• Journal of KIISE:Information Networking
• /
• v.29 no.6
• /
• pp.674-684
• /
• 2002

Anomaly detection techniques have teen devised to address the limitations of misuse detection approach for intrusion detection. An HMM is a useful tool to model sequence information whose generation mechanism is not observable and is an optimal modeling technique to minimize false-positive error and to maximize detection rate, However, HMM has the short-coming of login training time. This paper proposes an effective HMM-based IDS that improves the modeling time and performance by only considering the events of privilege flows based on the domain knowledge of attacks. Experimental results show that training with the proposed method is significantly faster than the conventional method trained with all data, as well as no loss of recognition performance.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.6
• /
• pp.1219-1230
• /
• 2012

Recently, lots of users are using wireless LAN providing authentication and confidentiality with security mechanism such as WEP, WPA. But, weakness of each security mechanism was discovered and attack methods that user's information was exposed or modified to the third parties with it and abused by them were suggested. In this paper, we analyzed architecture of security mechanisms in wireless LAN and performed PSK cracking attack and cookie session hijacking attack with the known vulnerability. And, an improved 4-way handshake mechanism which can counter PSK cracking attack and a cookie replay detection mechanism which can prevent cookie session hijacking attack were proposed. Proposed mechanisms are expected to apply to establish more secure wireless LAN environment by countering existing vulnerability.

• The Journal of the Korea Contents Association
• /
• v.18 no.4
• /
• pp.305-313
• /
• 2018

With the explosive growth of smart phones and efficiency, the Android of an open mobile operating system is gradually increasing in the use and the availability. Android systems has proven its availability and stability in the mobile devices, the home appliances's operating systems, the IoT products, and the mechatronics. However, as the usability increases, the malicious code based on Android also increases exponentially. Unlike ordinary PCs, if malicious codes are infiltrated into mobile products, mobile devices can not be used as a lock and can be leaked a large number of personal contacts, and can be lead to unnecessary billing, and can be cause a huge loss of financial services. Therefore, we proposed a method to detect and delete malicious files in real time in order to solve this problem. In this paper, we also designed a method to detect and delete malicious codes in a more effective manner through the process of installing Android-based applications and signature-based malicious code detection method. The method we proposed and designed can effectively detect malicious code in a limited resource environment, such as mobile environments.

• Journal of Convergence for Information Technology
• /
• v.8 no.6
• /
• pp.209-215
• /
• 2018

In this paper, we propose a method to detect and block Meltdown malicious code which is increasing rapidly using dynamic sandbox tool. Although some patches are available for the vulnerability of Meltdown attack, patches are not applied intentionally due to the performance degradation of the system. Therefore, we propose a method to overcome the limitation of existing signature detection method by using machine learning method for infrastructures without active patches. First, to understand the principle of meltdown, we analyze operating system driving methods such as virtual memory, memory privilege check, pipelining and guessing execution, and CPU cache. And then, we extracted data by using Linux strace tool for detecting Meltdown malware. Finally, we implemented a decision tree based dynamic detection mechanism to identify the meltdown malicious code efficiently.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.5
• /
• pp.1069-1078
• /
• 2012

It is known that memory has been frequently a target threatening the computer system's security while attacks on the system utilizing the memory's weakness are actually increasing. Accordingly, various memory protection mechanisms have been studied on OS while new attack techniques bypassing the protection systems have been developed. Especially, buffer overflow attacks have been developed as attacks of Return to Library or Return-Oriented Programing and recently, a technique bypassing the countermeasure against Return-Oriented Programming proposed. Therefore, this paper is intended to suggest a detection mechanism at binary level by analyzing the procedure and features of Jump-Oriented Programming. In addition, we have implemented the proposed detection mechanism and experimented it may efficiently detect Jump-Oriented Programming attack.

• Journal of Internet of Things and Convergence
• /
• v.9 no.1
• /
• pp.1-7
• /
• 2023

Cases in which personal terminals or servers are infected by ransomware are rapidly increasing. Ransomware uses a self-developed encryption module or combines existing symmetric key/public key encryption modules to illegally encrypt files stored in the victim system using a key known only to the attacker. Therefore, in order to decrypt it, it is necessary to know the value of the key used, and since the process of finding the decryption key takes a lot of time, financial costs are eventually paid. At this time, most of the ransomware malware is included in a hidden form in binary files, so when the program is executed, the user is infected with the malicious code without even knowing it. Therefore, in order to respond to ransomware attacks in the form of binary files, it is necessary to identify the encryption module used. Therefore, in this study, we developed a mechanism that can detect and identify by reverse analyzing the encryption module applied to the malicious code hidden in the binary file.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.16 no.1
• /
• pp.98-106
• /
• 2012

CSD(Container Security Device) is a security device with sensors that can detect the abnormal behavior such as illegal opening of a container door. Since the CSD provides security and safety of the container, CSD should not only provide security services such as confidentiality and integrity but also cloning detection. If we can not detect the cloned CSD, an adversary can use the cloned CSD for many illegal purposes. In this paper, we propose a policy based cloned CSD detection mechanism. To evaluate proposed clone detection mechanism, we have implemented the proposed scheme and evaluated the results.

• Proceedings of the Korean Information Science Society Conference
• /
• 2003.04a
• /
• pp.287-289
• /
• 2003

최근 인터넷을 통한 사이버 공격의 형태가 다양해지고 복잡해지면서 효과적인 탐지 및 대응이 어려워지고 있다. 특히 UDP 계열의 DoS. DDoS 공격에서 IP 패킷 내의 근원지 IP 주소를 타인의 IP 주소로 위조하여 공격하는 경우 패킷의 실제 송신자를 추적하고 고립화 시키는 것은 불가능하다. 본 논문에서는 이러한 공격에 쉽게 대응할 수 있는 보안 구조로서 액티브 네트워크를 이용한 보안 관리 프레임워크를 설계하고, 위조 IP 공격에 보다 능동적인 대응이 가능한 메커니즘을 제안한다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2016.04a
• /
• pp.265-266
• /
• 2016

VANET은 짧은 거리 이동 통신을 이용한 MANET의 일종으로 노드들이 차량들로 이루어져 있다. 차량들은 차량들 사이에 메시지 교환과 도로 측면의 인프라와 메시지를 교환한다. VANET을 실세계에 적용 시에 가장 주요한 요소는 보안 문제이다. 다양한 보안 문제가 있지만 이상 행동을 하는 차량은 가장 위협적인 위험이 되고 있다. 비인증된 공격은 PKI 보안 메커니즘으로 탐지하고 제거될 수 있지만 인증된 노드의 이상 행동은 주요한 문제가 되고 있다. 본 논문에서는 이러한 이기적인 행동이나 감염되어 이상적인 행동을 하는 노드들을 탐지하는 기법을 제안한다. 이를 위해 TPM 기능을 활용하여 비콘 메시지 교환을 통해 차량들 간의 신뢰관계를 형성하며 알람 메시지를 신뢰관계가 형성된 차량들과 인프라를 이용하여 부정 행위를 하는 노드를 탐지한다.

• Review of KIISC
• /
• v.18 no.3
• /
• pp.60-73
• /
• 2008

인터넷에서 발생하고 있는 심각한 문제의 대부분이 멀웨어(Malware)로 인하여 발생하고 있으며, 전 세계적으로 전파되고 그 영향은 점점 악화되고 있다. 이 악성소프트웨어는 점점 더 복잡하여 지고 있으며, 이에 따라 멀웨어에 대한 분석도 어렵게 되고 있다. 그러므로 멀웨어 탐지 기술 및 그 특징에 대한 분석이 절실히 요구된다. 본 논문에서는 효과적인 멀웨어에 대한 탐지 및 대응기법 수립을 위하여 인터넷 멀웨어를 분류하기 위한 방법과 탐지 기법에 대하여 분석 및 고찰하고자한다. 또한 제로-데이 공격에 대응하고자 개발된 ZASMIN(N(Zero-day Attack Signature Manufacture Infrastructure) 시스템의 특징에 대하여도 간략히 기술한다.