side polymorphic mobile malware because its C&C server was shut downed or an IP address of remote controlling C&C server was changed irregularly. Therefore, we implemented Simulated C&C Server to aggregate activated events perfectly from various Server-side polymorphic mobile malware. Using proposed Simulated C&C Server, we can proof completely and classify veiled server-side polymorphic malicious code more clearly.

• Journal of the Korea Society of Computer and Information
• /
• v.19 no.7
• /
• pp.77-85
• /
• 2014

Recently, several environment damage caused by malicious or suspicious code is increasing. We study comprehensive response system actively for malware detection. Suspicious code is installed on your PC without your consent, users are unaware of the damage. Also, there are need to technology for realtime processing of Big Data. We must develope advanced technology for malware detection. We must analyze the static, dynamic of executable file for fundamentally malware detection in recently and verified by a reputation for verification. It is need to judgment of similarity for realtime response with big data. In this paper, we proposed realtime detection and verification technology using multiple filter. Our malware study suggests a new direction of realtime malware detection.

• Journal of Korea Multimedia Society
• /
• v.11 no.11
• /
• pp.1491-1500
• /
• 2008

This paper proposes an intelligent surveillance system to recognize suspicious patterns of the human behavior by using the Hidden Markov Model. First, the method finds foot area of the human by motion detection algorithm from image sequence of the surveillance camera. Then, these foot locus form observation series of features to learn the HMM. The feature that is position of the human foot is changed to each code that corresponds to a specific label among 16 local partitions of image region. Therefore, specific moving patterns formed by the foot locus are the series of the label numbers. The Baum-Welch algorithm of the HMM learns each suspicious and specific pattern to classify the human behaviors. To recognize the inputted human behavior pattern in a test image, the probabilistic comparison between the learned pattern of the HMM and foot series to be tested decides the categorization of the test pattern. The experimental results show that the method can be applied to detect a suspicious person prowling in corridor.

• International journal of advanced smart convergence
• /
• v.12 no.1
• /
• pp.149-156
• /
• 2023

OOXML-based MS-Office digital files are extensively utilized by businesses and organizations worldwide. However, OOXML-based MS-Office digital files are vulnerable to forgery and corruption attack by including hidden suspicious information, which can lead to activating malware or shell code being hidden in the file. Such malicious code can cause a computer system to malfunction or become infected with ransomware. To prevent such attacks, it is necessary to analyze and detect the corruption of OOXML-based MS-Office files. In this paper, we examine the weaknesses of the existing OOXML-based MS-Office file structure and analyzes how concealment and forgery are performed on MS-Office digital files. As a result, we propose a system to detect hidden data effectively and proactively respond to ransomware attacks exploiting MS-Office security vulnerabilities. Proposed system is designed to provide reliable and efficient detection of hidden data in OOXML-based MS-Office files, which can help organizations protect against potential security threats.

• Proceedings of the Korean Society of Computer Information Conference
• /
• 2014.07a
• /
• pp.67-70
• /
• 2014

최근의 다양한 환경에서 악성코드나 의심 코드에 의한 피해가 날로 늘어나고 있는 추세이며 이를 종합적으로 대응할 수 있는 시스템에 대한 연구가 활발히 이루어지고 있는 상황이다. 이러한 악성코드는 사용자의 동의 없이도 PC에 설치되어 사용자가 인지하지 못하는 피해를 지속적으로 영산하고 있으며 그 심각성도 날로 심해지고 있는 실정이다. 또한 다양한 시스템으로부터 수집되는 방대한 양의 데이터를 실시간으로 처리하고 검증하는 기술 및 탐지 기법을 토대로 악성코드를 탐지하고 분석할 수 있는 대응기술로 고도화 되어야만 한다. 이러한 악성코드는 사용자의 PC에 설치되기 이전부터 검사 및 판단하여 사전 대응하는 것이 매우 중요하다. 본 논문에서는 이러한 악성코드가 실제 PC상에 설치되기 이전에 탐지할 수 있는 기법을 제시하며 이를 장치형태로 검증하였다. 본 논문에서 제시하는 기술을 토대로 악상코드 근절에 대한 근본적인 대안을 제시할 것이라 판단한다.

• Journal of the Korean Society of Surveying, Geodesy, Photogrammetry and Cartography
• /
• v.36 no.2
• /
• pp.67-74
• /
• 2018

This study has proposed a methodology to detect suspicious facilities that occupy national and public land by using the cadastral and digital maps. First, we constructed a spatial database of national & public land based on the cadastral maps by linking its management ledger. Using the PNU (Parcel Number) code as a key field, the data managed by different institutions are integrated into a single spatial information DB (database) and then, the use or nonuse state of each parcel is confirmed on the cadastral map. Next, we explored the suspicious facilities that existed in the unused parcel by utilizing the digital topographical map. Then, the proposed methodology was applied for various regions and tested its feasibility. Through this study, it will be possible to improve the utilization of digital maps and to manage the national and public land efficiently and economically.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.3
• /
• pp.429-442
• /
• 2020

The proportion of attacks via office documents is increasing in recent incidents. Although the security of office applications has been strengthened gradually, the attacks through the office documents are still effective due to the sophisticated use of social engineering techniques and advanced attack techniques. In this paper, we propose a method for detecting malicious OOXML(Office Open XML) documents and a framework for detection. To do this, malicious files used in the attack and benign files were collected from the malicious code repository and the search engine. By analyzing the malicious code types of collected files, we identified six "suspicious object" elements that are meaningful in determining whether they are malicious in a document. In addition, we implemented an OOXML document-based malware detection framework based on the detection method to classify the collected files and found that 98.45% of malicious filesets were detected.

• Journal of Internet Computing and Services
• /
• v.15 no.6
• /
• pp.47-54
• /
• 2014

Anti-debugging is one of the techniques implemented within the computer code to hinder attempts at reverse engineering so that attackers or analyzers will not be able to use debuggers to analyze the program. The technique has been applied to various programs and is still commonly used in order to prevent malware or malicious code attacks or to protect the programs from being analyzed. In this paper, we will suggest an automatic detection scheme for anti-debugging routines. With respect to the automatic detection, debuggers and a simulator were used by which trace information on the Application Program Interface(API) as well as executive instructions were extracted. Subsequently, the extracted instructions were examined and compared so as to detect points automatically where suspicious activity was captured as anti-debugging routines. Based on experiments to detect anti-debugging routines using such methods, 21 out of 25 anti-debugging techniques introduced in this paper appear to be able to detect anti-debugging routines properly. The technique in the paper is therefore not dependent upon a certain anti-debugging method. As such, the detection technique is expected to also be available for anti-debugging techniques that will be developed or discovered in the future.

• Journal of the Korea Society of Computer and Information
• /
• v.24 no.5
• /
• pp.27-33
• /
• 2019

One of serious security threats is a botnet-based attack. A botnet in general consists of numerous bots, which are computing devices with networking function, such as personal computers, smartphones, or tiny IoT sensor devices compromised by malicious codes or attackers. Such botnets can launch various serious cyber-attacks like DDoS attacks, propagating mal-wares, and spreading spam e-mails over the network. To establish a botnet, attackers usually inject malicious URLs into web source codes stealthily by using data hiding methods like Javascript obfuscation techniques to avoid being discovered by traditional security systems such as Firewall, IPS(Intrusion Prevention System) or IDS(Intrusion Detection System). Meanwhile, it is non-trivial work in practice for software developers to manually find such malicious URLs which are hidden in numerous web source codes stored in web servers. In this paper, we propose a security defense system to discover such suspicious, malicious URLs hidden in web source codes, and present experiment results that show its discovery performance. In particular, based on our experiment results, our proposed system discovered 100% of URLs hidden by Javascript encoding obfuscation within sample web source files.

• Journal of KIISE:Computer Systems and Theory
• /
• v.33 no.3
• /
• pp.178-192
• /
• 2006

The buffer overflow attack is the single most dominant and lethal form of security exploits as evidenced by recent worm outbreaks such as Code Red and SQL Stammer. In this paper, we propose microarchitectural techniques that can detect and recover from such malicious code attacks. The idea is that the buffer overflow attacks usually exhibit abnormal behaviors in the system. This kind of unusual signs can be easily detected by checking the safety of memory references at runtime, avoiding the potential data or control corruptions made by such attacks. Both the hardware cost and the performance penalty of enforcing the safety guards are negligible. In addition, we propose a more aggressive technique called corruption recovery buffer (CRB), which can further increase the level of security. Combined with the safety guards, the CRB can be used to save suspicious writes made by an attack and can restore the original architecture state before the attack. By performing detailed execution-driven simulations on the programs selected from SPEC CPU2000 benchmark, we evaluate the effectiveness of the proposed microarchitectural techniques. Experimental data shows that enforcing a single safety guard can reduce the number of system failures substantially by protecting the stack against return address corruptions made by the attacks. Furthermore, a small 1KB CRB can nullify additional data corruptions made by stack smashing attacks with only less than 2% performance penalty.