• Journal of the Institute of Electronics and Information Engineers
• /
• v.51 no.11
• /
• pp.127-133
• /
• 2014

In order to protect information asset from various malicious code, Honeypot system is implemented. Honeypot system is designed to elicit attacks so that internal system is not attacked or it is designed to collect malicious code information. However, existing honeypot system is designed for the purpose of collecting information, so it is designed to induce inflows of attackers positively by establishing disguised server or disguised client server and by providing disguised contents. In case of establishing disguised server, it should reinstall hardware in a cycle of one year because of frequent disk input and output. In case of establishing disguised client server, it has operating problem such as procuring professional labor force because it has a limit to automize the analysis of acquired information. To solve and supplement operating problem and previous problem of honeypot's hardware, this thesis suggested hybrid honeypot. Suggested hybrid honeypot has honeywall, analyzed server and combined console and it processes by categorizing attacking types into two types. It is designed that disguise (inducement) and false response (emulation) are connected to common switch area to operate high level interaction server, which is type 1 and low level interaction server, which is type 2. This hybrid honeypot operates low level honeypot and high level honeypot. Analysis server converts hacking types into hash value and separates it into correlation analysis algorithm and sends it to honeywall. Integrated monitoring console implements continuous monitoring, so it is expected that not only analyzing information about recent hacking method and attacking tool but also it provides effects of anticipative security response.

• Convergence Security Journal
• /
• v.5 no.2
• /
• pp.43-50
• /
• 2005

This paper is about the method that chases the Linux kernel backdoor intruder and copes with the kernel backdoor attack. We have a limit to trace the hacker with the current log analysing method because the hacker generally removes the log file and use the forge IP information. I propose the solution to solve the problem with the DeFor system. Through the restoration of the deleted log file, analysis of it and full HDD image, promptly quick response, it is possible to trace hacker spot and reduce hacking damage.

• Convergence Security Journal
• /
• v.8 no.4
• /
• pp.31-40
• /
• 2008

Recently, network forensic research which analyzes intrusion-related information for tracing of attackers, has been becoming more popular than disk forensic which analyzes remaining evidences in a system. Analysis and correlation of logs from firewall, IDS(Intrusion Detect System) and web server are important part in network forensic procedures. This work suggests integrated graphical user interface of network forensic for private information leakage detection. This paper shows the necessity of various log information for network forensic and a design of graphical user interface for security managers who need to monitor the leakage of private information.

• Proceedings of the Korean Information Science Society Conference
• /
• 2004.10a
• /
• pp.382-384
• /
• 2004

최근 가파른 증가세를 보이며 그 기법 또한 다양해지고 있는 공격에 대한 사후처리와 동일 침입 방지를 위해, 네트워크 포렌직에 대한 관심이 커지고 있다. 포렌직을 위해서는 정보의 손실 없는 네트워크 트래픽을 수집하여 보존하는 것이 필요하지만, 그 양이 막대하며, 이는 더 큰 용량의 디스크를 필요로 한다. 이를 해결하기 위해서는 압축을 수행하는 것이 필요하며, 또한 IP와 같이 필요로 하는 몇몇 정보를 압축해제 없이 접근할 수 있게 한다면, 간단한 작업을 위해서도 압축을 풀기 위해 컴퓨팅 파워와 시간을 줄일 수 있을 것이다. 따라서, 이 논문에서는 수집한 패킷마다 압축을 수행할 부분과 수행하지 않을 부분으로 나누고, 압축을 수행한 뒤, 해당 정보를 4바이트의 헤더로 만들어 덧붙임으로써, 기존 트래픽을 압축함과 동시에 패킷들에 대한 간단한 정보들을 압축해제 없이 접근할 수 있는 모델을 제안하였다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2007.11a
• /
• pp.1115-1118
• /
• 2007

BitLocker는 2006년에 Microsoft가 새롭게 출시한 운영체제인 Windows Vista에서 처음 사용되는 보안 메커니즘이다. 기존의 다양한 운영체제에서 사용되는 보안 메커니즘은 기본적으로 사용자가 로그인한 후 로그인한 사용자의 데이터를 바탕으로 파일에 대한 암호화, 데이터에 접근에 관한 권한 확인과 같은 방법을 사용하여 데이터를 보호했다. 하지만 이러한 보안 메커니즘은 물리적으로 접근하는 공격방법에는 취약하고, 플랫폼 자체에 대한 신뢰성이 부족하기 때문에 새롭게 Microsoft에서 새롭게 제안하는 보안 메커니즘인 BitLocker는 디스크 자체를 암호화 해서 보호하는 새로운 메커니즘이다. 본 논문에서는 Windows Vista에서 사용되는 새로운 보안 메커니즘인 BitLocker의 운영 메커니즘에 대해서 분석하고 이를 바탕으로 Windows 보안 메커니즘에 대한 취약점을 검증하기 위한 기존 자료로 활용하였다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.5
• /
• pp.1013-1022
• /
• 2017

Windows hibernation is a function that stores data of physical memory on a non-volatile media and then restores the memory data from the non-volatile media to the physical memory when the system is powered on. Since the hibernation file has memory data in a static state, when the attacker collects it, key information in the system's physical memory may be leaked. Because Windows does not support protection for hibernation files only, we need to protect the memory that is written to the hibernate file. In this paper, we propose a method to encrypt the physical memory data in the hibernation file to protect the memory data of the processes recorded in the hibernation file. Hibernating procedure is analyzed to encrypt the memory data at the hibernating and the encryption process for hibernation memory is implemented to operate transparently for each process. Experimental results show that the hibernation process memory encryption tool showed about 2.7 times overhead due to the crypt cost. This overhead is necessary to prevent the attacker from exposing the plaintext memory data of the process.

• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.16 no.9
• /
• pp.6282-6289
• /
• 2015

Today, there is an increasing number of cases in which certificate information is leak, and accordingly, electronic finance frauds are prevailing. As certificate and private key a file-based medium, are easily accessible and duplicated, they are vulnerable to information leaking crimes by cyber-attack using malignant codes such as pharming, phishing and smishing. Therefore, the use of security token and storage toke' has been encouraged as they are much safer medium, but the actual users are only minimal due to the reasons such as the risk of loss, high costs and so on. This thesis, in an effort to solve above-mentioned problems and to complement the shortcomings, proposes a system in which digital signature for Internet banking can be made with a simply bio-authentication process. In conclusion, it was found that the newly proposed system showed a better capability in handling financial transitions in terms of safety and convenience.

• KIISE Transactions on Computing Practices
• /
• v.24 no.2
• /
• pp.99-104
• /
• 2018

Recently, there are increasing damages by ransomware in the world. Ransomware is a malicious software that infects computer systems and restricts user's access to them by locking the system or encrypting user's files saved in the hard drive. Victims are forced to pay the 'ransom' to recover from the damage and regain access to their personal files. Strong countermeasure is needed due to the extremely vicious way of attack with enormous damage. Malware analysis method can be divided into two approaches: static analysis and dynamic analysis. Recent malwares are usually equipped with elaborate packing techniques which are main obstacles for static analysis of malware. Therefore, this paper suggests a dynamic analysis method to monitor activities of ransomware. The proposed method can analyze ransomwares more accurately. The suggested method is comprised of extracting signatures of benign program, malware, and ransomware, and selecting the most appropriate signatures for ransomware detection.

• The Journal of the Korea Contents Association
• /
• v.17 no.6
• /
• pp.32-38
• /
• 2017

Despite the opinion that certificate is useless, half of the population in Korea (approx. 35 million) get an certificate, and use it for internet banking, internet shopping, stock trading, and so on. Most users store their certificates on a usb memory or smartphone, and certificates or passwords stored on such storage media can be easily attacked and used to disguise as legitimate users. Due to these security problem of certificate, a various authentication technologies has been proposed such as smartphone owner authentication using SMS, and a personal authentication using biometric authentication. However, a safe technique is not presented yet without user password, and certificate. In this paper, I proposed a method to secure certificate/private key without a user password using a combination of USIM card and smartphone's information. Even if a hacker gets the user password, the certificate, and the private key, he can not use the certificate. User do not need to remember complex password which is a combination of alphabetic / numeric / special characters, and use his certificate safely.

• Smart Media Journal
• /
• v.8 no.1
• /
• pp.19-26
• /
• 2019

At the opening ceremony of 2018 Winter Olympics in PyeongChang, an unknown cyber-attack occurred. The malicious code used in the attack is based on in-memory malware, which differs from other malicious code in its concealed location and is spreading rapidly to be found in more than 140 banks, telecommunications and government agencies. In-memory malware accounts for more than 15% of all malicious codes, and it does not store its own information in a non-volatile storage device such as a disk but resides in a RAM, a volatile storage device and penetrates into well-known processes (explorer.exe, iexplore.exe, javaw.exe). Such characteristics make it difficult to analyze it. The most recently released in-memory malicious code bypasses the endpoint protection and detection tools and hides from the user recognition. In this paper, we propose a method to efficiently extract the payload by unpacking injection through IDA Pro debugger for Dorkbot and Erger, which are in-memory malicious codes.