• Proceedings of the Korean Society of Broadcast Engineers Conference
• /
• 2007.02a
• /
• pp.75-78
• /
• 2007

인터넷 사용의 대중화에는 웹 서비스의 힘이 컸다고 할 수 있다 지금까지도 웹 기반의 서비스가 점차 확대되고 있고 이에 따라 웹 공격과 웹 보안이 이슈가 되고 있다. 웹 서비스를 이용하는 어플리케이션은 기존 보안도구를 통한 분석 작업과 모니터링에 관리자의 개입이 많이 요구되었고, 자동화된 방법 중의 하나인 로그를 이용한 분석 방법들은 실시간으로 확인하고 대응 할 수 없는 단점이 있다. 본 논문에서는 기존의 웹 공격 탐지 방법과 시각화 방법들의 개선사항들을 제안한다.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.23 no.10
• /
• pp.1311-1319
• /
• 2019

Currently, the web environment is a commonly used area for sharing information and conducting business. It is becoming an attack point for external hacking targeting on personal information leakage or system failure. Conventional signature-based detection is used in cyber threat but signature-based detection has a limitation that it is difficult to detect the pattern when it is changed like polymorphism. In particular, injection attack is known to the most critical security risks based on web vulnerabilities and various variants are possible at any time. In this paper, we propose a novelty detection technique to detect abnormal state that deviates from the normal state on web-server log dataset(WSLD). The proposed method is a machine learning-based technique to detect a minor anomalous data that tends to be different from a large number of normal data after replacing strings in web-server log dataset with vectors using machine learning-based embedding algorithm.

• Review of KIISC
• /
• v.25 no.5
• /
• pp.74-80
• /
• 2015

HTML5가 발표되고, 웹상에서 HTML5 신요소와 자바스크립트를 이용한 다양한 기능 구현이 가능하게 되었다. 기존 웹에서는 외부 플러그인을 이용하여야 가능했던 기능들이 웹의 자체 기능으로 구현이 가능해졌다. 하지만 이로 인해 기존에 플러그인인 ActiveX, Flash를 이용했던 공격 대신 HTML5와 자바스크립트를 이용한 공격이 주목 받고 있다. 본 논문에서는 HTML5와 자바스크립트를 이용한 공격들을 살피고, 공격의 파급력과 대책의 중요성을 확인한다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2020.11a
• /
• pp.397-400
• /
• 2020

SDN(Software Defined Networking)은 효율적인 방법과 저렴한 비용으로 네트워크를 직접 프로그램 하여 즉각적인 제어를 할 수 있다. 본 논문에서는 SDN 의 특성을 활용, SDN 구성요소인 컨트롤러와 스위치를 활용하여 공격 정보를 수집하고 이를 기반으로 공격을 탐지하는 위협 레벨 관리 모듈, 공격 탐지 모듈, 패킷 통계 모듈 등을 설계하여 프로그래밍하고 허니팟을 적용하여 서비스 거부(DoS, Denial of Services)공격을 차단하는 방법을 제시한다.

• The KIPS Transactions:PartA
• /
• v.15A no.3
• /
• pp.181-188
• /
• 2008

Nowadays, most web sites are developed using dynamic web pages where web pages are generated and transmitted by web application programs. Therefore, the ratio of attacks injecting malevolent strings to vulnerable web applications is increasing. In this paper, we present a static program analyzer which analyzes whether a web application program has vulnerabilities to the SQL injection attack and the cross site scripting(XSS) attack. To analyze programs using abstract interpretation framework, we designed an abstract domain which models potential string set along with excluded strings and developed an abstract interpreter for the PHP language. Also, based on them, we implemented a static analyzer. According to our experiments, our analyzer has competitive analysis speed and accuracy compared with related research results.

• Journal of Korea Multimedia Society
• /
• v.11 no.11
• /
• pp.1601-1614
• /
• 2008

The number of web service users has been increased rapidly as existing services are changed into the web-based internet applications. Therefore, it is necessary for us to use web log pre-processing technique to detect attacks on diverse web service transactions and it is also possible to extract web mining information. However, existing mechanisms did not provide efficient pre-processing procedures for a huge volume of web log data. In this paper, we proposed both a field based parsing and a high-speed log indexing mechanism based on the suggested B-tree Index Vector structure for performance enhancement. In experiments, the proposed mechanism provides an efficient web log pre-processing and search functions with a session classification. Therefore it is useful to enhance web attack detection function.

• Journal of the Korea Society of Computer and Information
• /
• v.17 no.5
• /
• pp.33-40
• /
• 2012

In this paper we propose an anomaly detection scheme to detect new attack paths or new attack methods without false positives by monitoring HTTP Outbound Traffic after efficient training. Our proposed scheme detects web-based attacks by comparing tags or javascripts of HTTP Outbound Traffic with normal behavioral models which apply HMM(Hidden Markov Model). Through the verification analysis under the real-attacked environment, we show that our scheme has superior detection capability of 0.0001% false positive and 96% detection rate.

• Convergence Security Journal
• /
• v.18 no.3
• /
• pp.37-44
• /
• 2018

Today we live in a flood of web sites and access numerous websites through the Internet to obtain various information. However, unless the security of the Web site is secured, Web site security can not be secured from various malicious attacks. Hacking attacks, which exploit Web site security vulnerabilities for various reasons, such as financial and political purposes, are increasing. Various attack techniques such as SQL-injection, Cross-Site Scripting(XSS), and Drive-By-Download are being used, and the technology is also evolving. In order to defend against these various hacking attacks, it is necessary to remove the vulnerabilities from the development stage of the website, but it is not possible due to various problems such as time and cost. In order to compensate for this, it is important to identify vulnerabilities in Web sites through web vulnerability checking and take action. In this paper, we investigate web vulnerabilities and diagnostic techniques and try to understand the priorities of vulnerabilities in the development stage according to the actual status of each case through cases of actual web vulnerability diagnosis.

• Convergence Security Journal
• /
• v.4 no.2
• /
• pp.17-25
• /
• 2004

As Internet and Internet users are rapidly increasing and getting popularized in the world the existing firewall has limitations to detect attacks which exploit vulnerability of web server. And these attacks are increasing. Most of all, intrusions using web application's programming error are occupying for the most part. In this paper, we introduced real-time web-server agent which analyze web-server based log and detect web-based attacks after the analysis of the web-application's vulnerability. We propose the method using real-time agent which remove Process ID(pid) and block out attacker's If if it detects the intrusion through the decision stage after judging attack types and patterns.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2005.05a
• /
• pp.1327-1330
• /
• 2005

서비스 거부공격(Denial of Sevice)이란 서버의 자원을 고갈시켜 더이상 정상적인 서비스를 할 수 없도록 하는 공격이다. DoS 공격 중에서 SYN Flooding DoS Attack을 받은 웹 서버는 외부로부터 들어온 공격 패킷에 의해 back log를 소모하게 된다. 그 결과 정상적인 연결 요청에 대해 서비스를 제공하지 못하게 된다. Dos 공격에 관한 다양한 연구가 진행되고 있지만, 본 논문에서는 서비스 거부공격이 TCP 상태 전이에 미치는 영향에 관한 연구를 하였다. 웹 서버의 Tcp 상태정보를 얻기 위해 GetTcpinfo 프로세스를 실행한 후 정상적인 접속을 시도해 보고 정상적인 접속이 진행되고 있는 상태에서 DoS 공격을 시도한다. GetTcpinfo 프로세스에 의해 파일로 저장된 TCP 상태전이 값을 분석하여 DoS 공격이 TCP 상태 전이에 미치는 영향에 대해 알아본다.