• Title/Summary/Keyword: worm virus


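Automated Traceback Procedure in the 'Comprehensive Incident Response System' During Large-Scale Computer Virus/Worm Attacks (대규모 컴퓨터 바이러스/웜의 공격시 '종합침해사고대응시스템'에서의 자동화된 역추적 절차)

  • 최운호;전영태
    • Review of KIISC / v.15 no.1 / pp.50-60 / 2005
  • This paper proposes the information that should be defined in network forensics and related areas when an incident occurs that is caused by large-scale computer viruses/worms, which have recently been increasing in the Internet environment, and a method that uses this information to detect systems generating large volumes of traffic. On this basis, it presents an automated traceback procedure for a comprehensive incident response system.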

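e-Team: Analysis and Response Team, Internet Incident Response Support Center (e-Team-인터넷침해사고대응지원센터 분석대응팀)

  • Korea Information Security Agency
    • Information Security News (정보보호뉴스) / s.128 / pp.24-25 / 2008
  • The class that caused this reporter the greatest pain (?) during school days was chemistry. The reason was that I could not work out how to tell apart components that are invisible to the eye yet made up of many molecules and atoms, and that invisible components simply made no sense to me. Perhaps ordinary people feel the same way when they face malicious code or worms and viruses. Malicious code and worms/viruses look the same but differ from one another. The Analysis and Response Team distinguishes and analyzes those fine differences.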


Design and Implementation of an E-mail Worm-Virus Filtering System on MS Windows (MS 윈도우즈에서 E-메일 웜-바이러스 차단 시스템의 설계 및 구현)

  • Choi Jong-Cheon;Chang Hye-Young;Cho Seong-Je
    • Journal of the Korea Institute of Information Security & Cryptology / v.15 no.6 / pp.37-47 / 2005
  • Recently, malicious e-mail worm-viruses have spread widely over the Internet. If the recipient opens the e-mail attachment or an e-mail itself that contains the worm-virus, the worm-virus can be activated and then cause tremendous damage to the system by propagating itself to everyone on the mailing list in the user's e-mail package. In this paper, we have designed and implemented two methods for blocking e-mail worm-viruses. In the first method, each e-mail is transmitted only by sender activity such as the click of a button on a mail client application. In the second one, we insert two modules into the sender side, where one module transforms a recipient's address depending on a predefined rule only at the time the button is pushed, and the other converts the address back, reversing the former module, whenever an e-mail is sent. The latter method also supports a polymorphism model in order to cope with new types of e-mail worm-virus attacks. The two methods are designed not to work for the e-mail viruses. There is no additional fraction on the receiver's side of the e-mail system. Experimental results show that the proposed methods can screen e-mail worm-viruses efficiently with a low overhead.

Reducing False Alarm and Shortening Worm Detection Time in Virus Throttling (Virus Throttling의 웜 탐지오판 감소 및 탐지시간 단축)

  • Shim Jae-Hong;Kim Jang-bok;Choi Hyung-Hee;Jung Gi-Hyun
    • The KIPS Transactions:PartC / v.12C no.6 s.102 / pp.847-854 / 2005
  • Since the propagation speed of Internet worms is quite fast, worm detection in the early propagation stage is very important for reducing the damage. The virus throttling technique, one of many early worm detection techniques, detects Internet worm propagation by limiting the connection requests within a certain ratio.[6, 7] The typical throttling technique increases the possibility of false detection by treating destination IP addresses independently in its delay queue management. In addition, it uses a simple decision strategy that determines a worm intrusion if the delay queue overflows. This paper proposes a two-dimensional delay queue management technique in which the sessions with the same destination IP are linked and thus an IP is not stored more than once. The virus throttling technique with the proposed delay queue management can reduce the possibility of false worm detection, compared with typical throttling, since the proposed technique never counts an IP more than once when it checks the length of the delay queue. Moreover, this paper proposes a worm detection algorithm based on weighted average queue length for reducing worm detection time and the number of worm packets, without increasing the length of the delay queue. Through deep experiments, it is verified that the proposed technique, taking account of the length of the past delay queue as well as the current delay queue, forecasts worm propagation earlier than the typical throttling techniques do.

A Study of Formalized Presentation of Worm based on time-based Behavioral sequences (시간적인 행동 패턴을 고려한 웜의 정형 표현 기법 연구)

  • Lee Min-Soo;Shon Tae-Shik;Cho Sang-Hyun;Kim Dong-Soo;Seo Jung-Taek;Sohn Ki-Wook;Moon Jong-Sub
    • Journal of the Korea Institute of Information Security & Cryptology / v.16 no.3 / pp.53-64 / 2006
  • Worm analysis reports currently produced by anti-virus companies closely resemble virus reports and do not properly characterize the specific attributes of worms. In this paper, we propose a formalized presentation method based on time-based behavioral sequences to more accurately characterize worms. We define a format based on the behavior and communication patterns that occur between an infected host and a target host. We also propose a method for presenting worm analysis data with that format. We also compare our framework with analysis data provided by Symantec.

Design and Implementation of Internet Worm Traffic Generation System (인터넷 웜 트래픽 분석을 위한 웜 생성도구 설계 및 구현)

  • 최병철;최양서;서동일
    • Proceedings of the Korea Information Assurance Society Conference / 2004.05a / pp.333-337 / 2004
  • Internet worms change rapidly, and virus vaccines cannot defend against all Internet worms. To prevent them from spreading into the network and to analyze their specifications, we design and implement the Internet Worm Traffic Generator. In this research, we offer a real worm propagation environment through protocol and scenario specification.


Worm Virus Modeling and Simulation Methodology Using Artificial Life (인공생명 기반의 웜바이러스 모델링 및 시뮬레이션 방법론)

  • You, Yong-Jun;Chae, Soo-Hoan;Chi, Sung-Do;Oh, Ji-Yeon
    • Journal of the Korea Society for Simulation / v.15 no.4 / pp.1-10 / 2006
  • Computer virus modeling and simulation research has been conducted with a focus on network vulnerability analysis. But computer viruses show the characteristics of biological viruses, such as proliferation, reproduction and evolution. Therefore it is necessary to research computer virus modeling and simulation using the Artificial life technique. The approach of computer modeling and simulation using Artificial life provides an analysis method for the effects of computer viruses on the network and for the behavior mechanism of computer viruses. Hence this paper proposes a methodology of computer virus modeling and simulation using Artificial life, which is expected to contribute to research on computer virus vaccines.


Filtering of Malicious Codes using Bloom Filter (Bloom Filter를 이용한 악성 코드 탐지 방안)

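  • Lee, Sang-Hoon;Heo, Hwan-Jo;Kim, Hyo-Gong;Choi, Lynn
    • Proceedings of the Korean Information Science Society Conference / 2003.10a / pp.796-798 / 2003
  • Malicious code, which began with viruses, has evolved into the form of worms. The propagation speed and infection range of worms have increased as Internet networks have become faster and larger, but no breakthrough method for blocking worms has yet been developed, and the damage caused by worms is becoming increasingly severe. This paper proposes a content filtering method using a Bloom Filter[1]. Through experiments, we verified the performance of the Bloom Filter against already known worms, and we also propose a way to apply the Bloom Filter to unknown worms.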


A Study on the Worm.Virus Attack Technique of Cyber Warfare (사이버 정보전 웜.바이러스 공격 기술 연구)

  • 김환국;서동일;이상호
    • Proceedings of the Korean Institute of Information and Communication Sciences Conference / 2004.05b / pp.776-779 / 2004
  • With the rapid progress of information technique, it is getting more difficult to protect information systems from cyber terrorism, because of bugs and vulnerabilities in software and the properties of cyberspace such as anonymity. Furthermore, cyber terror techniques are highly developed and complicated, and their use for malicious intent and military purposes has been increasing recently. Therefore a study of warfare attack technology in cyberspace is necessary for establishing a trusted society and furthering national security. In particular, worms/viruses are becoming a more common occurrence in cyberspace. Also, the worm caused a great deal of damage to a large number of networks around the world in a very short period of time. Therefore, we describe worms/viruses as a warfare attack technique in this paper.


Analysis Malicious Code Scheme and Current Status(III) (악성 프로그램의 기법 분석 및 동향(III))

  • 황규범;조시행;안철수
    • Proceedings of the Korea Institutes of Information Security and Cryptology Conference / 2001.11a / pp.96-101 / 2001
  • This paper describes the definitions and concepts of malicious code such as computer viruses (hereafter, viruses), worms, and Trojan horses; analyzes the main techniques of malicious code, centered on viruses, from November 2000 to October 2001; describes overall virus discovery trends and the future outlook; and concludes by presenting research directions for future malicious code countermeasures.
