Publication


Featured research published by BooJoong Kang.


International Journal of Information Security | 2015

Malware analysis using visualized images and entropy graphs

Kyoung-Soo Han; Jae Hyun Lim; BooJoong Kang; Eul Gyu Im

Today, along with the development of the Internet, the number of malicious software, or malware, distributed especially for monetary profits, is exponentially increasing, and malware authors are developing malware variants using various automated tools and methods. Automated tools and methods may reuse some modules to develop malware variants, so these reused modules can be used to classify malware or to identify malware families. Therefore, similarities that may exist among malware variants can be analyzed and used for malware variant detection and family classification. This paper proposes a new malware family classification method by converting binary files into images and entropy graphs. The experimental results show that the proposed method can effectively distinguish malware families.


Conference on Information and Knowledge Management | 2013

Software plagiarism detection: a graph-based approach

Dong-Kyu Chae; Jiwoon Ha; Sang-Wook Kim; BooJoong Kang; Eul Gyu Im

As plagiarism of software increases rapidly, there are growing needs for software plagiarism detection systems. In this paper, we propose a software plagiarism detection system using an API-labeled control flow graph (A-CFG) that abstracts the functionalities of a program. The A-CFG can reflect both the sequence and the frequency of APIs, while previous work rarely considers both of them together. To perform a scalable comparison of a pair of A-CFGs, we use random walk with restart (RWR) that computes an importance score for each node in a graph. By the RWR, we can generate a single score vector for an A-CFG and can also compare A-CFGs by comparing their score vectors. Extensive evaluations on a set of Windows applications demonstrate the effectiveness and the scalability of our proposed system compared with existing methods.


Digital Investigation | 2014

Malware categorization using dynamic mnemonic frequency analysis with redundancy filtering

BooJoong Kang; Kyoung-Soo Han; Byeongho Kang; Eul Gyu Im

The battle between malware developers and security analysts continues, and the number of malware and malware variants keeps increasing every year. Automated malware generation tools and various detection evasion techniques are also developed every year. To catch up with the advance of malware development technologies, malware analysis techniques need to be advanced to help security analysts. In this paper, we propose a malware analysis method to categorize malware using dynamic mnemonic frequencies. We also propose a redundancy filtering technique to alleviate drawbacks of dynamic analysis. Experimental results show that our proposed method can categorize malware and can reduce storage overheads of dynamic analysis.


Research in Applied Computation Symposium | 2011

Fast malware family detection method using control flow graphs

BooJoong Kang; Hye Seon Kim; TaeGuen Kim; Heejun Kwon; Eul Gyu Im

As attackers make variants of existing malware, it is possible to detect unknown malware by comparing it with information on already-known malware. Control flow graphs have been used in dynamic analysis of program source code. In this paper, we propose a new method which can analyze and detect malware binaries using control flow graphs and a Bloom filter by abstracting common characteristics of malware families. The experimental results showed that the processing overhead of our proposed method is much lower than that of n-gram based methods.


Research in Applied Computation Symposium | 2011

Malware classification using instruction frequencies

Kyoung-Soo Han; BooJoong Kang; Eul Gyu Im

Developing variants of malware is a common and effective method to avoid the signature detection of antivirus programs. Malware analysis and signature abstraction are essential technologies to update the detection signature DB for malware detection. Since most malware binary analysis processes are performed manually, malware binary analysis is a time-consuming job. Therefore, efficient malware classification can be used to speed up malware binary analysis. As malware variants of the same malware family may share a portion of their binary code, the sequences of instructions may be similar, or even identical. In this paper, we propose a malware classification method that uses instruction frequencies. Our test results show that there are clear distinctions among malware and normal programs.


Research in Adaptive and Convergent Systems | 2013

Function matching-based binary-level software similarity calculation

Yeo Reum Lee; BooJoong Kang; Eul Gyu Im

This paper proposes a method to calculate similarities of software without any source code information. The proposed method can be used for various applications such as detecting source code theft and copyright infringement, as well as locating updated parts of software, including malware. To determine the similarities of software, we used an approach that matches similar functions included in the software. Our function-based matching process is composed of two steps. In step 1, the structural information of the call graph in the binary file is used to match functions, and the matched functions are not processed in step 2, to reduce the number of detailed matchings. In step 2, N-gram similarity-based matching is performed using instruction mnemonics. Using the structural matching proposed in this paper, about 30% improvement in the matching performance is achieved with the four-tuple matching, which also reduces the false positive rate compared to previous studies. Our other experimental results showed that, in comparison to source code-based approaches, our proposed method has only about 3% difference in similarity calculation with real software samples. Therefore, we argue that our proposed method makes a contribution to the field of binary-based software similarity calculation.


Research in Adaptive and Convergent Systems | 2013

Rule-based anti-anti-debugging system

JaeKeun Lee; BooJoong Kang; Eul Gyu Im

Anti-debugging technology refers to various ways of preventing binary files from being analyzed in debuggers or other virtual machine environments. If binary files conceal or modify themselves using anti-debugging techniques, analyzing these binary files becomes harder. Some anti-anti-debugging techniques have been proposed so far, but malware developers make dynamic analysis difficult using various ways, such as execution time delays, debugger detection techniques and so on. In this paper, we propose a rule-based system that can avoid anti-debugging techniques in binary files, and show several samples of anti-debugging applications and how to detect and patch anti-debugging techniques in common utilities or malicious code effectively.


Workshop on Information Security Applications | 2011

Rule indexing for efficient intrusion detection systems

BooJoong Kang; Hye Seon Kim; Ji Su Yang; Eul Gyu Im

As the use of the Internet has increased tremendously, the network traffic involved in malicious activities has also grown significantly. To detect and classify such malicious activities, Snort, the open-source network intrusion detection system, is widely used. Snort examines incoming packets against all Snort rules to detect potentially malicious packets. Because the portion of malicious packets is usually small, it is not efficient to examine incoming packets against all Snort rules. In this paper, we apply two indexing methods to Snort rules, Prefix Indexing and Random Indexing, to reduce the number of rules to be examined. We also present experimental results with the indexing methods.


International Conference on Information Security and Cryptology | 2012

Balanced indexing method for efficient intrusion detection systems

BooJoong Kang; Hye Seon Kim; Ji Su Yang; Eul Gyu Im

To protect a network from malicious activities, intrusion detection systems can be used. Most intrusion detection systems examine incoming packets against detection signatures to detect potentially malicious packets. Because the portion of malicious packets is usually very small, it is not efficient to examine incoming packets against all signatures. In this paper, we propose a method that reduces the number of signatures to be examined and show the experimental results of our proposed method.


IEEE International Conference on Network Infrastructure and Digital Content | 2010

Transfer data optimization in parallel computing

Joonmo Hong; Sung Hoon Yoo; Jisu Yang; BooJoong Kang; Eul Gyu Im

Parallel computing is still evolving. Although there have been great improvements in the field, much still remains to be improved. The major research trend of parallel computing is now shifting from hardware architecture to software technology. We proposed a parallel technique to reduce network latency based on the data's behavior of change, implemented it in the real application GEOS-Chem, and made it faster.
