Advances in artificial intelligence and internet of things technologies have rapidly increased the amount of data collected and generated in real time. The significance of cloud computing, which provides high-performance computation for storing and processing vast amounts of data, is increasing in the era of the Fourth Industrial Revolution when the number of devices connecting to cloud servers is increasing exponentially.
Traditional cloud computing, which operates centrally, causes network congestion and lowers data transmission speeds with increases in data volumes. Furthermore, cloud servers have limited traffic-handling capacities, resulting in longer service response times or even service interruptions.
To address these transmission and processing delays, fog computing, which adds a fog layer to the existing cloud computing environment, has been introduced. Fog computing uses distributed processing to reduce the computing load on cloud servers and minimize network delays by shortening the distance of data transmission.
The cloud computing environment, which interacts with various devices, holds sensitive data such as financial and personal information. Consequently, individual devices become targets for various attacks aimed at exploiting their security vulnerabilities.
Although there have been studies on detecting malware originating from various devices to protect the cloud computing environment from cyber threats, these studies often focus on detection in a specific layer or use the same detection model across multiple layers. This approach makes it difficult to quickly and accurately detect variant and obfuscated malware.
Therefore, this study proposes an active triple malware detection (AcTiM) model, which performs malware detection in various ways across multiple layers to ensure a secure cloud computing environment with low false negatives. First, in the device layer, the AcTiM model rapidly detects known malware based on the hash of the executable file. Based on the results of the primary malware detection, executable files, classified as unknown or benign, are sent to the fog layer, where the AcTiM model determines whether the file is obfuscated based on its entropy. Subsequently, the model extracts five types of static features from non-obfuscated executable files using a static analysis and detects variant malware with similar structural patterns. Finally, the cloud layer performs dynamic analysis on the executable predicted as benign by the fog layer and the obfuscated executable to extract dynamic features related to the behavior of the executable, and detects the obfuscated malware based on them.
The performance of the AcTiM model in malware detection achieved an accuracy of 94.78%, a recall of 0.9794, precision of 0.9535, and an f1-score of 0.9663. The AcTiM model accurately detected both known and variant or obfuscated malware through a sequential detection process across 3-layer, demonstrating superior performance compared to existing malware detection models. Additionally, comparative analyses with various anti-virus engines have confirmed the AcTiM model's effectiveness and its ability to generalize across different types of malware.

Artificial intelligence, internet of things 등의 기술 발전으로 인해 실시간으로 수집 및 생성되는 데이터의 양이 급격하게 증가하고 있다. 또한, cloud server로 연결되는 device의 수가 기하급수적으로 증가하는 4차 산업혁명 시대에서 방대한 양의 데이터를 저장하고 처리하기 위해 high-performance 연산을 제공하는 cloud computing의 중요성이 커지고 있다.
그러나 기존 cloud computing은 중앙 집중식으로 운영되기 때문에 데이터 전송량이 증가함에 따라 네트워크 트래픽이 혼잡해지고 데이터 전송 속도가 느려진다. 또한, cloud server는 트래픽 처리 용량이 제한되어 있어 서비스 응답 시간이 길어지거나 서비스가 중단된다.
이러한 전송 및 처리 지연 문제를 개선하기 위해 기존 cloud computing 환경에 fog layer를 추가하는 fog computing이 도입되었다. Fog computing은 분산 처리를 통해 cloud server의 computing 부하를 줄이고 데이터 전송 거리를 단축시켜 네트워크 지연을 최소화한다.
다양한 device들과 상호작용하는 cloud computing environment에는 금융 정보, 개인 정보 등 기밀 데이터가 저장되어 있다. 이에 따라, 개별 device들의 보안 취약점을 악용하여 cloud server로 접근하기 위한 다양한 공격이 수행되고 있다.
사이버 위협으로부터 cloud computing 환경을 보호하기 위해 다양한 디바이스에서 발생하는 malware를 탐지하는 연구들이 수행되고 있다. 그러나 기존 malware detection 연구들은 특정 layer에서만 malware detection을 수행하거나 다중 layer에서 동일한 detection model을 활용하기 때문에 변종 및 난독화 된 malware를 신속하고 정확하게 탐지하기 어렵다.
따라서 본 연구에서는 다중 layer에서 서로 다른 방식으로 malware detection을 수행하여 false negative가 낮고 안전한 cloud computing environment를 보장하는 active triple malware detection (AcTiM) model을 제안한다. 먼저, device layer에서 AcTiM model은 실행 파일의 hash를 기반으로 알려진 malware를 신속하게 탐지한다. 1차 malware detection 결과에 따라, unknown 및 benign으로 분류된 실행 파일은 fog layer로 전송되며, fog layer에서는 entropy를 기준으로 실행파일의 난독화 여부를 판단한다. 이후, AcTiM model은 static analysis를 통해 난독화되지 않은 실행 파일로부터 5종류의 static feature를 추출하고, 유사한 구조적 패턴을 가진 변종 malware를 탐지한다. 마지막으로, cloud layer에서는 난독화된 실행파일과 fog layer에서 benign으로 예측한 실행파일에 dynamic analysis를 수행하여 실행 파일의 행위와 관련된 dynamic feature를 추출하고, 이를 기반으로 난독화된 malware를 detection한다.
AcTiM model의 malware detection 성능을 평가한 결과, 94.78%의 accuracy, 0.9794의 recall, 0.9535의 precision, 0.9663의 f1-score로 산출되었다. 이러한 AcTiM model은 3개의 layer에서 순차적으로 malware detection을 수행하여 알려진 malware뿐만 아니라 변종 및 난독화된 malware를 정확하게 탐지함으로써 기존 malware detection model들보다 우수한 성능을 보여주었다. 또한, 여러 anti-virus engine들과의 성능 비교 분석을 통해 다양한 유형의 malware에 대한 AcTiM model의 효과성과 일반화 성능을 입증하였다.

• 1. Introduction = 1
• 1.1. Motivation = 1
• 1.2. Objectives = 17
• 1.3. Contribution = 21
• 1.4. Organization = 23
• 2. Background = 26
• 2.1. Malware Analysis Technique = 26
• 2.1.1. Static Analysis Technique = 26
• 2.1.2. Dynamic Analysis Technique = 27
• 2.1.3. Hybrid Analysis Technique = 27
• 2.1.4. Malware Feature = 28
• 2.1.4.1. Byte Sequence = 28
• 2.1.4.2. String = 28
• 2.1.4.3. DLL = 29
• 2.1.4.4. Hash = 29
• 2.1.4.5. Opcode = 30
• 2.1.4.6. API calls = 30
• 2.2. Malware Feature Preprocessing Technique = 31
• 2.2.1. N-gram Technique = 31
• 2.2.2. Graph Technique = 32
• 2.2.3. Vision Technique = 32
• 2.3. Malware Detection Technique = 33
• 2.3.1. Signature-based Malware Detection Technique = 34
• 2.3.2. Heuristic-based Malware Detection Technique = 34
• 2.3.3. Behavior-based Malware Detection Technique = 34
• 2.3.4. AI-based Malware Detection Technique = 35
• 2.4. Malware Detection Performance Metrics = 35
• 2.4.1. Confusion Matrix = 36
• 2.4.2. Performance Metrics = 36
• 2.4.2.1. Accuracy = 36
• 2.4.2.2. Recall = 37
• 2.4.2.3. Precision = 37
• 2.4.2.4. F1-score = 38
• 2.4.2.5. False Negative Rate (FNR) = 38
• 2.4.2.6. False Positive Rate (FPR) = 39
• 2.5. Public Malware Dataset = 39
• 2.5.1. Microsoft Malware Classification Challenge (BIG 2015) Dataset = 39
• 2.5.2. KISA-challenge2019-Malware Dataset = 41
• 2.5.3. VirusShare Malware Dataset = 41
• 2.5.4. BODMAS Dataset = 41
• 2.6. Related Works = 42
• 3. Static Multi Feature-Based Malware Detection using Multi SPP-Net in Smart IoT Environments = 47
• 3.1. Scheme of Mal3S = 47
• 3.1.1. Feature Extraction = 49
• 3.1.2. Feature-to-Image Generation = 49
• 3.1.3. Multi Feature Classification = 51
• 3.2. Mal3S Implementation = 54
• 3.2.1. Feature Extraction = 54
• 3.2.2. Feature-to-Image Generation = 55
• 3.2.3. Multi Feature Classification = 62
• 3.3. Performance Evaluation = 63
• 3.3.1. Malware Detection Performance of Mal3S = 63
• 3.3.1.1. KISA-challenge2019-Malware Dataset = 64
• 3.3.1.2. VirusShare_00387 Dataset = 69
• 3.3.2. Malware Classification Performance of Mal3S = 75
• 3.3.3. Discussion = 84
• 4. Hybrid Malware Detection Based on Bi-LSTM and SPP-Net for Smart IoT = 86
• 4.1. Scheme of HyMalD = 86
• 4.1.1. File Entropy Calculation = 88
• 4.1.2. Static Analysis with the Bi-LSTM Model = 89
• 4.1.2.1. Static Feature Extraction = 89
• 4.1.2.2. Static Feature2Vector = 89
• 4.1.2.3. Static Feature Classification = 90
• 4.1.3. Dynamic Analysis with the SPP-Net Model = 92
• 4.1.3.1. Dynamic Feature Extraction = 92
• 4.1.3.2. Dynamic Feature2Image = 92
• 4.1.3.3. Dynamic Feature Classification = 95
• 4.2. HyMalD Implementation = 96
• 4.2.1. HyMalD Design = 97
• 4.2.2. Static Analysis with the Bi-LSTM Model = 101
• 4.2.2.1. Static Feature Extraction = 101
• 4.2.2.2. Static Feature2Vector = 101
• 4.2.2.3. Static Feature Classification = 102
• 4.2.3. Dynamic Analysis with the SPP-Net Model = 102
• 4.2.3.1. Dynamic Feature Extraction = 103
• 4.2.3.2. Dynamic Feature2Image = 104
• 4.2.3.3. Dynamic Feature Classification = 105
• 4.3. Performance Evaluation = 106
• 4.3.1. Detection Performance for Shannon Entropy = 106
• 4.3.2. Static Feature Classification Performance = 108
• 4.3.3. Dynamic Feature Classification Performance = 110
• 4.3.4. Benchmarking for HyMalD = 113
• 4.3.5. Discussion = 114
• 5. Active Triple Malware Detection Model for Secure Cloud Computing = 115
• 5.1. Scheme of AcTiM = 117
• 5.1.1. Malware Detection of the Device Layer = 117
• 5.1.1.1. Signature Generation = 117
• 5.1.1.2. Signature Detection = 118
• 5.1.2. Malware Detection with Multi SPP-Net Model of the Fog Layer = 119
• 5.1.2.1. Obfuscation Determination = 119
• 5.1.2.2. Static Feature Extraction = 120
• 5.1.2.3. Static Feature Image Generation = 120
• 5.1.2.4. Static Feature Detection = 122
• 5.1.3. Dynamic Malware Detection of the Cloud Layer = 124
• 5.1.3.1. Dynamic Feature Extraction = 124
• 5.1.3.2. Dynamic Feature Image Generation = 124
• 5.1.3.3. Dynamic Feature Detection = 125
• 5.2. AcTiM Implementation = 127
• 5.2.1. Malware Detection of the Device Layer = 127
• 5.2.1.1. Signature Generation = 128
• 5.2.1.2. Signature Detection = 128
• 5.2.2. Malware Detection with Multi SPP-Net Model of the Fog Layer = 131
• 5.2.2.1. Obfuscation Determination = 132
• 5.2.2.2. Static Feature Extraction = 132
• 5.2.2.3. Static Feature Image Generation = 133
• 5.2.2.4. Static Feature Detection = 137
• 5.2.3. Dynamic Malware Detection of the Cloud Layer = 139
• 5.2.3.1. Dynamic Feature Extraction = 139
• 5.2.3.2. Dynamic Feature Image Generation = 140
• 5.2.3.3. Dynamic Feature Detection = 142
• 5.3. Performance Evaluation = 143
• 5.3.1. Detection Performance of AcTiM model = 143
• 5.3.1.1. Known Malware Detection Performance = 144
• 5.3.1.2. Variant Malware Detection Performance = 145
• 5.3.1.3. Obfuscated Malware Detection Performance = 147
• 5.3.2. Comparative Analysis with AcTiM model = 150
• 5.3.2.1. Conventional Malware Detection Models = 150
• 5.3.2.2. Standard Anti-Virus Engines = 151
• 5.3.3. Discussions = 157
• 6. Conclusions = 158
• REFERENCES = 160
• ABSTRACT (In Korean) = 168