
Malicious Code Neutralizing Method Using Image Format Transforming Based on Nonlinear Transfer Function

  • Journal of Knowledge Information Technology and Systems
  • Abbr : JKITS
  • 2019, 14(3), pp.211-219
  • DOI : 10.34163/jkits.2019.14.3.001
  • Publisher : Korea Knowledge Information Technology Society
  • Research Area : Interdisciplinary Studies > Interdisciplinary Research
  • Received : March 15, 2019
  • Accepted : June 7, 2019
  • Published : June 30, 2019

Dong-Seob Jung (1), Lee Sang Joon (2)

1 Hunesion Co., Ltd.
2 Chonnam National University

Accredited

ABSTRACT

Various evasion techniques have been developed to hide malicious code in image files, which are among the non-executable file types. When unknown malware is hidden in this way, it is difficult to detect with reputation- or signature-based antivirus methods. In this paper, we propose a method for neutralizing hidden malicious code that analyzes the structure of the original image file format and disables the malicious code by transforming the image data area, even when no prior information about the signatures or characteristics of the malicious code is available. The proposed method consists of an image file extraction phase, a file format analysis phase, a file transformation phase, and a management phase for the transformed image file. In the image file transformation phase, the header information is transformed, specific strings in the additional information are filtered out, and the image pixel data is transformed using a nonlinear transfer function. To demonstrate the effectiveness of the proposed method, 10 image files with hidden malicious code, selected from 48,220 of the latest malicious code samples purchased from VirusTotal (paid API), were used in the experiment. After the file extraction phase, the format analysis phase, and the image file transformation phase of the neutralizing method, the experimental results show that the number of virus detections is reduced quantitatively, which verifies the effectiveness of the proposed method. In addition, by using the nonlinear transfer function, the transformed image file neutralized the malicious code while maintaining the same quality as the original image, so that the two could not be distinguished by the naked eye.
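The transformation pipeline the abstract describes (rebuilding the header, filtering strings from the additional information, transforming the pixel data with a nonlinear transfer function, and discarding anything outside the image) is shown below as an added example that is not the paper's own code, written for the binary PPM (P6) format so it runs without image libraries. The gamma value, the PAYLOAD-MARKER stand-in string and the sample image are constructed assumptions.

```python
GAMMA = 0.95                 # assumed curve parameter: near-identity, <= ~5 levels per channel
MARKER = b"PAYLOAD-MARKER"   # constructed stand-in for a hidden payload / signature string

def transfer_lut(gamma=GAMMA):
    """Nonlinear transfer function v -> 255*(v/255)^gamma as a 256-byte lookup table."""
    return bytes(min(255, round(255 * (v / 255) ** gamma)) for v in range(256))

def parse_ppm_header(data):
    """Return (width, height, maxval, pixel_offset); '#' comments are skipped, never copied."""
    toks, pos = [], 0
    while len(toks) < 4:
        while pos < len(data) and data[pos:pos + 1].isspace():
            pos += 1
        if data[pos:pos + 1] == b"#":          # comment line: a common place for smuggled text
            pos = data.index(b"\n", pos) + 1
            continue
        start = pos
        while pos < len(data) and not data[pos:pos + 1].isspace():
            pos += 1
        if start == pos:
            raise ValueError("truncated PPM header")
        toks.append(data[start:pos])
    if toks[0] != b"P6":
        raise ValueError("not a binary PPM")
    w, h, maxval = (int(t) for t in toks[1:])
    if w <= 0 or h <= 0 or maxval != 255:
        raise ValueError("unsupported PPM geometry")
    return w, h, maxval, pos + 1                # one whitespace byte precedes the pixel data

def sanitize_ppm(data, lut=None):
    """Rebuild from parsed fields only: fresh header, exact pixel payload, nonlinear transform."""
    w, h, _, off = parse_ppm_header(data)
    n = w * h * 3
    if len(data) < off + n:
        raise ValueError("pixel data truncated")
    pixels = data[off:off + n]                  # anything appended after the image is dropped
    return b"P6\n%d %d\n255\n" % (w, h) + pixels.translate(lut or transfer_lut())

def max_channel_diff(original, sanitized):
    """Largest per-channel change the transfer function introduced (visual fidelity check)."""
    _, _, _, o = parse_ppm_header(original)
    _, _, _, s = parse_ppm_header(sanitized)
    return max(abs(a - b) for a, b in zip(original[o:], sanitized[s:]))

def build_sample():
    """Constructed 4x2 image with MARKER in a header comment, inside the pixels, and appended."""
    pixels = bytearray(range(0, 240, 10))      # 24 channel bytes, a plain gradient
    pixels[3:3 + len(MARKER)] = MARKER         # overwrite 14 bytes in place, size unchanged
    return b"P6\n# " + MARKER + b"\n4 2\n255\n" + bytes(pixels) + b"\n" + MARKER + b" trailer"
```

Because the output is regenerated from parsed fields rather than copied, the marker disappears from the comment, the trailer and the pixel area, while no channel moves by more than a few levels.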
