• The KIPS Transactions:PartC
• /
• v.10C no.6
• /
• pp.665-674
• /
• 2003

In this paper, we propose an approach to correlate alerts using a clustering analysis of data mining techniques in order to support intrusion detection system. Intrusion detection techniques are still far from perfect. Current intrusion detection systems cannot fully detect novel attacks. However, intrucsion detection techniques are still far from perfect. Current intrusion detection systems cannot fully detect novel attacks or variations of known attacks without generating a large amount of false alerts. In addition, all the current intrusion detection systems focus on low-level attacks or anomalies. Consequently, the intrusion detection systems to underatand the intrusion behind the alerts and take appropriate actions. The clustering analysis groups data objects into clusters such that objects belonging to the same cluster are similar, while those belonging to different ones are dissimilar. As using clustering technique, we can analyze alert data efficiently and extract high-level knowledgy about attacks. Namely, it is possible to classify new type of alert as well as existed. And it helps to understand logical steps and strategies behind series of attacks using sequences of clusters, and can potentially be applied to predict attacks in progress.

• Journal of Internet Computing and Services
• /
• v.21 no.2
• /
• pp.91-97
• /
• 2020

Recently, phishing attacks targeting those involved in defense, security and unification have been on the rise. In particular, hacking attack organization Kimsuky has been engaged in activities to collect important information from public organizations through phishing attacks since 2013. In this paper, profiling analysis of phishing mail attack organization was performed. Through this process, we estimated the purpose of the attack group and suggested countermeasures.

• Review of KIISC
• /
• v.29 no.1
• /
• pp.13-19
• /
• 2019

나날이 발전하고 있는 ICT 기술과 차량과의 융합은 차량을 대상으로 하는 사이버 위협과 공격을 더욱 증대시킨다. 그러나 차량 보안을 연구하는 산업계, 학계 연구 그룹들 또한 다양한 접근 방법을 통해 이러한 위협과 공격을 앞서 예방하고 탐지하기 위해 노력하고 있다. 2018 정보보호 R&D 데이터 챌린지에서는 차량주행 데이터기반 도난탐지 트랙을 마련하였다. 이는 운전자별 주행 데이터에 대한 분석을 통해 현재 주행 중인 운전자를 식별하는 챌린지로써 국내 및 해외에서 처음으로 진행된 트랙이다. 이번 2018 정보보호 R&D 데이터 챌린지 중 차량주행 데이터기반 도난탐지 트랙에 참가한 참가자들은 주행 데이터를 통계적 기반으로 분석하여 모델링 하였으며, 분석하는 과정에 있어 의미 있는 분류 결과를 도출해 내었다. 일반적으로, 한 가정이 보유하고 있는 차량이 가족들 이외 다른 이들에게는 잘 공유되지 않는다는 점을 고려한다면, 비록 소수의 운전 참가자이지만 5명을 대상으로 하는 본 실험이 의미가 있다고 본다. 이번 정보보호 R&D 데이터 챌린지를 통해, 운전자 주행 데이터가 도난 탐지를 위한 운전자 분류뿐만 아니라, 운전자에게 특화된 의료와 보험과 같은 맞춤형 서비스를 제공할 수 있는 가능성을 확인할 수 있었다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.18 no.6A
• /
• pp.115-127
• /
• 2008

The Native API is a system call which can only be accessed with the authentication of the administrator. It can be used to detect a variety of malicious codes which can only be executed with the administrator's authority. Therefore, much research is being done on detection methods using the characteristics of the Native API. Most of these researches are being done by using supervised learning methods of machine learning. However, the classification standards of Anti-Virus companies do not reflect the characteristics of the Native API. As a result the population data used in the supervised learning methods are not accurate. Therefore, more research is needed on the topic of classification standards using the Native API for detection. This paper proposes a method for re-grouping malicious codes using fuzzy clustering methods with the Native API standard. The accuracy of the proposed re-grouping method uses machine learning to compare detection rates with previous classifying methods for evaluation.

• Annual Conference of KIPS
• /
• 2005.05a
• /
• pp.1119-1122
• /
• 2005

기계학습 방법을 이용한 네트워크 기반 침입탐지 시스템은 어떤 학습알고리즘을 사용하여 구현되었느냐에 따라 그 결과가 매우 달라진다. 학습을 위한 전처리를 많이 하면 비례하여 성능이 개선되지만, 실제 사용의 유용성면에서는 성능이 떨어지게 된다. 따라서 최소한의 전처리를 하여 침입탐지의 탐지율을 보장하는 방법이 필요 하다. 본 논문에서는 네트워크기반 침입탐지 문제를 기계학습을 이용하여 해결하는 방법을 제안 하였다. 제안된 모델은 탐지 속도와 각종 공격들의 패킷 분포를 고려하여 관련된 그룹으로 분류하고, 이것을 학습하는 시스템이다. 실험을 통하여 제안된 모델의 유용성을 검증 하였다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.31 no.4
• /
• pp.559-571
• /
• 2021

Along with the increase prevalence of computers, the number of malware distributions by attackers to ordinary users has also increased. Research to detect malware continues to this day, and in recent years, research on malware detection and analysis using AI is focused. However, the AI algorithm has a disadvantage that it cannot explain why it detects and classifies malware. XAI techniques have emerged to overcome these limitations of AI and make it practical. With XAI, it is possible to provide a basis for judgment on the final outcome of the AI. In this paper, we conducted malware group classification using XGBoost and Random Forest, and interpreted the results through SHAP. Both classification models showed a high classification accuracy of about 99%, and when comparing the top 20 API features derived through XAI with the main APIs of malware, it was possible to interpret and understand more than a certain level. In the future, based on this, a direct AI reliability improvement study will be conducted.

• Journal of Internet Computing and Services
• /
• v.21 no.1
• /
• pp.45-55
• /
• 2020

Due to the development of information and communication technology, the number of new / variant malicious codes is increasing rapidly every year, and various types of malicious codes are spreading due to the development of Internet of things and cloud computing technology. In this paper, we propose a malware analysis method based on string information that can be used regardless of operating system environment and represents library call information related to malicious behavior. Attackers can easily create malware using existing code or by using automated authoring tools, and the generated malware operates in a similar way to existing malware. Since most of the strings that can be extracted from malicious code are composed of information closely related to malicious behavior, it is processed by weighting data features using text mining based method to extract them as effective features for malware analysis. Based on the processed data, a model is constructed using various machine learning algorithms to perform experiments on detection of malicious status and classification of malicious groups. Data has been compared and verified against all files used on Windows and Linux operating systems. The accuracy of malicious detection is about 93.5%, the accuracy of group classification is about 90%. The proposed technique has a wide range of applications because it is relatively simple, fast, and operating system independent as a single model because it is not necessary to build a model for each group when classifying malicious groups. In addition, since the string information is extracted through static analysis, it can be processed faster than the analysis method that directly executes the code.

• Journal of Industrial Convergence
• /
• v.21 no.9
• /
• pp.41-48
• /
• 2023

Recently, there has been a sharp increase in the damages caused by ransomware across various sectors of society, including individuals, businesses, and nations. Ransomware is a malicious software that infiltrates user computer systems, encrypts important files, and demands a ransom in exchange for restoring access to the files. Due to its diverse and sophisticated attack techniques, ransomware is more challenging to detect than other types of malware, and its impact is significant. Therefore, there is a critical need for accurate detection and mitigation methods. To achieve precise ransomware detection, an inference engine of a detection system must possess knowledge of ransomware features. In this paper, we propose a model to extract and classify the characteristics of ransomware for accurate detection of ransomware, calculate the similarity of the extracted characteristics, reduce the dimension of the characteristics, group the reduced characteristics, and classify the characteristics of ransomware into attack tools, inflow paths, installation files, command and control, executable files, acquisition rights, circumvention techniques, collected information, leakage techniques, and state changes of the target system. The classified characteristics were applied to the existing ransomware to prove the validity of the classification, and later, if the inference engine learned using this classification technique is installed in the detection system, most of the newly emerging and variant ransomware can be detected.

• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.12 no.1
• /
• pp.459-466
• /
• 2011

In this paper, we proposed a data mining framework for the management of alerts in order to improve the performance of the intrusion detection systems. The proposed alert data mining framework performs alert correlation analysis by using mining tasks such as axis-based association rule, axis-based frequent episodes and order-based clustering. It also provides the capability of classify false alarms in order to reduce false alarms. We also analyzed the characteristics of the proposed system through the implementation and evaluation of the proposed system. The proposed alert data mining framework performs not only the alert correlation analysis but also the false alarm classification. The alert data mining framework can find out the unknown patterns of the alerts. It also can be applied to predict attacks in progress and to understand logical steps and strategies behind series of attacks using sequences of clusters and to classify false alerts from intrusion detection system. The final rules that were generated by alert data mining framework can be used to the real time response of the intrusion detection system.

• The Journal of the Korea Contents Association
• /
• v.17 no.3
• /
• pp.231-237
• /
• 2017

Threat intelligences collected from cyber incident sharing system and security events collected from Security Information & Event Management system are analyzed and coped with expanding malicious code rapidly with the advent of big data. Analytical classification of the threat intelligence in cyber incidents requires various features of cyber observable. Therefore it is necessary to improve classification accuracy of the similarity by using multi-profile which is classified as the same features of cyber observables. We propose a multi-profile ensemble model performed similarity analysis on cyber incident of threat intelligence based on both attack types and cyber observables that can enhance the accuracy of the classification. We see a potential improvement of the cyber incident analysis system, which enhance the accuracy of the classification. Implementation of our suggested technique in a computer network offers the ability to classify and detect similar cyber incident of those not detected by other mechanisms.