Research on a Malicious-Code-Hidden Website Detection Method through WhiteList-based Malicious Code Behavior Analysis


  • Ha, Jung-Woo (Korea University, Graduate School for Information Management Engineering) ;
  • Kim, Huy-Kang (Korea University, Graduate School for Information Management Engineering) ;
  • Lim, Jong-In (Korea University, Graduate School for Information Management Engineering)
  • Received : 2010.10.25
  • Accepted : 2011.05.07
  • Published : 2011.08.31

Abstract

Recently there has been a significant increase in large-scale attacks that try to infect the PCs of users who visit websites containing pre-implanted malicious code. When a user visits such a website, the hidden malicious code can be used to gain monetary profit or to carry out various cyber attacks, such as recruiting the PC into a BOTNET for DDoS attacks or stealing personal information. This kind of malicious activity is continuously increasing, and the evasion techniques used are becoming more professional and sophisticated. So far, signature-based detection of websites that contain malicious code has had limited success in preventing internet users from being exposed to it, since detection using only a blacklist is impossible when an attacker proactively changes the strings in the malicious code. In this paper, we propose a novel approach that can detect unknown malicious code that signature-based detection does not handle well. Our method can detect new malicious code even when its signature is not in the pattern database of an Anti-Virus program. Moreover, our method can overcome various obfuscation techniques, such as frequent changes of the redirection URL included in the malicious code. Finally, we confirm that our proposed system shows better detection performance than MC-Finder, which adopts pattern matching, Google's crawling-based malware site detection, and McAfee.

Recently, attacks that hack websites and hide malicious code in them, thereby infecting the PCs of visitors, have been increasing continuously, for purposes such as creating zombies for DDoS attacks, stealing corporate and personal information, other forms of cyber terror, and monetary gain; the hiding and evasion techniques are also becoming more intelligent and specialized. The existing technology for detecting websites that hide malicious code is BlackList-based pattern matching, which has the limitation that detection becomes impossible when an attacker changes a string in the malicious code or changes the malicious code itself, so that many visitors are inevitably exposed to infection. In this paper, we present a WhiteList-based malicious code process behavior analysis detection technique as a way to overcome the limitations of the existing pattern matching approach. In experiments with the proposed method, MC-Finder, an existing pattern-matching technique that compares malicious code strings, showed a detection rate of 0.8%, Google, which applies pattern matching and behavior analysis together, 4.9%, and McAfee 1.5%, whereas the WhiteList-based malicious code process behavior analysis technique showed a detection rate of 10.8%, demonstrating that the proposed method is more effective at detecting websites abused to install malicious code.
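To illustrate the core argument of the abstract, the following added example (not the paper's code) contrasts a blacklist signature check with a whitelist check over a constructed list of process-creation events recorded while a browser visits a page; the whitelist of expected parent/child process pairs, the signature string and the event data are all assumptions constructed for the example.

```python
"""Whitelist-based process behaviour check versus signature matching.

Constructed process-creation events stand in for what a monitored browsing
session would record. The whitelist lists the parent/child process pairs a
clean session is allowed to produce; anything else is flagged. The signature
check looks for a blacklisted string, so a changed redirect URL slips past it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    parent: str   # image name of the creating process
    child: str    # image name of the created process
    cmdline: str  # full command line, used only by the signature check


# Constructed baseline of expected process creations during browsing.
WHITELIST = {
    ("explorer.exe", "iexplore.exe"),
    ("iexplore.exe", "iexplore.exe"),
    ("iexplore.exe", "FlashUtil.exe"),
}

# Constructed blacklist signature: a redirect URL seen in an earlier sample.
SIGNATURES = ["http://bad.example/dl.php"]


def signature_detect(events):
    """Blacklist approach: flag events whose command line contains a known string."""
    return [e for e in events if any(sig in e.cmdline for sig in SIGNATURES)]


def whitelist_detect(events):
    """Whitelist approach: flag any process creation not in the expected baseline."""
    return [e for e in events if (e.parent, e.child) not in WHITELIST]


# Constructed session: the page's redirect URL has changed since the signature
# was written, and an unexpected dropper process is launched by the browser.
SESSION = [
    ProcessEvent("explorer.exe", "iexplore.exe", "iexplore.exe http://site.example/"),
    ProcessEvent("iexplore.exe", "FlashUtil.exe", "FlashUtil.exe -update"),
    ProcessEvent("iexplore.exe", "dropper.exe",
                 r"C:\Temp\dropper.exe http://other.example/get.php"),
]

if __name__ == "__main__":
    print("signature hits:", [e.child for e in signature_detect(SESSION)])  # []
    print("whitelist hits:", [e.child for e in whitelist_detect(SESSION)])  # ['dropper.exe']
```

The signature check returns nothing because the string changed, while the whitelist check flags the unexpected child process regardless of the URL it was given.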
