• IEIE Transactions on Smart Processing and Computing
• /
• v.5 no.2
• /
• pp.94-99
• /
• 2016

Application layer attacks have for years posed an ever-serious threat to network security, since they always come after a technically legitimate connection has been established. In recent years, cyber criminals have turned to fully exploiting the web as a medium of communication to launch a variety of forbidden or illicit activities by spreading malicious automated software (auto-ware) such as adware, spyware, or bots. When this malicious auto-ware infects a network, it will act like a robot, mimic normal behavior of web access, and bypass the network firewall or intrusion detection system. Besides that, in a private and large network, with huge Hypertext Transfer Protocol (HTTP) traffic generated each day, communication behavior identification and classification of auto-ware is a challenge. In this paper, based on a previous study, analysis of auto-ware communication behavior, and with the addition of new features, a method for classification of HTTP auto-ware communication is proposed. For that, a Not Only Structured Query Language (NoSQL) database is applied to handle large volumes of unstructured HTTP requests captured every day. The method is tested with real HTTP traffic data collected through a proxy server of a private network, providing good results in the classification and detection of suspicious auto-ware web access.

• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.16 no.3
• /
• pp.21-28
• /
• 2016

File Time information has a significant meaning in digital forensic investigation. File time information in Linux Ext4 (Extended File System 4) environment is the Access Time, Modification Time, Inode Change Time, Deletion Time and Creation Time. File time is variously changed by user manipulations such as creation, copy and edit. And, the study of file time change is necessary for evidence analysis. This study analyzes the change in time information of files or folders resulting from user manipulations in Linux operating system and analyzes ways to determine real time of malware infection and whether the file was modulation.

• Convergence Security Journal
• /
• v.7 no.3
• /
• pp.95-100
• /
• 2007

Alternate Data Streams (ADS) in NTFS originally has developed to provide compatibility with Macintosh Hierarchical File System. However, it is being used by the malware writers in order to support hiding malwares or data for the purpose of anti-forensics. Therefore identifying if hidden ADSs exist and extracting them became one of the most important component in computer forensics. This paper proposes a method to detect ADSs using MFT information. Experiment reveals that proposed method is better in performance and detection rate then others. This method supports not only identification of ADSs which are being used by the operating systems but also investigation of both live systems and evidence images. Therefore it is appropriate for using forensic purpose.

• Convergence Security Journal
• /
• v.15 no.1
• /
• pp.69-82
• /
• 2015

This dissertation introduce how to react against the cybercrime and analysis of malware detection. Also this dissertation emphasize the importance about efficient control of correspond process for the information security. Cybercrime and cyber breach are becoming increasingly intelligent and sophisticated. To correspond those crimes, the strategy of defense need change soft kill to hard kill. So this dissertation includes the study of weak point about OS, Application system. Also this dissertation suggest that API structure for handling and analyzing big data forensic.

• Convergence Security Journal
• /
• v.15 no.1
• /
• pp.3-9
• /
• 2015

In this paper, a detection technique of smishing using a TaintDroid is suggested. Suggesting system detects malicious acts by transmitting a URL to the TaintDroid server and installing a relevant application to a virtual device of the TaintDroid server, when a smartphone user receives a text message including the URL suspected as a smishing. Through this we want to distinguish an application that can not install because of suspicion of a smishing in an actual smartphone whether said application is malicious application or not by testing with the virtual device of said system. The detection technique of a smishing using the TaintDroid suggested in this paper is possible to detect in a new form a smishing with a text message and to identifying which application it is through analysis of results from a user.

• Convergence Security Journal
• /
• v.15 no.4
• /
• pp.83-90
• /
• 2015

Recent, Cyber attacks such as hacking and malicious code techniques are evolving very rapidly changing cyber a ttacks are increasing, the number of malicious code techniques vary accordingly become intelligent. In the case of m alware because of the ambiguity in the number of malware have increased rapidly by name or classified as maliciou s code may have difficulty coping with. This paper investigated the naming convention of the vaccine manufacturer s in Korea to solve this problem, the analysis and offers a naming convention for security control event detection r ule analysis to compare the pattern of the detection rule out based on this current.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.37 no.3B
• /
• pp.212-218
• /
• 2012

An Internet worm is a self-replicating malware program which uses a computer network. As the network connectivity among computers increases, Internet worms have become widespread and are still big threats. There are many approaches to model the propagation of Internet worms such as Code Red, Nimda, and Slammer to get the insight of their behaviors and to devise possible defense methods to suppress worms' propagation activities. The influence of the network characteristics on the worm propagation has usually been modeled by medical epidemic model, named SI model, due to its simplicity and the similarity of propagation patterns. So far, SI model is still dominant and new variations of the SI model, called SI-style models, are being proposed for the modeling of new Internet worms. In this paper, we elaborate the problems of SI-style models and then propose a new accurate stochastic model using an occupancy problem.

• Journal of KIISE
• /
• v.45 no.1
• /
• pp.1-8
• /
• 2018

Recently, distribution of malicious codes using the Internet has been one of the most serious cyber threats. Technology of malicious code distribution with detection bypass techniques has been also developing and the research has focused on how to detect and analyze them. However, obfuscated malicious JavaScript is almost impossible to detect, because the existing malicious code distributed web page detection system is based on signature and another limitation is that it requires constant updates of the detection patterns. We propose to overcome these limitations by means of an intelligent malicious code distributed web page detection system using a real browser that can analyze and detect intelligent malicious code distributed web sites effectively.

• Journal of Korea Society of Digital Industry and Information Management
• /
• v.12 no.1
• /
• pp.89-95
• /
• 2016

Recent growth of hacking threats and development in software and technology put Network security under threat, In addition, intrusion, malware and worm virus have been increased due to the existence of variety of sophisticated hacking methods. The goal of this study is to compare Snort Alpha version with Suricata 2.0.11 version whereas previous study focuses on comparison between snort 2. x version under thread environment and Suricata under multi-threading environment. This thesis' experiment environment is set as followed. Intel (R) Core (TM) i5-4690 3. 50GHz (4threads) of CPU, 16GB of RAM, 3TB of Seagate HDD, Ubuntu 14.04 are used. According to the result, Snort Alpha version is superior to Suricata in performance, but Snort Alpha had some glitches when executing pcap files which created core dump errors. Therefore this experiment seeks to analyze which performs better between Snort Alpha version that supports multi packet processing threads and Suricata that supports multi-threading. Through this experiment, one can expect the better performance of beta and formal version of Snort in the future.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.6 no.2
• /
• pp.766-783
• /
• 2012

Recently, many malicious users have attacked web browsers using JavaScript code that can execute dynamic actions within the browsers. By forcing the browser to execute malicious JavaScript code, the attackers can steal personal information stored in the system, allow malware program downloads in the client's system, and so on. In order to reduce damage, malicious web pages must be located prior to general users accessing the infected pages. In this paper, a novel framework (JsSandbox) that can monitor and analyze the behavior of malicious JavaScript code using internal function hooking (IFH) is proposed. IFH is defined as the hooking of all functions in the modules using the debug information and extracting the parameter values. The use of IFH enables the monitoring of functions that API hooking cannot. JsSandbox was implemented based on a debugger engine, and some features were applied to detect and analyze malicious JavaScript code: detection of obfuscation, deobfuscation of the obfuscated string, detection of URLs related to redirection, and detection of exploit codes. Then, the proposed framework was analyzed for specific features, and the results demonstrate that JsSandbox can be applied to the analysis of the behavior of malicious web pages.