Host-Based Malware Variants Detection Method Using Logs

  • Joe, Woo-Jin (Dept. of Computer Science and Engineering, Chungnam National University);
  • Kim, Hyong-Shik (Dept. of Computer Science and Engineering, Chungnam National University)
  • Received: 2019.10.16
  • Accepted: 2020.03.16
  • Published: 2021.08.31

Abstract

Enterprise networks at the PyeongChang Winter Olympics were hacked in February 2018. According to a domestic security company's analysis report, the attackers destroyed approximately 300 hosts with the aim of interfering with the Olympics. Enterprises have no choice but to rely on antivirus software (digital vaccines), since it is overwhelming to analyze every program executed on hosts used by ordinary users. However, traditional antivirus software cannot protect a host against variant or new malware, because it cannot detect an intrusion without a signature for that malware. To overcome this limitation of signature-based detection, much research has been conducted on the behavior analysis of malware. However, since most of it relies on a sandbox in which only the analysis target program is running, it cannot detect malware intruding into a host where many normal programs are running. Therefore, this study proposes a method to detect malware variants on the host through logs rather than a sandbox. The proposed method extracts common behaviors from a variant group and finds characteristic behaviors optimized for querying. Through experiments on 1,584,363 logs, generated by executing 6,430 malware samples, we prove that there exist common behaviors that variants share and demonstrate that these behaviors can be used to detect variants.
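As an added illustration of the idea in the abstract, and not code from the paper or its data set: the constructed, Sysmon-style event records below stand in for host logs, the common behaviors of a variant group are taken as the intersection of each variant's behavior set, and the characteristic behaviors kept for querying are the shared ones that never appear on clean hosts (the event fields, sample values and the rarity-based selection are assumptions for this example).

```python
from collections import Counter

# Constructed, Sysmon-style event records, simplified to (event_type, target)
# pairs with volatile parts already normalized (e.g. %TEMP% for the user's
# temp directory). Not data from the paper.
VARIANT_LOGS = {
    "variant_1": [("ProcessCreate", "cmd.exe"),
                  ("FileCreate", r"%TEMP%\dropper.exe"),
                  ("RegistrySet", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
                  ("NetworkConnect", "203.0.113.5:443")],
    "variant_2": [("ProcessCreate", "cmd.exe"),
                  ("FileCreate", r"%TEMP%\dropper.exe"),
                  ("FileCreate", r"%TEMP%\debug.log"),
                  ("RegistrySet", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
                  ("NetworkConnect", "203.0.113.9:443")],
    "variant_3": [("ProcessCreate", "cmd.exe"),
                  ("ProcessCreate", "vssadmin.exe"),
                  ("FileCreate", r"%TEMP%\dropper.exe"),
                  ("RegistrySet", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run")],
}
# Constructed logs from clean hosts, used as the baseline of ordinary activity.
BENIGN_LOGS = {
    "host_a": [("ProcessCreate", "cmd.exe"), ("FileCreate", r"%TEMP%\debug.log"),
               ("NetworkConnect", "198.51.100.7:443")],
    "host_b": [("ProcessCreate", "cmd.exe"), ("ProcessCreate", "explorer.exe")],
}

def behaviors(events):
    """Turn raw events into a set of behavior keys of the form 'type:target'."""
    return {f"{etype}:{target}" for etype, target in events}

def common_behaviors(group):
    """Behaviors that every variant in the group exhibits (set intersection)."""
    return set.intersection(*(behaviors(ev) for ev in group.values()))

def characteristic_behaviors(group, benign, max_terms=3):
    """Shared behaviors that never occur on clean hosts, so a log query on them
    matches the family without flagging ordinary activity (cmd.exe is shared by
    all variants here but dropped because the benign hosts run it too)."""
    baseline = Counter()
    for ev in benign.values():
        baseline.update(behaviors(ev))
    shared = sorted(common_behaviors(group), key=lambda b: (baseline[b], b))
    return [b for b in shared if baseline[b] == 0][:max_terms]

def detect(host_events, signature):
    """Query a host's log: it matches when all characteristic behaviors appear."""
    return set(signature) <= behaviors(host_events)
```

A previously unseen variant that keeps the family's dropper and persistence behavior but contacts a different server still matches the query, while the clean hosts do not.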

Funding

This work was supported by Institute for Information & communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No. 2019-0-01343, Training Key Talents in Industrial Convergence Security).
