• Journal of Digital Convergence
• /
• v.11 no.12
• /
• pp.381-386
• /
• 2013

As the new variation malicious codes of android platform are drastically increasing, the preparation plan and response is needed. We proposed a high-interaction client honeypot that applied to the android platform. We designed flow for the system. Application plan and the function was analyze. Each detail module was optimized in the Android platform. The system is equipped with the advantage of the high-interaction client honeypot of PC environment. Because the management and storage server was separated it is more flexible and expanded.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.4
• /
• pp.629-635
• /
• 2022

Cyber threats are also increasing with recent social changes and the development of ICT technology. Malicious codes used in cyber threats are becoming more advanced and intelligent, such as analysis environment avoidance technology, concealment, and fileless distribution, to make analysis difficult. Machine learning technology is being used to effectively analyze these malicious codes, but a lot of effort is needed to increase the accuracy of classification. In this paper, we propose a malicious code detection technology based on API call interval characteristics to improve the classification performance of machine learning. The proposed technology uses API call characteristics for each section and entropy of binary to separate characteristic factors into sections based on the extraction malicious code and API call order of normal binary. It was verified that malicious code can be well analyzed using the support vector machine (SVM) algorithm for the extracted characteristic factors.

• Convergence Security Journal
• /
• v.19 no.1
• /
• pp.11-17
• /
• 2019

Recently, the abuse of Internet technology has caused economic and mental harm to society as a whole. Especially, malicious code that is newly created or modified is used as a basic means of various application hacking and cyber security threats by bypassing the existing information protection system. However, research on small-capacity executable files that occupy a large portion of actual malicious code is rather limited. In this paper, we propose a model that can analyze the characteristics of known small capacity executable files by using data mining techniques and to use them for detecting unknown malicious codes. Data mining analysis techniques were performed in various ways such as Naive Bayesian, SVM, decision tree, random forest, artificial neural network, and the accuracy was compared according to the detection level of virustotal. As a result, more than 80% classification accuracy was verified for 34,646 analysis files.

• Journal of the Korea Society of Computer and Information
• /
• v.14 no.9
• /
• pp.47-54
• /
• 2009

Malicious codes, which are spread through WWW are now evolved with various hacking technologies However, detecting technologies for them are seemingly not able to keep up with the improvement of hacking and newly generated malicious codes. In this paper, we define the requirements of detecting systems based on the analysis of malicious codes and their spreading characteristics, and propose an improved detection scheme which monitors HTTP Outbound traffic and detects spreading malicious codes in real time. Our proposed scheme sets up signatures in IDS with confirmed HTML tags and Java scripts which spread malicious codes. Through the verification analysis under the real-attacked environment, we show that our scheme is superior to the existing schemes in satisfying the defined requirements and has a higher detection rate for malicious codes.

• Convergence Security Journal
• /
• v.14 no.2
• /
• pp.17-24
• /
• 2014

Form of backdoor penetration attacks "trapdoor" penetration points to bypass the security features and allow direct access to the data. Backdoor without modifying the source code is available, and even code generation can also be modified after compilation. This approach by rewriting the compiler when you compile the source code to insert a specific area in the back door can be due to the use of the method. Defense operations and the basic structure of the backdoor or off depending on the nature of the damage area can be a little different way. This study is based on the diagnosis of a back door operating mechanism acting backdoor analysis methods derived. Research purposes in advance of the attack patterns of malicious code can respond in a way that is intended to be developed. If we identify the structures of backdoor and the infections patterns through the analysis, in the future we can secure the useful information about malicious behaviors corresponding to hacking attacks.

• Journal of KIISE
• /
• v.44 no.10
• /
• pp.1019-1025
• /
• 2017

Binary similarity analysis is used in vulnerability analysis, malicious code analysis, and plagiarism detection. Proving that a function is equal to a well-known safe functions of different versions through similarity analysis can help to improve the efficiency of the binary code analysis of malicious behavior as well as the efficiency of vulnerability analysis. However, few studies have been carried out on similarity analysis of the same function of different versions. In this paper, we analyze the similarity of function units through various methods based on extractable function information from binary code, and find a way to analyze efficiently with less time. In particular, we perform a comparative analysis of the different versions of the OpenSSL library to determine the way in which similar functions are detected even when the versions differ.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.34 no.1
• /
• pp.31-40
• /
• 2024

Recently, static analysis-based signature and pattern detection technologies have limitations due to the advanced IT technologies. Moreover, It is a compatibility problem of multiple architectures and an inherent problem of signature and pattern detection. Malicious codes use obfuscation and packing techniques to hide their identity, and they also avoid existing static analysis-based signature and pattern detection techniques such as code rearrangement, register modification, and branching statement addition. In this paper, We propose an LLVM IR image-based automated static analysis of malicious code technology using machine learning to solve the problems mentioned above. Whether binary is obfuscated or packed, it's decompiled into LLVM IR, which is an intermediate representation dedicated to static analysis and optimization. "Therefore, the LLVM IR code is converted into an image before being fed to the CNN-based transfer learning algorithm ResNet50v2 supported by Keras". As a result, we present a model for image-based detection of malicious code.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.16 no.3
• /
• pp.17-28
• /
• 2006

The appearance of variant malicious codes using obfuscation techniques is accelerating the spread of malicious codes around the detection by a vaccine. n a system does not patch detection patterns for vulnerabilities and worms to the vaccine, it can be infected by the worms and malicious codes can be spreaded rapidly to other systems and networks in a few minute. Moreover, It is limited to the conventional pattern based detection and treatment for variants or new malicious codes. In this paper, we propose a method of behavior based detection by the static analysis, the dynamic analysis and the dynamic monitoring to detect a malicious code using obfuscation techniques with the PE compression. Also we show that dynamic monitoring can detect worms with the PE compression which accesses to important resources such as a registry, a cpu, a memory and files with the proposed method for similarity.

• Convergence Security Journal
• /
• v.8 no.4
• /
• pp.1-8
• /
• 2008

Not only the recent hacking techniques are becoming more malicious with the sophisticated technology but also its consequences are bringing more damages as the broadband Internet is growing rapidly. These may include invasion of information leakage, or identity theft over the internet. Its intent is very destructive which can result in invasion of information leakage, hacking, one of the most disturbing problems on the net. This thesis describes the technology of how you can effectively analyze and detect these kind of E-Mail malicious codes. This research explains how we can cope with malicious code more efficiently by detection method.

• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.16 no.10
• /
• pp.7211-7218
• /
• 2015

Tens of thousands of malicious codes are generated on average in a day. New types of malicious codes are surging each year. Diverse methods are used to detect such codes including those based on signature, API flow, strings, etc. But most of them are limited in detecting new malicious codes due to bypass techniques. Therefore, a lot of researches have been performed for more efficient detection of malicious codes. Of them, visualization technique is one of the most actively researched areas these days. Since the method enables more intuitive recognition of malicious codes, it is useful in detecting and examining a large number of malicious codes efficiently. In this paper, we analyze the relationships between malicious codes and Native API functions. Also, by applying the word cloud with text mining technique, major Native APIs of malicious codes are visualized to assess their maliciousness. The proposed malicious code analysis method would be helpful in intuitively probing behaviors of malware.