• The KIPS Transactions:PartC
• /
• v.13C no.1 s.104
• /
• pp.11-18
• /
• 2006

In the field of network defense, a lot of researches are directed toward locating the source of network attacks. When an intruder launches attack not from their own computer but from intermediate hosts that they previously compromised, and these intermediate hosts are called stepping-stones. There we two kinds of traceback technologies : IP packet traceback and connection traceback. We focused on connection traceback in this paper This paper classifies process structures of detoured attack type in stepping stone, designs an algorithm for traceback agent, and implements the traceback system based on the agent

• Proceedings of the Korea Information Assurance Society Conference
• /
• 2004.05a
• /
• pp.233-239
• /
• 2004

In this paper, we describe a defense mechanism to cope with stepping stones attacks in high-speed networks. (Stepping stones Attacker launches attacks not from their own computer but from intermediary hosts that they previously compromised.) We aim at tracing origin hacker system, which attack target system via stepping stones. There are two kind of traceback technology ; IP packet traceback, or connection traceback. We are concerned with connection traceback in this paper. We propose a new host-based traceback. The purpose of this paper is that distinguish between origin hacker system and stepping stones by using process structure of OS(Operating System).

• Proceedings of the Korea Information Processing Society Conference
• /
• 2003.05c
• /
• pp.2249-2252
• /
• 2003

역추적 기술은 해킹이 발생했을 때 해커의 실제적인 위치를 추적하는 기술이다. 해커의 위치를 추적하기 위해 현재 가장 널리 사용되는 방법은 시스템 관리자의 시스템 로그 분석과 시스템 관리자 사이의 상호 정보 교환을 통한 수동적인 역추적 방법이다. 그러나 수동적인 역추적 방법은 수작업으로 수행되는 시스템 로그 분석과 관리자의 개입으로 인하여 땀은 비용이 요구되고 추적 시간의 지연이 발생하기 때문에 이러한 수동적인 방법으로는 해커의 위치를 실시간으로 추적할 수 없다. 만약, 네트워크의 특정 패킷을 식별 가능한 형태로 가공할 수 있다면, 특정 패킷의 이동 경로를 효과적으로 추적할 수 있어 공격자의 위치를 실시간 역추적 하는데 활용될 수 있다. 본 논문에서는 네트워크의 특정 패킷에 의미적인 워터마크를 삽입하여 워터마크 패킷을 생성하는 워터마크 패킷 생성 시스템을 설계하고 구현한다. 이 시스템은 중간 경유지를 활용하여 우회 공격하는 공격자의 실제 위치를 실시간 역추적 하는 ACT 역추적 기법의 구현에 활용되었다.

• Proceedings of the Korean Information Science Society Conference
• /
• 2002.10c
• /
• pp.487-489
• /
• 2002

본 논문에서는 액티브코드를 이용한 실시간 역추적시스템에 대하여 논한다. 본 시스템은 우회공격의 연결특성을 이용하여 TCP 응용프로그램의 응답메시지에 액티브코드를 덧붙였다. 덧붙여진 액티브코드는 침입자의 근원지 소스측으로 실시간 이동하면서 네트워크 중간노드에서 침입자의 공격에 유연하게 대응한다. 또한, 본 시스템에서는 데이터은닉기법을 적용하여 중간 경유호스트에서 별도의 역추적 시스템을 도입할 필요가 없도록 기존의 환경에 투명성을 부여하였다. 이러한 방법을 통해, 기존의 호스트기반역추적 시스템의 신뢰성문제와 deployment문제를 해결하였다. 본 시스템을 통하여 기존의 네트워크환경에 최소한의 변경으로 침입자의 공격에 실시간적이며 능동적인 대응을 할 수 있다.

• KSCI Review
• /
• v.15 no.1
• /
• pp.53-64
• /
• 2007

Avoid at damage systems in order to avoid own IP address exposure, and an invader does not attack directly a system in recent hacking accidents at these papers, and use Stepping stone and carry out a roundabout attack. Use network audit Policy and use a CIS, AIAA technique and algorithm, the Sleep Watermark Tracking technique that used Thumbprints Algorithm, Timing based Algorithm, TCP Sequence number at network bases, and Presented a traceback system at TCP bases at log bases, and be at these papers Use the existing algorithm that is not one module in a system one harm for responding to invasion technology develop day by day in order to supplement the disadvantage where is physical logical complexity of configuration of present Internet network is large, and to have a fast technology development speed, and presentation will do an effective traceback system.

• KIPS Transactions on Computer and Communication Systems
• /
• v.3 no.3
• /
• pp.87-96
• /
• 2014

Hackers try to achieve their purpose in a variety of ways, such as operating own website and hacking a website. Hackers seize a large amount of private information after they have made a zombie PC by using malicious code to upload the website and it would be used another hacking. Almost detection technique is the use Snort rule. When unknown code and the patterns in IDS/IPS devices are matching on network, it detects unknown code as malicious code. However, if unknown code is not matching, unknown code would be normal and it would attack system. Hackers try to find patterns and make shellcode to avoid patterns. So, new method is needed to detect that kinds of shellcode. In this paper, we proposed a noble method to detect the shellcode by using Shannon's information entropy.

• Journal of the Korea Society of Computer and Information
• /
• v.11 no.4 s.42
• /
• pp.231-241
• /
• 2006

When current cyber attacks to information and communication facilities are examined, technologies such as chase evasion technology and defense deviation technology have been rapidly advanced and many weak systems worldwide are often used as passages. And when newly-developed cyber attack instruments are examined, technologies for prefect crimes such as weakness attack, chase evasion and evidence destruction have been developed and distributed in packages. Therefore, there is a limit to simple prevention technology and according to cases, special procedures such as real-time chase are required to overcome cyber crimes. Further, cyber crimes beyond national boundaries require to be treated in international cooperation and relevant procedural arrangements through which the world can fight against them together. However, in current laws, there are only regulations such as substantial laws including simple regulations on Punishment against violation. In procedure, they are treated based on the same procedure as that of general criminal cases which are offline crimes. In respect to international cooperation system, international criminal private law cooperation is applied based on general criminals, which brings many problems. Therefore, this study speculates the procedural law on cyber crimes and presents actual problems of our country and its countermeasures.

• Journal of KIISE:Information Networking
• /
• v.32 no.1
• /
• pp.1-11
• /
• 2005

Internet has become an essential part of our daily lives. Many of the day to day activities can already be carried out over Internet, and its convenience has greatly increased the number of Internet users. Hut as Internet gains its popularity, the illicit incidents over Internet has also proliferated. The intruder trace-back technology is the one that enables real time tracking the position of the hacker who attempts to invade the system through the various bypass routes. In this paper, the RTS algorithm which is the TCP connection trace-back system using the watermarking technology on Internet is proposed. Furthermore, the trace-bark elements are modeled by analyzing the Proposed trace-back algorithm, and the results of the simulation under the virtual topology network using ns-2, the network simulation tool are presented.