
The Next Generation Malware Information Collection Architecture for Cybercrime Investigation

  • Received : 2020.10.05
  • Accepted : 2020.11.02
  • Published : 2020.11.30

Abstract

Recently, cybercrime has become increasingly difficult to track because of the adoption of new techniques such as virtualization and evasion of distribution-site tracking. As a result, techniques that track distributors from malicious code information obtained through static and dynamic analysis have reached their limits. Moreover, in cyber investigation it is more important to track down the distributors of malicious code than to analyze the malicious code itself. In this paper, we therefore propose a next-generation malicious code information collection architecture that tracks malicious code distributors efficiently by converging traditional analysis methods with recent information collection methods such as OSINT and intelligence. The proposed architecture is based on the differences between the existing malicious code analysis system and the analysis system of the investigative viewpoint, and it relates the necessary elemental technologies from the perspective of cybercrime. Thus, the proposed architecture can be a key approach to tracking distributors in cybercrime investigations.

Recently, cybercrime has become increasingly difficult to track as new technologies such as virtualization and evasion of distribution-site tracking are applied. Therefore, traditional malicious code analysis methods such as static and dynamic analysis have limits in tracking malicious code distributors. In addition, in the field of cyber investigation, tracking the distributor of malicious code is more important than analyzing the malicious code itself. Accordingly, this paper proposes a next-generation malicious code information collection architecture that converges traditional analysis methods with recent information collection methods such as OSINT and intelligence in order to track malicious code distributors efficiently. The architecture proposed in this paper is based on the differences between the existing malicious code analysis system and the investigation-oriented analysis system, and by relating the elemental technologies required from the perspective of cybercrime, it can be a key approach for tracking distributors in cybercrime investigations.


Cited by

  1. Development of an Extended Workflow for Timeline Profiling Based on Open Source Information, vol.19, pp.3, 2020, https://doi.org/10.14400/jdc.2021.19.3.187