• Journal of the Korea Convergence Society
• /
• v.9 no.7
• /
• pp.55-62
• /
• 2018

Recently, as the threat of cyber crime increases, the importance of security control to cope with cyber attacks on the information systems in the first place such as real-time detection is increasing. In the name of security control center, cyber terror response center and infringement response center, institutional control personnel are making efforts to prevent cyber attacks. Especially, we are detecting infringement accident by using network security equipment or utilizing control system, but it's not enough to prevent infringement accident by just controlling based on device-driven simple patterns. Therefore, the security control system is continuously being upgraded, and the development and research on the detection method are being actively carried out by the prevention activity against the threat of infringement. In this paper, we have defined the method of detecting infringement of major component module in order to improve the problem of existing infringement detection method. Through the performance tests for each module, we propose measures for effective security control and study effective infringement threat detection method by upgrading the control system using Security Information Event Management (SIEM).

• Journal of Convergence for Information Technology
• /
• v.8 no.6
• /
• pp.149-157
• /
• 2018

In this paper, we propose an attack detection technology using SDN Controller to study security threats in IoT environment. The research methodology has been developed by applying IoT security threat management technology to the IoT layer and analyzing the research trend of applied security technology. The study results show that the effectiveness of the detection method using the sampling method is studied by adding OpenFlow based SDN Controller to the network switch equipment of the existing IoT network. This method can detect the monitoring and attack of the whole network by interworking with IDS and IPS without affecting the performance of existing IoT devices. By applying such improved security threat countermeasure technology, we expect to be able to relieve anxiety of IoT security threat and increase service reliability.

• Annual Conference of KIPS
• /
• 2007.11a
• /
• pp.1230-1233
• /
• 2007

DDoS 공격은 인터넷 환경에서 네트워크나 개인 호스트를 위협하는 대표적인 공격 트래픽이다. DDoS 공격은 간단한 Tool 로 공격이 가능하면서 네트워크 기반 구조에 큰 피해를 입힐 수 있기 때문에 그 심각성이 크다. DDoS 공격의 효과적인 방어와 대응을 위해서는 DDoS 공격 트래픽에 대한 정확한 분석과 탐지가 선행되어야 한다. 본 논문에서는 DDoS 공격 징후를 신속하게 탐지해 낼 수 있는 효율적인 트래픽 비율 분석법(ETAM)을 제안하고, ETAM 기법을 통해 공격을 빠르고 신속하게 탐지할 수 있음을 보인다.

• Convergence Security Journal
• /
• v.18 no.3
• /
• pp.77-85
• /
• 2018

With the convergence of communications network between control system and public network, such threats like information leakage/falsification could be fully shown in control system through diverse routes. Due to the recent diversification of security issues and violation cases of new attack techniques, the security system based on the information database that simply blocks and identifies, is not good enough to cope with the new types of threat. The current control system operates its security system focusing on the outside threats to the inside, and it is insufficient to detect the security threats by insiders with　the authority of security access. Thus, this study conducted the importance analysis based on the main event log list of "Spotting the Adversary with Windows Event Log Monitoring" announced by NSA. In the results, the matter of importance of event log for the detection of insider threats to control system was understood, and the results of this study could be contributing to researches in this area.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2008.05a
• /
• pp.647-650
• /
• 2008

네트워크 환경이 컨버젼스(convergence)되면서 하나의 단말에서 제공하는 서비스 역시 다양화되고 있다. 개인용 휴대 단말들도 기존에 개별 기능만을 주로 다루던 형태에서 다양한 융복합 서비스를 하나의 단말에서 제공하는 형태로 발전하고 있다. 따라서 본 논문에서는 컨버젼스 네트워크 환경에서 제공되는 여러 서비스를 동시에 지원하는 단말을 "복합단말(All-in-one Mobile Device)"이라 정의한다. 복합단말은 기능, 성능, 네트워크 인터페이스 측면에서 다양한 컨버젼스가 제공되고 있는데, 이 중에서 다양한 네트워크 인터페이스의 제공으로 인터페이스간 교차로 인해 기존에 존재하지 않았던 새로운 형태의 보안 위협인 Cross-service 공격이 등장하고 있다. 기존 모바일 디바이스와는 달리 복합단말에서의 Cross-service 공격은 사용자에게 과금이나 배터리 소모와 같은 치명적인 문제점을 발생시킨다. 본 논문에서는 Cross-service 공격으로부터 복합단말을 보호하기 위한 탐지 메커니즘 및 보안 요구사항을 제시한다.

• The KIPS Transactions:PartC
• /
• v.10C no.5
• /
• pp.565-574
• /
• 2003

This paper implements an intrusion detection message exchange protocol library (IDMEPL) for SDMS-RTIR, which Korea Information Security Agency (KISA) has developed to hierarchically detect and respond to network vulnerability scan attacks. The IDMEPL, based on the IDMEF and the IAP of the IDWG, enables SDMS-RTIR to interact with other intrusion detection systems (IDS) in realtime, and supports the TLS protocol to prevent security threats in exchanging messages between its server and its agents. Especially, with the protocol selection stage, the IDMEPL can support various protocols such as the IDXP besides the IAP. Furthermore, it can allow for agents to choose an appropriate security protocol for their own network, achieving security stronger than mutual authentication. With the IDMEPL, SDMS-RTIR can receive massive intrusion detection messages from heterogeneous IDSes in large-scale networks and analyze them.

• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.12 no.11
• /
• pp.5238-5244
• /
• 2011

Recently, wireless sensor networks have become increasingly interesting areas over extensive application fields such as military, ecological, and health-related areas. Almost sensor networks have mission-critical tasks that requires very high security. Therefore, extensive work has been done for securing sensor networks from outside attackers, efficient cryptographic systems, secure key management and authorization, but little work has yet been done to protect these networks from inside threats. This paper proposed an method to select which nodes should activate their idle nodes as detectors to be able to watch all packets in the sensor network. Suggested method is modeled as optimization equation, and heuristic Greedy algorithm based simulation results are presented to verify my approach.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.19 no.5
• /
• pp.71-80
• /
• 2009

Ad-hoc network consists f mobile nodes, which they are together in the communication. However, if some misbehaving nodes are in network, it is faced to many threats. Therefore, detection and management of misbehaving node are necessary to make confident in Ad-hoc networks. To solve this problem, we use Node Weight Management Server(NWMS), which it manage each node's weight in local area. When NWMS detect misbehaving node, it adds the node's weight and if the node's weight exceeds threshold then NWMS broadcasts the node's information to isolate in network. These mechanisms show that they are highly effective and can reliably detect a multitude of misbehaving node.

• Annual Conference of KIPS
• /
• 2006.05a
• /
• pp.1109-1112
• /
• 2006

DDoS(Distributed Denial-of-Service) 공격은 인터넷 침해가운데 가장 위협적인 공격들 중 하나이며 이러한 공격을 실시간으로 탐지하기 위한 연구는 활발히 이루어져 왔다. 하지만 기존의 탐지 메커니즘이 가지고 있는 높은 오탐지율은 여전히 보완해야할 과제로 남아 있다. 따라서 본 논문에서는 DDoS공격 탐지의 근거로 사용된 기존의 트래픽 볼륨(traffic volume), 엔트로피(entropy), 그리고 카이제곱(chi-square)을 이용한 비정상 행위탐지(Anomaly detection)방식의 침임탐지시스템이 가지는 오탐지율(false alarm rate)을 개선할 수 있는 방안을 제안한다. 또한 공격 탐지 시 프로토콜, TCP 플래그(flag), 그리고 포트 번호를 이용하여 네트워크 관리자에게 보다 자세한 공격 정보를 제공함으로써 효율적으로 공격에 대처할 수 있는 시스템을 설계한다.

• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.16 no.6
• /
• pp.43-54
• /
• 2016

The occurrence of cyber crime is on the rise every year, and the security control center, which should play a crucial role in monitoring and early response against the cyber attacks targeting various information systems, its importance has increased accordingly. Every endeavors to prevent cyber attacks is being attempted by information security personnel of government and financial sector's security control center, threat response Center, cyber terror response center, Cert Team, SOC(Security Operator Center) and else. The ordinary method to monitor cyber attacks consists of utilizing the security system or the network security device. It is anticipated, however, to be insufficient since this is simply one dimensional way of monitoring them based on signatures. There has been considerable improvement of the security control system and researchers also have conducted a number of studies on monitoring methods to prevent threats to security. In accordance with the environment changes from ESM to SIEM, the security control system is able to be provided with more input data as well as generate the correlation analysis which integrates the processed data, by extraction and parsing, into the potential scenarios of attack or threat. This article shows case studies how to detect the threat to security in effective ways, from the initial phase of the security control system to current SIEM circumstances. Furthermore, scenarios based security control systems rather than simple monitoring is introduced, and finally methods of producing the correlation analysis and its verification methods are presented. It is expected that this result contributes to the development of cyber attack monitoring system in other security centers.