• Title/Summary/Keyword: behavior-based detection (행위기반탐지)


Development of Integrated Security Control Service Model based on Artificial Intelligence Technology (인공지능 기술기반의 통합보안관제 서비스모델 개발방안)

  • Oh, Young-Tack; Jo, In-June
    • The Journal of the Korea Contents Association / v.19 no.1 / pp.108-116 / 2019
  • In this paper, we propose a method to apply artificial intelligence technology efficiently to integrated security control technology. In other words, by applying machine learning to artificial intelligence based on the big data collected in an integrated security control system, cyber attacks are detected and appropriately responded to. As technology develops, many large-capacity logs are generated, but analysis is limited to individual logs. The analysis method should also be applied to integrated security control more quickly, because it needs to correlate the logs of various heterogeneous security devices rather than a single log. We newly propose an integrated security service model based on artificial intelligence, which analyzes and responds to these behaviors and gradually evolves and matures through effective learning methods. We sought a solution to the key problems expected in the proposed model, and we developed a learning method based on a normal-behavior learning model to strengthen the response capability against unidentified abnormal-behavior threats. In addition, future research directions for security management that can efficiently support the analysis and response of security personnel through the proposed security service model are suggested.

Collaboration Model Design to Improve Malicious Node Detection Rate in MANET (MANET에서 악의적 노드 탐지율 향상을 위한 협업모델 설계)

  • Shin, Eon-Seok; Jeon, Seo-In; Park, Gun-Woo; Ryu, Keun-Ho
    • Journal of the Korea Society of Computer and Information / v.18 no.3 / pp.35-45 / 2013
  • MANET has a weak point because it allows access not only from legitimate nodes but also from illegitimate nodes. Most MANET research has focused on attacks on the routing path or on packet forwarding. Nevertheless, there are insufficient studies on a comprehensive approach to detecting the various attacks of malicious nodes during packet forwarding. In this paper, we propose a technique named DTecBC (detection technique of malicious node behaviors based on collaboration), which can handle various types of malicious node attacks in a MANET environment more efficiently. DTecBC is designed to detect malicious nodes through communication between neighboring nodes, and manages malicious nodes using a maintain table. The OPNET tool was used to compare DTecBC with Watchdog, CONFIDANT, and SRRPPnT to verify the effectiveness of our approach. As a result, DTecBC detects the various behaviors of malicious nodes more effectively than the other techniques.

Game-bot Detection based on Analysis of Harvest Coordinate

  • Choi, Jae Woong; Kang, Ah Reum
    • Journal of the Korea Society of Computer and Information / v.27 no.5 / pp.157-163 / 2022
  • As the online game market grows, the use of game bots is causing the most serious problem for game services. We propose a harvest coordinate analysis model to detect harvesting bots among the game bots of the Massively Multiplayer Online Role-Playing Game (MMORPG) genre. The proposed model analyzes the player's harvesting behavior using coordinate data. Game bots can obtain in-game goods and items more easily than normal players and are not affected by realistic restrictions such as sleep time and character manipulation fatigue. As a result, there is a difference in harvesting coordinates between normal players and game bots. We divided the map into coordinate zones and used the differences between these coordinate zones to distinguish game bot players from normal players. We created a dataset from NCSoft's AION logs and applied it to a random forest model to detect game bots; as a result, we obtained a recall of 0.72 and a precision of 0.92.

Malicious Code Detection using the Effective Preprocessing Method Based on Native API (Native API 의 효과적인 전처리 방법을 이용한 악성 코드 탐지 방법에 관한 연구)

  • Bae, Seong-Jae; Cho, Jae-Ik; Shon, Tae-Shik; Moon, Jong-Sub
    • Journal of the Korea Institute of Information Security & Cryptology / v.22 no.4 / pp.785-796 / 2012
  • In this paper, we propose an effective behavior-based detection technique that uses the frequency of system calls to detect malicious code when the number of training samples is smaller than the number of system-call properties. In this study, we collect the Native APIs, which are Windows kernel data generated by running program code. Then we adopt the normalized frequency of Native APIs as the basic properties. In addition, the basic properties are transformed into new properties by GLDA (Generalized Linear Discriminant Analysis), which is an effective method to discriminate between malicious code and normal code even when the number of training samples is smaller than the number of properties. To detect the malicious code, kNN (k-Nearest Neighbor) classification, one of the Bayesian classification techniques, was used in this paper. We compared the proposed detection method with other methods on the collected Native APIs to verify the efficiency of the proposed method. We show that the proposed detection method has a lower false positive rate than the other methods at the threshold value where the detection rate is 100%.

An Analysis of the Operational Effectiveness of Target Acquisition Radar (포병 표적탐지 레이더 운용의 계량적 효과 분석)

  • Kang, Shin-Sung; Lee, Jae-Yeong
    • Journal of the Korea Society for Simulation / v.19 no.2 / pp.63-72 / 2010
  • In future warfare, the importance of counter-fire operations is increasing. Counter-fire operations are divided into offensive counter-fire operations and defensive counter-fire operations. Reviewing the research done so far, the detection asset of the offensive counter-fire operation, called the UAV (Unmanned Aerial Vehicle), and the analysis of its operational effectiveness are continually progressing. However, the detection asset of defensive counter-fire, called Target Acquisition Radar (TAR), and its quantitative operational effectiveness have not been studied yet. Therefore, in this paper, we study the operational effectiveness of TAR using C2 theory and the MANA simulation model, and show clear quantitative analysis results by comparing the cases of using TAR and not using TAR.

Botnet Traceback Based on Honeypot Using Memory Analysis (메모리 감시를 이용한 허니팟 기반의 봇넷 역추적)

  • Park, Chan-Ho; Kang, Kweon-Hak; Kwon, Young-Chan; Jang, Hee-Jin; Kim, Chul-Ho
    • Proceedings of the Korean Information Science Society Conference / 2007.06d / pp.25-28 / 2007
  • Recently, botnet-based spam distribution and distributed denial-of-service attacks have surged on the Internet, and these pose a serious threat to Internet-based services. The development of traceback technology that supports a fundamental response to botnet attacks, which use an indirect communication mechanism, is needed. In this paper, we propose a botnet traceback technique based on memory monitoring. This technique monitors the behavior of the bot server using memory monitoring technology, and lowers the risk that a honeypot infected as a bot server will be misused through network monitoring. It also provides an automatic analysis function for bot server information, so that the botnet's C&C server is traced quickly at the same time as the attack is detected.


Security Design for Efficient Detection of Misbehavior Node in MANET (MANET에서 비정상 노드를 효율적으로 탐지하기 위한 보안 설계)

  • Hwang, Yoon-Cheol
    • The Journal of Korean Institute of Communications and Information Sciences / v.35 no.3B / pp.408-420 / 2010
  • On a Mobile Ad hoc NETwork (MANET), it is difficult to detect and prevent misbehaving nodes existing between end nodes, as communication between remote nodes is made through multi-hop routes due to the lack of a fixed network structure. Therefore, to maintain MANET's performance and security, a technique to identify misbehaving intermediate nodes and the nodes that are compromised by them is required. However, previously proposed techniques assumed that the nodes comprising a MANET are in a friendly and cooperative relationship, and suggested only methods to identify misbehaving nodes. When these methods are applied to a larger-scale MANET, a large overhead is induced. As such, this paper suggests a system model called Secure Cluster-based MANET (SecCBM) to provide secure communication between the components of a MANET and to ensure efficiency, and detects and manages misbehavior nodes. SecCBM consists of two stages. The first is the prevention stage, where misbehavior nodes are identified when the MANET is formed, by using a cluster-based hierarchical control structure with dynamic authentication. The second is the post-prevention stage, where misbehavior nodes that appear during the course of communication among the nodes comprising the network are detected by using FC and MN tables. Through this, MANET's communication safety and efficiency were improved, and the proposed method was confirmed to be suitable for MANET through simulation-based performance evaluation.

A Preemptive Detection Method for Unknown IoT Botnet Based on Darknet Traffic (다크넷 트래픽 기반의 알려지지 않은 IoT 봇넷 선제탐지 방안)

  • Gunyang Park; Jungsuk Song; Heejun Roh
    • Journal of the Korea Institute of Information Security & Cryptology / v.33 no.2 / pp.267-280 / 2023
  • With the development of computing and communications technologies, IoT environments based on high-speed networks have been expanding rapidly. In particular, from the home to the office or the factory, applications of IoT devices that sense the environment and perform computations are increasing. Unfortunately, IoT devices, which have limited hardware resources, can be vulnerable to cyber attacks. Hence, there is a concern that an IoT botnet can give rise to information leakage as a national cyber security crisis, arising from abuse as a malicious waypoint or from propagation through connected networks. In order to respond in advance to unknown cyber threats in IoT networks, in this paper we first define four types of characteristics by analyzing darknet traffic accessed from an IoT botnet. Using these characteristics, a suspicious IP address is filtered quickly. Secondly, the filtered address is identified through Cyber Threat Intelligence (CTI) or Open Source INTelligence (OSINT) as an unknown suspicious host. The identified IP address is finally fingerprinted to determine whether the IP is a malicious host or not. To verify the validity of the proposed method, we apply it to a darknet in a real-world SOC. As a result, about 1,000 hosts that were detected and blocked preemptively by the proposed method are confirmed as real IoT botnets.

Comparative Study of Anomaly Detection Accuracy of Intrusion Detection Systems Based on Various Data Preprocessing Techniques (다양한 데이터 전처리 기법 기반 침입탐지 시스템의 이상탐지 정확도 비교 연구)

  • Park, Kyungseon; Kim, Kangseok
    • KIPS Transactions on Software and Data Engineering / v.10 no.11 / pp.449-456 / 2021
  • An intrusion detection system is a technology that detects abnormal behaviors that violate security policy, detects abnormal operations, and prevents system attacks. Existing intrusion detection systems have been designed using statistical analysis or anomaly detection techniques for traffic patterns, but modern systems generate a variety of traffic that differs from that of existing systems due to rapidly evolving technologies, so the existing methods have limitations. In order to overcome this limitation, studies on intrusion detection methods applying various machine learning techniques are being actively conducted. In this study, a comparative study was conducted on data preprocessing techniques that can improve the accuracy of anomaly detection, using NGIDS-DS (Next Generation IDS Database), which was generated by simulation equipment for traffic in various network environments. Padding and a sliding window were used for data preprocessing, and an oversampling technique with an Adversarial Auto-Encoder (AAE) was applied to solve the problem of imbalance between the normal data rate and the abnormal data rate. In addition, an improvement in detection accuracy was confirmed by using Skip-gram, one of the Word2Vec techniques, which can extract feature vectors from the preprocessed sequence data. PCA-SVM and GRU were used as models for the comparative experiments, and the experimental results showed better performance when the sliding window, Skip-gram, AAE, and GRU were applied.

The Research on Data Concealing and Detection of SQLite Database (SQLite 데이터베이스 파일에 대한 데이터 은닉 및 탐지 기법 연구)

  • Lee, Jae-hyoung; Cho, Jaehyung; Hong, Kiwon; Kim, Jongsung
    • Journal of the Korea Institute of Information Security & Cryptology / v.27 no.6 / pp.1347-1359 / 2017
  • SQLite is a file-based DBMS (Database Management System) that provides transactions, and it is loaded on smartphones because it is appropriate for lightweight platforms. As the use of smartphones has increased, SQLite-related crimes can occur. In this paper, we propose a new concealing method for SQLite DB files and a detection method against it. As a result of the concealing experiments, it is possible to intentionally conceal 70 bytes in the DB file header and to conceal original data by inserting artificial pages. However, this can be detected by parsing the 70 bytes based on the SQLite file structure or by using the number of records and indexes. Based on this, we propose a detection algorithm for concealed data.