• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.34 no.1
• /
• pp.71-82
• /
• 2024

With the advancement of information and communication technology (ICT), the use of electronic document types such as PDF, MS Office, and HWP files has increased. Such trend has led the cyber attackers increasingly try to spread malicious documents through e-mails and messengers. To counter such attacks, AI-based methodologies have been actively employed in order to detect malicious document files. The main challenge in detecting malicious HWP(Hangul Word Processor) files is the lack of quality dataset due to its usage is limited in Korea, compared to PDF and MS-Office files that are highly being utilized worldwide. To address this limitation, data augmentation have been proposed to diversify training data by transforming existing dataset, but as the usefulness of the augmented data is not evaluated, augmented data could end up harming model's performance. In this paper, we propose an effective semi-supervised learning technique in detecting malicious HWP document files, which improves overall AI model performance via quantifying the utility of augmented data and filtering out useless training data.

• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.16 no.10
• /
• pp.7211-7218
• /
• 2015

Tens of thousands of malicious codes are generated on average in a day. New types of malicious codes are surging each year. Diverse methods are used to detect such codes including those based on signature, API flow, strings, etc. But most of them are limited in detecting new malicious codes due to bypass techniques. Therefore, a lot of researches have been performed for more efficient detection of malicious codes. Of them, visualization technique is one of the most actively researched areas these days. Since the method enables more intuitive recognition of malicious codes, it is useful in detecting and examining a large number of malicious codes efficiently. In this paper, we analyze the relationships between malicious codes and Native API functions. Also, by applying the word cloud with text mining technique, major Native APIs of malicious codes are visualized to assess their maliciousness. The proposed malicious code analysis method would be helpful in intuitively probing behaviors of malware.

• Proceedings of the Korean Information Science Society Conference
• /
• 2006.06c
• /
• pp.253-255
• /
• 2006

국방정보보호 통합관리 기술을 개발하기 위한 테스트베드 구축에서 중요한 부분 중에 하나인 정보보호 가상망 모델링 시뮬레이션 시스템을 개발하였다. 본 시스템은 실재 망과 유사한 정보보호 환경을 제공하기 위하여 정보보호 환경을 구성하는 정보보호 객체(호스트, 네트워크, IDS, IPS, FW, VW 등)를 모의하고 망의 트래픽(평상시, 사이버 공격 시)을 모의하는 등의 기능을 제공하고 외부의 보안관제 체계 및 모의 공격기와 연동하는 인터페이스를 제공하여 외부 침입탐지체계의 성능을 검증하거나 취약점 분석을 위한 환경을 제공한다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2017.11a
• /
• pp.314-317
• /
• 2017

최근 ICT 기술이 발달함에 따라 전쟁의 양상이 물리적에서 사이버전으로 이동되고 있으며 이미 사이버 공간을 제 5의 전장으로 불리운다. 또한 오랜 기간 동안 단계적으로 준비 과정을 거쳐 공격하는 APT 사례가 증가함에 따라 공격 징후를 사전에 탐지해 선제 대응하는 사이버 킬 체인이라는 방안이 각광받고 있다. 이러한 사이버 킬 체인 중 가장 기초가 되는 감시/정찰을 수행하기 위한 방안을 연구하면서 적의 영역에 침투했다는 가정하에서 정보를 수집하는 프로그램을 설계 및 제작해 보았다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2019.10a
• /
• pp.391-393
• /
• 2019

한국과학기술정보연구원은 대용량 데이터를 초고속으로 생산·처리·활용할 수 있는 국가슈퍼컴퓨팅 시스템(누리온)을 구축·운영하여 사용자(대학, 연구소, 정부산하기관, 기업체 등)에게 서비스를 제공하고 있다. 본 논문에서는 누리온 시스템과 슈퍼컴퓨팅서비스 네트워크 구성에 대하여 간략히 소개하고 서비스를 시작한 2019년도 상반기 슈퍼컴퓨팅서비스 네트워크의 인바운드/아웃바운드 트래픽과 비정상행위(공격) 탐지 IP에 대한 시계열 및 상관도 분석을 수행한다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.4
• /
• pp.821-830
• /
• 2017

The internet is an important infra resource that it controls the economy and society of our country. Also, it is providing convenience and efficiency of the everyday life. But, a case of various are occurred through an using vulnerability of an internet infra resource. Recently various attacks of unknown to the user are an increasing trend. Also, currently system of security control is focussing on patterns for detecting attacks. However, internet threats are consistently increasing by intelligent and advanced various attacks. In recent, the darknet is received attention to research for detecting unknown attacks. Since the darknet means a set of unused IP addresses, no real systems connected to the darknet. In this paper, we proposed an algorithm for finding black IPs through collected the darknet traffic based on a statistics data of port information. The proposed method prepared 8,192 darknet space and collected the darknet traffic during 3 months. It collected total 827,254,121 during 3 months of 2016. Applied results of the proposed algorithm, black IPs are June 19, July 21, and August 17. In this paper, results by analysis identify to detect frequency of black IPs and find new black IPs of caused potential cyber threats.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.3
• /
• pp.465-479
• /
• 2020

Regardless of the domestic and foreign governments/companies, SOC (Security Operation Center) has operated 24 hours a day for the entire year to ensure the security for their IT infrastructures. However, almost all SOCs have a critical limitation by nature, caused from heavily depending on the manual analysis of human agents with the text-based monitoring architecture. Even though, in order to overcome the drawback, technologies for a comprehensive visualization against complex cyber threats have been studying, most of them are inappropriate for the security monitoring in large-scale networks. In this paper, to solve the problem, we propose a novel visual approach for intuitive threats monitoring b detecting suspicious IP address, which is an ultimate challenge in cyber security monitoring. The approach particularly makes it possible to detect, trace and analysis of suspicious IPs statistically in real-time manner. As a result, the system implemented by the proposed method is suitably applied and utilized to the real-would environment. Moreover, the usability of the approach is verified by successful detecting and analyzing various attack IPs.

• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.20 no.4
• /
• pp.50-55
• /
• 2019

Recently Ransomware attacks are continuously increasing, and new Ransomware, which is difficult to detect just with a basic vaccine, continuously has its upward trend. Various solutions for Ransomware have been developed and applied. However, due to the disadvantages and limitations of existing solutions, damage caused by Ransomware has not been reduced. Ransomware is attacking various platforms no matter what platform it is, such as Windows, Linux, servers, IoT devices, and block chains. However, most existing solutions for Ransomware are difficult to apply to various platforms, and there is a limit that they are dependent on only some specific platforms while operating. This study analyzes the problems of existing Ransomware detection solutions and proposes the onboard module based Ransomware detection system; after the system defines the function of necessary elements through analyzing requirements that can actually reduce the damage caused by the Ransomware from the viewpoint of users, it supports various OS without pre-installation and is able to restore data even after being infected. We checked the feasibility of each function of the proposed system through the analysis of the existing technology and verified the suitability of the proposed techniques to meet the user's requirements through the questionnaire survey of a total of 264 users of personal and corporate PC users. As a result of statistical analysis of the questionnaire results, it was found that the score of intent to introduce the system was at 6.3 or more which appeared to be good, and the score of intent to change from existing solution to the proposed system was at 6.0 which appeared to be very high.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2003.05c
• /
• pp.1555-1558
• /
• 2003

침입탐지란 컴퓨터와 네트워크 자원에 대한 유해한 침입 행동을 식별하고 대응하는 과정이다. 점차적으로 시스템에 대한 침입의 유형들이 복잡해지고 전문적으로 이루어지면서 빠르고 정확한 대응을 필요로 하는 시스템이 요구되고 있다. 이에 대용량의 데이터를 분석하여 의미 있는 정보를 추출하는 데이터 마이닝 기법을 적용하여 지능적이고 자동화된 탐지 및 경보데이터 분석에 이용할 수 있다. 마이닝 기법중의 하나인 순차 패턴 탐사 방법은 일정한 시퀸스 내의 빈발한 항목을 추출하여 순차적으로 패턴을 탐사하는 방법이며 이를 이용하여 시퀸스의 행동을 예측하거나 기술할 수 있는 규칙들을 생성할 수 있다. 이 논문에서는 대량의 경보 데이터를 효율적으로 분석하고 반복적인 공격 패턴에 능동적인 대응을 위한 방법으로 확장된 순차패턴 알고리즘인 PrefixSpan 알고리즘에 대해 제안하였고 이를 적용하므로써 침입탐지 시스템의 자동화 및 성능의 향상을 얻을 수 있다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2014.04a
• /
• pp.395-397
• /
• 2014

국내에서 가장 폭넓게 사용되는 모바일 운영체제인 안드로이드는 수 많은 악성코드에 대한 위협 속에 있다. 그 중에서 가장 위협적인 공격은 루트 권한을 획득하는 악성코드이다. 따라서 본 연구는 가상화 환경을 통해 안드로이드 시스템에서 실존하는 루트 권한 획득을 탐지하는 시스템을 소개 하고 있다. 이를 위해 CPU 제조사에서 제공하는 가상화 기반 기술을 활용하였으며 결과적으로 시스템 상에서 루트 권한으로 동작하는 프로세스를 감지할 수 있었다.