• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.33 no.2
• /
• pp.267-280
• /
• 2023

With development of computing and communications technologies, IoT environments based on high-speed networks have been extending rapidly. Especially, from home to an office or a factory, applications of IoT devices with sensing environment and performing computations are increasing. Unfortunately, IoT devices which have limited hardware resources can be vulnerable to cyber attacks. Hence, there is a concern that an IoT botnet can give rise to information leakage as a national cyber security crisis arising from abuse as a malicious waypoint or propagation through connected networks. In order to response in advance from unknown cyber threats in IoT networks, in this paper, We firstly define four types of We firstly define four types of characteristics by analyzing darknet traffic accessed from an IoT botnet. Using the characteristic, a suspicious IP address is filtered quickly. Secondly, the filtered address is identified by Cyber Threat Intelligence (CTI) or Open Source INTelligence (OSINT) in terms of an unknown suspicious host. The identified IP address is finally fingerprinted to determine whether the IP is a malicious host or not. To verify a validation of the proposed method, we apply to a Darknet on real-world SOC. As a result, about 1,000 hosts who are detected and blocked preemptively by the proposed method are confirmed as real IoT botnets.

• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.16 no.12
• /
• pp.8908-8914
• /
• 2015

The Internet continues to grow and develop, but there are going to generate a variety of Internet attacks that exploit it. In the initial Internet environment, the attackers maliciously exploited Internet environments for ostentations and hobbies. but these days many malicious attempts purpose the financial gain so systematic and sophisticated attacks that are associated with various crimes are occurred. The structures, such as viruses and worms were present in the form of one source multi-target before. but recently, APT(Advanced Persistent Threat, intelligent continuous attacks) in the form of multi-source single target is dealing massive damage. The performance evaluation analyzed whether to generate audit data and detect integrity infringement, and false positives for normal traffic, process detecting and blocking functions, and Agent policy capabilities with respect to the application availability.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.4
• /
• pp.829-838
• /
• 2015

As the number of smartphone users have increased, many kinds of malwares have emerged. Unlike existing malwares, spyware can be installed normally after user authentication and agreement according to security policy. For this reason, it is not easy to catch spywares involving harmful functionalities to users by using existing malware detection system. Therefore, our paper focuses on study about detecting mainly wiretapping spywares among them by developing a new wiretapping detection model and application. Specifically, this study conducts to find out power consumption on each application and modular and network consumption to detect voice wiretapping so Open Source Project Power Tutor is used to do this. The risk assessment of wiretapping is measured by gathered all power consumption data from Open Source Project Power Tutor. In addition, developed application in our study can detect at-risk wiretapping spyware through collecting and analyzing data. After we install the application to the smartphone, we collect needed data and measure it.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.3
• /
• pp.545-552
• /
• 2012

The rapid development of information technology is making large changes in our lives today. Also the infrastructure and services are combinding with information technology which predicts another huge change in our environment. However, the development of information technology brings various types of side effects and these side effects not only cause financial loss but also can develop into a nationwide crisis. Therefore, the detection and quick reaction towards these side effects is critical and much research is being done. Intrusion detection systems can be an example of such research. However, intrusion detection systems mostly tend to focus on judging whether particular traffic or files are malicious or not. Also it is difficult for intrusion detection systems to detect newly developed malicious codes. Therefore, this paper proposes a method which determines whether the present network model is normal or abnormal by comparing it with past network situations.

• Journal of Digital Contents Society
• /
• v.8 no.2
• /
• pp.165-171
• /
• 2007

The penetration of malicious code and the function of security blocking are performed on the same course of traffic pathway. The security domain is the concept to distinguish the domain from the group handling with the traffic on the structure of network which is performed with the function of penetration and security. The security domain could be different from the criterion of its realm and function, which requires the development and the application of security mechanism for every domain. For the establishment of security domain it is needed to show what criterion of net work should be set up. This study is to research the criterion for topology factor, security domain. structure map selection, and blocking location and disinfection net. It is shown to increase the effective rate blocking the virus with the proposed method in this paper rather than the traditional network architecture. The purpose of this paper is to suggest the necessity of development of security mechanism and the distinguished blocking function according to the level of security domain.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.5
• /
• pp.1169-1177
• /
• 2018

Modern society is a period of rapid digital transformation. This digital-centric business proliferation offers convenience and efficiency to businesses and individuals, but cyber threats are increasing. In particular, cyber attacks are becoming more and more intelligent and precise, and various attempts have been made to prevent these attacks from being discovered. Therefore, it is increasingly difficult to respond to such attacks. According to the cyber kill chain concept, the attacker penetrates to achieve the goal in several stages. We aim to detect one of these stages and neutralize the attack. In this paper, we propose a method to detect anomalous traffic caused by an agent attacking an external attacker, assuming that an agent executing a malicious action has been introduced in advance due to various reasons such as a system error or a user's mistake.

• Convergence Security Journal
• /
• v.11 no.3
• /
• pp.91-98
• /
• 2011

Medical information system based on ad hoc network designed for general information systems and information networks have different security requirements. Malicious code infiltration and security features are performed on same medical information network architecture along the route. Security domain of medical information systems is the ground of penetration and defense performed over the network architecture and it is also the traffic handling areas separated by a concept of differentiated group. Ad hoc-based medical information systems in the network security domain, set some standards about what should be the methodology of this study. In this paper, medical information system network configuration, the determining factor based on the security domain, the structure selection criteria and blocking positionings are presented according to the traffic route configuration. If you apply this methodology designed to increase security, efficiency can be possible. Health information systems in accordance with the security domain areas requires differentiated protection needs of the security mechanism that is proposed by this study.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.19 no.4
• /
• pp.51-61
• /
• 2009

Recently, the cyber-attacks using botnets are being increased, Because these attacks pursue the money, the criminal aspect is also being increased, There are spreading of spam mail, DDoS(Distributed Denial of Service) attacks, propagations of malicious codes and malwares, phishings. leaks of sensitive informations as cyber-attacks that used botnets. There are many studies about detection and mitigation techniques against centralized botnets, namely IRC and HITP botnets. However, P2P botnets are still in an early stage of their studies. In this paper, we analyzed the traffics of the Peacomm bot that is one of P2P-based storm bot by using honeynet which is utilized in active analysis of network attacks. As a result, we could see that the Peacomm bot sends a large number of UDP packets to the zombies in wide network through P2P. Furthermore, we could know that the Peacomm bot makes the scale of botnet maintained and extended through these results. We expect that these results are used as a basis of detection and mitigation techniques against P2P botnets.

• The Journal of the Korea institute of electronic communication sciences
• /
• v.9 no.7
• /
• pp.773-778
• /
• 2014

IDS(Intrusion Detection System) can be used as a countermeasure for blackhole attacks which cause degrade of transmission performance by causing of malicious intrusion to routing function of networks. In this paper, effects of IDS for transmission performance based on mobility patterns is analyzed for MANET(Mobile Ad-hoc Networks), a suggestion for effective countermeasure is considered. Computer simulation based on NS-2 is used in performance analysis, VoIP(Voice over Internet Protocol) as an application service is chosen for performance measure. MOS(Mean Opinion Score), call connection ratio and end-to-end delay is used as performance parameter.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.2
• /
• pp.279-292
• /
• 2015

In this study, we propose an effective network managed security services model that can detect a presence of potential malicious codes inside the energy-based SCADA Systems. Especially, by analyzing the data obtained in the same environment of SCADA Systems, we develop detection factors to applicable to the managed security services and propose the method for the network managed security services. Finally, the proposed network managed security services model through simulation proved possibility to detect malicious traffic in SCADA systems effectively.