• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.5
• /
• pp.1145-1157
• /
• 2012

Google Android employs a security model based on application permissions to control accesses to system resources and components of other applications from a potentially malicious program. But, this model has security vulnerabilities due to lack of user comprehension and excessive permission requests by 3rd party applications. Broadcast intent message is widely used as a primary means of communication among internal application components. However, this mechanism has also potential security problems because it has no security policy related with it. In this paper, we first present security breach scenarios caused by inappropriate use of application permissions and broadcast intent messages. We then analyze and compare usage patterns of application permissions and broadcast intent message for popular applications on Android market and malwares, respectively. The analysis results show that there exists a characteristic set for application permissions and broadcast intent receiver that are requested by typical malwares. Based on the results, we propose a scheme to detect applications that are suspected as malicious and notify the result to users at installation time.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.3
• /
• pp.501-511
• /
• 2022

In 2021, ransomware attacks became popular, and the number is rapidly increasing every year. Since PowerShell is used as the primary ransomware technique, the need for PowerShell-based malware detection is ever increasing. However, the existing detection techniques have limits in that they cannot detect obfuscated scripts or require a long processing time for deobfuscation. This paper proposes a simple and fast deobfuscation method and a deep learning-based classification model that can detect PowerShell-based malware. Our technique is composed of Word2Vec and a convolutional neural network to learn the meaning of a script extracting important features. We tested the proposed model using 1400 malicious codes and 8600 normal scripts provided by the AI-based PowerShell malicious script detection track of the 2021 Cybersecurity AI/Big Data Utilization Contest. Our method achieved 5.04 times faster deobfuscation than the existing methods with a perfect success rate and high detection performance with FPR of 0.01 and TPR of 0.965.

• International Journal of Computer Science & Network Security
• /
• v.23 no.11
• /
• pp.99-109
• /
• 2023

The darknet is frequently referred to as the hub of illicit online activity. In order to keep track of real-time applications and activities taking place on Darknet, traffic on that network must be analysed. It is without a doubt important to recognise network traffic tied to an unused Internet address in order to spot and investigate malicious online activity. Any observed network traffic is the result of mis-configuration from faked source addresses and another methods that monitor the unused space address because there are no genuine devices or hosts in an unused address block. Digital systems can now detect and identify darknet activity on their own thanks to recent advances in artificial intelligence. In this paper, offer a generalised method for deep learning-based detection and classification of darknet traffic. Furthermore, analyse a cutting-edge complicated dataset that contains a lot of information about darknet traffic. Next, examine various feature selection strategies to choose a best attribute for detecting and classifying darknet traffic. For the purpose of identifying threats using network properties acquired from darknet traffic, devised a hybrid deep learning (DL) approach that combines Recurrent Neural Network (RNN) and Bidirectional LSTM (BiLSTM). This probing technique can tell malicious traffic from legitimate traffic. The results show that the suggested strategy works better than the existing ways by producing the highest level of accuracy for categorising darknet traffic using the Black widow optimization algorithm as a feature selection approach and RNN-BiLSTM as a recognition model.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.5
• /
• pp.1119-1127
• /
• 2018

Most of the cyber attacks are caused by malicious codes. The damage caused by cyber attacks are gradually expanded to IoT and CPS, which is not limited to cyberspace but a serious threat to real life. Accordingly, various malicious code analysis techniques have been appeared. Dynamic analysis have been widely used to easily identify the resulting malicious behavior, but are struggling with an increase in Anti-VM malware that is not working in VM environment detection. On the other hand, static analysis has difficulties in analysis due to various packing techniques. In this paper, we proposed malware classification techniques regardless of known packers or unknown packers through the proposed model. To do this, we designed a model of supervised learning and unsupervised learning for the features that can be used in the PE structure, and conducted the results verification through 98,000 samples. It is expected that accurate analysis will be possible through customized analysis technology for each class.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2021.10a
• /
• pp.458-460
• /
• 2021

The provision and application of public safety network in Korea is still insufficient for security response to the mobile app of public safety network in the stages of development, initial construction, demonstration, and initial service. The available terminals on the Disaster Safety Network (PS-LTE) are open, Android-based, dedicated terminals that potentially have vulnerabilities that can be used for a variety of mobile malware, requiring preemptive responses similar to FirstNet Certified in U.S and Google's Google Play Protect. In this paper, before listing the application service app on the public safety network mobile app store, we construct a data set for malicious and normal apps, extract features, select the most effective AI model, perform static and dynamic analysis, and analyze Based on the result, if it is not a malicious app, it is suggested to list it in the App Store. As it becomes essential to provide a service that blocks malicious behavior app listing in advance, it is essential to provide authorized authentication to minimize the security blind spot of the public safety network, and to provide certified apps for disaster safety and application service support. The safety of the public safety network can be secured.

• The KIPS Transactions:PartA
• /
• v.8A no.4
• /
• pp.391-398
• /
• 2001

To design and develop secure operating systems, the BLP (Bell-La Padula) model that represents the MLP (Multi-Level Policy) has been widely adopted. However, user\`s security level in the most developed systems based on the BLP model is inherited to a process that is actual subject on behalf of the user, regardless whatever the process behavior is. So, there could be information disclosure threat or modification threat by malicious or unreliable processes even though the user is authorized in the system. These problems can be solved by defining the subject as (user, process) ordered pair and by defining the process reliability. Moreover, when the leveled programs which exist as objects in a disk are executed by a process and have different level from the process level, the security level decision problem occurs. This paper presents an extended BLP (E-BLP) model in which process reliability is considered and solves the security level decision problem. And this model is implemented into the Linux kernel 2.4.7.

• Journal of Multimedia Information System
• /
• v.6 no.4
• /
• pp.165-172
• /
• 2019

Machine-learning techniques have been actively employed to information security in recent years. Traditional rule-based security solutions are vulnerable to advanced attacks due to unpredictable behaviors and unknown vulnerabilities. By employing ML techniques, we are able to develop intrusion detection systems (IDS) based on anomaly detection instead of misuse detection. Moreover, threshold issues in anomaly detection can also be resolved through machine-learning. There are very few datasets for network intrusion detection compared to datasets for malicious code. KDD CUP 99 (KDD) is the most widely used dataset for the evaluation of IDS. Numerous studies on ML-based IDS have been using KDD or the upgraded versions of KDD. In this work, we develop an IDS model using CSE-CIC-IDS 2018, a dataset containing the most up-to-date common network attacks. We employ deep-learning techniques and develop a convolutional neural network (CNN) model for CSE-CIC-IDS 2018. We then evaluate its performance comparing with a recurrent neural network (RNN) model. Our experimental results show that the performance of our CNN model is higher than that of the RNN model when applied to CSE-CIC-IDS 2018 dataset. Furthermore, we suggest a way of improving the performance of our model.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.10 no.2
• /
• pp.914-934
• /
• 2016

In the mobile distributed environment, an entity may move across domains with great frequency. How to utilize the trust information in the previous domains and quickly establish trust relationships with others in the current domain remains a challenging issue. The classic trust models do not support cross-domain and the existing cross-domain trust models are not in a fully distributed way. This paper improves the outstanding Certified Reputation (CR) model and proposes a Lightweight Cross-domain Trust (LCT) model for the mobile distributed environment in a fully distributed way. The trust certifications, in which the trust ratings contain various trust aspects with different interest preference weights, are collected and provided by the trustees. Furthermore, three factors are comprehensively considered to ease the issue of collusion attacks and make the trust certifications more accurate. Finally, a cross-domain scenario is deployed and implemented, and the comprehensive experiments and analysis are conducted. The results demonstrate that our LCT model obviously outperforms the Bayesian Network (BN) model and the CR model in our cross-domain scenario, and significantly improves the successful interaction rates of the honest entities without increasing the risks of interacting with the malicious entities.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.12 no.8
• /
• pp.3926-3945
• /
• 2018

In Jøsang's trust model, trust evaluation is obtained through operators, but there are problems with the mutuality and asymmetry of trust and the impact of event weight on trust evaluation. Trust evaluation is updated dynamically and continuously with time and the process of interactions, but it has not been reflected in Jøsang's model. Therefore, final trust evaluation is not accurate, and malicious fraud cannot be prevented effectively. This causes the success rate of interaction to be low. To solve these problems, a new dynamic trust model is proposed based on extended subjective logic (DTM-ESL). In DTM-ESL, the event weight and the mutuality of trust are fully considered, the original one-way trust relationship is extended to a two-way trust relationship, discounting and consensus operators are improved, and trust renewal is designed based on event weight. The viability and effectiveness of this new model are verified by simulation experiments.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.17 no.8
• /
• pp.2101-2123
• /
• 2023

Recent studies have shown that the neural network-based binary code similarity detection technology performs well in vulnerability mining, plagiarism detection, and malicious code analysis. However, existing cross-architecture methods still suffer from insufficient feature characterization and low discrimination accuracy. To address these issues, this paper proposes a cross-architecture binary function similarity detection method based on composite feature model (SDCFM). Firstly, the binary function is converted into vector representation according to the proposed composite feature model, which is composed of instruction statistical features, control flow graph structural features, and application program interface calling behavioral features. Then, the composite features are embedded by the proposed hierarchical embedding network based on a graph neural network. In which, the block-level features and the function-level features are processed separately and finally fused into the embedding. In addition, to make the trained model more accurate and stable, our method utilizes the embeddings of predecessor nodes to modify the node embedding in the iterative updating process of the graph neural network. To assess the effectiveness of composite feature model, we contrast SDCFM with the state of art method on benchmark datasets. The experimental results show that SDCFM has good performance both on the area under the curve in the binary function similarity detection task and the vulnerable candidate function ranking in vulnerability search task.