• The KIPS Transactions:PartC
• /
• v.12C no.6 s.102
• /
• pp.855-864
• /
• 2005

In this paper, we propose an intrusion detection system(IDS) architecture which can detect and respond against the generation of abnormal traffic such as malicious code and Internet worms. We model the system, design and implement a simulator using OPNET Modeller, for the performance analysis on the response capacity of alert information in the proposed system. At first, we model the arrival process of alert information resulted from abnormal traffic. In order to model the situation in which alert information is intensively produced, we apply the IBP(Interrupted Bernoulli Process) which may represent well the burstiness of traffic. Then we perform the simulation in order to gain some quantitative understanding of the system for our performance parameters. Based on the results of the performance analysis, we analyze factors which may hinder in accelerating the speed of security node, and would like to present some methods to enhance performance.

• Journal of Internet of Things and Convergence
• /
• v.8 no.1
• /
• pp.65-72
• /
• 2022

The Internet of Things (IoT) provides data convergence and sharing functions, and IoT technology is the most fundamental core technology in creating new services by convergence of various cutting-edge technologies. However, there are different classification systems for the Internet of Things, and when it is limited to the domestic public sector, it is difficult to properly grasp the current status of which devices are installed and operated with what share, and systematic data or research The results are very difficult to find. Therefore, in this study, the relevance of the classification system for IoT devices was analyzed according to reality based on sales, shipments, and growth rate, and based on this, the actual share of IoT devices among domestic public institutions was analyzed in detail. The derived detailed analysis results are expected to be efficiently utilized in the process of selecting IoT devices for research and analysis to advance information protection technology such as responding to malicious code attacks on IoT devices, analyzing incidents, and strengthening security vulnerabilities.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.4
• /
• pp.753-761
• /
• 2017

Recently, malicious code infiltration and leakage of confidential documents using external USB medium are frequently occurring in each field. We investigate the media to investigate incidents using external USB media, but there are many difficulties in that they can be lost or damaged. Ultimately, in order to investigate cases of external USB media, it is necessary to conduct a direct analysis of the external USB media as well as the system to which the media is connected. This paper describes an analysis of the artifacts of Windows systems to which external USB media is connected, and how to check the job history on the media. Therefore, it is expected that the system can be used to analyze the job history of the USB medium even if the external USB medium is not secured.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.1
• /
• pp.67-77
• /
• 2017

A protector is a software for protecting core technologies by using compression and encryption. Nowadays malwares use the protector to conceal the malicious code from the analysis. For detailed analysis of packed program, unpacking the protector is a necessary procedure. Lately, most studies focused on finding OEP to unpack the program. However, in this case, it would be difficult to analyze the program because of the limits to remove protecting functions by finding OEP. In this paper, we studied about the protecting functions in the Themida and propose an unpacking technique for it.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.4
• /
• pp.905-914
• /
• 2015

Once information security solution is implemented, it requires many services other than just general user management, such as malicious code analysis and security updated for consistent security against external threats or attacks, analysis of threat and attack, effectivity management of obtained security assurance, and advisory activities of security technical professionals. However, even if information security solutions provide those extra services, they are not properly treated in real market. Thus, for the security sustainable services, this study analyzes the service status of domestic information security, and suggest policy measure of price which could reflected the characteristics of information security solutions.

• The Journal of the Korea Contents Association
• /
• v.17 no.3
• /
• pp.231-237
• /
• 2017

Threat intelligences collected from cyber incident sharing system and security events collected from Security Information & Event Management system are analyzed and coped with expanding malicious code rapidly with the advent of big data. Analytical classification of the threat intelligence in cyber incidents requires various features of cyber observable. Therefore it is necessary to improve classification accuracy of the similarity by using multi-profile which is classified as the same features of cyber observables. We propose a multi-profile ensemble model performed similarity analysis on cyber incident of threat intelligence based on both attack types and cyber observables that can enhance the accuracy of the classification. We see a potential improvement of the cyber incident analysis system, which enhance the accuracy of the classification. Implementation of our suggested technique in a computer network offers the ability to classify and detect similar cyber incident of those not detected by other mechanisms.

• Journal of Internet Computing and Services
• /
• v.20 no.4
• /
• pp.13-19
• /
• 2019

In order to register an application with Apple's App Store, it must pass a rigorous verification process through the Apple verification center. That's why spyware applications are difficult to get into the App Store. However, malicious code can also be executed through normal application vulnerabilities. To prevent such attacks, research is needed to detect and analyze early to patch potential vulnerabilities in applications. To prove a potential vulnerability, it is necessary to identify the root cause of the vulnerability and analyze the exploitability. A tool for analyzing iOS applications is the debugger named LLDB, which is built into Xcode, the development tool. There are various functions in the LLDB, and these functions are also available as APIs and are also available in Python. Therefore, in this paper, we propose a method to efficiently analyze potential vulnerabilities of iOS application by using LLDB API.

• Journal of the Korea Convergence Society
• /
• v.10 no.5
• /
• pp.9-16
• /
• 2019

In this paper, it will analyze security problems, so technology's potential can apply to business security area. First, in order to deep learning do security tasks sufficiently in the business area, deep learning requires repetitive learning with large amounts of data. In this paper, to acquire learning ability to do stable business tasks, it must detect abnormal IP packets and attack such as normal software with malicious code. Therefore, this paper will analyze whether deep learning has the cognitive ability to detect various attack. In this paper, to deep learning to reach the system and reliably execute the business model which has problem, this paper will develop deep learning technology which is equipped with security engine to analyze new IP about Session and do log analysis and solve the problem of mathematical role which can extract abnormal data and distinguish infringement of system data. Then it will apply to business model to drop the vulnerability and improve the business performance.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.4
• /
• pp.537-544
• /
• 2020

Advances in detection techniques, such as mutation and obfuscation, are being advanced with the development of malware technology. In the malware detection technology, unknown malware detection technology is important, and a method for Malware Authorship Attribution that detects an unknown malicious code by identifying the author through distributed malware is being studied. In this paper, we try to extract the compiler information affecting the binary-based author identification method and to investigate the sensitivity of feature selection, probability and non-probability models, and optimization to classification efficiency between studies. In the experiment, the feature selection method through information gain and the support vector machine, which is a non-probability model, showed high efficiency. Among the optimization studies, high classification accuracy was obtained through feature selection and model optimization through the proposed framework, and resulted in 48% feature reduction and 53 faster execution speed. Through this study, we can confirm the sensitivity of feature selection, model, and optimization methods to classification efficiency.

• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.11 no.1
• /
• pp.130-140
• /
• 2010

SIP (Session Initiation Protocol) is a signaling protocol to provide IP-based VoIP (Voice over IP) service. However, many security vulnerabilities exist as the SIP protocol utilizes the existing IP based network. The SIP Malformed message attacks may cause malfunction on VoIP services by changing the transmitted SIP header information. Additionally, there are several threats such that an attacker can extract personal information on SIP client system by inserting malicious code into SIP header. Therefore, the alternative measures should be required. In this study, we analyzed the existing research on the SIP anomaly message detection mechanism against SIP attack. And then, we proposed a Co-occurrence based SIP packet analysis mechanism, which has been used on language processing techniques. We proposed a association rule generation and an attack detection technique by using the actual SIP session state. Experimental results showed that the average detection rate was 87% on SIP attacks in case of using the proposed technique.