• Title/Summary/Keyword: Behavior-Based Detection

Search Result 10, Processing Time 0.189 seconds

Virus Detection Method based on Behavior Resource Tree

  • Zou, Mengsong;Han, Lansheng;Liu, Ming;Liu, Qiwen
    • Journal of Information Processing Systems
    • /
    • v.7 no.1
    • /
    • pp.173-186
    • /
    • 2011
  • Due to the disadvantages of signature-based computer virus detection techniques, behavior-based detection methods have developed rapidly in recent years. However, current popular behavior-based detection methods only take API call sequences as program behavior features and the difference between API calls in the detection is not taken into consideration. This paper divides virus behaviors into separate function modules by introducing DLLs into detection. APIs in different modules have different importance. DLLs and APIs are both considered program calling resources. Based on the calling relationships between DLLs and APIs, program calling resources can be pictured as a tree named program behavior resource tree. Important block structures are selected from the tree as program behavior features. Finally, a virus detection model based on behavior the resource tree is proposed and verified by experiment which provides a helpful reference to virus detection.

A Study of Logical Network Partition and Behavior-based Detection System Using FTS (FTS를 이용한 논리적 망 분리와 행위기반 탐지 시스템에 관한 연구)

  • Kim, MinSu;Shin, SangIl;Ahn, ChungJoon;Kim, Kuinam J.
    • Convergence Security Journal
    • /
    • v.13 no.4
    • /
    • pp.109-115
    • /
    • 2013
  • Security threats through e-mail service, a representative tool to convey information on the internet, are on the sharp rise. The security threats are made in the path where malicious codes are inserted into documents files attached and infect users' systems by taking advantage of the weak points of relevant application programs. Therefore, to block infection of camouflaged malicious codes in the course of file transfer, this work proposed an integrity-checking and behavior-based detection system using File Transfer System (FTS), logical network partition, and conducted a comparison analysis with the conventional security techniques.

Malicious Code Detection using the Effective Preprocessing Method Based on Native API (Native API 의 효과적인 전처리 방법을 이용한 악성 코드 탐지 방법에 관한 연구)

  • Bae, Seong-Jae;Cho, Jae-Ik;Shon, Tae-Shik;Moon, Jong-Sub
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.22 no.4
    • /
    • pp.785-796
    • /
    • 2012
  • In this paper, we propose an effective Behavior-based detection technique using the frequency of system calls to detect malicious code, when the number of training data is fewer than the number of properties on system calls. In this study, we collect the Native APIs which are Windows kernel data generated by running program code. Then we adopt the normalized freqeuncy of Native APIs as the basic properties. In addition, the basic properties are transformed to new properties by GLDA(Generalized Linear Discriminant Analysis) that is an effective method to discriminate between malicious code and normal code, although the number of training data is fewer than the number of properties. To detect the malicious code, kNN(k-Nearest Neighbor) classification, one of the bayesian classification technique, was used in this paper. We compared the proposed detection method with the other methods on collected Native APIs to verify efficiency of proposed method. It is presented that proposed detection method has a lower false positive rate than other methods on the threshold value when detection rate is 100%.

A Behavior based Detection for Malicious Code Using Obfuscation Technique (우회기법을 이용하는 악성코드 행위기반 탐지 방법)

  • Park Nam-Youl;Kim Yong-Min;Noh Bong-Nam
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.16 no.3
    • /
    • pp.17-28
    • /
    • 2006
  • The appearance of variant malicious codes using obfuscation techniques is accelerating the spread of malicious codes around the detection by a vaccine. n a system does not patch detection patterns for vulnerabilities and worms to the vaccine, it can be infected by the worms and malicious codes can be spreaded rapidly to other systems and networks in a few minute. Moreover, It is limited to the conventional pattern based detection and treatment for variants or new malicious codes. In this paper, we propose a method of behavior based detection by the static analysis, the dynamic analysis and the dynamic monitoring to detect a malicious code using obfuscation techniques with the PE compression. Also we show that dynamic monitoring can detect worms with the PE compression which accesses to important resources such as a registry, a cpu, a memory and files with the proposed method for similarity.

Proposal of worm Self-Defense technologies avoiding Behavior-based detection (행동기반 탐지를 우회하는 웜 자기방어 기법 제안)

  • Kwon, O-Chul;Cho, Jae-Ik;Moon, Jong-Sub
    • Proceedings of the Korean Information Science Society Conference
    • /
    • /
    • pp.27-30
    • /
    • 2007
  • 초기의 웜은 감염 및 확산의 신속성을 중요시하였으나, 생존성은 고려하진 않았다. 하지만 보안도구(Anti-worm)의 발달에 따라 2004년 이후 대규모의 웜 확산에 의한 피해가 보고되지 않고 있다. 이에 웜도 보안도구를 회피하는 자기방어(Self-Defense) 기법을 개발하여 생존성을 증가시키면서 진화하고 있다. 본 논문은 현존하는 웜 자기방어 기법과 그 한계를 분석한 후 행동기반 탐지 기법을 우회하는 자기방어 기법을 제안하도록 하겠다.

  • PDF

On the Configuration and Improvement of Security Control Systems (보안관제시스템 구성 및 개선방안 연구)

  • Yoo, Seung Jae
    • Convergence Security Journal
    • /
    • v.17 no.2
    • /
    • pp.69-80
    • /
    • 2017
  • Due to the advanced IT environment, the role of Security Monitoring & Control becomes more important as the cyber-crime is becoming intelligent, diversified, and advanced. In contrast to the way it relied solely on security devices such as Firewall and IDS in the past, Security Monitoring & Control tasks responding to cyber attacks through real-time monitoring have become wide spread and their role is also important. In response to current cyber threats, since security equipment alone can not be guaranteed a stable defense, the task of Security Monitoring & Control became essential to operate and monitor security equipment and to respond in real time. In this study, we will discuss how to configure network security system effectively and how to improve the real-time Security Monitor & Control.

The Real-Time Detection of the Malicious JavaScript (실시간으로 악성 스크립트를 탐지하는 기술)

  • Choo, Hyun-Lock;Jung, Jong-Hun;Kim, Hwan-Kuk
    • Journal of Internet Computing and Services
    • /
    • v.16 no.4
    • /
    • pp.51-59
    • /
    • 2015
  • JavaScript is a popular technique for activating static HTML. JavaScript has drawn more attention following the introduction of HTML5 Standard. In proportion to JavaScript's growing importance, attacks (ex. DDos, Information leak using its function) become more dangerous. Since these attacks do not create a trail, whether the JavaScript code is malicious or not must be decided. The real attack action is completed while the browser runs the JavaScript code. For these reasons, there is a need for a real-time classification and determination technique for malicious JavaScript. This paper proposes the Analysis Engine for detecting malicious JavaScript by adopting the requirements above. The analysis engine performs static analysis using signature-based detection and dynamic analysis using behavior-based detection. Static analysis can detect malicious JavaScript code, whereas dynamic analysis can detect the action of the JavaScript code.

Detecting malicious behaviors in MMORPG by applying motivation theory (모티베이션 이론을 이용한 온라인 게임 내 부정행위 탐지)

  • Lee, Jae-hyuk;Kang, Sung Wook;Kim, Huy Kang
    • Journal of Korea Game Society
    • /
    • v.15 no.4
    • /
    • pp.69-78
    • /
    • 2015
  • As the online game industry has been growing rapidly, more and more malicious activities to gain economic benefits have been reported as well. Game bot is one of the biggest problems in the online game industry. So we proposed a bot detection method based on the ERG theory of motivation for the first time. Most of the previous studies focused on behavior-based detection by monitoring patterns of the specific actions. In this paper, we applied the motivation theory to analyze user behaviors on a real game dataset. The result shows that normal users in the game followed the ERG theory of motivation in the same way as it works in real world. But in the case of game bots, the theory could not be applied because the game bot has specific reasons, unlike normal game users. We applied the ERG theory to users to distinguish game bot users from normal users. We detected the game bot with high accuracy of 99.78% by applying the theory.

A Malware Detection Method using Analysis of Malicious Script Patterns (악성 스크립트 패턴 분석을 통한 악성코드 탐지 기법)

  • Lee, Yong-Joon;Lee, Chang-Beom
    • Journal of the Korea Academia-Industrial cooperation Society
    • /
    • v.20 no.7
    • /
    • pp.613-621
    • /
    • 2019
  • Recently, with the development of the Internet of Things (IoT) and cloud computing technologies, security threats have increased as malicious codes infect IoT devices, and new malware spreads ransomware to cloud servers. In this study, we propose a threat-detection technique that checks obfuscated script patterns to compensate for the shortcomings of conventional signature-based and behavior-based detection methods. Proposed is a malicious code-detection technique that is based on malicious script-pattern analysis that can detect zero-day attacks while maintaining the existing detection rate by registering and checking derived distribution patterns after analyzing the types of malicious scripts distributed through websites. To verify the performance of the proposed technique, a prototype system was developed to collect a total of 390 malicious websites and experiment with 10 major malicious script-distribution patterns derived from analysis. The technique showed an average detection rate of about 86% of all items, while maintaining the existing detection speed based on the detection rule and also detecting zero-day attacks.

Analysis of the Connectivity of Monitoring Nodes and the Coverage of Normal Nodes for Behavior-based Attack Detection in Wireless Sensor Networks (무선 센서 네트워크에서 행위 기반 공격 탐지를 위한 감시 노드의 연결성과 일반 노드의 커버리지 분석)

  • Chong, Kyun-Rak
    • Journal of the Korea Society of Computer and Information
    • /
    • v.18 no.12
    • /
    • pp.27-34
    • /
    • 2013
  • In wireless sensor networks, sensors need to communicate with each other to send their sensing data to the administration node and so they are susceptible to many attacks like garbage packet injection that cannot be prevented by using traditional cryptographic approaches. A behavior-based detection is used to defend against such attacks in which some specialized monitoring nodes overhear the communications of their neighbors to detect bad packets. As monitoring nodes use more energy, it is desirable to use the minimal number of monitoring nodes to cover the whole or maximal part of the network. The monitoring nodes can either be selected among the deployed normal nodes or differ in type from normal nodes. In this study, we have developed an algorithm for selecting the predefined number of monitoring nodes needed to cover the maximum number of normal nodes when the different types of normal nodes and monitoring nodes are deployed. We also have investigated experimentally how the number of monitoring nodes and their transmission range affect the connection ratio of the monitoring nodes and the coverage of the normal nodes.