A Study of Intelligent Cyber Threat Response Technology

Purpose of research

  • Study of technology to respond to the threat of intelligent malicious code, the principal tool of cyber attacks
  • Providing information on the sources and spreaders of malicious webpages and code to security services for the general public

Research topics

  • Study of technology to respond to intelligent cyber threats

    - MDN analysis through the development of SIMon (Suspicious Information Monitoring system in website)

    - Target of analysis: real-time monitoring of more than 400,000 websites

    - Method of analysis: assessing whether a webpage is malicious by emulating its scripts

    - Results of analysis: a weekly malicious code trend report, published and disseminated on the basis of SIMon monitoring results
    Online service started in February '15 (online weekly trend report)

    - Advancement of SIMon by improving its detection technology step by step as attack techniques change

    · SIMon V2: automated analysis of the vulnerabilities exploited by malicious code and application of Flash vulnerability detection technology

    · SIMon V3: application of technology to detect hidden malicious code distribution websites based on a Human Web Crawler

    Currently monitoring about 2,100,000 websites (diversifying detection conditions by grouping sites by country, field, etc.)

  • Study of a real-machine sandbox for autonomous status monitoring and control based on machine learning, for the analysis of intelligent malicious code

    - Handling analysis evasion that targets the analysis environment, such as the hardware and the execution environment

    - Static analysis of PE files to classify malicious code by type

    - Automatic configuration of the execution environment according to the classified malicious code type

    - Anti-anti-VM techniques for analysing intelligent malicious code that evades analysis

    - Learning malicious code behaviour from a malicious code data set

    - GUI-based autonomous control of malicious code behaviour based on machine learning

    - Collection of malicious behaviour and correlation analysis

    Real-time classification and analysis of about 2,500,000 malicious code samples
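The static PE analysis item above is the one concrete technique the page names for routing a sample to an execution environment. The following is an added example written for this page, not code from the KAIST project or from SIMon: it parses the PE headers and section table by hand, derives a few classic static features (section entropy, which section holds the entry point, writable-and-executable sections) and maps them to a coarse type label. The thresholds, the label names and the two in-memory sample images it builds are constructed for illustration; the page does not describe the project's real feature set or classifier.

```python
import math
import random
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or constant data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> dict:
    """Parse the DOS, COFF and optional headers plus the section table of a PE image."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20                                             # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", blob, opt)[0]              # 0x10B = PE32, 0x20B = PE32+
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]     # AddressOfEntryPoint
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", blob, table + 40 * i)
        raw = blob[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "entropy": shannon_entropy(raw),
            "writable_executable": bool(flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE),
        })
    return {"machine": machine, "pe32plus": magic == 0x20B,
            "entry_rva": entry_rva, "sections": sections}


def extract_features(pe: dict) -> dict:
    """Coarse static features that a sandbox could use to pick an analysis environment."""
    secs = pe["sections"]
    entry = pe["entry_rva"]
    entry_section = next((s["name"] for s in secs
                          if s["virtual_address"] <= entry < s["virtual_address"] + max(s["virtual_size"], 1)),
                         None)
    return {
        "section_count": len(secs),
        "max_entropy": max((s["entropy"] for s in secs), default=0.0),
        "entry_section": entry_section,
        "has_wx_section": any(s["writable_executable"] for s in secs),
    }


def classify(features: dict) -> str:
    """Map features to a coarse type label; thresholds and labels are illustrative (assumed)."""
    if features["max_entropy"] > 7.0 and features["entry_section"] != ".text":
        return "likely-packed"          # compressed/encrypted payload with entry outside .text
    if features["has_wx_section"]:
        return "suspicious-wx-section"  # self-modifying code or an unpacking stub
    return "plain"


def build_sample_pe(packed: bool) -> bytes:
    """Constructed minimal 32-bit PE image for testing; not a real executable."""
    text = b"\x55\x8b\xec\xc3" * 256                       # 4 distinct bytes, equal counts -> entropy 2.0
    rng = random.Random(1)
    body = bytes(rng.getrandbits(8) for _ in range(4096)) if packed else text
    entry = 0x2010 if packed else 0x1000                   # packed sample starts in the UPX1 section
    body_name = b"UPX1" if packed else b".data"
    body_flags = 0xE0000020 if packed else 0xC0000040      # RWX code vs. RW initialized data
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # e_lfanew at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry) + b"\0" * 204
    sec1 = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), 0x200, 0, 0, 0, 0, 0x60000020)
    sec2 = struct.pack("<8sIIIIIIHHI", body_name, len(body), 0x2000, len(body), 0x200 + len(text), 0, 0, 0, 0, body_flags)
    headers = dos + b"PE\0\0" + coff + optional + sec1 + sec2
    return headers + b"\0" * (0x200 - len(headers)) + text + body


if __name__ == "__main__":
    for packed in (False, True):
        pe = parse_pe(build_sample_pe(packed))
        print("packed" if packed else "plain", "->", classify(extract_features(pe)))
```

Entropy alone is a weak signal (legitimately compressed resources also score high), which is why the label combines it with the entry-point location; in a real pipeline such static features would only decide which execution environment a sample is sent to, with the dynamic behaviour analysis supplying the final verdict.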

Expected outcomes

  • Analysis of intelligent malicious code that evades analysis, based on a real machine and active binary handling technology
  • Data set collection and real-machine sandbox technology to monitor and control malicious behaviour based on machine learning
  • Commercialization of the developed technology and technology transfer through industry-academia cooperation
  • A safer cyber environment through the analysis (detection) of malicious code distribution websites and intelligent malicious code
  • National cyber security through an open service

Major accomplishments

  • 2017

    - Registration and patenting of the abnormal-behaviour-monitoring-based DBD detection system software

    - Study of a real-machine sandbox for autonomous status monitoring and control based on machine learning

    - Building the sandbox (to Dec '17) and expanding the open service (to Dec '18)

    - Study of technology for detecting hidden malicious code distribution websites based on a real analysis environment [SIMon V3.0]

  • 2016

    - Study of technology for classifying malicious binaries by analysing working-set memory

    - Study of API pattern extraction technology for malicious binaries using DynamoRIO

  • 2015

    - Study of malicious code detection technology using a real web browser

    - Study of automated analysis based on HIEH for UI malicious code analysis

    - SecureSurf (http://securitylab.kr) opened: Feb '15

  • 2014

    - Patented SIMon (No. 10-1481910)

    - Study of technology for automated analysis (CVE classification) of the vulnerabilities exploited for distribution [SIMon V2.0]

    - SIMon technology transferred to government offices and private businesses

  • 2013

    - Publication/distribution of the KAIST weekly malicious code trend analysis report
      (to major government offices, officials, and the private sector)

    - Registration of the webpage abnormal information detection system software

  • 2012

    - Study of webpage abnormal information detection system (SIMon) technology [SIMon V1.0]
      (real-time monitoring of 420,000 homepages in Korea to detect sites disseminating/spreading malicious code)