• Title/Summary/Keyword: 행위 기반 공격 탐지

Search Result 148, Processing Time 0.035 seconds

Macroscopic Treatment to Unknown Malicious Mobile Codes (알려지지 않은 악성 이동 코드에 대한 거시적 대응)

  • Lee, Kang-San;Kim, Chol-Min;Lee, Seong-Uck;Hong, Man-Pyo
    • Journal of KIISE:Computing Practices and Letters
    • /
    • v.12 no.6
    • /
    • pp.339-348
    • /
    • 2006
  • Recently, many researches on detecting and responding worms due to the fatal infrastructural damages explosively damaged by automated attack tools, particularly worms. Network service vulnerability exploiting worms have high propagation velocity, exhaust network bandwidth and even disrupt the Internet. Previous worm researches focused on signature-based approaches however these days, approaches based on behavioral features of worms are more highlighted because of their low false positive rate and the attainability of early detection. In this paper, we propose a Distributed Worm Detection Model based on packet marking. The proposed model detects Worm Cycle and Infection Chain among which the behavior features of worms. Moreover, it supports high scalability and feasibility because of its distributed reacting mechanism and low processing overhead. We virtually implement worm propagation environment and evaluate the effectiveness of detecting and responding worm propagation.

An Improved Detection Performance for the Intrusion Detection System based on Windows Kernel (윈도우즈 커널 기반 침입탐지시스템의 탐지 성능 개선)

  • Kim, Eui-Tak;Ryu, Keun Ho
    • Journal of Digital Contents Society
    • /
    • v.19 no.4
    • /
    • pp.711-717
    • /
    • 2018
  • The breakthrough in computer and network has facilitated a variety of information exchange. However, at the same time, malicious users and groups are attacking vulnerable systems. Intrusion Detection System(IDS) detects malicious behaviors through network packet analysis. However, it has a burden of processing a large amount of packets in a short time. Therefore, in order to solve these problem, we propose a network intrusion detection system that operates at kernel level to improve detection performance at user level. In fact, we confirmed that the network intrusion detection system implemented at kernel level improves packet analysis and detection performance.

A Study of Logical Network Partition and Behavior-based Detection System Using FTS (FTS를 이용한 논리적 망 분리와 행위기반 탐지 시스템에 관한 연구)

  • Kim, MinSu;Shin, SangIl;Ahn, ChungJoon;Kim, Kuinam J.
    • Convergence Security Journal
    • /
    • v.13 no.4
    • /
    • pp.109-115
    • /
    • 2013
  • Security threats through e-mail service, a representative tool to convey information on the internet, are on the sharp rise. The security threats are made in the path where malicious codes are inserted into documents files attached and infect users' systems by taking advantage of the weak points of relevant application programs. Therefore, to block infection of camouflaged malicious codes in the course of file transfer, this work proposed an integrity-checking and behavior-based detection system using File Transfer System (FTS), logical network partition, and conducted a comparison analysis with the conventional security techniques.

A Study of Program Execution Control based on Whitelist (화이트리스트 기반 프로그램 실행 통제 방안 연구)

  • Kim, Chang-hong;Choi, Dae-young;Yi, Jeong-hyun;Kim, Jong-bae
    • Proceedings of the Korean Institute of Information and Commucation Sciences Conference
    • /
    • 2014.10a
    • /
    • pp.346-349
    • /
    • 2014
  • Currently, the growing cyber threat continues, the damage caused by the evolution of malicious code incidents become more bigger. Such advanced attacks as APT using 'zero-day vulnerability' bring easy way to steal sensitive data or personal information. However it has a lot of limitation that the traditional ways of defense like 'access control' with blocking of application ports or signature base detection mechanism. This study is suggesting a way of controlling application activities focusing on keeping integrity of applications, authorization to running programs and changes of files of operating system by hardening of legitimate resources and programs based on 'white-listing' technology which analysis applications' behavior and its usage.

  • PDF

A Study on Distributed Cooperation Intrusion Detection Technique based on Region (영역 기반 분산협력 침입탐지 기법에 관한 연구)

  • Yang, Hwan Seok;Yoo, Seung Jae
    • Convergence Security Journal
    • /
    • v.14 no.7
    • /
    • pp.53-58
    • /
    • 2014
  • MANET can quickly build a network because it is configured with only the mobile node and it is very popular today due to its various application range. However, MANET should solve vulnerable security problem that dynamic topology, limited resources of each nodes, and wireless communication by the frequent movement of nodes have. In this paper, we propose a domain-based distributed cooperative intrusion detection techniques that can perform accurate intrusion detection by reducing overhead. In the proposed intrusion detection techniques, the local detection and global detection is performed after network is divided into certain size. The local detection performs on all the nodes to detect abnormal behavior of the nodes and the global detection performs signature-based attack detection on gateway node. Signature DB managed by the gateway node accomplishes periodic update by configuring neighboring gateway node and honeynet and maintains the reliability of nodes in the domain by the trust management module. The excellent performance is confirmed through comparative experiments of a multi-layer cluster technique and proposed technique in order to confirm intrusion detection performance of the proposed technique.

Collaboration Model Design to Improve Malicious Node Detection Rate in MANET (MANET에서 악의적 노드 탐지율 향상을 위한 협업모델 설계)

  • Shin, Eon-Seok;Jeon, Seo-In;Park, Gun-Woo;Ryu, Keun-Ho
    • Journal of the Korea Society of Computer and Information
    • /
    • v.18 no.3
    • /
    • pp.35-45
    • /
    • 2013
  • MANET has a weak point because it allows access from not only legal nodes but also illegal nodes. Most of the MANET researches had been focused on attack on routing path or packet forwarding. Nevertheless, there are insuffcient studies on a comprehensive approach to detect various attacks on malicious nodes at packet forwarding processes. In this paper, we propose a technique, named DTecBC (detection technique of malicious node behaviors based on collaboration), which can handle more effciently various types of malicious node attacks on MANET environment. The DTecBC is designed to detect malicious nodes by communication between neighboring nodes, and manage malicious nodes using a maintain table. OPNET tool was used to compare with Watchdog, CONFIDANT, SRRPPnT for verifying effectiveness of our approach. As a result, DTecBC detects various behaviors of malicious nodes more effectively than other techniques.

Behavior based Malware Profiling System Prototype (행위기반 악성코드 프로파일링 시스템 프로토타입)

  • Kang, Hong-Koo;Yoo, Dae-Hoon;Choi, Bo-Min
    • Annual Conference of KIPS
    • /
    • 2017.04a
    • /
    • pp.376-379
    • /
    • 2017
  • 전 세계적으로 악성코드는 하루 100만개 이상이 새롭게 발견되고 있으며, 악성코드 발생량은 해마다 증가하고 있는 추세이다. 공격자는 보안장비에서 악성코드가 탐지되는 것을 우회하기 위해 기존 악성코드를 변형한 변종 악성코드를 주로 이용한다. 변종 악성코드는 자동화된 제작도구나 기존 악성코드의 코드를 재사용하므로 비교적 손쉽게 생성될 수 있어 최근 악성코드 급증의 주요 원인으로 지목되고 있다. 본 논문에서는 대량으로 발생하는 악성코드의 효과적인 대응을 위한 행위기반 악성코드 프로파일링 시스템 프로토타입을 제안한다. 동일한 변종 악성코드들은 실제 행위가 유사한 특징을 고려하여 악성코드가 실행되는 과정에서 호출되는 API 시퀀스 정보를 이용하여 악성코드 간 유사도 분석을 수행하였다. 유사도 결과를 기반으로 대량의 악성코드를 자동으로 그룹분류 해주는 시스템 프로토타입을 구현하였다. 악성코드 그룹별로 멤버들 간의 유사도를 전수 비교하므로 그룹의 분류 정확도를 객관적으로 제시할 수 있다. 실제 유포된 악성코드를 대상으로 악성코드 그룹분류 기능과 정확도를 측정한 실험에서는 평균 92.76%의 분류 성능을 보였으며, 외부 전문가 의뢰에서도 84.13%로 비교적 높은 분류 정확도를 보였다.

Design of a Ransomware Detection System Utilizing Data Analytics (데이터 분석을 활용한 랜섬웨어 탐지 시스템 설계)

  • Jinwook Kim;Youngjae Lee;Jeonghoon Yoon;Kyungroul Lee
    • Proceedings of the Korean Society of Computer Information Conference
    • /
    • 2024.01a
    • /
    • pp.105-108
    • /
    • 2024
  • 랜섬웨어는 Ransom(몸값)과 Software(소프트웨어)의 합성어로, 데이터를 암호화하여 이를 인질로 금전을 요구하는 악성 프로그램이다. 블랙캣(BlackCat)과 같은 랜섬웨어가 스위스 항공 서비스 기업의 시스템을 마비시키는 공격을 시도하였으며, 이와 같은 랜섬웨어로 인한 피해는 지속적으로 발생하고 있다. 랜섬웨어에 의한 피해 감소 및 방지를 위하여, 다양한 랜섬웨어 탐지방안이 등장하였으며, 최근 행위 기반 침입탐지 시스템에 인공지능 기술을 결합하여 랜섬웨어를 탐지하는 방안이 연구되는 실정이다. 인공지능 기술은 딥러닝 및 하드웨어의 발전으로 데이터를 처리할 수 있는 범위가 넓어지면서, 다양한 분야와 접목하여 랜섬웨어 탐지를 위한 시스템에 적용되고 있지만, 국내는 국외만큼 활발하게 연구되지 않고 연구 개발 단계에 머물러 있다. 따라서 본 논문에서는 랜섬웨어에 감염된 파일에서 나타나는 특징 중 하나인 엔트로피를 데이터 분석에 활용함으로써, 랜섬웨어를 탐지하는 시스템을 제안하고 설계하였다.

  • PDF

Study of Snort Intrusion Detection Rules for Recognition of Intelligent Threats and Response of Active Detection (지능형 위협인지 및 능동적 탐지대응을 위한 Snort 침입탐지규칙 연구)

  • Han, Dong-hee;Lee, Sang-jin
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.25 no.5
    • /
    • pp.1043-1057
    • /
    • 2015
  • In order to recognize intelligent threats quickly and detect and respond to them actively, major public bodies and private institutions operate and administer an Intrusion Detection Systems (IDS), which plays a very important role in finding and detecting attacks. However, most IDS alerts have a problem that they generate false positives. In addition, in order to detect unknown malicious codes and recognize and respond to their threats in advance, APT response solutions or actions based systems are introduced and operated. These execute malicious codes directly using virtual technology and detect abnormal activities in virtual environments or unknown attacks with other methods. However, these, too, have weaknesses such as the avoidance of the virtual environments, the problem of performance about total inspection of traffic and errors in policy. Accordingly, for the effective detection of intrusion, it is very important to enhance security monitoring, consequentially. This study discusses a plan for the reduction of false positives as a plan for the enhancement of security monitoring. As a result of an experiment based on the empirical data of G, rules were drawn in three types and 11 kinds. As a result of a test following these rules, it was verified that the overall detection rate decreased by 30% to 50%, and the performance was improved by over 30%.

A Practical Feature Extraction for Improving Accuracy and Speed of IDS Alerts Classification Models Based on Machine Learning (기계학습 기반 IDS 보안이벤트 분류 모델의 정확도 및 신속도 향상을 위한 실용적 feature 추출 연구)

  • Shin, Iksoo;Song, Jungsuk;Choi, Jangwon;Kwon, Taewoong
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.28 no.2
    • /
    • pp.385-395
    • /
    • 2018
  • With the development of Internet, cyber attack has become a major threat. To detect cyber attacks, intrusion detection system(IDS) has been widely deployed. But IDS has a critical weakness which is that it generates a large number of false alarms. One of the promising techniques that reduce the false alarms in real time is machine learning. However, there are problems that must be solved to use machine learning. So, many machine learning approaches have been applied to this field. But so far, researchers have not focused on features. Despite the features of IDS alerts are important for performance of model, the approach to feature is ignored. In this paper, we propose new feature set which can improve the performance of model and can be extracted from a single alarm. New features are motivated from security analyst's know-how. We trained and tested the proposed model applied new feature set with real IDS alerts. Experimental results indicate the proposed model can achieve better accuracy and false positive rate than SVM model with ordinary features.