• Title/Summary/Keyword: PE file


Development of the Integrated Loader/Linker System for the Java Class File and .NET PE File. (자바 클래스 파일과 .NET PE 파일을 위한 통합 로더/링커 시스템의 개발)

  • Ko, Kwang-Man
    • Journal of Korea Multimedia Society, v.10 no.11, pp.1472-1482, 2007
  • The integrated loader/linker plays a very important role in creating all types of information and ensuring the information integrity needed for substantial executions by receiving a PE input file, an intermediate representation of a Java class file or a .NET environment, thereby allowing information optimized for verification, resolution, initialization, and execution to be saved. This paper proposes a loader/linker system for integrating a Java class file and a .NET-based PE file. As a means of implementing the loader/linker system, a new execution file format (*.evm) and a memory format were designed to save all information of Java class files and .NET-based PE files, and to enable the information in those files to be executed in a JVM or .NET environment through the use of the saved execution information.


PE Header Characteristics Analysis Technique for Malware Detection (악성프로그램 탐지를 위한 PE헤더 특성 분석 기술)

  • Choi, Yang-Seo;Kim, Ik-Kyun;Oh, Jin-Tae;Ryu, Jae-Cheol
    • Convergence Security Journal, v.8 no.2, pp.63-70, 2008
  • In order to keep malware from being easily analyzed, hackers apply various anti-reversing and obfuscation techniques to it. However, the more anti-reversing techniques are applied to malware, the more abnormal characteristics, which are not seen in a normal PE file, can be observed in the PE file's header. In this letter, a new malware detection technique is proposed based on this observation. For malware detection, we define the Characteristics Vector (CV), which can represent the characteristics of a PE file's header. In the learning phase, we calculate the average CV (ACV) of malware (ACVM) and of normal files (ACVN). To detect malware we calculate the two Weighted Euclidean Distances (WEDs) from a file's CV to the ACVs, and they are used to decide whether the file is malware or not. The proposed technique is very fast and its detection rate is fairly high, so it could be applied to network-based attack detection and prevention devices. Moreover, this technique could be used to detect unknown malware because it does not rely on a signature but on the malware's characteristics.


A Classification Method for Executable Files based on Comparison of Undocumented Information in the PE Header (실행파일 헤더내 문서화되지 않은 정보의 비교를 통한 실행파일 분류 방법)

  • Kim, Jung-Sun;Kang, Jung-Min;Kim, Kang-San;Shin, Wook
    • KIPS Transactions on Computer and Communication Systems, v.2 no.1, pp.43-50, 2013
  • File identification and analysis is an important process in computer forensics, since the process determines which subjects need to be collected and analyzed as digital evidence. Efficient file classification aids file identification, especially in copyright infringement cases where we often have huge numbers of files. A lot of file classification methods have been proposed so far, but they have mostly focused on classifying malicious behaviors based on known information. In copyright infringement cases, we need a different approach since our subject includes not only malicious code but also a vast number of normal files. In this paper, we propose an efficient file classification method that relies on undocumented information in the header of PE format files. Our method is useful in copyright infringement cases, being applicable to any sort of PE format executable file whether the file is malicious, packed, mutated, transformed, virtualized, obfuscated, or not.

Packed PE File Detection for Malware Forensics (악성코드 포렌식을 위한 패킹 파일 탐지에 관한 연구)

  • Han, Seung-Won;Lee, Sang-Jin
    • The KIPS Transactions: Part C, v.16C no.5, pp.555-562, 2009
  • In malware incident investigation, the most important thing is the detection of malicious code. Signature-based anti-virus software has been used in most incidents. Malware can easily avoid signature-based detection by using packing or encryption. Because of this, packed file detection is also important. Detection methods can be divided into signature-based detection and entropy-based detection. Signature-based detection cannot detect new packers, and entropy-based detection has a problem with false positives. We provide a detection method using entropy statistics of the entry point section and the 'write' property, an essential characteristic of packed files. We then present a packing detection tool and evaluate its performance.

A Chi-Square-Based Decision for Real-Time Malware Detection Using PE-File Features

  • Belaoued, Mohamed;Mazouzi, Smaine
    • Journal of Information Processing Systems, v.12 no.4, pp.644-660, 2016
  • The real-time detection of malware remains an open issue, since most of the existing approaches to malware categorization focus on improving accuracy rather than detection time. Therefore, finding a proper balance between these two characteristics is very important, especially for such sensitive systems. In this paper, we present a fast portable executable (PE) malware detection system, which is based on the analysis of the set of Application Programming Interfaces (APIs) called by a program and some technical PE features (TPFs). We used an efficient feature selection method, which first selects the most relevant APIs and TPFs using the chi-square ($KHI^2$) measure, and then uses the Phi (${\varphi}$) coefficient to classify the features into different subsets based on their relevance. We evaluated our method using different classifiers trained on different combinations of feature subsets. We obtained very satisfying results with more than 98% accuracy. Our system is adequate for real-time detection since it is able to categorize a file (Malware or Benign) in 0.09 seconds.

THE EFFECT OF DIFFERENT FLUTE DESIGN AND TORQUE-CONTROLLED MOTOR ON THE SHAPING ABILITY OF SIMULATED RESIN ROOT CANALS (엔진의 토크 조절 능력과 니켈-티타늄 파일의 삭제 성향이 근관 성형에 미치는 영향)

  • Roh, Hyoung-Mee;Huh, Bock;Kim, Hyeon-Cheol;Park, Jeong-Kil
    • Restorative Dentistry and Endodontics, v.30 no.6, pp.486-492, 2005
  • The purpose of this study was to compare the shaping ability of two different Ni-Ti file systems and two different engine systems in simulated canals. A total of four groups of 10 each were tested. Each group was instrumented with HeroShaper and Endo-Mate2 (Group HE), HeroShaper and Tecnika (Group HT), ProFile and Endo-Mate2 (Group PE), and ProFile and Tecnika (Group PT). Canal preparation time was recorded. The images of pre- and post-instrumented root canals were scanned and superimposed. The amounts of increased width and the centering ratio were measured and calculated at the apical 1, 3 and 5 mm levels. These data were statistically analyzed with one-way ANOVA and Duncan's multiple range test. The results of this study were as follows: 1. Canal preparation time of the HT group was the shortest (p<0.05). 2. The amount of increased canal width in the HE group was significantly larger than in the PT group at the apical 1 mm level (p<0.05). At the apical 3 mm level, the PT group was significantly smaller than the other groups (p<0.05). At the apical 5 mm level, the PE group was significantly larger than the PT group (p<0.05). 3. The centering ratio in the HE group was significantly larger than in the other groups (p<0.05). At the apical 5 mm level, the HT group was significantly larger than the PE group and the PT group (p<0.05). Under the conditions of this study, a torque-controlled endodontic motor is safer than a non-torque-controlled motor, especially when an active file is used.

Generating Call Graph for PE file (PE 파일 분석을 위한 함수 호출 그래프 생성 연구)

  • Kim, DaeYoub
    • Journal of IKEEE, v.25 no.3, pp.451-461, 2021
  • As various smart devices spread and the damage caused by malicious code becomes more serious, malicious code detection technology using machine learning is attracting attention. However, if the training data for machine learning is constructed based only on fragmentary characteristics of the code, it is still easy to create variants and new malicious code that evade it. To solve this problem, research using the function call relationships of malicious code as training data is attracting attention. In particular, it is expected that more advanced malware detection will be possible by measuring the similarity of graphs using a GNN. This paper proposes an efficient method to generate a function call graph from binary code in order to utilize a GNN for malware detection.

How to Prevent Software crack for Control PE (PE Format 조작을 통한 소프트웨어 크랙 방지 기술)

  • Kim, Tae-hyoung;Jang, Jong-uk
    • Proceedings of the Korean Institute of Information and Communication Sciences Conference, 2017.05a, pp.249-251, 2017
  • In the past, people thought that software security was not important, but the skills used to attack software have grown rapidly; software cracking has held back the growth of the software industry and reduced the profits of copyright holders. So I propose software crack prevention by changing the PE format. Hackers can analyze a program statically. By changing the PE format, we can prevent static analysis. By inserting anti-debugging code into the exe file, the program is protected from dynamic analysis.


Preprocessor Implementation of Open IDS Snort for Smart Manufacturing Industry Network (스마트 제조 산업용 네트워크에 적합한 Snort IDS에서의 전처리기 구현)

  • Ha, Jaecheol
    • Journal of the Korea Institute of Information Security & Cryptology, v.26 no.5, pp.1313-1322, 2016
  • Recently, many virus and hacking attacks on public organizations and financial institutions over the internet are becoming increasingly intelligent and sophisticated. The Advanced Persistent Threat has been considered an important cyber risk. This attack is basically accomplished by spreading malicious code through complex networks. To detect and extract PE files in smart manufacturing industry networks, an efficient processing method which is performed before the analysis procedure for malicious code is proposed. We implement a preprocessor for the open intrusion detection system Snort for fast extraction of PE files and install it on hardware sensor equipment. As a result of a practical experiment, we verify that the network sensor can extract PE files, which are often suspected of being malware.

A linear array SliM-II image processor chip (선형 어레이 SliM-II 이미지 프로세서 칩)

  • 장현만;선우명훈
    • Journal of the Korean Institute of Telematics and Electronics C, v.35C no.2, pp.29-35, 1998
  • This paper describes the architecture and design of a SIMD-type parallel image processing chip called SliM-II. The chip has a linear array of 64 processing elements (PEs), operates at 30 MHz in the worst-case simulation and gives at least 1.92 GIPS. In contrast to existing array processors, such as IMAP, MGAP-2, VIP, etc., each PE has a multiplier that is quite effective for convolution, template matching, etc. The instruction set can execute an ALU operation, data I/O, and inter-PE communication simultaneously in a single instruction cycle. In addition, during the ALU/multiplier operation, SliM-II provides a parallel move between the register file and on-chip memory as in DSP chips. SliM-II can greatly reduce the inter-PE communication overhead due to the idea of sliding, which is a technique of overlapping inter-PE communication with computation. Moreover, the bandwidth of data I/O and inter-PE communication increases due to bit-parallel data paths. We used the COMPASS$^{TM}$ 3.3 V 0.6 $\mu$m standard cell library (v8r4.10). The total number of transistors is about 1.5 million, the core size is 13.2 × 13.0 mm$^{2}$ and the package type is 208-pin PQ2 (Power Quad 2). The performance evaluation shows that, compared to existing array processors, the proposed architecture gives a significant improvement for algorithms requiring multiplications.
