
A Malware Detection Method using Analysis of Malicious Script Patterns

Malicious Code Detection Technique through Malicious Script Pattern Analysis

  • Received : 2019.06.03
  • Accepted : 2019.07.05
  • Published : 2019.07.31

Abstract

Recently, with the development of Internet of Things (IoT) and cloud computing technologies, security threats have increased as malicious code infects IoT devices and new malware spreads ransomware to cloud servers. In this study, we propose a threat-detection technique that inspects obfuscated script patterns to compensate for the shortcomings of conventional signature-based and behavior-based detection methods. The proposed technique analyzes the types of malicious scripts distributed through websites, derives their distribution patterns, and registers the derived patterns for checking; this malicious script-pattern analysis allows zero-day attacks to be detected while the existing detection rate is maintained. To verify the performance of the proposed technique, a prototype system was developed, a total of 390 malicious websites were collected, and the 10 major malicious script-distribution patterns derived from the analysis were tested. The technique showed an average detection rate of about 86% across all items while maintaining the detection speed of the existing rule-based approach and also detecting zero-day attacks.

Recently, as IoT and cloud computing technologies have advanced, security threats have increased with the emergence of malware that infects IoT devices and new malware that distributes ransomware to cloud servers. This study proposes a detection technique that analyzes and inspects obfuscated script patterns to compensate for the weaknesses of conventional signature-based and behavior-based detection. The proposed technique analyzes the types of malicious scripts distributed through websites to derive distribution patterns, then registers and inspects the derived patterns; it is a malware detection technique based on malicious script pattern analysis that keeps the detection speed of conventional rule-based detection while also being able to detect zero-day attacks. To verify the performance of the proposed technique, a prototype system was developed; with it, a total of 390 malicious websites were collected and the 10 major malicious script distribution patterns derived from the analysis were tested. The result was a high average detection rate of about 86% across all items, and the experiment demonstrated that zero-day attacks can be detected while the inspection speed of conventional rule-based detection is maintained.
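The abstract describes registering derived script-distribution patterns and checking collected pages against them, then measuring the detection rate over the collected sites. The following is an added example written for this page, not the paper's prototype system: a small pattern registry, a scanner that runs it over page source, and an evaluation that reports detection rate, misses and false positives. The five pattern names and regexes are assumptions chosen to illustrate common obfuscation styles (the paper's ten patterns are only given in its table images), the sample pages are constructed, and the hosts use the reserved .invalid domain. One constructed sample uses an obfuscation style deliberately left out of the registry, so the evaluation also shows the miss that an unregistered pattern produces, and how registering it afterwards closes that gap.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Pattern:
    """A registered distribution pattern: a name plus the regex that recognises it."""
    name: str
    regex: "re.Pattern"


# Pattern registry. The five entries registered below are assumptions made for
# this example; the paper's ten patterns are only given in its table images.
PATTERNS: List[Pattern] = []


def register(name: str, regex: str) -> None:
    """Register a distribution pattern so that scan() starts checking for it."""
    PATTERNS.append(Pattern(name, re.compile(regex, re.IGNORECASE)))


register("hidden_iframe", r"<iframe[^>]*(?:width|height)\s*=\s*[\"']?0\b")
register("eval_unescape", r"\beval\s*\(\s*unescape\s*\(")
register("fromcharcode_chain", r"String\.fromCharCode\s*\((?:\s*\d+\s*,){8,}")
register("document_write_escaped",
         r"document\.write\s*\(\s*unescape\s*\(\s*[\"'](?:%[0-9a-f]{2}){6,}")
register("hex_escape_run", r"(?:\\x[0-9a-f]{2}){12,}")


def scan(html: str) -> List[str]:
    """Return the names of every registered pattern found in the page source."""
    return [p.name for p in PATTERNS if p.regex.search(html)]


def evaluate(samples: List[Tuple[str, bool]]) -> Dict[str, float]:
    """Run scan() over labelled pages; report detection rate, misses and false positives."""
    detected = missed = false_positives = 0
    for html, is_malicious in samples:
        hits = scan(html)
        if is_malicious:
            if hits:
                detected += 1
            else:
                missed += 1
        elif hits:
            false_positives += 1
    total = detected + missed
    return {
        "detected": detected,
        "missed": missed,
        "false_positives": false_positives,
        "detection_rate": detected / total if total else 0.0,
    }


# Constructed sample pages (not collected sites), labelled True when malicious.
SAMPLES: List[Tuple[str, bool]] = [
    ('<iframe src="http://example.invalid/drop" width=0 height=0></iframe>', True),
    ('<script>eval(unescape("%61%6c%65%72%74"));</script>', True),
    ('<script>document.write(unescape("%3C%69%66%72%61%6D%65%20"));</script>', True),
    ('<script>var s=String.fromCharCode(60,105,102,114,97,109,101,32,115);</script>', True),
    (r'<script>var p="\x68\x74\x74\x70\x3a\x2f\x2f\x65\x78\x61\x6d\x70\x6c\x65";</script>', True),
    # Obfuscation style not in the registry: the evaluation must report this as a miss.
    ('<script>var f=new Function(atob("YWxlcnQoMSk="));</script>', True),
    ('<h1>Welcome</h1><iframe src="https://example.invalid/map" width="600" height="400"></iframe>', False),
    ('<script>var total = 0; function add(a, b) { return a + b; }</script>', False),
]

if __name__ == "__main__":
    for html, label in SAMPLES:
        print(label, scan(html))
    print(evaluate(SAMPLES))
```

With the constructed samples the registry flags five of the six malicious pages and neither benign page, giving a detection rate of 5/6; registering a sixth pattern for the missed style raises it to 6/6 without touching the scanner, which is the register-then-check workflow the abstract describes.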

Keywords

Fig. 1. Path of distribution of malicious code

Fig. 2. Process for collecting and analyzing patterns of malicious code distribution

Fig. 3. Process of performance experiment using detection prototype system

Fig. 4. DLL information setting of prototype system developed for experiment

Fig. 5. Analysis result view of prototype system developed for experiment

Fig. 6. Search source view of prototype system developed for experiment

Table 1. OWASP Top 10 Vulnerabilities

Table 2. Results of analysis on the distribution patterns of malicious scripts

Table 3. Malicious script detection items by distribution pattern

Table 4. Detection rate by diffusion pattern detection items
