• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.17 no.6
• /
• pp.11-17
• /
• 2017

We proposed malware detection method, which use the feature vector that consist of Opcode(operation code) and Windows API Calls extracted from executable files. And, we implemented our feature vector and measured the performance of it by using Bernoulli Naïve Bayes and K-Nearest Neighbor classifier. In experimental result, when using the K-NN classifier with the proposed method, we obtain 95.21% malware detection accuracy. It was better than existing methods using only either Opcode or Windows API Calls.

• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.18 no.1
• /
• pp.211-216
• /
• 2018

In this paper, we studied the way that classify whether unknown PE file is malware or not. In the classification problem of malware detection domain, feature extraction and classifier are important. For that purpose, we studied what the feature is good for classifier and the which classifier is good for the selected feature. So, we try to find the good combination of feature and classifier for detecting malware. For it, we did experiments at two step. In step one, we compared the accuracy of features using Opcode only, Win. API only, the one with both. We founded that the feature, Opcode and Win. API, is better than others. In step two, we compared AUC value of classifiers, Bernoulli Naïve Bayes, K-nearest neighbor, Support Vector Machine and Decision Tree. We founded that Decision Tree is better than others.

• Proceedings of the Korean Society of Computer Information Conference
• /
• 2023.01a
• /
• pp.103-106
• /
• 2023

코로나 팬데믹 사태로 인해 업무환경이 재택근무를 하는 환경으로 바뀌고 악성코드의 변종 또한 빠르게 발전하고 있다. 악성코드를 분석하고 백신 프로그램을 만들면 새로운 변종 악성코드가 생기고 변종에 대한 백신프로그램이 만들어 질 때까지 변종된 악성코드는 사용자에게 위협이 된다. 본 연구에서는 머신러닝 알고리즘을 사용하여 악성파일 여부를 예측하는 방법을 제시하였다. 일반적인 악성코드의 구조를 갖는 Portable Executable 구조 파일을 파이썬의 LIEF 라이브러리를 사용하여 Certificate, Imports, Opcode 등 3가지 feature에 대해 정적분석을 하였다. 학습 데이터로는 정상파일 320개와 악성파일 530개를 사용하였다. Certificate는 hasSignature(디지털 서명정보), isValidcertificate(디지털 서명의 유효성), isNotExpired(인증서의 유효성)의 feature set을 사용하고, Imports는 Import Address Table의 function 빈도수를 비교하여 feature set을 구축하였다. Opcode는 tri-gram으로 추출하여 빈도수를 비교하여 feature set을 구축하였다. 테스트 데이터로는 정상파일 360개 악성파일 610개를 사용하였으며 Feature set을 사용하여 random forest, decision tree, bagging, adaboost 등 4가지 머신러닝 알고리즘을 대상으로 성능을 비교하였고, bagging 알고리즘에서 약 0.98의 정확도를 보였다.

• Journal of KIISE
• /
• v.42 no.5
• /
• pp.558-565
• /
• 2015

Recently, the number of new malware and malware variants has dramatically increased. As a result, the time for analyzing malware and the efforts of malware analyzers have also increased. Therefore, malware classification helps malware analyzers decrease the overhead of malware analysis, and the classification is useful in studying the malware's genealogy. In this paper, we proposed a set of key opcode to classify the malware. In our experiments, we selected the top 10-opcode as key opcode, and the key opcode decreased the training time of a Supervised learning algorithm by 91% with preserving classification accuracy.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.20 no.4
• /
• pp.155-160
• /
• 2010

Since the RSA cryptosystem based on Chinese Remainder Theorem is vulnerable to many fault insertion attacks, some countermeasures against them were proposed. Recently, Kim et al. or Ha et al. respectively proposed each countermeasure scheme based on fault propagation method. Unfortunately, Hur et al. insist that these countermeasures are vulnerable to their opcode modification fault attack. In this paper, we show that the proposed attack can not apply to almost CRT-RSA countermeasures which use multi-precision operations in long bit computation. Therefore, the countermeasure against fault attack proposed by Kim et al. or Ha et al. are still secure.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2022.05a
• /
• pp.179-182
• /
• 2022

최근 코로나 19 팬더믹 이후 원격근무의 확대와 더불어 랜섬웨어 팬더믹이 심화하고 있다. 현재 안티바이러스 백신 업체들이 랜섬웨어에 대응하고자 노력하고 있지만, 기존의 파일 시그니처 기반 정적분석은 패킹의 다양화, 난독화, 변종 혹은 신종 랜섬웨어의 등장 앞에 무력화될 수 있고, 실제로 랜섬웨어의 피해 규모 지속 증가가 이를 설명한다. 본 논문에서는 기계학습을 기반으로 한 단일 분석만을 이용하여 탐지모델에 적용하는 것이 아닌 정적 분석 정보(.text Section Opcode)와 동적 분석 정보(Native API)를 추출하고 유사도를 바탕으로 연관성을 찾아 결합하여 기계학습에 적용하는 탐지모델을 제안한다.

• KIPS Transactions on Computer and Communication Systems
• /
• v.11 no.10
• /
• pp.363-372
• /
• 2022

Since the recent COVID-19 Pandemic, the ransomware fandom has intensified along with the expansion of remote work. Currently, anti-virus vaccine companies are trying to respond to ransomware, but traditional file signature-based static analysis can be neutralized in the face of diversification, obfuscation, variants, or the emergence of new ransomware. Various studies are being conducted for such ransomware detection, and detection studies using signature-based static analysis and behavior-based dynamic analysis can be seen as the main research type at present. In this paper, the frequency of ".text Section" Opcode and the Native API used in practice was extracted, and the association between feature information selected using K-means Clustering algorithm, Cosine Similarity, and Pearson correlation coefficient was analyzed. In addition, Through experiments to classify and detect worms among other malware types and Cerber-type ransomware, it was verified that the selected feature information was specialized in detecting specific ransomware (Cerber). As a result of combining the finally selected feature information through the above verification and applying it to machine learning and performing hyper parameter optimization, the detection rate was up to 93.3%.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.5
• /
• pp.933-943
• /
• 2022

As the Internet develops and the utilization rate of computers increases, the threats posed by malware keep increasing. This leads to the demand for a system to automatically analyzes a large amount of malware. In this paper, an automatic malware analysis technique using a deep learning algorithm is introduced. Our proposed method uses CNN (Convolutional Neural Network) to analyze the malicious features represented as images. To reflect semantic information of malware for detection, our method uses the opcode frequency data of binary for image generation, rather than using bytes of binary. As a result of the experiments using the datasets consisting of 20,000 samples, it was found that the proposed method can detect malicious codes with 91% accuracy.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.2
• /
• pp.181-192
• /
• 2022

The emergence of new malware is incapacitating existing signature-based malware detection techniques., and applying various anti-analysis techniques makes it difficult to analyze. Recent studies related to signature-based malware detection have limitations in that malware creators can easily bypass them. Therefore, in this study, we try to build a machine learning model that can detect and classify the anti-analysis techniques of packers applied to malware, not using the characteristics of the malware itself. In this study, the n-gram opcodes are extracted from the malicious binary to which various anti-analysis techniques of the commercial packers are applied, and the features are extracted by using TF-IDF, and through this, each anti-analysis technique is detected and classified. In this study, real-world malware samples packed using The mida and VMProtect with multiple anti-analysis techniques were trained and tested with 6 machine learning models, and it constructed the optimal model showing 81.25% accuracy for The mida and 95.65% accuracy for VMProtect.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.19 no.6
• /
• pp.185-190
• /
• 2009

As the use of RSA based on chinese remainder theorem(CRT-RSA) is being generalized, the security of CRT-RSA has been important. Since Bellcore researchers introduced the fault attacks on CRT-RSA, various countermeasures have been proposed. In 1999, Shamir firstly proposed a countermeasure using checking procedure. After Shamir's countermeasure was introduced, various countermeasures based on checking procedure have been proposed. However, Shamir's countermeasure was known to be vulnerable to the modified operand attack by Joey et al. in 2001, and the checking procedure was known to be vulnerable to the modified opcode attack by Yen et al. in 2003. Yen et al. proposed a new countermeasure without checking procedure, but their countermeasure was known to be also vulnerable to the modified operand attack by Yen and Kim in 2007. In this paper, we point out that pre, but countermeasures were vulnerable to the modified operand attack or the modified opcode attack.