Variant Malware Detection Technique Using Process Mining (프로세스 마이닝을 이용한 변종 악성코드 탐지 기법)

In the past, most hacking and malicious activity carried out over the Internet had no particular purpose. Recent cyber attacks, however, are carried out for financial and social gain. In particular, the likelihood of exposure to cyber threats such as ransomware, cloud-based attacks, APT, and DDoS has increased significantly with recent advances in information technology, and there is a need for continuous countermeasures against the new and unknown variant malicious codes that keep appearing. A typical method for detecting variant malicious codes is heuristic-based detection, which predicts and detects possible malicious codes in advance based on the malicious codes detected so far. Heuristic diagnosis is generally classified into signature-based and behavior-based diagnosis according to the time at which the diagnosis is made. The signature heuristic diagnosis presented in this paper for detecting variant malicious behavior is a technique that diagnoses a specific condition (code) suspected of being malicious. The key to this technique is that variants suspected of malicious behavior are detected when they share similar detection rules, patterns, or code. The technique has drawbacks, however: the detection time, the occurrence of errors, and the high likelihood of misdiagnosing a normal file as a malicious one. To overcome these drawbacks, we propose a variant malicious code detection technique using process mining. Process mining derives a process model from event logs, which is very useful for finding processes that have not been visualized. Each process model is built by refining the API function data of the malicious file obtained through static analysis.
Based on the results of the process modeling and on three similarity features (the similarity between the normal file and the malicious file, the similarity among the classified malicious code groups, and the typical similarity of each malicious code group), the code is classified as a variant when it matches an exceptional process pattern rather than a normal process pattern.
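The abstract describes the core of the approach: API function sequences become event logs, process mining turns each log into a process model, and a sample is judged a variant by comparing its model against the normal group and the known malicious groups. The following is an added illustration, not code from the thesis: it uses a directly-follows graph as the process model, Jaccard similarity over the graph's edges as the similarity measure, and a fixed decision threshold. The API call traces, the family groupings, and the threshold value are constructed for this example and are not the thesis's data.

```python
"""Process-mining style comparison of API-call event logs (added example).

Each trace is the ordered list of API function names recovered for one file
(the thesis obtains them by static analysis; here they are hand-written). The
directly-follows graph (DFG) of a log is the process model, and the Jaccard
similarity of two models' edge sets is the similarity measure. All names,
traces and the threshold are assumptions for illustration only.
"""
from collections import Counter
from itertools import combinations


def directly_follows(traces):
    """Build the process model: count every (a, b) pair where API b directly follows a."""
    dfg = Counter()
    for trace in traces:
        dfg.update(zip(trace, trace[1:]))
    return dfg


def similarity(model_a, model_b):
    """Jaccard similarity of two DFG edge sets: 0 = nothing in common, 1 = identical."""
    a, b = set(model_a), set(model_b)
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def typical_similarity(traces):
    """Mean pairwise similarity inside one group (the group's 'typical' similarity)."""
    models = [directly_follows([t]) for t in traces]
    pairs = list(combinations(models, 2))
    if not pairs:
        return 1.0
    return sum(similarity(x, y) for x, y in pairs) / len(pairs)


# Constructed reference logs: a benign group and one malicious family.
NORMAL_LOGS = [
    ["CreateFileW", "ReadFile", "CloseHandle"],
    ["CreateFileW", "ReadFile", "WriteFile", "CloseHandle"],
]
FAMILY_LOGS = [
    ["FindFirstFileW", "CryptEncrypt", "WriteFile", "DeleteFileW", "FindNextFileW"],
    ["FindFirstFileW", "CryptEncrypt", "WriteFile", "FindNextFileW"],
]

NORMAL_MODEL = directly_follows(NORMAL_LOGS)
FAMILY_MODEL = directly_follows(FAMILY_LOGS)


def classify(trace, threshold=0.5):
    """Return (label, similarity_to_normal, similarity_to_family) for one trace.

    A trace is a 'variant' when its model resembles the malicious family at least
    as much as the threshold and more than it resembles the normal group; it is
    'normal' when it resembles the normal group; otherwise it is 'unknown' and
    should be queued for analysis rather than silently accepted.
    """
    model = directly_follows([trace])
    s_normal = similarity(model, NORMAL_MODEL)
    s_family = similarity(model, FAMILY_MODEL)
    if s_family >= threshold and s_family > s_normal:
        return "variant", s_normal, s_family
    if s_normal >= threshold:
        return "normal", s_normal, s_family
    return "unknown", s_normal, s_family


if __name__ == "__main__":
    # A constructed trace that re-orders and repeats family behaviour (a "variant").
    sample = ["FindFirstFileW", "CryptEncrypt", "WriteFile", "FindNextFileW", "CryptEncrypt"]
    print(classify(sample))
    print("family typical similarity:", typical_similarity(FAMILY_LOGS))
```

The DFG keeps only adjacency between API calls, so a variant that re-orders or repeats steps still shares most edges with its family while sharing none with the benign group; that is what the comparison above exploits. A real deployment would derive the threshold from each group's typical similarity instead of a constant, and would treat "unknown" as a triage queue rather than a clean verdict.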
Alternative Title
Variant Malware Behavior Detection Technique Using Process Mining
Alternative Author(s)
Jihoon Han
Department of Software Convergence Engineering, Graduate School of Industrial Technology Convergence
Awarded Date
2018. 2
Table Of Contents
Ⅰ. Introduction
A. Research Background and Objectives
B. Research Content and Structure
Ⅱ. Related Work
A. Malicious Behavior Detection and Classification Methods
B. Process Mining
Ⅲ. Malware Detection Method Applying Process Mining
A. System Architecture
B. API Function Based Feature Extraction
C. Malicious Behavior API Function Patterns
D. Application of Process Mining for Malicious Behavior Detection
Ⅳ. Experimental Evaluation Method and Result Analysis
A. Experimental Data Set
B. Performance Evaluation
Ⅴ. Conclusion and Suggestions
References
Chosun University, Graduate School of Industrial Technology Convergence
Han, Jihoon. (2017). Variant Malware Detection Technique Using Process Mining (프로세스 마이닝을 이용한 변종 악성코드 탐지 기법)
Appears in Collections:
Engineering > Theses (Master) (Graduate School of Industrial Technology and Entrepreneurship)