Signature Generation to Detect HWP Malware Based on Threat Factors and Attack Patterns
Minji Choe, Dongjae Jung, Homook Cho, YooJae Won
http://doi.org/10.5626/JOK.2023.50.6.451
A recent increase in telecommuting due to the coronavirus disease 2019 (COVID-19) pandemic has led to a growing number of document-type malware attacks, which insert malicious code into the electronic documents mainly used at work. Malicious documents that spread through various routes such as messengers, e-mails, and websites can easily bypass existing behavior-based security solutions and internal e-mail monitoring systems because the malicious code within them is encoded or obfuscated to conceal it. In this paper, we identify and classify five core threat factors by analyzing the structure of HWP documents. We then generate signatures capable of detecting malicious HWP documents by analyzing the attack code patterns of these threat factors. Furthermore, we propose a signature generation method to detect the latest malicious HWP documents effectively. In the future, we plan to further expand our research by applying statistical learning techniques to generate signatures automatically.

Journal of KIISE
- ISSN : 2383-630X(Print)
- ISSN : 2383-6296(Electronic)
- KCI Accredited Journal
Editorial Office
- Tel. +82-2-588-9240
- Fax. +82-2-521-1352
- E-mail. chwoo@kiise.or.kr