• ETRI Journal
• /
• v.43 no.2
• /
• pp.332-343
• /
• 2021

With cyberattack techniques on the rise, there have been increasing developments in the detection techniques that defend against such attacks. However, cyber attackers are now developing fileless malware to bypass existing detection techniques. To combat this trend, security vendors are publishing analysis reports to help manage and better understand fileless malware. However, only fragmentary analysis reports for specific fileless cyberattacks exist, and there have been no comprehensive analyses on the variety of fileless cyberattacks that can be encountered. In this study, we analyze 10 selected cyberattacks that have occurred over the past five years in which fileless techniques were utilized. We also propose a methodology for classification based on the attack techniques and characteristics used in fileless cyberattacks. Finally, we describe how the response time can be improved during a fileless attack using our quick and effective classification technique.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.2
• /
• pp.431-438
• /
• 2019

Fileless malware uses memory injection attacks to hide traces of payloads to perform malicious works. During the memory injection attack, an attack named "process hollowing" is a method of creating paused benign process like system processes. And then injecting a malicious payload into the benign process allows malicious behavior by pretending to be a normal process. In this paper, we propose a method to detect the memory injection regardless of whether or not the malicious action is actually performed when a process hollowing attack occurs. The replication process having same execution condition as the process of suspending the memory injection is executed, the data set belonging to each process virtual memory area is compared using the fuzzy hash, and the similarity is calculated.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2020.11a
• /
• pp.366-369
• /
• 2020

기존 악성코드 탐지 방법의 한계점과 심층 학습기술의 적용을 통한 악성코드의 탐지 및 분류방법을 기술하고 탐지에서의 각 학습모델에 대한 테스트 성능 과정 정확도를 비교하여 파일리스 악성코드 탐지에서의 심층 학습기술의 유용성과 발전 가능성을 판단하려 한다.

• ETRI Journal
• /
• v.43 no.3
• /
• pp.549-560
• /
• 2021

Cyberattacks are often difficult to identify with traditional signature-based detection, because attackers continually find ways to bypass the detection methods. Therefore, researchers have introduced artificial intelligence (AI) technology for cybersecurity analysis to detect malicious PowerShell scripts. In this paper, we propose a feature optimization technique for AI-based approaches to enhance the accuracy of malicious PowerShell script detection. We statically analyze the PowerShell script and preprocess it with a method based on the tokens and abstract syntax tree (AST) for feature selection. Here, tokens and AST represent the vocabulary and structure of the PowerShell script, respectively. Performance evaluations with optimized features yield detection rates of 98% in both machine learning (ML) and deep learning (DL) experiments. Among them, the ML model with the 3-gram of selected five tokens and the DL model with experiments based on the AST 3-gram deliver the best performance.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2021.11a
• /
• pp.213-216
• /
• 2021

기술이 발전함에 따라 악성코드 또한 함께 발전하여 보안 위협이 증가되고 있다. 특히 PowerShell 과 같은 스크립트 언어를 사용하여 포렌식이 어려운 Fileless 악성코드가 지속적으로 증가하고 있다. 이에 본 논문에서 PowerShell 데이터셋을 활용하여 기존 패턴은 탐지할 수 없는 한계점을 가진 시그니처 또는 휴리스틱 기반 탐지 기법을 보완하여 기존의 악성코드들을 학습 및 새로운 악성코드를 추측하는 것이 가능한 심층 학습 기술, Graph Convolutional Networks 과 자카드 유사도를 활용하여 기존의 방식에 비해 더 효율적으로 탐지를 이루어 내는지를 판단해보려한다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.4
• /
• pp.629-635
• /
• 2022

Cyber threats are also increasing with recent social changes and the development of ICT technology. Malicious codes used in cyber threats are becoming more advanced and intelligent, such as analysis environment avoidance technology, concealment, and fileless distribution, to make analysis difficult. Machine learning technology is being used to effectively analyze these malicious codes, but a lot of effort is needed to increase the accuracy of classification. In this paper, we propose a malicious code detection technology based on API call interval characteristics to improve the classification performance of machine learning. The proposed technology uses API call characteristics for each section and entropy of binary to separate characteristic factors into sections based on the extraction malicious code and API call order of normal binary. It was verified that malicious code can be well analyzed using the support vector machine (SVM) algorithm for the extracted characteristic factors.