Design and Implementation of Preprocessing Part for Dynamic Code Analysis

  • 김현철 (Department of Computer Software, Namseoul University)
  • Received : 2019.09.06
  • Accepted : 2019.09.21
  • Published : 2019.09.30

Abstract

Recently, with the appearance of various types of malware, existing static analysis has exposed many limitations. Static analysis means analyzing the structure of a code or program from its source code or object code without actually executing the (malicious) code. Dynamic analysis in the field of information security, on the other hand, generally means executing the (malware) code directly and comparing and examining the state before and after execution to grasp the execution flow of the program. However, dynamic analysis requires analyzing huge amounts of data and logs, and it has been difficult to actually store all execution flows. In this paper, we propose and implement a preprocessor architecture for a system that performs malware detection and real-time multi-dynamic analysis based on 2nd generation PT in a Windows environment (Windows 10 R5 and above).
