• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.35 no.3B
• /
• pp.431-439
• /
• 2010

The security systems using signatures cannot protect servers from new types of Internet worms. To protect servers from Internet worms, this paper proposes a system removing malicious processes and executable files without using signatures. The proposed system consists of control servers which offer the same services as those on protected servers, and agents which are installed on the protected servers. When a control server detects multicasting attacks of Internet worm, it sends information about the attacks to an agent. The agent kills malicious processes and removes executable files with this information. Because the proposed system do not use signatures, it can respond to new types of Internet worms effectively. When the proposed system is integrated with legacy security systems, the security of the protected server will be further enhanced.

• Journal of Convergence Society for SMB
• /
• v.5 no.4
• /
• pp.37-42
• /
• 2015

Due to the advance of ICT, a variety of attacks have been developing and active. Recently, APT attacks using malicious codes have frequently occurred. Advanced Persistent Threat means that a hacker makes different security threats to attack a certain network of a company or an organization. Exploiting malicious codes or weaknesses, the hacker occupies an insider's PC of the company or the organization and accesses a server or a database through the PC to collect secrets or to destroy them. The paper suggested a countermeasure to cope with APT attacks through an APT attack process. It sought a countermeasure to delay the time to attack taken by the hacker and suggested the countermeasure able to detect and remove APT attacks.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.14 no.12
• /
• pp.2716-2723
• /
• 2010

An Ad-hoc network will operate properly and provide smooth communication when nodes cooperate mutually with each of them having equal authority. Although it is possible to form a network consisting only of authenticated nodes in order to ensure reliability, authentication by itself is not sufficient to remove malicious nodes and their activities jeopardizing the whole network. Detection and prevention of such activities are vital for maintaining a safe and reliable network, but research on this matter is relatively lacking. Hence a suggestion is made on how to detect and prevent malicious or uncooperative ones among the nodes forming a network by a relationship of mutual trust, thereby maintaining safety and stability of the network and improving its processing abilities

• Convergence Security Journal
• /
• v.8 no.4
• /
• pp.1-8
• /
• 2008

Not only the recent hacking techniques are becoming more malicious with the sophisticated technology but also its consequences are bringing more damages as the broadband Internet is growing rapidly. These may include invasion of information leakage, or identity theft over the internet. Its intent is very destructive which can result in invasion of information leakage, hacking, one of the most disturbing problems on the net. This thesis describes the technology of how you can effectively analyze and detect these kind of E-Mail malicious codes. This research explains how we can cope with malicious code more efficiently by detection method.

• Journal of Communications and Networks
• /
• v.15 no.2
• /
• pp.164-172
• /
• 2013

We consider the problem of secure and robust clustering for quantized target tracking in wireless sensor networks (WSN) where the observed system is assumed to evolve according to a probabilistic state space model. We propose a new method for jointly activating the best group of candidate sensors that participate in data aggregation, detecting the malicious sensors and estimating the target position. Firstly, we select the appropriate group in order to balance the energy dissipation and to provide the required data of the target in the WSN. This selection is also based on the transmission power between a sensor node and a cluster head. Secondly, we detect the malicious sensor nodes based on the information relevance of their measurements. Then, we estimate the target position using quantized variational filtering (QVF) algorithm. The selection of the candidate sensors group is based on multi-criteria function, which is computed by using the predicted target position provided by the QVF algorithm, while the malicious sensor nodes detection is based on Kullback-Leibler distance between the current target position distribution and the predicted sensor observation. The performance of the proposed method is validated by simulation results in target tracking for WSN.

• Annual Conference of KIPS
• /
• 2018.10a
• /
• pp.438-441
• /
• 2018

In this paper, we propose a finite impulse response (FIR) filter under malicious cyber attacks. The FIR filter shows the robust performance against the malicious cyber attacks. The Kalman filter (KF), one of the widely used filters, is introduced as a comparison of robust performance of the proposed method. The robust performance of the proposed method under malicious cyber attacks is demonstrated through experimental results.

• Journal of IKEEE
• /
• v.25 no.3
• /
• pp.451-461
• /
• 2021

As various smart devices spread and the damage caused by malicious codes becomes more serious, malicious code detection technology using machine learning technology is attracting attention. However, if the training data of machine learning is constructed based on only the fragmentary characteristics of the code, it is still easy to create variants and new malicious codes that avoid it. To solve such a problem, a research using the function call relationship of malicious code as training data is attracting attention. In particular, it is expected that more advanced malware detection will be possible by measuring the similarity of graphs using GNN. This paper proposes an efficient method to generate a function call graph from binary code to utilize GNN for malware detection.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.2
• /
• pp.431-438
• /
• 2019

Fileless malware uses memory injection attacks to hide traces of payloads to perform malicious works. During the memory injection attack, an attack named "process hollowing" is a method of creating paused benign process like system processes. And then injecting a malicious payload into the benign process allows malicious behavior by pretending to be a normal process. In this paper, we propose a method to detect the memory injection regardless of whether or not the malicious action is actually performed when a process hollowing attack occurs. The replication process having same execution condition as the process of suspending the memory injection is executed, the data set belonging to each process virtual memory area is compared using the fuzzy hash, and the similarity is calculated.

• Journal of the Korea Society of Computer and Information
• /
• v.23 no.11
• /
• pp.85-93
• /
• 2018

In recent years, there has been an increasing number of ways to distribute document-based malicious code using vulnerabilities in document files. Because document type malware is not an executable file itself, it is easy to bypass existing security programs, so research on a model to detect it is necessary. In this study, we extract main features from the document structure and the JavaScript contained in the stream object In addition, when JavaScript is inserted, keywords with high occurrence frequency in malicious code such as function name, reserved word and the readable string in the script are extracted. Then, we generate a machine learning model that can distinguish between normal and malicious. In order to make it difficult to bypass, we try to achieve good performance in a black box type algorithm. For an experiment, a large amount of documents compared to previous studies is analyzed. Experimental results show 98.9% detection rate from three different type algorithms. SVM, which is a black box type algorithm and makes obfuscation difficult, shows much higher performance than in previous studies.

• Convergence Security Journal
• /
• v.18 no.3
• /
• pp.27-35
• /
• 2018

The certificate is electronic information issued by an accredited certification body to certify an individual or to prevent forgery and alteration between communications. Certified certificates are stored in PCs and smart phones in the form of encrypted files and are used to prove individuals when using Internet banking and smart banking services. Among the rapidly growing Android-based malicious applications are malicious apps that leak personal information, especially certificates that exist in the form of files. This paper proposes a method for judging whether malicious codes leak certificates by using DroidBox, an Android-based dynamic analysis tool.