• Convergence Security Journal
• /
• v.21 no.3
• /
• pp.13-23
• /
• 2021

The attacker's techniques and tools are becoming intelligent and sophisticated. Existing Anti-Virus cannot prevent security accident. So the security threats on the endpoint should also be considered. Recently, EDR security solutions to protect endpoints have emerged, but they focus on visibility. There is still a lack of detection and responsiveness. In this paper, we use real-world EDR event logs to aggregate knowledge-based MITRE ATT&CK and autoencoder-based anomaly detection techniques to detect anomalies in order to screen effective analysis and analysis targets from a security manager perspective. After that, detected anomaly attack signs show the security manager an alarm along with log information and can be connected to legacy systems. The experiment detected EDR event logs for 5 days, and verified them with hybrid analysis search. Therefore, it is expected to produce results on when, which IPs and processes is suspected based on the EDR event log and create a secure endpoint environment through measures on the suspicious IP/Process.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.26 no.8
• /
• pp.1205-1212
• /
• 2022

Cyber threat targeting ICS (Industrial Control System) has indicated drastic increases over the past decade and Cyber Incident in Critical Infrastructure such as Energy, Gas Terminal and Petrochemical industries can lead to disaster-level accidents including casualties and large-scale fires. In order to effectively respond to cyber attacks targeting ICS, a multi-layered defense-in-depth strategy considering Control System Architecture is necessary. In particular, the centralized security log system integrating OT (Operational Technology) and IT (Information Technology) plays an important role in the ICS incident response plan. The paper suggests the way of implementing centralized security log system that collects security events and logs using OPC Protocol from Level 0 to Level 5 based on IEC62443 Purdue Model to integrate ICS security logs with SIEM (Security Information Event Management) operated in IT environment.

• Korean Journal of Computational Design and Engineering
• /
• v.18 no.4
• /
• pp.250-257
• /
• 2013

This paper introduces a failure analysis procedure that underpins real-time fault prognosis. In the previous study, we developed a systematic eventization procedure which makes it possible to reduce the original data size into a manageable one in the form of event logs and eventually to extract failure patterns efficiently from the reduced data. Failure patterns are then extracted in the form of event sequences by sequence-mining algorithms, (e.g. FP-Tree algorithm). Extracted patterns are stored in a failure pattern library, and eventually, we use the stored failure pattern information to predict potential failures. The two practical case studies (marine diesel engine and SIRIUS-II car engine) provide empirical support for the performance of the proposed failure analysis procedure. This procedure can be easily extended for wide application fields of failure analysis such as vehicle and machine diagnostics. Furthermore, it can be applied to human health monitoring & prognosis, so that human body signals could be efficiently analyzed.

• Journal of the Korean Society for Railway
• /
• v.12 no.2
• /
• pp.190-198
• /
• 2009

This study shows the developing process of the risk assessment models for railway casualty accidents. To evaluate the risks of these accidents, the hazardous events and the hazardous factors were identified by the review of the accident history and engineering interpretation of the accident behavior. The frequency of each hazardous event was evaluated from the historical accident data and structured expert judgments by using the Fault Tree Analysis (FTA) technique. In addition, to assess the severity of each hazardous event, the ETA (Event Tree Analysis) technique and other safety techniques were applied. The risk assessment models developed can be effectively utilized in defining the risk reduction measures in connection with the option analysis.

• Journal of the Korean Society for Railway
• /
• v.11 no.6
• /
• pp.530-535
• /
• 2008

After train fire accident in Daegue, many research on train fire safety improvement have been carrying out. Since many alternative fire safety measures can be applied in our railway system, the effect of the each safety measure must be quantified prior to the safety investment. In order to estimate the effects of each safety measure quantitatively, fault trees and event trees are constructed in this study. Results can be applied for cost-benefit analysis or sensitivity analysis for safety measures in risk assessment process.

• Journal of the Society of Naval Architects of Korea
• /
• v.61 no.4
• /
• pp.278-288
• /
• 2024

According to International Association of Classification Societies (IACS) Unified Requirement (UR) E26, ships contracted for construction after July 1, 2024 should be designed, constructed, commissioned and operated taking into account of cyber security. In particular, ship network monitoring tools should be installed in accordance with requirement 4.3.1 in IACS UR E26. In this paper, we propose a Security Information and Event Management (SIEM) security policy model for ships as an effective threat detection method by analyzing the cyber security regulations and ship network status in the maritime domain. For this purpose, we derived the items managed in the SIEM from the maritime cyber security regulations such as those of International Maritime Organization (IMO) and IACS, and defined 14 detection policies considering the status of the ship network. We also presents the detection policy for non-expert crews to understand it, and occurrence conditions depending on the ship's network environment to minimize indiscriminate alarms. We expect that the results of this study will help improve the efficiency of ship SIEM to be installed in the future.

• Journal of Internet Computing and Services
• /
• v.11 no.6
• /
• pp.73-86
• /
• 2010

In proportion to the rapid increase in the number of Web users, web attack techniques are also getting more sophisticated. Therefore, we need not only to detect Web attack based on the log analysis but also to extract web attack events from audit information such as Web firewall, Web IDS and system logs for detecting abnormal Web behaviors. In this paper, web attack detection system was designed and implemented based on integrated web audit data for detecting diverse web attack by generating integrated log information generated from W3C form of IIS log and web firewall/IDS log. The proposed system analyzes multiple web sessions and determines its correlation between the sessions and web attack efficiently. Therefore, proposed system has advantages on extracting the latest web attack events efficiently by designing and implementing the multiple web session and log correlation analysis actively.

• Journal of Internet Computing and Services
• /
• v.20 no.1
• /
• pp.87-96
• /
• 2019

In this paper, we propose a MapReduce-supported clustering technique for collecting and classifying distributed workflow enactment event logs as a preprocessing tool. Especially, we would call the distributed workflow enactment event logs as Workflow BIG-Logs, because they are satisfied with as well as well-fitted to the 5V properties of BIG-Data like Volume, Velocity, Variety, Veracity and Value. The clustering technique we develop in this paper is intentionally devised for the preprocessing phase of a specific workflow process mining and analysis algorithm based upon the workflow BIG-Logs. In other words, It uses the Map-Reduce framework as a Workflow BIG-Logs processing platform, it supports the IEEE XES standard data format, and it is eventually dedicated for the preprocessing phase of the ${\rho}$-Algorithm that is a typical workflow process mining algorithm based on the structured information control nets. More precisely, The Workflow BIG-Logs can be classified into two types: of activity-based clustering patterns and performer-based clustering patterns, and we try to implement an activity-based clustering pattern algorithm based upon the Map-Reduce framework. Finally, we try to verify the proposed clustering technique by carrying out an experimental study on the workflow enactment event log dataset released by the BPI Challenges.

• Journal of Digital Convergence
• /
• v.10 no.5
• /
• pp.223-232
• /
• 2012

Recently, the leakage of personal information and privacy piracy increase. The victimized case of the malicious object rapidlies increase. Most of users use the windows operating system. Recently, the Windows 7 operating system was announced. Therefore, we need to study for the intrusion response technique at the next generation operate system circumstances. The accident response technique developed till now was mostly implemented around the Windows XP or the Windows Vista. However, a new vulnerability problem will be happen in the breach process of reaction as the Windows 7 operating system is announced. In the windows operating system, the system incident event needs to be efficiently analyzed. For this, the event information generated in a system needs to be visually analyzed around the time information or the security threat weight information. Therefore, in this research, we analyzed visually about the system event information generated in the Windows 7 operating system. And the system analyzing the system incident through the visual event information analysis process was designed and implemented. In case of using the system developed in this study the more efficient accident analysis is expected to be possible.

• The Journal of the Acoustical Society of Korea
• /
• v.39 no.6
• /
• pp.600-605
• /
• 2020

In this paper, we propose a sound event detection method using a multi-channel multi-scale neural networks for sound sensing home monitoring for the hearing impaired. In the proposed system, two channels with high signal quality are selected from several wireless microphone sensors in home. The three features (time difference of arrival, pitch range, and outputs obtained by applying multi-scale convolutional neural network to log mel spectrogram) extracted from the sensor signals are applied to a classifier based on a bidirectional gated recurrent neural network to further improve the performance of sound event detection. The detected sound event result is converted into text along with the sensor position of the selected channel and provided to the hearing impaired. The experimental results show that the sound event detection method of the proposed system is superior to the existing method and can effectively deliver sound information to the hearing impaired.