Toward detecting advanced persistent threat using malicious non-executable files

Young Han Choi, Hyoung Chun Kim, Dong Hoon Lee

Research output: Contribution to journal › Article

Abstract

An Advanced Persistent Threat (APT) attacks vulnerable applications on a client PC using social engineering and steals its information secretly. Most APTs take control of the client's system by executing malicious code embedded in a non-executable file that the application reads and parses. In this paper, we propose a novel technique to detect a malicious non-executable file regardless of its file format. By regarding every non-executable file as a byte sequence and forcibly executing that sequence from beginning to end, we aim to detect only executable code within the byte sequence. Because executing every byte takes a long time, we select suspicious bytes in a file using patterns of invalid instructions. We implement a tool to evaluate our idea using a debugger engine, which lets us change the flow of execution freely. The experimental results show that our idea is effective. Our idea can prevent APT by detecting malicious files beforehand in a honeynet or on an email server.

Original language: English
Pages (from-to): 1735-1740
Number of pages: 6
Journal: Information (Japan)
Volume: 17
Issue number: 5
Publication status: Published - 2014 Jan 1

ASJC Scopus subject areas

  • General

Cite this

Toward detecting advanced persistent threat using malicious non-executable files. / Choi, Young Han; Kim, Hyoung Chun; Lee, Dong Hoon.

In: Information (Japan), Vol. 17, No. 5, 01.01.2014, p. 1735-1740.

Choi, Young Han; Kim, Hyoung Chun; Lee, Dong Hoon. / Toward detecting advanced persistent threat using malicious non-executable files. In: Information (Japan). 2014; Vol. 17, No. 5. pp. 1735-1740.
@article{8e1ea4c46e2a46a29986da818f8b2e6d,
title = "Toward detecting advanced persistent threat using malicious non-executable files",
keywords = "Advanced Persistent Threats (APT), Exploit Code, Honeynet, Malicious File",
author = "Choi, {Young Han} and Kim, {Hyoung Chun} and Lee, {Dong Hoon}",
year = "2014",
month = "1",
day = "1",
language = "English",
volume = "17",
pages = "1735--1740",
journal = "Information (Japan)",
issn = "1343-4500",
publisher = "International Information Institute",
number = "5",

}

TY - JOUR

T1 - Toward detecting advanced persistent threat using malicious non-executable files

AU - Choi, Young Han

AU - Kim, Hyoung Chun

AU - Lee, Dong Hoon

PY - 2014/1/1

Y1 - 2014/1/1

KW - Advanced Persistent Threats (APT)

KW - Exploit Code

KW - Honeynet

KW - Malicious File

UR - http://www.scopus.com/inward/record.url?scp=84903975835&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84903975835&partnerID=8YFLogxK

M3 - Article

VL - 17

SP - 1735

EP - 1740

JO - Information (Japan)

JF - Information (Japan)

SN - 1343-4500

IS - 5

ER -