YoungHan Choi
Electronics and Telecommunications Research Institute
Publication
Featured research published by YoungHan Choi.
international conference on future generation information technology | 2009
YoungHan Choi; TaeGhyoon Kim; Seokjin Choi; Cheolwon Lee
Recently, most malicious web pages include obfuscated code in order to circumvent signature-based detection systems. It is difficult to decide whether a string is obfuscated because the shape of obfuscated strings changes continuously. In this paper, we propose a novel methodology that can detect obfuscated strings in malicious web pages. We extracted three metrics as rules for detecting obfuscated strings by analyzing patterns of normal and malicious JavaScript code. They are N-gram, Entropy, and Word Size. N-gram checks how many times each byte code is used in strings. Entropy checks the distribution of the byte codes used. Word Size checks whether a very long string is used. Based on the metrics, we implemented a practical tool for our methodology and evaluated it using real malicious web pages. The experimental results showed that our methodology can detect obfuscated strings in web pages effectively.
international conference on advanced communication technology | 2008
Hyoung-Chun Kim; YoungHan Choi; DoHoon Lee; Dong Hoon Lee
File fuzzing is a method that inserts faults into an ordinary file and monitors for errors while the software executes with the fault-inserted file. In this paper, we propose a practical methodology for security testing of software using two file fuzzing approaches. The methodology focuses on the binary fields and tags (in markup languages) of the file. We also show its practical application to WMF and HTML files.
information security and cryptology | 2013
Byoung-Jin Han; YoungHan Choi; Byung-Chul Bae
According to the national information security white paper 2013, the number of hacking attempts in 2012 was 17,570, an increase of 67.4% over 2011, and it has been increasing year after year. The cause of this increase is considered to be the pursuit of monetary profit and the diversification of infection techniques. However, because malicious code is developed faster than the number of experts who analyze and respond to malware increases, it is difficult to respond to security threats due to malicious code. So, interest in automatic analysis tools is increasing. In this paper, we proposed a method of malware classification by similarity using malware DNA. It helps experts to reduce analysis time and to increase correctness. The proposed method generates "Malware DNA" from extracted features, and then calculates similarity to classify the malware.
international conference on advanced communication technology | 2008
YoungHan Choi; Hyoung-Chun Kim; DoHoon Lee
Fuzz testing is a method that inserts unexpected data into the input of a software system and finds its defects in order to perform security testing. In this paper, we proposed a novel methodology that performs API fuzz testing automatically and evaluated it on the Windows system, which most people in the world use. We implemented an automated API fuzz testing tool to which our methodology is applied. Using this tool, we experimented on 1,182 DLL files and 6,117 API functions in a system folder of Windows XP SP2. We found 177 faults in them. Among these faults, 10 are related to the control flow of a program.
international conference on hybrid information technology | 2008
YoungHan Choi; InSook Jan; HyungGeun Oh; DoHoon Lee
In this paper, we propose a methodology for detecting and analyzing the exploit code in non-executable files using virtualization. It is difficult to detect and analyze the exploit code in a non-executable file because the code and real data are mixed in the file. We trace the execution flow of the target software system while parsing the file, and start to analyze the exploit code when the execution flow strays outside of normal modules. The normal module region is the region that the target software system executes normally. By extracting the exploit code from the non-executable file, signatures for detecting the non-executable material, including the exploit code, can be generated.
international conference on hybrid information technology | 2008
DoHoon Lee; YoungHan Choi; Jae-Cheol Ryou
Application programming interface (API) fuzz testing is used to insert unexpected data into the parameters of functions and to monitor for resulting program errors or exceptions in order to test the security of APIs. However, vulnerabilities through which a user cannot insert data into API parameters are not security threats, because attackers cannot exploit such vulnerabilities. In this paper, we propose a methodology that can automatically find paths between inputs of programs and faulty APIs. Where such paths exist, faults in APIs represent security threats. We call our methodology Automated Windows API Fuzz Testing II (AWAFTII). This method extends our previous research for performing API fuzz testing into the AWAFTII process. The AWAFTII process consists of finding faults using API fuzz testing, analyzing those faults, and searching for input data related to parameters of APIs with faults. We implemented a practical tool for AWAFTII and applied it to programs in the system folder of Windows XP SP2. Experimental results show that AWAFTII can detect paths between input of programs and APIs with faults.
Archive | 2012
YoungHan Choi; Deokjin Kim; Sungryoul Lee; Man-hee Lee; Byung-Chul Bae; Sang-Woo Park; E-Joong Yoon
international conference on convergence information technology | 2007
YoungHan Choi; Hyoung-Chun Kim; DoHoon Lee
IEICE Transactions on Communications | 2012
YoungHan Choi; Hyoung-Chun Kim; Dong Hoon Lee
international conference on computational science and its applications | 2008
YoungHan Choi; Hyoung-Chun Kim; HyungGeun Oh; DoHoon Lee