• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.2
• /
• pp.449-456
• /
• 2018

Many organizations divide the network to manage the network in order to prevent the leakage of internal data between separate organizations / departments by sending and receiving unnecessary traffic. The most fundamental network separation method is based on physically separate equipment. However, there is a case where a network is divided and operated logically by utilizing a virtual LAN (VLAN) network access control function that can be constructed at a lower cost. In this study, we first examined the possibility of bypassing the logical network separation through VLAN ID scanning and double encapsulation VLAN hopping attack. Then, we showed and implemented a data leak scenario by utilizing the acquired VLAN ID. Furthermore, we proposed a simple and effective technique to detect and prevent the double encapsulation VLAN hopping attack, which is also implemented for validation. We hope that this study improves security of organizations that use the VLAN-based logical network separation by preventing internal data leakage or external cyber attack exploiting double encapsulation VLAN vulnerability.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.22 no.5
• /
• pp.805-811
• /
• 2018

Recently, Format-Preserving-Encryption (FEA) was suggested by the National Security Research institute (NSR) as an encryption method while maintaining the format without a distortion to the intended information to be encrypted. In this paper, we propose a scheme to solve conventional cyber security problems by using FEA scheme. First, we present the method to encrypt signatures and extensions with FEA in order to effectively defend against Ransomeware attacks. This technique can mitigate the exposure to the Ransomeware by encrypting the minimum information. Second, in order to reduce the secret information for Steganography, we introduce a new way to minimize the secret information with FEA. Finally, we compare the operation speed by encryption with FEA and Lightweight Encryption Algorithm (LEA), furthermore when we optimize FEA we want to compare with the performance improvement accompanying with it.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.27 no.8C
• /
• pp.748-757
• /
• 2002

Cyber-terror trials are increased in nowadays and these attacks are commonly using security vulnerability and information gathering method by variable services grew by the continuous development of Internet Technology. IDS's application environment is affected by this increasing Cyber Terror. General Network based IDS detects intrusion by signature based Intrusion Detection module about inflowing packet through network devices. Up to now security in network is commonly secure host, an regional issue adopted in special security system but these system is vulnerable intrusion about the attack in globally connected Internet systems. Security mechanism should be produced to expand the security in whole networks. In this paper, we analyzer the DARPA's program and study Infusion Detection related Technology. We design policy security framework for policy enforcing in whole network and look at the modules's function. Enforcement of security policy is acted by Intrusion Detection system on gateway system which is located in network packet's inflow point. Additional security policy is operated on-line. We can design and execute central security policy in managed domain in this method.

• Convergence Security Journal
• /
• v.6 no.4
• /
• pp.161-169
• /
• 2006

According to the development of information system, many information system and application soft-ware are develop. However, cyber attack and incident have more increased to the development of them. To defend from cyber attack and incident, many organizations has run information security systems, such as Intrusion Detection System, Firewall, VPN etc, and employed information Security person till now But they have many difficulty in operating these information security component because of the lack of organizational management and analysis of each role. In this paper, We propose the formal Cause-Effect Model related with the information security system and administrative mission per each security. In this model, we regard information system and information system operator as one information component. It is possible to compose the most suitable information component, such as information system, human resource etc., according to the analysis of Cause-Effect Model in this paper. These analysis and approaching methodology can make effective operation of each limited resource in organization and effective defense mechanism against many malicious cyber attack and incident.

• Journal of Digital Contents Society
• /
• v.11 no.1
• /
• pp.79-89
• /
• 2010

The government and companies build a DDoS correspondence system hastily to protect assets from cyber threats. It has become more and more intelligent and advanced such as DDoS attack. However, when outbreaks of the social incidents such as 7.7 DDoS attack(2009.7.7) or cases of the direct damage occurred, information security systems(ISS) only become the issue in the short term. As usual, sustained investment about ISS is a negative recognition. Since the characteristic of ISS is hard to recognize the effectiveness of them before incidents occurs. Also, results of incidents occurred classify attack and detection. Detailed and objective measurement criterion to measure effectiveness and efficiency of ISS is not existed. Recently, it is progress that evaluation and certification about for the information security management system(ISMS). Since these works propose only a general guideline, it is difficult to utilize as a result of ISMS improvement for organization. Therefore, this paper proposes a framework to develop main criteria by a correspondence strategy and process. It is able to detailed and objective measurements.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.5
• /
• pp.839-850
• /
• 2014

As the social and financial damages caused by APT attack such as 3.20 cyber terror are increased, the technical solution against APT attack is required. It is, however, difficult to protect APT attack with existing security equipments because the attack use a zero-day malware persistingly. In this paper, we propose a host based anomaly detection method to overcome the limitation of the conventional signature-based intrusion detection system. First, we defined 39 features to identify between normal and abnormal behavior, and then collected 8.7 million feature data set that are occurred during running both malware and normal executable file. Further, each process is represented as 83-dimensional vector that profiles the frequency of appearance of features. the vector also includes the frequency of features generated in the child processes of each process. Therefore, it is possible to represent the whole behavior information of the process while the process is running. In the experimental results which is applying C4.5 decision tree algorithm, we have confirmed 2.0% and 5.8% for the false positive and the false negative, respectively.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.2
• /
• pp.347-363
• /
• 2019

Malware has its own unique behavior characteristics, like DNA for living things. To respond APT (Advanced Persistent Threat) attacks in advance, it needs to extract behavioral characteristics from malware. To this end, it needs to do classification for each malware based on its behavioral similarity. In this paper, various similarity of Windows malware is estimated; and based on these similarity values, malware's family is predicted. The similarity measures used in this paper are as follows: 'TF-IDF cosine similarity', 'Nilsimsa similarity', 'malware function cosine similarity' and 'Jaccard similarity'. As a result, we find the prediction rate for each similarity measure is widely different. Although, there is no similarity measure which can be applied to malware classification with high accuracy, this result can be helpful to select a similarity measure to classify specific malware family.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.6
• /
• pp.1489-1497
• /
• 2018

Web application services have diversified. At the same time, research on intrusion detection is continuing due to the surge of cyber threats. Also, As a single-defense system evolves into multi-level security, we are responding to specific intrusions by correlating security events that have become vast. However, it is difficult to check the OS, service, web application type and version of the target system in real time, and intrusion detection events occurring in network-based security devices can not confirm vulnerability of the target system and success of the attack A blind spot can occur for threats that are not analyzed for problems and associativity. In this paper, we propose the validation of effectiveness for intrusion detection events using TF-IDF. The proposed scheme extracts the response traffics by mapping the response of the target system corresponding to the attack. Then, Response traffics are divided into lines and weights each line with an TF-IDF weight. we checked the valid intrusion detection events by sequentially examining the lines with high weights.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.14 no.6
• /
• pp.125-134
• /
• 2004

When cryptosystem designers implement devices that computing power or memory is limited such as smart cards, PDAs and so on, not only he/she has to be careful side channel attacks(SCA) but also the cryptographic algorithms within the device has to be efficient using small memory. For this purpose, countermeasures such as Moiler's method, Okeya-Takagi's one and overlapping window method, based on window method to prevent SCA were proposed. However, Moiler's method and Okeya-Talngi's one require additional cost to prevent other SCA such as DPA, Second-Order DPA, Address-DPA, and so on since they are immune to only SPA. Also, overlapping window method has a drawback that requires big memory. In this paper, we analyze existing countermeasures and propose an efficient and secure countermeasure that is immune to all existing SCA using advantages of each countermeasure. Moreover, the proposed countermeasure can enhance the efficiency using mixed coordinate systems.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.17 no.5
• /
• pp.73-86
• /
• 2007

Numerous types of models have been developed in recent years in response to the cyber threat posed by worms in order to analyze their propagation and predict their spread. Some of the most important ones involve mathematical modeling techniques such as Epidemic, AAWP (Analytical Active Worm Propagation Modeling) and LAAWP (Local AAWP). However, most models have several inherent limitations. For instance, they target worms that employ random scanning in the entire nv4 network and fail to consider the effects of countermeasures, making it difficult to analyze the extent of damage done by them and the effects of countermeasures in a specific network. This paper extends the equations and parameters of AAWP and LAAWP and suggests ALAAWP (Advanced LAAWP), a new worm simulation technique that rectifies the drawbacks of existing models.