• Journal of the Korea Society of Computer and Information
• /
• v.20 no.6
• /
• pp.37-42
• /
• 2015

In this paper, we propose malware database in mobile memory for realtime malware URL detection and we support realtime malware URL detection engine, that is control the web service for more secure mobile service. Recently, mobile malware is on the rise and to be new threat on mobile environment. In particular the mobile characteristics, the damage of malware is more important, because it leads to monetary damages for the user. There are many researches in cybercriminals prevention and malware detection, but it is still insufficient. Additionally we propose the method for prevention Smishing within SMS, MMS. In the near future, mobile venders must build the secure mobile environment with fundamental measures based on our research.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.20 no.7
• /
• pp.1290-1295
• /
• 2016

Recently, as mobile internet usage has been increasing rapidly, malware attacks through user's web browsers has been spreading in a way of social engineering or drive-by downloading. Existing defense mechanism against drive-by download attack mainly focused on final download sites and distribution paths. However, detection and prevention of injection sites to inject malicious code into the comprised websites have not been fully investigated. In this paper, for the purpose of improving defense mechanisms against these malware downloads attacks, we focus on detecting the injection site which is the key source of malware downloads spreading. As a result, in addition to the current URL blacklist techniques, we proposed the enhanced method which adds features of detecting the injection site to prevent the malware spreading. We empirically show that the proposed method can effectively minimize malware infections by blocking the source of the infection spreading, compared to other approaches of the URL blacklisting that directly uses the drive-by browser exploits.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.4
• /
• pp.869-882
• /
• 2012

With the growth of Web services and the development of web exploit toolkits, web-based malware has increased dramatically. Using Javascript Obfuscation, recent web-based malware hide a malicious URL and the exploit code. Thus, pattern matching for network intrusion detection systems has difficulty of detecting malware. Though various methods have proposed to detect Javascript malware on a users' web browser, the overall detection is needed to counter advanced attacks such as APTs(Advanced Persistent Treats), aimed at penetration into a certain an organization's intranet. To overcome the limitation of previous pattern matching for network intrusion detection systems, a novel deobfuscating method to handle obfuscated Javascript is needed. In this paper, we propose a framework for effective hidden malware detection through an automated deobfuscation regardless of advanced obfuscation techniques with overriding JavaScript functions and a separate JavaScript interpreter through to improve jsunpack-n.

• Proceedings of the Korean Society of Computer Information Conference
• /
• 2014.07a
• /
• pp.365-367
• /
• 2014

최근 웹 서비스의 증가와 악성코드는 그 수를 판단 할 수 없을 정도로 빠르게 늘어나고 있다. 매년 늘어나는 악성코드는 금전적 이윤 추구가 악성코드의 주된 동기가 되고 있으며 이는 공공기관 및 보안 업체에서도 악성코드를 탐지하기 위한 연구가 활발히 진행되고 있다. 본 논문에서는 실시간으로 패킷을 분석할수 있는 필터링과 웹 크롤링을 통해 도메인 및 하위 URL까지 자동적으로 탐지할 수 있는 악성코드 탐지 시스템을 제안한다.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.25 no.9
• /
• pp.1227-1233
• /
• 2021

QR Code has been used in various forms such as simple business cards and URLs. Recently, the influence of Corona 19 Fundemik has led to the use of QR Codes to track travel routes through visits and entry / exit records, and QR Code usage has skyrocketed. In this way, most people have come to use it in the masses and are constantly under threat. In the case of QR Code, you do not know what you are doing until you execute it. Therefore, if you undoubtedly execute a QR Code with a malicious URL inserted, you will be directly exposed to security threats. Therefore, this paper provides a cloud-based malware QR Code detection system that can make a normal connection only when there is no abnormality after determining whether it is a malicious QR Code when scanning the QR Code.

• Journal of the Korea Society of Computer and Information
• /
• v.27 no.5
• /
• pp.149-156
• /
• 2022

Recently, there have been many reports of document-type malicious code injecting malicious code into Microsoft Office files. Document-type malicious code is often hidden by encoding the malicious code in the document. Therefore, document-type malware can easily bypass anti-virus programs. We found that malicious code was inserted into the Visual Basic for Applications (VBA) macro, a function supported by Microsoft Office. Malicious codes such as shellcodes that run external programs and URL-related codes that download files from external URLs were identified. We selected 354 keywords repeatedly appearing in malicious Microsoft Office files and defined the number of times each keyword appears in the body of the document as a feature. We performed machine learning with SVM, naïve Bayes, logistic regression, and random forest algorithms. As a result, each algorithm showed accuracies of 0.994, 0.659, 0.995, and 0.998, respectively.

• Convergence Security Journal
• /
• v.23 no.2
• /
• pp.3-10
• /
• 2023

In the malware distribution network existing on the web, there is a central node that plays a key role in distributing malware. If you find and block this node, you can effectively block the propagation of malware. In this study, a centrality search method applied with risk analysis in a complex network is proposed, and a method for finding a core node in a malware distribution network is introduced through this approach. In addition, there is a big difference between a benign network and a malicious network in terms of in-degree and out-degree, and also in terms of network layout. Through these characteristics, we can discriminate between malicious and benign networks.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.3
• /
• pp.555-564
• /
• 2022

Recently, cyberattacks are using hacking techniques utilizing intelligent and advanced malicious codes for non-face-to-face environments such as telecommuting, telemedicine, and automatic industrial facilities, and the damage is increasing. Traditional information protection systems, such as anti-virus, are a method of detecting known malicious URLs based on signature patterns, so unknown malicious URLs cannot be detected. In addition, the conventional static analysis-based malicious URL detection method is vulnerable to dynamic loading and cryptographic attacks. This study proposes a technique for efficiently detecting malicious URLs by dynamically learning malicious URL data. In the proposed detection technique, malicious codes are classified using machine learning-based feature selection algorithms, and the accuracy is improved by removing obfuscation elements after preprocessing using Weighted Euclidean Distance(WED). According to the experimental results, the proposed machine learning-based malicious URL detection technique shows an accuracy of 89.17%, which is improved by 2.82% compared to the conventional method.

• Convergence Security Journal
• /
• v.15 no.1
• /
• pp.3-9
• /
• 2015

In this paper, a detection technique of smishing using a TaintDroid is suggested. Suggesting system detects malicious acts by transmitting a URL to the TaintDroid server and installing a relevant application to a virtual device of the TaintDroid server, when a smartphone user receives a text message including the URL suspected as a smishing. Through this we want to distinguish an application that can not install because of suspicion of a smishing in an actual smartphone whether said application is malicious application or not by testing with the virtual device of said system. The detection technique of a smishing using the TaintDroid suggested in this paper is possible to detect in a new form a smishing with a text message and to identifying which application it is through analysis of results from a user.

• Journal of Information Processing Systems
• /
• v.12 no.3
• /
• pp.422-435
• /
• 2016

Despite the convenience brought by the advances in web and Internet technology, users are increasingly being exposed to the danger of various types of cyber attacks. In particular, recent studies have shown that today's cyber attacks usually occur on the web via malware distribution and the stealing of personal information. A drive-by download is a kind of web-based attack for malware distribution. Researchers have proposed various methods for detecting a drive-by download attack effectively. However, existing methods have limitations against recent evasion techniques, including JavaScript obfuscation, hiding, and dynamic code evaluation. In this paper, we propose an emulation-based malicious webpage detection method. Based on our study on the limitations of the existing methods and the state-of-the-art evasion techniques, we will introduce four features that can detect malware distribution networks and we applied them to the proposed method. Our performance evaluation using a URL scan engine provided by VirusTotal shows that the proposed method detects malicious webpages more precisely than existing solutions.