143 research outputs found

    Malware Visualization and Similarity via Tracking Binary Execution Path

    Today, computer systems are widely and importantly used throughout society, and malicious codes to take over the system and perform malicious actions are continuously being created and developed. These malicious codes are sometimes found in new forms, but in many cases they are modified from existing malicious codes. Since there are too many threatening malicious codes that are being continuously generated for human analysis, various studies to efficiently detect, classify, and analyze are essential. There are two main ways to analyze malicious code. First, static analysis is a technique to identify malicious behaviors by analyzing the structure of malicious codes or specific binary patterns at the code level. The second is a dynamic analysis technique that uses virtualization tools to build an environment in a virtual machine and executes malicious code to analyze malicious behavior. The method used to analyze malicious codes in this paper is a static analysis technique. Although there is a lot of information that can be obtained from dynamic analysis, there is a disadvantage that it can be analyzed normally only when the environment in which each malicious code is executed is matched. However, since the method proposed in this paper tracks and analyzes the execution stream of the code, static analysis is performed, but the effect of dynamic analysis can be expected. The core idea of this paper is to express the malicious code as a 25 × 25 pixel image using 25 API categories selected. The interaction and frequency of the API is made into a 25 × 25 pixel image based on a matrix using RGB values. When analyzing the malicious code, the Euclidean distance algorithm is applied to the generated image to measure the color similarity, and the similarity of the mutual malicious behavior is calculated based on the final Euclidean distance value.
    As a result of comparing the similarity calculated by the proposed method with the similarity calculated by the existing similarity calculation method, the similarity was calculated to be 5-10% higher on average. The method proposed in this study spends a lot of time deriving results because it analyzes, visualizes, and calculates the similarity of the visualized sample. Therefore, it takes a lot of time to analyze a huge number of malicious codes. A large amount of malware can be analyzed through follow-up studies, and improvements are needed to study the accuracy according to the size of the data set.

    Active illumination using a digital micromirror device for quantitative phase imaging

    We present a powerful and cost-effective method for active illumination using a digital micromirror device (DMD) for quantitative phase imaging techniques. Displaying binary illumination patterns on a DMD with appropriate spatial filtering, plane waves with various illumination angles are generated and impinged onto a sample. Complex optical fields of the sample obtained with various incident angles are then measured via Mach-Zehnder interferometry, from which a high-resolution two-dimensional synthetic aperture phase image and a three-dimensional refractive index tomogram of the sample are reconstructed. We demonstrate the fast and stable illumination control capability of the proposed method by imaging colloidal spheres and biological cells, including a human red blood cell and a HeLa cell

    Isolation and characterization of NgRLK1, a receptor-like kinase of Nicotiana glutinosa that interacts with the elicitin of Phytophthora capsici

    Elicitins, extracellular proteins from Phytophthora fungi, elicit a hypersensitivity response (HR), including systemic acquired resistance, in some plants. The elicitin capsicein (~10 kDa) was purified by FPLC from culture filtrates of P. capsici. Purified native and recombinant capsicein induced a hypersensitive response in leaves of the non-host plants Nicotiana glutinosa and Brassica rapa subsp. pekinensis. To search for candidate capsicein-interacting proteins from N. glutinosa, a yeast two-hybrid assay was used. We identified a protein interactor that is homologous to a serine/threonine kinase of the plant receptor-like kinase (RLK) group and designated it NgRLK1. The ORF of NgRLK1 encodes a polypeptide of 832 amino acids (93,490 Da). A conserved domain analysis revealed that NgRLK1 has structural features typical of a plant RLK. NgRLK1 was autophosphorylated, with higher activity in the presence of Mn2+ than Mg2+