프로세스 마이닝을 이용한 변종 악성코드 탐지 기법

Abstract

In the past, most hacking and malicious acts via the Internet were carried out without any special purpose. However, recent cyber attacks have been carried out to gain financial and social benefits. In particular, the possibility of exposure to cyber threats such as Ransomware, Cloud, APT, and DDos has increased significantly due to the recent advancement of information technology. In addition, there is a need for continuous action to counter new and unknown variant malicious codes that continuously come out. A typical method for detecting variant malicious codes is heuristic based detection. Heuristic based detection is to predict and detect possible malicious codes in advance based on the malicious codes that have been detected so far. In general, heuristic diagnosis can be classified into signature and behavior-based diagnosis depending on diagnosis time. Signature heuristic diagnosis presented in this paper to detect variant malicious behavior is a technique to diagnose a specific condition (code) that is suspected to be malicious codes. The key to this technique is to detect variants suspect of malicious behavior in case they have similar detection rules, patterns, or codes. However, there are some drawbacks with this technique, namely, the detection time, the error occurrence, and the high possibility of misdiagnosing a normal file as a malicious file. To overcome these drawbacks, we propose a variant malicious code detection technique using process mining. Process mining is to derive a process model from the event logs, which can be very useful for finding processes that are not visualized. Each process module is created by refining the API function data of the malicious file through the static analysis. The code is classified as a variant when it is set as an exceptional process pattern instead of a normal process pattern, based on the results of the process modeling and the features of the similarity between the normal file and the malicious file, the similarity among the classified malicious code groups, and the typical similarity of the malicious code groups.