Publication


Featured research published by Eul Gyu Im.


IEEE Transactions on Power Delivery | 2014

Multiattribute SCADA-Specific Intrusion Detection System for Power Networks

Yi Yang; Kieran McLaughlin; Sakir Sezer; Timothy Littler; Eul Gyu Im; Bernardi Pranggono; H. F. Wang

The increased interconnectivity and complexity of supervisory control and data acquisition (SCADA) systems in power system networks has exposed the systems to a multitude of potential vulnerabilities. In this paper, we present a novel approach for a next-generation SCADA-specific intrusion detection system (IDS). The proposed system analyzes multiple attributes in order to provide a comprehensive solution that is able to mitigate varied cyber-attack threats. The multiattribute IDS comprises a heterogeneous white list and behavior-based concept in order to make SCADA cybersystems more secure. This paper also proposes a multilayer cyber-security framework based on IDS for protecting SCADA cybersecurity in smart grids without compromising the availability of normal data. In addition, this paper presents a SCADA-specific cybersecurity testbed to investigate simulated attacks, which has been used in this paper to validate the proposed approach.


International Journal of Information Security | 2015

Malware analysis using visualized images and entropy graphs

Kyoung-Soo Han; Jae Hyun Lim; BooJoong Kang; Eul Gyu Im

Today, along with the development of the Internet, the number of malicious software, or malware, distributed especially for monetary profits, is exponentially increasing, and malware authors are developing malware variants using various automated tools and methods. Automated tools and methods may reuse some modules to develop malware variants, so these reused modules can be used to classify malware or to identify malware families. Therefore, similarities that may exist among malware variants can be analyzed and used for malware variant detection and family classification. This paper proposes a new malware family classification method by converting binary files into images and entropy graphs. The experimental results show that the proposed method can effectively distinguish malware families.


IEEE Transactions on Information Forensics and Security | 2013

SVM Training Phase Reduction Using Dataset Feature Filtering for Malware Detection

Philip O'Kane; Sakir Sezer; Kieran McLaughlin; Eul Gyu Im

N-gram analysis is an approach that investigates the structure of a program using bytes, characters, or text strings. A key issue with N-gram analysis is feature selection amidst the explosion of features that occurs when N is increased. The experiments within this paper represent programs as operational code (opcode) density histograms gained through dynamic analysis. A support vector machine is used to create a reference model, which is used to evaluate two methods of feature reduction, which are “area of intersect” and “subspace analysis using eigenvectors.” The findings show that the relationships between features are complex and simple statistics filtering approaches do not provide a viable approach. However, eigenvector subspace analysis produces a suitable filter.


Conference on Information and Knowledge Management | 2013

Software plagiarism detection: a graph-based approach

Dong-Kyu Chae; Jiwoon Ha; Sang-Wook Kim; BooJoong Kang; Eul Gyu Im

As plagiarism of software increases rapidly, there are growing needs for software plagiarism detection systems. In this paper, we propose a software plagiarism detection system using an API-labeled control flow graph (A-CFG) that abstracts the functionalities of a program. The A-CFG can reflect both the sequence and the frequency of APIs, while previous work rarely considers both of them together. To perform a scalable comparison of a pair of A-CFGs, we use random walk with restart (RWR) that computes an importance score for each node in a graph. By the RWR, we can generate a single score vector for an A-CFG and can also compare A-CFGs by comparing their score vectors. Extensive evaluations on a set of Windows applications demonstrate the effectiveness and the scalability of our proposed system compared with existing methods.


Research in Adaptive and Convergent Systems | 2013

Malware analysis method using visualization of binary files

Kyoung-Soo Han; Jae Hyun Lim; Eul Gyu Im

Malware authors have been generating and disseminating malware variants through various ways, such as reusing modules or using automated malware generation tools. With the help of the malware generation techniques, the number of malware keeps increasing every year. Therefore, new malware analysis techniques are needed to reduce malware analysis overheads. Recently several malware visualization methods were proposed to help malware analysts. In this paper, we proposed a novel method to visually analyze malware by transforming malware binary information into image matrices. Our experimental results show that the image matrices of malware can effectively classify malware families.


Digital Investigation | 2014

Malware categorization using dynamic mnemonic frequency analysis with redundancy filtering

BooJoong Kang; Kyoung-Soo Han; Byeongho Kang; Eul Gyu Im

The battle between malware developers and security analysts continues, and the number of malware and malware variants keeps increasing every year. Automated malware generation tools and various detection evasion techniques are also developed every year. To catch up with the advance of malware development technologies, malware analysis techniques need to be advanced to help security analysts. In this paper, we propose a malware analysis method to categorize malware using dynamic mnemonic frequencies. We also proposed a redundancy filtering technique to alleviate drawbacks of dynamic analysis. Experimental results show that our proposed method can categorize malware and can reduce storage overheads of dynamic analysis.


International Conference on IT Convergence and Security, ICITCS | 2012

Malware Classification Methods Using API Sequence Characteristics

Kyoung-Soo Han; In-Kyoung Kim; Eul Gyu Im

Malware is generated to gain profits by attackers, and it infects many users’ computers. As a result, attackers can acquire private information such as login IDs, passwords, e-mail addresses, cell-phone numbers and banking account numbers from infected machines. Moreover, infected machines can be used for other cyber-attacks such as DDoS attacks, spam e-mail transmissions, and so on. The number of new malware discovered every day is increasing continuously because the automated tools allow attackers to generate the new malware or their variants easily. Therefore, a rapid malware analysis method is required in order to mitigate the infection rate and secondary damage to users. In this paper, we proposed a malware variant classification method using sequential characteristics of API used, and described experiment results with some malware samples.


Research in Applied Computation Symposium | 2011

Fast malware family detection method using control flow graphs

BooJoong Kang; Hye Seon Kim; TaeGuen Kim; Heejun Kwon; Eul Gyu Im

As attackers make variants of existing malware, it is possible to detect unknown malware by comparing with already-known malware information. Control flow graphs have been used in dynamic analysis of program source code. In this paper, we proposed a new method which can analyze and detect malware binaries using control flow graphs and Bloom filter by abstracting common characteristics of malware families. The experimental results showed that processing overhead of our proposed method is much lower than n-gram based methods.


Research in Applied Computation Symposium | 2011

Malware classification using instruction frequencies

Kyoung-Soo Han; BooJoong Kang; Eul Gyu Im

Developing variants of malware is a common and effective method to avoid the signature detection of antivirus programs. Malware analysis and signature abstraction are essential technologies to update the detection signature DB for malware detection. Since most malware binary analysis processes are performed manually, malware binary analysis is a time-consuming job. Therefore, efficient malware classification can be used to speed up malware binary analysis. As malware variants of the same malware family may share a portion of their binary code, the sequences of instructions may be similar, or even identical. In this paper, we propose a malware classification method that uses instruction frequencies. Our test results show that there are clear distinctions among malware and normal programs.


Asian Simulation Conference | 2004

A scalable, ordered scenario-based network security simulator

Joo Beom Yun; Eung Ki Park; Eul Gyu Im; Hoh Peter In

A network security simulator becomes more useful for the study on the cyber incidents and their defense mechanisms, as cyber terrors have been increasingly popular. Until now, network security simulations aim at damage estimation of incidents in small-size networks or performance analysis of information protection systems. However, a simulator is needed to handle large-size networks since attacks in these days are based on large-size global networks such as the Internet. The existing simulators have limitations for simulating large-scale Internet attacks. In this paper, a scalable, ordered scenario-based network security simulator is proposed. Our proposed simulator is implemented by expanding the SSFNet program to client-server architectures. A network security scenario is applied to test effectiveness of our proposed simulator.

Collaboration



Top Co-Authors

Sakir Sezer

Queen's University Belfast

Cheolwon Lee

Electronics and Telecommunications Research Institute

Daeok Youn

Chungbuk National University
