• Journal of Internet Computing and Services
• /
• v.21 no.2
• /
• pp.1-8
• /
• 2020

Recently, the number of APT(Advanced Persistent Threats) attack using malware has been increasing, and research is underway to prevent and detect them. While it is important to detect and block attacks before they occur, it is also important to make an effective response through an accurate analysis for attack case and attack type, these respond which can be determined by analyzing the attack group of such attacks. Therefore, this paper propose a framework based on genetic algorithm for analyzing malware and understanding attacker group's features. The framework uses decompiler and disassembler to extract related code in collected malware, and analyzes information related to author through code analysis. Malware has unique characteristics that only it has, which can be said to be features that can identify the author or attacker groups of that malware. So, we select specific features only having attack group among the various features extracted from binary and source code through the authorship clustering method, and apply genetic algorithm to accurate clustering to infer specific features. Also, we find features which based on characteristics each group of malware authors has that can express each group, and create profiles to verify that the group of authors is correctly clustered. In this paper, we do experiment about author classification using genetic algorithm and finding specific features to express author characteristic. In experiment result, we identified an author classification accuracy of 86% and selected features to be used for authorship analysis among the information extracted through genetic algorithm.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.14 no.1
• /
• pp.260-280
• /
• 2020

Cyber-attacks emerge in a more intelligent way, and various security technologies are applied to respond to such attacks. Still, more and more people agree that individual response to each intelligent infringement attack has a fundamental limit. Accordingly, the cyber threat intelligence analysis technology is drawing attention in analyzing the attacker group, interpreting the attack trend, and obtaining decision making information by collecting a large quantity of cyber-attack information and performing relation analysis. In this study, we proposed relation analysis factors and developed a system for establishing cyber threat intelligence, based on malicious code as a key means of cyber-attacks. As a result of collecting more than 36 million kinds of infringement information and conducting relation analysis, various implications that cannot be obtained by simple searches were derived. We expect actionable intelligence to be established in the true sense of the word if relation analysis logic is developed later.

• Proceedings of the Korea Institutes of Information Security and Cryptology Conference
• /
• 2003.07a
• /
• pp.43-46
• /
• 2003

At SIC 2001, Popescu proposed m efficient group signature scheme for large groups［1］. However, this paper shows that his scheme is to be insecure by presenting a signature forgery. Using our attack, anyone (not necessarily a group member) can forge a signature on a message m, and sine the attacker doesn't have to be the group member, the revocation manager cannot reveal the identity of the signer. Additionally, we modify Popescue's scheme to prevent the forgeary.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.11 no.7
• /
• pp.3678-3698
• /
• 2017

With the rapid development of vehicular ad hoc Network (VANET), it has gained significant popularity and received increasing attentions from both academics and industry communities in aspects of security and efficiency. To address the security and efficiency issues, a self-authentication and deniable efficient group key agreement protocol is proposed in this paper. The scheme establishes a group between road side units (RSUs) and vehicles by using self-authentication without certification authority, and improves certification efficiency by using group key (GK) transmission method. At the same time, to avoid the attacker attacking the legal vehicle by RSUs, we adopt deniable group key agreement method to negotiation session key (sk) and use it to transmit GK between RSUs. In addition, vehicles not only broadcast messages to other vehicles, but also communicate with other members in the same group. Therefore, group communication is necessary in VANET. Finally, the performance analysis shows superiority of our scheme in security problems, meanwhile the verification delay, transmission overheard and message delay get significant improvement than other related schemes.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.21 no.3
• /
• pp.75-88
• /
• 2011

Messages need to transmit to the neighbors securely in wireless sensor network, because a sensor node is deployed in hostile area. Thus it is necessary to support secure communication. One of the most important communication part is secure multicast. Especially, group rekeying is a big problem for multicast key management. So, group rekeying must be proceed securely when secrete information is exposed by attacker. Many group rekeying schemes have been studied for ad hoc networks. However, these schemes are Ill1desirable in WSNs. In this paper, we proposed a novel group rekeying scheme in WSNs that it has very powerful security.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.17 no.1
• /
• pp.67-80
• /
• 2007

Nateon Messenger, which has the most number of users in Korea, supports many services such as E-mail, note, Cyworld, SMS, etc. In this paper, we will analyse the authentication traffic which is transmitted and received by the Nateon Messenger. Through performing the replay attack with the authentication information, we will show that an attacker can be authenticated illegally. Furthermore, we will show that other domestic messengers have similar security problems.

• International Journal of Internet, Broadcasting and Communication
• /
• v.8 no.4
• /
• pp.11-18
• /
• 2016

Due to open source policy, Android systems are exposed to a variety of security problems. In particular, app reuse attacks are detrimental threat to the Android system security. This is because attacker can create core malign components and quickly generate a bunch of malicious apps by reusing these components. Hence, it is very imperative to discern whether Android apps contain reused components. To meet this need, we propose an Android app reuse analysis technique based on the Sequential Hypothesis Testing. This technique quickly makes a decision with a few number of samples whether a set of Android apps is made through app reuse. We performed experimental study with 6 malicious app groups, 1 google and 1 third-party app group such that each group consists of 100 Android apps. Experimental results demonstrate that our proposed analysis technique efficiently judges Android app groups with reused components.

• Journal of KIISE
• /
• v.45 no.2
• /
• pp.106-112
• /
• 2018

Recently, the number of cyber attacks using malicious code has increased. Various types of malicious code detection techniques have been researched for several years as the damage has increased. In recent years, profiling techniques have been used to identify attack groups. This paper focuses on the identification of attack groups using a detection technique that does not involve malicious code detection. The attacker is identified by using a string or a code signature of the malicious code. In addition, the detection rate is increased by adding a technique to confirm the packing file. We use Yara as a detection technique. We have research about RAT (remote access tool) that is mainly used in attack groups. Further, this paper develops a ruleset using malicious code and packer main feature signatures for RAT which is mainly used by the attack groups. It is possible to detect the attacker by detecting RAT based on the newly created ruleset.

• Journal of Internet Computing and Services
• /
• v.23 no.6
• /
• pp.15-26
• /
• 2022

Various subjects are carrying out cyberattacks using a variety of tactics and techniques. Additionally, cyberattacks for political and economic purposes are also being carried out by groups which is sponsored by its nation. To deal with cyberattacks, researchers used to classify the malware family and the subjects of the attack based on malware signature. Unfortunately, attackers can easily masquerade as other group. Also, as the attack varies with subject, techniques, and purpose, it is more effective for defenders to identify the attacker's purpose and goal to respond appropriately. The essential goal of cyberattacks is to threaten the information security of the target assets. Information security is achieved by preserving the confidentiality, integrity, and availability of the assets. In this paper, we relabel the attacker's goal based on MITRE ATT&CK® in the point of CIA triad as well as classifying cyber security reports to verify the labeling method. Experimental results show that the model classified the proposed CIA label with at most 80% probability.

• Journal of Korea Society of Digital Industry and Information Management
• /
• v.6 no.1
• /
• pp.115-129
• /
• 2010

As the fixed mobile communication tools using the internet are developed, the off-line services are serviced through on-line on the internet. our society is divided into the real world and the cyber world. In the cyber world, the authentication to the user is absolutely required. The authentication is divided into the real-name authentication and the anonymous authentication by the kind of the internet service provider. There are some ISPs needed the real-name authentication and there are others ISPs needed the anonymity authentication. The research about the anonymity authentication is steadily established to these days. In this paper, we analyze the problem about blind signature, group signature, ring signature, and traceable signature. And we propose a method of anonymity authentication using the public certificate. In the proposal, the anonymity certificate have the new structure and management. Certificate Authority issues several anonymity certificates to a user through the real-name authentication. Several anonymity certificates give non-linked and non-traceability to the attacker.