• Title/Summary/Keyword: attack model


Correlation Power Analysis Attacks on the Software based Salsa20/12 Stream Cipher (소프트웨어 기반 스트림 암호 Salsa20/12에 대한 상관도 전력분석 공격)

  • Park, Young-Goo; Bae, Ki-Seok; Moon, Sang-Jae; Lee, Hoon-Jae; Ha, Jae-Cheul; Ahn, Mahn-Ki
    • Journal of the Korea Institute of Information Security & Cryptology / v.21 no.5 / pp.35-45 / 2011
  • The Salsa20/12 stream cipher, selected for the final eSTREAM portfolio, performs better than a software implementation of AES on an 8-bit microprocessor with restricted memory space. In the theoretical evaluation, the exploitable timing vulnerability was rated 'none' and the complexity of side-channel analysis 'low', but there is no literature reporting a practical power analysis attack. We therefore propose a correlation power analysis attack method and demonstrate its feasibility through practical experiments. We implemented the Salsa20/12 stream cipher without any countermeasures on an 8-bit RISC AVR microprocessor (ATmega128L chip) and performed power analysis experiments based on the Hamming weight model.

Reinforcement Learning-Based APT Attack Response Technique Utilizing the Availability Status of Assets (방어 자산의 가용성 상태를 활용한 강화학습 기반 APT 공격 대응 기법)

  • Hyoung Rok Kim; Changhee Choi
    • Journal of the Korea Institute of Information Security & Cryptology / v.33 no.6 / pp.1021-1031 / 2023
  • State-sponsored cyber attacks are highly impactful because they are carried out to achieve pre-planned goals. As a defender, it is difficult to respond to them because of the large scale of the attack and the possibility that unknown vulnerabilities may be exploited. In addition, overreacting can reduce the availability of users and cause business disruption. Therefore, there is a need for a response policy that can effectively defend against attacks while ensuring user availability. To solve this problem, this paper proposes a method to collect the number of processes and sessions of defense assets in real time and use them for learning. Using this method to learn reinforcement learning-based policies on a cyber attack simulator, the attack duration based on 100 time-steps was reduced by 27.9 time-steps and 3.1 time-steps for two attacker models, respectively, and the number of "restore" actions that impede user availability during the defense process was also reduced, resulting in an overall better policy.

A Technique for Accurate Detection of Container Attacks with eBPF and AdaBoost

  • Hyeonseok Shin; Minjung Jo; Hosang Yoo; Yongwon Lee; Byungchul Tak
    • Journal of the Korea Society of Computer and Information / v.29 no.6 / pp.39-51 / 2024
  • This paper proposes a novel approach to enhancing the security of container-based systems by analyzing system calls to dynamically detect race conditions without modifying the kernel. Container escape attacks allow attackers to break out of a container's isolation and access other systems, exploiting vulnerabilities such as race conditions that can occur in parallel computing environments. To effectively detect and defend against such attacks, this study uses eBPF to observe system call patterns during attack attempts and employs an AdaBoost model to detect them. For this purpose, system calls invoked during attacks such as Dirty COW and Dirty Cred against popular applications such as MongoDB, PostgreSQL, and Redis were used as training data. The experimental results show that this method achieved a precision of 99.55%, a recall of 99.68%, and an F1-score of 99.62%, with a system overhead of 8%.

A Real-Time Detection Method for Side-Channel Attacks to Ensure a Secure Trusted Execution Environment Against Hypervisor-Privileged Adversaries (하이퍼바이저 권한의 공격자로부터 안전한 신뢰 실행 환경을 제공하기 위한 부채널 공격 실시간 탐지 기법)

  • Sangyub Kim; Taehun Kim; Youngjoo Shin
    • Journal of the Korea Institute of Information Security & Cryptology / v.34 no.5 / pp.993-1006 / 2024
  • The recent increase in public cloud usage has led to various security issues. In response, CPU manufacturers have introduced Trusted Execution Environment (TEE) technology, allowing secure service usage even with potentially untrustworthy cloud service providers. For instance, AMD offers a VM-level TEE through SEV (Secure Encrypted Virtualization). However, it has been reported that confidential information can be leaked via page fault-based side-channel attacks on VMs protected by SEV. To address this, this paper proposes a method for real-time detection of such attacks in SEV environments. Since attackers can hold hypervisor-level privileges under the SEV threat model, realizing this is challenging. To overcome this, we propose two approaches. First, we use VMPL (Virtual Machine Privilege Level) to protect the detection program from the untrusted hypervisor. Second, we utilize the vPMU (virtual Performance Monitoring Unit) to derive new features for detecting page side-channel attacks. The designed and implemented detection program achieved 95.38% accuracy in detecting page fault side-channel attacks.

Provably Secure Tree-Based Centralized Group Key Distribution: Security Model and Modular Approach (증명 가능한 트리기반 중앙 분배 방식의 그룹키 기법: 안전성 모델 및 변환모듈)

  • Kim Hyun-Jeong; Lee Su-Mi; Lee Dong Hoon
    • Journal of the Korea Institute of Information Security & Cryptology / v.14 no.6 / pp.69-78 / 2004
  • During the last decade, security models have been defined for two- and three-party key exchange protocols. Currently there is growing research interest in security models for group key management schemes. While various security models and provably secure protocols have been proposed for distributed group key exchange schemes, no results are known for centralized group key distribution schemes, in spite of their theoretical and practical importance. We describe security requirements and a formal security model for centralized group key distribution schemes: we define the model on a channel controlled by adversaries with the ability of strong user corruption. In this security model, we propose a conversion module which can transform the centralized tree-based group key distribution schemes in the literature into provably secure centralized tree-based group key distribution schemes.

Optimal Allocation Model of KDX for Missile Defense (미사일 방어를 위한 KDX 최적배치모형 연구)

  • Lee, Sang-Heon; Jeong, In-Cheol
    • Journal of the Korea Society for Simulation / v.15 no.4 / pp.69-77 / 2006
  • In most positioning and allocation practice, many mathematical models have been proposed in various fields. The set covering (SC) problem has many practical modeling applications, not only in real-world problems but also in the military. As our air defense weapon systems age and their performance declines, new plans for the acquisition of high-tech air defense weapon systems are being conducted. In this paper we establish a simulation model for the optimal allocation of KDX, which carries the new missile defense weapon system, using partial set covering that considers both the attacker and defender side. By implementing the simulation model, we assess the available scenarios and show the optimal pre-positioning of KDX and the interceptors' allocation. Furthermore, we provide a variety of experiments and large-scale situations for Korea Indigenous Missile Defense (KIMD) and support decision-making for efficient positioning of units.


STA : Sybil Type-aware Robust Recommender System (시빌 유형을 고려한 견고한 추천시스템)

  • Noh, Taewan; Oh, Hayoung; Noh, Giseop; Kim, Chongkwon
    • KIISE Transactions on Computing Practices / v.21 no.10 / pp.670-679 / 2015
  • With the rapid development of the internet, many users these days refer to various recommender sites when buying items, movies, music and more. However, there are malicious users (Sybils) who intentionally raise or lower item ratings on these recommender sites. As a result, a recommender system (RS) may recommend incomplete or inaccurate results to normal users. We suggest a recommender algorithm that separates user-generated ratings into normal ratings and outlier ratings, minimizing the effect of malicious users. Specifically, our algorithm first ensures a stable RS against three kinds of attack models (Random attack, Average attack, and Bandwagon attack), which are the main recent security issues in RS. To prove the performance of the suggested method, we conducted performance analysis on real-world data that we crawled. The performance analysis demonstrated that the suggested method performs well regardless of Sybil size and type when compared to existing algorithms.

Topic Automatic Extraction Model based on Unstructured Security Intelligence Report (비정형 보안 인텔리전스 보고서 기반 토픽 자동 추출 모델)

  • Hur, YunA; Lee, Chanhee; Kim, Gyeongmin; Lim, HeuiSeok
    • Journal of the Korea Convergence Society / v.10 no.6 / pp.33-39 / 2019
  • As cyber attack methods become more intelligent, incidents such as security breaches and international crimes are increasing. In order to predict and respond to these cyber attacks, the characteristics, methods, and types of attack techniques should be identified. To this end, many security companies publish security intelligence reports to quickly identify various attack patterns and prevent further damage. However, the reports that each company distributes are not structured, yet the number of published intelligence reports is ever-increasing. In this paper, we propose a method to extract structured data from unstructured security intelligence reports. We also propose an automatic intelligence report analysis system that divides a large volume of reports into sub-groups based on their topics, making the report analysis process more effective and efficient.

A Study on Web Vulnerability Risk Assessment Model Based on Attack Results: Focused on Cyber Kill Chain (공격 결과 기반의 웹 취약점 위험도 평가 모델 연구: 사이버 킬체인 중심으로)

  • Jin, Hui Hun; Kim, Huy Kang
    • Journal of the Korea Institute of Information Security & Cryptology / v.31 no.4 / pp.779-791 / 2021
  • Common web services have been continuously targeted by hackers because their access control policy must allow access to an unspecified number of people. To cope with this situation, companies regularly check for web vulnerabilities and take measures according to the risk of the discovered vulnerabilities. The risk of these web vulnerabilities is calculated from preliminary statistics and self-evaluation by domestic and foreign related organizations. However, unlike static diagnosis of security settings and source code, a web vulnerability check is performed through dynamic diagnosis. Even for the same vulnerability item, various attack results can be derived, and the degree of risk may vary depending on the subject of diagnosis and the environment. In this respect, the predefined risk level may differ from that of the actual vulnerability. In this paper, to improve this point, we present a web vulnerability risk assessment model based on the attack result, centered on the cyber kill chain.

Improvement Mechanism of Security Monitoring and Control Model Using Multiple Search Engines (다중 검색엔진을 활용한 보안관제 모델 개선방안)

  • Lee, Je-Kook; Jo, In-June
    • The Journal of the Korea Contents Association / v.21 no.1 / pp.284-291 / 2021
  • As the current security monitoring system is operated as a passive system that only responds after an attack, it is common to respond to intrusion incidents only after an attack has occurred. In particular, when new assets are added and actual services are performed, there is a limit to vulnerability testing and pre-defense from the point of view of an actual hacker. In this paper, a new security monitoring model is proposed that uses multiple hacking-related search engines to add proactive vulnerability response functions for protected assets. In other words, using multiple general-purpose or special-purpose search engines, specific vulnerabilities of the assets to be protected are checked in advance, and the vulnerabilities of the assets revealed by the check are removed in advance. In addition, a function for pre-checking the objective attack vulnerabilities of the protected assets as recognized from the point of view of an actual hacker, and a function for discovering and removing in advance a wide range of system-related vulnerabilities located in the IP band, are additionally presented.