• Proceedings of the Korea Information Processing Society Conference
• /
• 2004.05a
• /
• pp.1177-1180
• /
• 2004

최근 침입의 형태는 기존 공격자의 직접적인 시스템 침입 및 악의적 행위들의 행사와는 달리 침입 자동화 도구들을 사용하는 형태로 변모해 가고 있다. 알려지지 않은 공격의 유형 또한 변형된 이들 도구들의 사용이 대부분이다. 이들 공격도구들 대부분은 기존 형태에서 크게 벗어나지 않으며, 침입 도구의 산출물 또한 공통적인 형태로 존재한다. 본 논문에서는 알려지지 않은 다양한 공격 유형 또한 기존 유사한 공격군으로 분류하기 위한 침입 분석 알고리즘으로 SOM(self-Organizing Maps)을 적용하고, 침입 구체화 분석 단계에서 공격도구들의 패턴을 정형화한 지식베이스를 기반으로 분석하는 시스템을 제안한다.

• KIPS Transactions on Computer and Communication Systems
• /
• v.3 no.3
• /
• pp.87-96
• /
• 2014

Hackers try to achieve their purpose in a variety of ways, such as operating own website and hacking a website. Hackers seize a large amount of private information after they have made a zombie PC by using malicious code to upload the website and it would be used another hacking. Almost detection technique is the use Snort rule. When unknown code and the patterns in IDS/IPS devices are matching on network, it detects unknown code as malicious code. However, if unknown code is not matching, unknown code would be normal and it would attack system. Hackers try to find patterns and make shellcode to avoid patterns. So, new method is needed to detect that kinds of shellcode. In this paper, we proposed a noble method to detect the shellcode by using Shannon's information entropy.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.2
• /
• pp.357-367
• /
• 2018

As information technology of modern society develops, various malicious codes with the purpose of seizing or destroying important system information are developing together. Among them, ransomware is a typical malicious code that prevents access to user's resources. Although researches on detecting ransomware performing encryption have been conducted a lot in recent years, no additional methods have been proposed to recover damaged files after an attack. Also, because the similarity comparison technique was used without considering the repeated encryption, it is highly likely to be recognized as a normal behavior. Therefore, this paper implements a filter driver to control the file system and performs a similarity comparison method that is verified based on the analysis of the encryption pattern of the ransomware. We propose a system to detect the malicious process of the accessed process and recover the damaged file based on the cloud storage.

• Journal of KIISE:Computing Practices and Letters
• /
• v.11 no.3
• /
• pp.235-245
• /
• 2005

The rapid development of computer network technology has brought the Internet as the major infrastructure to our society. But the rapid increase in malicious computer intrusions using such technology causes urgent problems of protecting our information society. The recent trends of the intrusions reflect that the intruders do not break into victim host directly and do some malicious behaviors. Rather, they tend to use some automated intrusion tools to penetrate systems. Most of the unknown types of the intrusions are caused by using such tools, with some minor modifications. These tools are mostly similar to the Previous ones, and the results of using such tools remain the same as in common patterns. In this paper, we are describing design and implementation of attacker-traceback system, which traces the intruder based on the multi-agent architecture. The system first applied SOM to classify the unknown types of the intrusion into previous similar intrusion classes. And during the intrusion analysis stage, we formalized the patterns of the tools as a knowledge base. Based on the patterns, the agent system gets activated, and the automatic tracing of the intrusion routes begins through the previous attacked host, by finding some intrusion evidences on the attacked system.