Patents by Inventor Jeong Hyun Yi

Jeong Hyun Yi has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 12287846
    Abstract: A code sequence based intelligent key code identification method includes extracting Smali code sequence by decompiling an application, vectorizing the extracted Smali code sequence to construct a training dataset, training a deep learning model with the vectorized Smali code sequence to generate a classifier, generating a category classification result using Smali code sequence of a target application as input of the classifier, and identifying and providing important Smali code sequence from which the classification result of the target application is derived. Accordingly, it is possible to objectively evaluate the application using Smali code sequence of the application being actually run.
    Type: Grant
    Filed: January 28, 2021
    Date of Patent: April 29, 2025
    Assignee: FOUNDATION OF SOONGSIL UNIVERSITY-INDUSTRY COOPERATION
    Inventors: Jeong Hyun Yi, Yeong Hun Ban
  • Publication number: 20240386105
    Abstract: A method for detecting a mobile malicious application based on an implementation feature, performed in a mobile malicious application detection apparatus based on an implementation feature, comprises decompiling a labeled application to remove preset information; extracting an abstract syntax tree (AST) that is an implementation feature for each method; generating an AST node list; generating and vectorizing the generated AST node list as a learning dataset for deep learning; generating a classification model by learning a vectorized learning dataset; and outputting a classification result of a target application based on the classification model. This can reduce the false positive rate, extract many features from the obfuscated application, and detect malicious applications by classifying mobile applications as normal or malicious behaviors based on the behaviors performed by the application.
    Type: Application
    Filed: April 1, 2022
    Publication date: November 21, 2024
    Applicant: Foundation of Soongsil University-Industry Cooperation
    Inventors: Jeong Hyun YI, Hae Hyun CHO, Sun Jun LEE, Young Hoon BAN
  • Publication number: 20240220636
    Abstract: Provided is a unit test case-based security design flaw detection method performed in a security design flaw detection apparatus for detecting a security design flaw of a software system, and the method comprises collecting a unit test case for the software system from an external device and preprocessing the unit test case; generating a first test case by testing whether the software system violates a security policy using the preprocessed unit test case; generating a second test case that is a data set for testing a function of the software system based on the first test case; and detecting a vulnerability of the software system by executing the second test case.
    Type: Application
    Filed: October 12, 2022
    Publication date: July 4, 2024
    Applicant: Foundation of Soongsil University-Industry Cooperation
    Inventors: Jeong Hyun YI, Haehyun CHO, Kyungmin SIM, Sunjun LEE, Geochang JEON
  • Patent number: 11934495
    Abstract: A device for automatically identifying anti-analysis techniques by using the signature extraction, includes an extraction unit which extracts a DEX file and an ELF file from an application file after unpacking the application file, which is in an APK format and includes compressed execution code to be executed on Android, a detection unit which receives the acquired signature classified according to types of the signature, analytically compares the input signature with the signature stored in a database, and detects the signature used in anti-analysis techniques, and a determination unit which determines according to the detected signature what anti-analysis technique is applied to the application. According to the present invention, it is possible to enable an appropriate and quick response to damages due to malicious applications by shortening the time required for analysis and automatically recognizing the application to which the anti-analysis technique is applied.
    Type: Grant
    Filed: November 26, 2018
    Date of Patent: March 19, 2024
    Assignee: FOUNDATION OF SOONGSIL UNIVERSITY-INDUSTRY COOPERATION
    Inventors: Jeong Hyun Yi, Min Koo Kang
  • Patent number: 11928220
    Abstract: A method for evaluating the risk of data leakage in an application includes the steps of: extracting a DEX (Dalvik Executable) file and a so (Shared Object) file by decompressing an APK file of a mobile application; extracting DEX code information from the DEX file by parsing the DEX file; translating a content of the so file into IR (Intermediate Representation); extracting IR code information from the translated IR; generating a call-reference structure between the DEX file and the so file by processing the extracted DEX code information and the extracted IR code information; and outputting weakness information according to a risk designated in advance based on the generated call-reference structure. Accordingly, it is possible to extend the call-reference coverage of an Android application.
    Type: Grant
    Filed: April 1, 2021
    Date of Patent: March 12, 2024
    Assignee: FOUNDATION OF SOONGSIL UNIVERSITY-INDUSTRY COOPERATION
    Inventors: Jeong Hyun Yi, Minseong Choi, Sunjun Lee
  • Patent number: 11886589
    Abstract: A process wrapping method for bypassing native code anti-analysis includes receiving an execution instruction intended to run in an application from an Android framework when the application starts, extracting metadata of string and method from a compiled OAT file using an oatdump tool in the Android framework, determining if anti-analysis techniques are applied by comparing with information of a database (DB) based on the transmitted execution instruction and the extracted metadata, modifying the execution instruction based on the determined information when the anti-analysis technique is applied, and sending the modified execution instruction back to the Android framework. Accordingly, it is possible to provide an environment in which malicious applications to which anti-analysis techniques are applied can be easily analyzed.
    Type: Grant
    Filed: January 28, 2021
    Date of Patent: January 30, 2024
    Assignee: FOUNDATION OF SOONGSIL UNIVERSITY-INDUSTRY COOPERATION
    Inventors: Jeong Hyun Yi, Yong Gu Shin
  • Patent number: 11809557
    Abstract: A mobile malicious code classification method based on feature selection includes extracting Application Programming Interface (API) feature information including a package name, a class name, a method name and a description from a malicious application of a predefined category, vectorizing a training dataset generated using the package name, the class name and the method name in the API feature information for deep learning, learning the vectorized training dataset to generate a classifier, probabilistically classifying to fit a target malicious application into a category, and defining the category of the target malicious application using a result of the classification and outputting a classification important API. Accordingly, it is possible to deal with malicious behaviors of malicious applications quickly and prevent damage caused by the malicious behaviors.
    Type: Grant
    Filed: January 29, 2021
    Date of Patent: November 7, 2023
    Assignee: FOUNDATION OF SOONGSIL UNIVERSITY-INDUSTRY COOPERATION
    Inventors: Jeong Hyun Yi, Eun Byeol Ko
  • Patent number: 11768938
    Abstract: A mobile application malicious behavior pattern detection method based on Application Programming Interface (API) call graph extraction includes extracting an API Call Graph (ACG) representing an API call flow from benign applications and applications which perform malicious behavior, generating and vectorizing a training dataset for deep learning using the extracted ACG, generating a deep learning algorithm prediction model by training with the vectorized training dataset, extracting ACG features used in the malicious behavior from the generated prediction model and extracting a malicious behavior pattern from an intersection of the malicious applications, and classifying an application which performs malicious behavior through similarity comparison between the extracted malicious behavior pattern and a pattern extracted from the target application. Accordingly, it is possible to detect the malicious behavior itself using the ACG representing an API call flow.
    Type: Grant
    Filed: November 26, 2020
    Date of Patent: September 26, 2023
    Assignee: FOUNDATION OF SOONGSIL UNIVERSITY-INDUSTRY COOPERATION
    Inventors: Jeong Hyun Yi, Jin Sung Kim
  • Publication number: 20220245259
    Abstract: A method for evaluating the risk of data leakage in an application includes the steps of: extracting a DEX (Dalvik Executable) file and a so (Shared Object) file by decompressing an APK file of a mobile application; extracting DEX code information from the DEX file by parsing the DEX file; translating a content of the so file into IR (Intermediate Representation); extracting IR code information from the translated IR; generating a call-reference structure between the DEX file and the so file by processing the extracted DEX code information and the extracted IR code information; and outputting weakness information according to a risk designated in advance based on the generated call-reference structure. Accordingly, it is possible to extend the call-reference coverage of an Android application.
    Type: Application
    Filed: April 1, 2021
    Publication date: August 4, 2022
    Inventors: Jeong Hyun YI, Minseong CHOI, Sunjun LEE
  • Patent number: 11403371
    Abstract: Provided is a method for bypassing an analysis evasion technique, which includes: loading a dummy DEX file; parsing a dummy method containing a dummy code from the dummy DEX file; a bypass point identifying step of determining whether a function to be currently called is a bypass target function to which the analysis evasion technique is applied; a branch target point changing step of changing information according to the determination result so that the dummy code is executed instead of the call target function; and a dummy code executing step of transmitting the dummy code to a framework of the application, so that a modulated framework is executed with a bypass code.
    Type: Grant
    Filed: August 18, 2020
    Date of Patent: August 2, 2022
    Assignee: FOUNDATION OF SOONGSIL UNIVERSITY-INDUSTRY COOPERATION
    Inventors: Jeong Hyun Yi, Sunjun Lee
  • Publication number: 20220207296
    Abstract: A code sequence based intelligent key code identification method includes extracting Smali code sequence by decompiling an application, vectorizing the extracted Smali code sequence to construct a training dataset, training a deep learning model with the vectorized Smali code sequence to generate a classifier, generating a category classification result using Smali code sequence of a target application as input of the classifier, and identifying and providing important Smali code sequence from which the classification result of the target application is derived. Accordingly, it is possible to objectively evaluate the application using Smali code sequence of the application being actually run.
    Type: Application
    Filed: January 28, 2021
    Publication date: June 30, 2022
    Inventors: Jeong Hyun YI, Yeong Hun BAN
  • Publication number: 20220179955
    Abstract: A mobile malicious code classification method based on feature selection includes extracting Application Programming Interface (API) feature information including a package name, a class name, a method name and a description from a malicious application of a predefined category, vectorizing a training dataset generated using the package name, the class name and the method name in the API feature information for deep learning, learning the vectorized training dataset to generate a classifier, probabilistically classifying to fit a target malicious application into a category, and defining the category of the target malicious application using a result of the classification and outputting a classification important API. Accordingly, it is possible to deal with malicious behaviors of malicious applications quickly and prevent damage caused by the malicious behaviors.
    Type: Application
    Filed: January 29, 2021
    Publication date: June 9, 2022
    Inventors: Jeong Hyun YI, Eun Byeol KO
  • Publication number: 20220164447
    Abstract: A mobile application malicious behavior pattern detection method based on Application Programming Interface (API) call graph extraction includes extracting an API Call Graph (ACG) representing an API call flow from benign applications and applications which perform malicious behavior, generating and vectorizing a training dataset for deep learning using the extracted ACG, generating a deep learning algorithm prediction model by training with the vectorized training dataset, extracting ACG features used in the malicious behavior from the generated prediction model and extracting a malicious behavior pattern from an intersection of the malicious applications, and classifying an application which performs malicious behavior through similarity comparison between the extracted malicious behavior pattern and a pattern extracted from the target application. Accordingly, it is possible to detect the malicious behavior itself using the ACG representing an API call flow.
    Type: Application
    Filed: November 26, 2020
    Publication date: May 26, 2022
    Inventors: Jeong Hyun YI, Jin Sung KIM
  • Publication number: 20220164446
    Abstract: A process wrapping method for bypassing native code anti-analysis includes receiving an execution instruction intended to run in an application from an Android framework when the application starts, extracting metadata of string and method from a compiled OAT file using an oatdump tool in the Android framework, determining if anti-analysis techniques are applied by comparing with information of a database (DB) based on the transmitted execution instruction and the extracted metadata, modifying the execution instruction based on the determined information when the anti-analysis technique is applied, and sending the modified execution instruction back to the Android framework. Accordingly, it is possible to provide an environment in which malicious applications to which anti-analysis techniques are applied can be easily analyzed.
    Type: Application
    Filed: January 28, 2021
    Publication date: May 26, 2022
    Inventors: Jeong Hyun YI, Yong Gu SHIN
  • Publication number: 20220156370
    Abstract: An obfuscated identifier detection method based on natural language processing includes: converting an input obfuscated apk to smali code level, inspecting an obfuscated string in identifiers of the smali code acquired from a smali code converter, extracting information necessary for deobfuscation and frequency of the identifiers when there is the obfuscated string, storing frequency, type and name information of identifiers calculated from information extracted from an unobfuscated apk, and acquiring and deobfuscating an identifier type name having a most similar frequency in an identifier name database (DB) using information extracted from an obfuscated information extractor. Accordingly, it is possible to reduce delay in analysis and achieve faster analysis by automatically renaming the code that is difficult to understand due to identifier conversion obfuscation.
    Type: Application
    Filed: November 25, 2020
    Publication date: May 19, 2022
    Inventors: Jeong Hyun YI, Geochang JEON
  • Patent number: 11019099
    Abstract: Provided is a method of application malware detection based on dynamic Application Programming Interface (API) extraction, and a readable medium and an apparatus for performing the same. The method of application malware detection based on dynamic API extraction includes generating an API classifier which classifies an input API as malicious or benign using API used in a sample application classified as malicious application apps or benign application apps, and inputting a pre-stored target API into the API classifier to classify the target API as malicious or benign.
    Type: Grant
    Filed: July 18, 2019
    Date of Patent: May 25, 2021
    Assignee: Foundation of Soongsil University-Industry Cooperation
    Inventors: Jeong Hyun Yi, Kichang Kim
  • Publication number: 20210141875
    Abstract: A device for automatically identifying anti-analysis techniques by using the signature extraction, includes an extraction unit which extracts a DEX file and an ELF file from an application file after unpacking the application file, which is in an APK format and includes compressed execution code to be executed on Android, a detection unit which receives the acquired signature classified according to types of the signature, analytically compares the input signature with the signature stored in a database, and detects the signature used in anti-analysis techniques, and a determination unit which determines according to the detected signature what anti-analysis technique is applied to the application. According to the present invention, it is possible to enable an appropriate and quick response to damages due to malicious applications by shortening the time required for analysis and automatically recognizing the application to which the anti-analysis technique is applied.
    Type: Application
    Filed: November 26, 2018
    Publication date: May 13, 2021
    Applicant: FOUNDATION OF SOONGSIL UNIVERSITY-INDUSTRY COOPERATION
    Inventors: Jeong Hyun YI, Min Koo KANG
  • Publication number: 20210056182
    Abstract: Provided is a method for bypassing an analysis evasion technique, which includes: loading a dummy DEX file; parsing a dummy method containing a dummy code from the dummy DEX file; a bypass point identifying step of determining whether a function to be currently called is a bypass target function to which the analysis evasion technique is applied; a branch target point changing step of changing information according to the determination result so that the dummy code is executed instead of the call target function; and a dummy code executing step of transmitting the dummy code to a framework of the application, so that a modulated framework is executed with a bypass code.
    Type: Application
    Filed: August 18, 2020
    Publication date: February 25, 2021
    Inventors: Jeong Hyun Yi, Sunjun Lee
  • Patent number: 10878086
    Abstract: A dynamic code extraction-based automatic anti-analysis evasion and code logic analysis apparatus, includes: a recognition module that extracts a DEX file and a SO file by unpacking an execution code of an application and recognizes an analysis avoidance technique by comparing a signature which is included in the extracted DEX file and SO file; an instrumentation module that extracts a code to be analyzed from a byte code configuring the DEX file and a native code configuring the SO file, compares the extracted code with the data stored in a database, and outputs a code excluding an anti-analysis technique as a log file; and a deobfuscation module that deobfuscates an obfuscated code which is included in the APK on the basis of the output log file and generates an APK file in which an obfuscation technique is released on the basis of the deobfuscated code.
    Type: Grant
    Filed: November 22, 2018
    Date of Patent: December 29, 2020
    Assignee: Foundation of Soongsil University-Industry Cooperation
    Inventors: Jeong Hyun Yi, Jongsu Lim, Sun Jun Lee, Yong Gu Shin, Kyu Ho Kim
  • Publication number: 20200344261
    Abstract: Provided is a method of application malware detection based on dynamic Application Programming Interface (API) extraction, and a readable medium and an apparatus for performing the same. The method of application malware detection based on dynamic API extraction includes generating an API classifier which classifies an input API as malicious or benign using API used in a sample application classified as malicious application apps or benign application apps, and inputting a pre-stored target API into the API classifier to classify the target API as malicious or benign.
    Type: Application
    Filed: July 18, 2019
    Publication date: October 29, 2020
    Inventors: Jeong Hyun Yi, Kichang Kim