• Journal of Internet Computing and Services
• /
• v.14 no.6
• /
• pp.125-139
• /
• 2013

Distribution of malicious applications developed by attackers is increasing along with general normal applications due to the openness of the Android-based open market. Mechanism that allows more accurate ways to distinguish normal apps and malicious apps for common mobile devices should be developed in order to reduce the damage caused by the rampant malicious applications. This paper analysed the normal event pattern from the most highly used game apps in the Android open market to analyse the event pattern from normal apps and malicious apps of mobile devices that are based on the Android platform, and analysed the malicious event pattern from the malicious apps and the disguising malicious apps in the form of a game app among 1260 malware samples distributed by Android MalGenome Project. As described, experiment that extracts normal app and malicious app events was performed using Strace, the Linux-based system call extraction tool, targeting normal apps and malicious apps on Android-based mobile devices. Relevance analysis for each event set was performed on collected events that occurred when normal apps and malicious apps were running. This paper successfully extracted event similarity through this process of analyzing the event occurrence characteristics, pattern and distribution on each set of normal apps and malicious apps, and lastly suggested a mechanism that determines whether any given app is malicious.

• Journal of the Korea Convergence Society
• /
• v.8 no.4
• /
• pp.25-36
• /
• 2017

As smartphone users have increased in recent years, various applications have been developed and used especially for Android-based mobile devices. However, malicious applications developed by attackers for malicious purposes are also distributed through 3rd party open markets, and damage such as leakage of personal information or financial information of users in mobile terminals is continuously increasing. Therefore, to prevent this, a method is needed to distinguish malicious apps from normal apps for Android-based mobile terminal users. In this paper, we analyze the existing researches that detect malicious apps by extracting the system call events that occur when the app is executed. Based on this, we propose a technique to identify malicious apps by analyzing the sequence similarity of kernel layer events occurring in the process of running an app on commercial Android mobile devices.

• Journal of Convergence for Information Technology
• /
• v.12 no.2
• /
• pp.47-53
• /
• 2022

Recently, with the change of the intelligent security paradigm, study to apply various information generated from various information security systems to AI-based anomaly detection is increasing. Therefore, in this study, in order to convert log-like time series data into a vector, which is a numerical feature, the CBOW and Skip-gram inference methods of deep learning-based Word2Vec model and statistical method based on the coincidence frequency were used to transform the published ADFA system call data. In relation to this, an experiment was carried out through conversion into various embedding vectors considering the dimension of vector, the length of sequence, and the window size. In addition, the performance of the embedding methods used as well as the detection performance were compared and evaluated through GRU-based anomaly detection model using vectors generated by the embedding model as an input. Compared to the statistical model, it was confirmed that the Skip-gram maintains more stable performance without biasing a specific window size or sequence length, and is more effective in making each event of sequence data into an embedding vector.

• KIPS Transactions on Software and Data Engineering
• /
• v.4 no.4
• /
• pp.169-176
• /
• 2015

Recently smartphone market is rapidly growing and application market has also grown significantly. Mobile applications have been provided in various forms, such as education, game, SNS, weather and news. And It is distributed through a variety of distribution channels. Malicious applications deployed with malicious objectives are growing as well as applications that can be useful in everyday life well. In this study, Events from a malicious application that is provided by the normal application deployment and Android MalGenome Project through the open market were extracted and analyzed. And using the results, We create a model to determine whether the application is malicious. Finally, model was evaluated using a variety of statistical method.

• The Transactions of the Korea Information Processing Society
• /
• v.13 no.9
• /
• pp.404-412
• /
• 2024

The adoption of cloud environments has revolutionized application deployment and management, with microservices architecture and container technology serving as key enablers of this transformation. However, these advancements have introduced new challenges, particularly the necessity to precisely understand service interactions and conduct detailed analyses of internal processes within complex service environments such as microservices. Traditional monitoring techniques have proven inadequate in effectively analyzing these complex environments, leading to increased interest in eBPF (extended Berkeley Packet Filter) technology as a solution. eBPF is a powerful tool capable of real-time event collection and analysis within the Linux kernel, enabling the monitoring of various events, including file system activities within the kernel space. This paper proposes a container activity analysis system based on eBPF, which monitors events occurring in the kernel space of both containers and host systems in real-time and analyzes the collected data. Furthermore, this paper conducts a comparative analysis of prominent eBPF-based container monitoring systems (Tetragon, Falco, and Tracee), focusing on aspects such as event detection methods, default policy application, event type identification, and system call blocking and alert generation. Through this evaluation, the paper identifies the strengths and weaknesses of each system and determines the necessary features for effective container process monitoring and restriction. In addition, the proposed system is evaluated in terms of container metadata collection, internal activity monitoring, and system metadata integration, and the effectiveness and future potential of eBPF-based monitoring systems.

• 한국IT서비스학회:학술대회논문집
• /
• 2009.05a
• /
• pp.365-368
• /
• 2009

고속 인터넷 망 구축과 멀티미디어 통신 수요의 증가에 따라 VoIP는 기존의 PSTN 망의 대체 혹은 확장 기술로서 지속적으로 검증되어 왔다. 음성 데이터 처리 규약들 중 SIP는 다른 규약에 비해 신호 처리 단계가 간단하기 때문에 이를 기반으로 RTP를 활용하여 음성 통신 시스템을 구축하는 사례가 늘어나고 있다. 그러나 RTP의 특성상 패킷을 처리할 때마다 복원 과정이 필요하며, 다중 세션으로 통신이 발생할 경우 전체 패킷들의 관리가 복잡해지므로 이들 간에 혼선 없이 데이터를 처리 및 유지할 수 있는 방법론이 요구된다. 본 논문에서는 SIP 기반의 IP 전화를 통해서 고객과 상담원 간의 통화 이벤트가 발생하는 일반 콜센터 환경에서 RTP 음성 데이터를 처리하는 다중 세션 어플리케이션의 구축 사례를 제시한다. 구현한 시스템은 IP 전화에서 발생하는 통화 내역을 통합 스위치 서버에서 포트 미러링하여 녹취 및 녹음 서버로 전송하며, 전송된 패킷 정보들의 세션이 유지되고 있는 동안 음성 데이터를 실시간으로 모니터링한다.

• Journal of KIISE:Computing Practices and Letters
• /
• v.10 no.2
• /
• pp.146-155
• /
• 2004

Currently most of commercial operating systems contain a high-level audit feature to increase their own security level. Linux does not fall behind the other commercial operating systems in performance and stability, but Linux does not have a good audit feature. Linux is required to support a higher security feature than C2 level of the TCSEC in order to be used as a server operating system, which requires the kernel-level audit feature that provides the system call auditing feature and audit event. In this paper, we present LxBSM, which is a kernel module to provide the kernel-level audit features. The audit record format of LxBSM is compatible with that of Sunshield BSM. The LxBSM is implemented as a loadable kernel module, so it has the enhanced usability. It provides the rich audit records including the user-level audit events such as login/logout. It supports both the pipe and file interface for increasing the connectivity between LxBSM and intrusion detection systems (IDS). The performance of LxBSM is compared and evaluated with that of Linux kernel without the audit features. The response time was increased when the system calls were called to create the audit data, such as fork, execve, open, and close. However any other performance degradation was not observed.

• Journal of the Korea Society of Computer and Information
• /
• v.9 no.1
• /
• pp.79-86
• /
• 2004

In general, operating system is offering the security function of OS level to support several web services. However, it is true that security side of OS level is weak from many parts. Specially, it is needed to audit/trace function in security kernel level to satisfy security more than B2 level that define in TCSEC(Trusted Computer System Evaluation Criteria). So we need to create audit data at system call invocation for this, and do to create audit data of equal format about almost event and supply information to do traceback late. This Paper Proposes audit/trace system module that use LKM(Loadable Kernel Module) technique. It is applicable without alteration about existing linux kernel to ensure safe evidence. It offers interface that can utilize external audit data such as intrusion detection system, and also offers safe role based system that is divided system administrator and security administrator These data will going to utilize to computer forensics' data that legal confrontation is Possible.