인터넷 멀웨어 분류 방법 및 탐지 메커니즘에 관한 고찰

  • 전용희 (대구가톨릭대학교 컴퓨터정보통신공학부) ;
  • 오진태 (한국전자통신연구원 정보보호연구본부 보안게이트웨이연구팀) ;
  • 김익균 (한국전자통신연구원 정보보호연구본부 보안게이트웨이연구팀) ;
  • 장종수 (한국전자통신연구원 정보보호연구본부 보안게이트웨이연구팀)
  • 발행 : 2008.06.30

초록

인터넷에서 발생하고 있는 심각한 문제의 대부분이 멀웨어(Malware)로 인하여 발생하고 있으며, 전 세계적으로 전파되고 그 영향은 점점 악화되고 있다. 이 악성소프트웨어는 점점 더 복잡하여 지고 있으며, 이에 따라 멀웨어에 대한 분석도 어렵게 되고 있다. 그러므로 멀웨어 탐지 기술 및 그 특징에 대한 분석이 절실히 요구된다. 본 논문에서는 효과적인 멀웨어에 대한 탐지 및 대응기법 수립을 위하여 인터넷 멀웨어를 분류하기 위한 방법과 탐지 기법에 대하여 분석 및 고찰하고자한다. 또한 제로-데이 공격에 대응하고자 개발된 ZASMIN(N(Zero-day Attack Signature Manufacture Infrastructure) 시스템의 특징에 대하여도 간략히 기술한다.

키워드

참고문헌

  1. Nwokedi Idika and Aditya P. Mathur, A Survey of Malware Detection Techniques, Department of Computer Science, Purdue University, Feb. 2007
  2. Michael Bailey et al., "Automated Classification and Analysis of Internet Malware", RAID 2007, pp.178-197, 2007
  3. Barford P., Yagneswaran, V., "An inside look at botnets", Advances in Information Security, Springer, Heidelberg, 2006
  4. Microsoft, Microsoft security intelligence report, Oct. 2006. http://www.microsoft.com/technet/security/default. mspx
  5. Joanna Rutkowska, Introducing Stealth Malware Taxonomy, COSEINC Advanced Malware Labs, Nov. 2006, Ver. 1.01
  6. M. Christodorescu and S. Jha, Testing malware detectors, In Proceedings of International Symposium on Software Testing and Analysis, July 2004
  7. G. McGraw and G. Morrisett, Attacking malicious code:A report to the infosec research council, IEEE Software, 17(5):33-44, 2000
  8. A. Vasudevan and R. Yerraballi, Spike:Engineering malware analysis tools using unobtrusive binaryinstrumentation. In Proceedings of the 29th Australasian Computer Science Coference, pp.311-320, 2006
  9. Newsome, J., Karp, B., Song, D., "Polygraph: Automatically generating signatures for polymorphic worms", In Proceedings of IEEE Symposium on Security and Privacy, Oakland, CA, USA, May, 2005
  10. Li, Z. et al., "Hasma:Fast Signature Generation for Zero-day Polymorphic Worms with Provable Attack Resilience", In Proceedings of IEEE Symposium on Security and Privacy, 2006
  11. Moshchuk, A. et al., "A Crawler-based Study of Spyware in the Web", In Proceedings of the Network and Distributed System Security Symposium( NDSS), San Diego, CA, 2006
  12. Ellis D., et al, "A Behavioral Approach to Worm Detection", In Proceedings of the ACM Workshop on Rapid Malcode (WORM04), October 2004, ACM Press, New York, 2004
  13. Kolter, J.Z. and Maloof, M.A., "Learning to Detect and Classify Malicious Executables in the Wild", Journal of Machine Learning Research, 2007
  14. Hastie, T. et al., "The Elements of Statistical Learning", Data Mining, Inference, and Prediction, Springer, Heidelberg, 2001
  15. K. Wang and S. J. Stolfo, "Anomalous payload- based network intrusion detection", In Proceedings of the 7th International Symposium on (RAID), pp. 201-222, Sep. 2004
  16. W. Lee and S. Stolfo, "Data mining approaches for intrusion detection", In Proceedings of the 7th USENIX Security Symposium, 1998
  17. M. Boldt and B. Carlsson, "Analyzing privacyinvasive software using computer forensic methods", http://www.e-evidence.info/b.html, Jan. 2006
  18. R. Sekar, M. Bendre, P. Bollineni, and D. Dhurjati, "A fast automation-based approach for detecting anomalous program behaviors", In IEEE Symposium on Security and Privacy, 2001
  19. S. Hofmeyr, S. Forrest, and A. Somayaji, "Intrusion detection using sequences of system calls", Journal of Computer Security, pp. 151-180, 1998
  20. W. Li, K. Wang, S. Stolfo, and B. Herzog, "Fileprints:Identifying file types by n-gram analysis", 6th IEEE Information Assurance Workshop, June 2005
  21. Y. M. Wang, D. Beck, B. Vo, R. Roussev, and C. Verbowski, "Detecting stealth software with strider ghostbuster", In Proceedings of the 2005 International Conference on Defendable Systems and Networks, pp. 368-377, 2005
  22. S. Forrest, A. S. Perelson, L. Allen, and R. Cherukuri, "Self-nonself discrimination", In Proceedings of the 1994 IEEE Symposium on Research in Security and Privacy, May 1994
  23. W. Masri and A. Podgurski, "Using dynamic information flow analysis to detect attacks against applications", In Proceedings of the 2005 Workshop on Software Engineering for secure systems- Building Trustworthy Applications, May 2005
  24. J. Xiong, "Act:Attachment chain tracing scheme for email virus detection and control", In Proceedings of the ACM Workshop on Rapid Malcode(WORM)", 2004
  25. C. Ko, G. Fink, and K. Levitt, "Automated detection of vulnerabilities in privileged programs by execution monitoring", In Proceedings of the 10th Annual Computer Security Applications Conference, pp.134-144, Dec. 1994
  26. R. Sekar, T. Bowen, and M. Segal, "On preventing intrusions by process behavior monitoring", USENIX Intrusion Detection Workshop, 1999
  27. R. B. Lee, D. K. Karig, P. McGregor, and Z. Shi, "Enlisting hardware architecture to thwart malicious code injection", International Conference on Security in Pervasive Computing (SPC), 2003
  28. E. Kirda, C. Kruegel, G. Vigna, and N. Jovanovic, "Noxes:A client-side solution for mitigating cross-site scripting attacks", In the 21st ACM Symposium on Applied Computing (SAC), 2006
  29. G. E. Suh, J. Lee, and S. Devadas, "Secure program execution via dynamic information flow tracking", International Conf. Architectural Support for Programming Languages and Operating Systems, 2004
  30. M. Milenkovic, A. Milenkovic, and E. Jovanov, "Using instruction block signatures to counter code injection attacks", ACM SIGARCH Computer Architecture News, 33;108-117, March 2005
  31. S. E. Schechter, J. Jung, and Berger A. W., "Fast detection of scanning worms infections", In Proceedings of 7th International Symposium on RAID, 2004
  32. C. M. Linn et al., "Protecting against unexpected system calls", Usenix Security Symposium, 2005
  33. J. Bergeron, M, Debbabi, J, Desharnis, M.M. Erhioui, and N. Tawbi, "Static detection of malicious code in executable programs", International Journal of Req. Eng., 2001
  34. J. Bergeron, M, Debbabi, M.M. Erhioui, and B. Ktari, "Static analysis of binary code to isolate malicious behavior", In 8th Workshop on Enabling Technologies:Infrastructure for Collaborative Enterprises, 1999
  35. M. Debbabi et al., "Secure self-certified cots", In Proceedings of the 9th IEEE International Workshop on Enabling Technologies:Infrastructure for Collaborative Enterprises, pp.183- 188, 2000
  36. F. Adelstein, M. Stillerman, and D. Kozen, "Malicious code detection for open firmware", In Proceedings of the 18th Annual Computer Security Applications Conference, 2002
  37. J. Rabek, R. Khazan, S. Lewandowski, and R. Cunningham, "Detection of injected, dynamically generated, and obfuscated malicious code", In Proceedings of the 2003 ACM Workshop on Rapid Malcode, pp.76-82, 2003
  38. D. Wagner and D. Dean, "Intrusion detection via static analysis", IEEE Symposium on Security and Privacy, 2001
  39. J. T. Giffin, S. Jha, and B. Miller, "Detecting manipulated remote call streams", 11th USENIX Security Symposium, 2002
  40. W. Halfond and A. orso, "Amnesia:Analysis and monitoring for neutralizing sql-injection attacks", In Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering, pp.174-183, 2005
  41. C. Cowan et al., "Stackguard:Automatic adaptive detection and prevention of buffer-overflow attacks", In Proceedings of the 7th USENIX Security Conference, Jan. 1998
  42. A. Vasudevan and R. Yerraballi, "Spike: Engineering malware analysis tools using unobtrusive binary-instrumentation", In Proceedings of the 29th Australasian Computer Science Conf., pp.311-320, 2006
  43. 오진태, 김익균, 장종수, 전용희, "제로-데이 웜 공격 대응을 위한 ZASMIN 시스템 구조", 한국정보보호학회지, 제18권, 제 1호, 81-87쪽, 2008. 2월
  44. K. Ilgun, R. A. Kemmerer, and Porras P. A., "State transition analysis:A rule-based intrusion detection approach", IEEE Transactions on Software Engineering, 1995
  45. D. Ellis et al., "A behavioral approach to worn detection", Proceedings of the 2004 ACM Workshop on Rapid Malcode, pp.43-53, 2004
  46. A. Sung, J. Xu, P. Chavez, and S. Mukkamala, "Static analyzer of vicious executables (save)", In Proceedings of the 20th Annual Computer Security Applications Conf. (ACSAC '04), 00: 326-334, 2004
  47. M. Christodorescu, S. Jha, S. Seshia, D. Song, and R. Bryant, "Semantics-aware malware detection", In Proceedings of the 2005 IEEE Symposium on Security and Privacy, pp.32-46, 2005
  48. S. Kumar and Spafford E. H., "A generic virus scanner in c++", In Proceedings of the 8th Computer Security Applications Conference, pp.210-219, 1992
  49. M. Christodorescu and S. Jha, "Static analysis of executables to detect malicious patterns", USENIX Security Symposium, 2003
  50. C. Krebich and J. Crowcroft, "Honeycomb-creating intrusion detection signatures using honeypots", In 2nd Workshop on Hot Topics in Network, 2003
  51. A. Mori, T. Izumida, T. Sawada, and T. Inoue, "A tool for analyzing and detecting malicious mobile code", In Proceedings of the 28th International Conf. on Software Eng. pp.831- 834, 2006
  52. F. Castaneda, E. C. Sezer, and J. Xu, "Worm vs. worm:preliminary study of an active counter- attack mechanism", Proceedings of the 2004 ACM Workshop on Rapid Malcode, 2004
  53. R. W. Lo, K. N. Levitt, and R. A. Olsson, "Mcf :Malicious code filter", Computers and Society, pp.541-566, 1995
  54. E. Filiol, "Malware pattern scanning schemes secure against black-box analysis", Journal of Computer Virol., 2006