• Convergence Security Journal
• /
• v.19 no.1
• /
• pp.11-17
• /
• 2019

Recently, the abuse of Internet technology has caused economic and mental harm to society as a whole. Especially, malicious code that is newly created or modified is used as a basic means of various application hacking and cyber security threats by bypassing the existing information protection system. However, research on small-capacity executable files that occupy a large portion of actual malicious code is rather limited. In this paper, we propose a model that can analyze the characteristics of known small capacity executable files by using data mining techniques and to use them for detecting unknown malicious codes. Data mining analysis techniques were performed in various ways such as Naive Bayesian, SVM, decision tree, random forest, artificial neural network, and the accuracy was compared according to the detection level of virustotal. As a result, more than 80% classification accuracy was verified for 34,646 analysis files.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.5
• /
• pp.945-954
• /
• 2022

Billions of malicious codes are detected every year, of which only 0.01% are new types of malware. In this situation, an effective malware type classification tool is needed, but previous studies have limitations in quickly analyzing a large amount of malicious code because it requires a complex and massive amount of data pre-processing. To solve this problem, this paper proposes a method to classify the types of malicious code based on the similarity hash without complex data preprocessing. This approach trains the XGBoost model based on the similarity hash information of the malware. To evaluate this approach, we used the BIG-15 dataset, which is widely used in the field of malware classification. As a result, the malicious code was classified with an accuracy of 98.9% also, identified 3,432 benign files with 100% accuracy. This result is superior to most recent studies using complex preprocessing and deep learning models. Therefore, it is expected that more efficient malware classification is possible using the proposed approach.

• Journal of KIISE:Information Networking
• /
• v.31 no.6
• /
• pp.556-565
• /
• 2004

A Sandbox has been widely used to prevent damages caused by running of unknown malicious codes. It prevents damages by containing running environment of a program. There is a trade-off in using sandbox, between configurability and ease-of-use. MAPbox, an instance system of sandbox, had employed sandbox classification technique to satisfy both configurability and ease-of-use [1]. However, the configurability of MAPbox can be improved further. In this paper, we introduce a technique to attach dynamic class facility to MAPbox and implement MAPbox-advanced one. Newly generated class in our system has an access control with proper privileges. We show an example for improvements which denote our system have increased the configurability of MAPbox. It was determined as abnormal by MAPbox although is not. Our system could determine it as normal. We also show our techniques to overcome obstacles to implement the system.

• The KIPS Transactions:PartC
• /
• v.19C no.3
• /
• pp.185-190
• /
• 2012

The recent trends in malwares show the most widely used for the distribution of malwares that the targeted computer is infected while the user is accessing to the website, without being aware of the fact that, in which the harmful codes are concealed. In this thesis, we propose a new malicious web page detection system based on a real time analysis of normal/abnormal behaviors in client-side. By means of this new approach, it is not only the limitation of conventional methods can be overcome, but also the risk of infection from malwares is mitigated.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.12 no.6
• /
• pp.2881-2894
• /
• 2018

Cyber attacks are increasing continuously. On average about one million malicious codes appear every day, and attacks are expanding gradually to IT convergence services (e.g. vehicles and television) and social infrastructure (nuclear energy, power, water, etc.), as well as cyberspace. Analysis of large-scale cyber incidents has revealed that most attacks are started by PCs infected with malicious code. This paper proposes a method of detecting an attack IP automatically by analyzing the characteristics of the e-mail transfer path, which cannot be manipulated by the attacker. In particular, we developed a system based on the proposed model, and operated it for more than four months, and then detected 1,750,000 attack IPs by analyzing 22,570,000 spam e-mails in a commercial environment. A detected attack IP can be used to remove spam e-mails by linking it with the cyber removal system, or to block spam e-mails by linking it with the RBL(Real-time Blocking List) system. In addition, the developed system is expected to play a positive role in preventing cyber attacks, as it can detect a large number of attack IPs when linked with the portal site.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.2
• /
• pp.279-292
• /
• 2015

In this study, we propose an effective network managed security services model that can detect a presence of potential malicious codes inside the energy-based SCADA Systems. Especially, by analyzing the data obtained in the same environment of SCADA Systems, we develop detection factors to applicable to the managed security services and propose the method for the network managed security services. Finally, the proposed network managed security services model through simulation proved possibility to detect malicious traffic in SCADA systems effectively.

• Journal of the Korea Convergence Society
• /
• v.8 no.5
• /
• pp.37-43
• /
• 2017

A registry is a hierarchy database which is designed to store information necessary for operating system and application programs in Windows operating system, and it is involved in all activities such as booting, logging, service execution, application execution, and user behavior. Digital forensic is widely used. In recent years, malicious codes have penetrated into systems in a way that is not recognized by the user, and valuable information is leaked or stolen, causing financial damages. Therefore, this study proposes a method to detect malicious code by using a shareware application without using expensive digital forensic program, so as to analysis hacking methods and prevent hacking damage in advance.

• Proceedings of the Korean Society of Computer Information Conference
• /
• 2019.01a
• /
• pp.359-360
• /
• 2019

본 논문에서는 2018년에 성횡한 악성코드에 대한 피해 사례를 살펴본 후 이를 적극적으로 대응하기 위한 방안을 살펴본다. 특히 가상통화 거래소에 대한 해킹 사고 및 가상화폐에 대한 지속적인 해킹 시도가 탐지되면서 관련 소식들이 언론에 지속적으로 보도되었다. 또한 이와 관련하여 PC 및 서버 자원을 몰래 훔쳐 가상통화 채굴에 사용하는 크립토재킹 공격기법도 함께 주목받았다. 랜섬웨어 부문은 갠드크랩 관련 보도가 대부분을 차지할 정도로 국내에서 지속적으로 이슈가 되었다. 또한 미국 법무부에서 최초로 북한 해커조직의 일원을 재판에 넘기면서 해커 그룹에 대한 관심이 집중되기도 했다. 2018년 전반적으로 이러한 가상통화 거래소 해킹, 크립토재킹, 랜섬웨어, 해커 그룹의 4가지 키워드를 도출하였으며, 이 중 해커 그룹은 북한과 중국의 경우를 나누어 총 5가지 주제를 통해 악성코드에 대한 주요 이슈들을 살펴본다. 본 논문에서는 이러한 악성코드의 공격을 근본적으로 해결할 수 있는 방안으로 클라이언트 측에 USB형태의 BBS(Big Bad Stick) 하드웨어를 통하여 제안하는 환경을 제안하고 안전한 서비스가 제공됨을 증명하여 본 연구가 새로운 보안성을 갖춘 시스템임을 보인다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.2
• /
• pp.357-367
• /
• 2018

As information technology of modern society develops, various malicious codes with the purpose of seizing or destroying important system information are developing together. Among them, ransomware is a typical malicious code that prevents access to user's resources. Although researches on detecting ransomware performing encryption have been conducted a lot in recent years, no additional methods have been proposed to recover damaged files after an attack. Also, because the similarity comparison technique was used without considering the repeated encryption, it is highly likely to be recognized as a normal behavior. Therefore, this paper implements a filter driver to control the file system and performs a similarity comparison method that is verified based on the analysis of the encryption pattern of the ransomware. We propose a system to detect the malicious process of the accessed process and recover the damaged file based on the cloud storage.

• Convergence Security Journal
• /
• v.12 no.4
• /
• pp.3-8
• /
• 2012

Smartphones have all the recent technology integration and NFC (Near Field Communication) Technology is one of them and become an essential these days. Despite using smartphones with NFC technology widely, not many security vulnerabilities have been discovered. This paper attempts to identify characteristics and various services in NFC technology, and to present a wide range of security vulnerabilities, prevention, and policies especially in NFC Contactless technology. We describe a security vulnerability and an possible threat based on human vulnerability and traditional malware distribution technic using Peer-to-Peer network on NFC-Enabled smartphones. The vulnerability is as follows: An attacker creates a NFC tag for distributing his or her malicious code to unspecified individuals and apply to hidden spot near by NFC reader in public transport like subway system. The tag will direct smartphone users to a certain website and automatically downloads malicious codes into their smartphones. The infected devices actually help to spread malicious code using P2P mode and finally as traditional DDoS attack, a certain target will be attacked by them at scheduled time.