• 정보보호학회논문지
• /
• 제31권4호
• /
• pp.779-791
• /
• 2021

보통의 웹 서비스는 불특정 다수에게 허용을 해야하는 접근 통제 정책으로 인하여, 지속적으로 해커들의 공격 대상이 되어 왔다. 이러한 상황에 대응하고자 기업들은 주기적으로 웹 취약점 점검을 실시하고, 발견된 취약점의 위험도에 따라 조치를 취하고 있다. 이러한 웹 취약점 위험도는 국내외 유관기관의 사전 통계 및 자체적인 평가를 통해 산정되어 있다. 하지만 웹 취약점 점검은 보안설정 및 소스코드 등의 정적 진단과는 달리 동적 진단으로 이루어진다. 동일한 취약점 항목일지라도 다양한 공격 결과를 도출할 수 있으며, 진단 대상 및 환경에 따라 위험도가 달라질 수 있다. 이러한 점에서 사전 정의된 위험도는 실제 존재하는 취약점의 위험도와는 상이할 수 있다. 본 논문에서는 이러한 점을 개선하고자 사이버 킬체인 중심으로 공격 결과 기반의 웹 취약점 위험도 평가 모델을 제시한다.

• International journal of advanced smart convergence
• /
• 제13권2호
• /
• pp.48-60
• /
• 2024

With the exponential growth of satellite data utilization, machine learning has become pivotal in enhancing innovation and cybersecurity in satellite systems. This paper investigates the role of machine learning techniques in identifying and mitigating vulnerabilities and code smells within satellite software. We explore satellite system architecture and survey applications like vulnerability analysis, source code refactoring, and security flaw detection, emphasizing feature extraction methodologies such as Abstract Syntax Trees (AST) and Control Flow Graphs (CFG). We present practical examples of feature extraction and training models using machine learning techniques like Random Forests, Support Vector Machines, and Gradient Boosting. Additionally, we review open-access satellite datasets and address prevalent code smells through systematic refactoring solutions. By integrating continuous code review and refactoring into satellite software development, this research aims to improve maintainability, scalability, and cybersecurity, providing novel insights for the advancement of satellite software development and security. The value of this paper lies in its focus on addressing the identification of vulnerabilities and resolution of code smells in satellite software. In terms of the authors' contributions, we detail methods for applying machine learning to identify potential vulnerabilities and code smells in satellite software. Furthermore, the study presents techniques for feature extraction and model training, utilizing Abstract Syntax Trees (AST) and Control Flow Graphs (CFG) to extract relevant features for machine learning training. Regarding the results, we discuss the analysis of vulnerabilities, the identification of code smells, maintenance, and security enhancement through practical examples. This underscores the significant improvement in the maintainability and scalability of satellite software through continuous code review and refactoring.

• Journal of Information Processing Systems
• /
• 제17권4호
• /
• pp.834-850
• /
• 2021

IT security companies have been releasing file system filter driver security solutions based on the whitelist, which are being used by several enterprises in the relevant industries. However, in February 2019, a whitelist vulnerability was discovered in Microsoft Edge browser, which allows malicious code to be executed unknown to users. If a hacker had inserted a program that executed malicious code into the whitelist, it would have resulted in considerable damage. File system filter driver security solutions based on the whitelist are discretionary access control (DAC) models. Hence, the whitelist is vulnerable because it only considers the target subject to be accessed, without taking into account the access rights of the file target object. In this study, we propose an industrial device security system for Windows to address this vulnerability, which improves the security of the security policy by determining not only the access rights of the subject but also those of the object through the application of the mandatory access control (MAC) policy in the Windows industrial operating system. The access control method does not base the security policy on the whitelist; instead, by investigating the setting of the security policy not only for the subject but also the object, we propose a method that provides improved stability, compared to the conventional whitelist method.

• 융합보안논문지
• /
• 제10권4호
• /
• pp.21-30
• /
• 2010

2010년 가장 중요한 보안 이슈 중 하나는 무선 네트워크이었다. 스마트폰의 보급이 본격화되면서 무선 인터넷 사용자가 급증하였고 무선 AP가 전국에 우후죽순으로 설치되었다. 그러나 대부분의 무선 AP가 보안적인 관점에서 제대로 관리되지 않고 있고 무선랜 이용자 또한 보안의 중요성을 인식하지 못하고 있다. 이러한 상황은 심각한 보안위협을 초래할 수 있다. 본 논문에서는 QR 코드를 통해 악성코드를 유포, 모바일 AP 기능 활성화를 통해 대량 과금을 유발하는 새로운 방식의 사이버 공격 기법을 설계하고 분석하였다. 제안한 새로운 취약점은 안드로이드폰의 모바일 AP 기능을 강제로 활성화시킨 후 주변에서 발생하는 모든 Probe Request에 대해서 응답하게 하여 과금 유발 및 통신 장애를 유발한다.

• Earthquakes and Structures
• /
• 제11권2호
• /
• pp.371-386
• /
• 2016

During the last decades, many destructive earthquakes occurred in Algeria, particularly in the northern part of the country (Chlef (1980), Constantine (1985), Tipaza (1989), Mascara (1994), Ain-Benian (1996), Ain Temouchent (1999), Beni Ourtilane (2000), and recently $Boumerd{\acute{e}}s$ (2003), causing enormous losses in human lives, buildings and equipments. In order to reduce this risk and avoid serious damages to the strategic existing buildings, the authorities of the country, aware of this risk and in order to have the necessary elements that let them to know and estimate the potential losses in advance, with an acceptable error, and to take the necessary countermeasures, decided to invest into seismic upgrade, strengthening and retrofitting of those buildings. To do so, seismic vulnerability study of this category of buildings has been considered. Structural analysis is performed based on the site investigation (inspection of the building, collecting data, materials characteristics, general conditions of the building, etc.), and existing drawings (architectural plans, structural design, etc.). The aim of these seismic vulnerability studies is to develop guidelines and a methodology for rehabilitation of existing buildings. This paper presents the methodology, based on non linear and seismic analysis of existing buildings, followed in this study and summarizes the vulnerability assessment and strengthening of one of the strategic buildings according to the new Algerian code RPA 99/version 2003. As a direct application of this methodology, both, static equivalent method and non linear dynamic analysis, of composite concrete masonry existing building in the city of "CONSTANTINE", located in the east side of ALGERIA, are presented in this paper.

• Structural Engineering and Mechanics
• /
• 제78권3호
• /
• pp.351-368
• /
• 2021

This paper, by applying a reliability-based framework, develops seismic vulnerability macrozonation maps for Tehran, the capital and one of the most earthquake-vulnerable city of Iran. Seismic performance assessment of 3-, 4- and 5-story steel moment resisting frames (SMRFs), designed according to ASCE/SEI 41-17 and Iranian Code of Practice for Seismic Resistant Design of Buildings (2800 Standard), is investigated in terms of overall maximum inter-story drift ratio (MIDR) and unit repair cost ratio which is hereafter known as "damage ratio". To this end, Tehran city is first meshed into a network of 66 points to numerically locate low- to mid-rise SMRFs. Active faults around Tehran are next modeled explicitly. Two different combination of faults, based on available seismological data, are then developed to explore the impact of choosing a proper seismic scenario. In addition, soil effect is exclusively addressed. After building analytical models, reliability methods in combination with structure-specific probabilistic models are applied to predict demand and damage ratio of structures in a cost-effective paradigm. Due to capability of proposed methodology incorporating both aleatory and epistemic uncertainties explicitly, this framework which is centered on the regional demand and damage ratio estimation via structure-specific characteristics can efficiently pave the way for decision makers to find the most vulnerable area in a regional scale. This technical basis can also be adapted to any other structures which the demand and/or damage ratio prediction models are developed.

• 정보보호학회논문지
• /
• 제32권5호
• /
• pp.845-853
• /
• 2022

스마트폰의 메모리 용량이 증가하면서 스마트폰에 저장된 개인 정보의 종류와 양도 증가하고 있다. 하지만 최근 악의적인 공격자의 악성 앱이나 수리기사 등의 타인으로 인해 스마트폰의 사진, 동영상 등의 다양한 개인 정보가 유출될 가능성이 증가하고 있기 때문에, 사용자의 이러한 개인 정보를 보호할 수 있는 다양한 정보 은닉 앱이 출시되고 있다. 본 논문은 이러한 정보 은닉 앱의 암호 알고리즘 및 데이터 보호 기능을 분석하여 안전성 및 취약점을 분석 및 연구했다. 이를 위해 우리는 Google Play에 등록된 정보 은닉 앱 중에서 전 세계적으로 가장 많이 다운로드된 AppLock 3.3.2 버전(December 30, 2020)과, 5.3.7 버전(June 13, 2022)을 분석했다. 접근 제어 기능의 경우, 사용자가 입력한 패턴을 암호화하기 위한 값들이 소스 코드에 평문으로 하드코딩 되어있으며 암호 알고리즘이 적용된 패턴 값은 xml 파일에 저장한다는 취약점이 존재했다. 또한 금고 기능의 경우 금고에 저장하기 위한 파일과 로그 파일을 암호화하지 않는 취약점이 존재했다.

• Earthquakes and Structures
• /
• 제15권6호
• /
• pp.701-713
• /
• 2018

Many bridges in Algeria were constructed without taking into account the seismic effect in the design. The implantation of a new regulation code RPOA-2008 requires a higher reinforcement ratio than with the seismic coefficient method, which is a common feature of the existing bridges. For better perception of the performance bridge piers and evaluation of the risk assessment of existing bridges, fragility analysis is an interesting tool to assess the vulnerability study of these structures. This paper presents a comparative performance of bridge piers designed with the seismic coefficient method and the new RPOA-2008. The performances of the designed bridge piers are assessed using thirty ground motion records and incremental dynamic analysis. Fragility curves for the bridge piers are plotted using probabilistic seismic demand model to perform the seismic vulnerability analysis. The impact of changing the reinforcement strength on the seismic behavior of the designed bridge piers is checked by fragility analysis. The fragility results reveal that the probability of damage with the RPOA-2008 is less and perform well comparing to the conventional design pier.

• Structural Monitoring and Maintenance
• /
• 제2권2호
• /
• pp.115-132
• /
• 2015

This paper presents a new method for seismic vulnerability assessment of buildings with reference to their operational limit state. The importance of this kind of evaluation arises from the civil protection necessity that some buildings, considered strategic for seismic emergency management, should retain their functionality also after a destructive earthquake. The method is based on the identification of experimental modal parameters from ambient vibrations measurements. The knowledge of the experimental modes allows to perform a linear spectral analysis computing the maximum structural drifts of the building caused by an assigned earthquake. Operational condition is then evaluated by comparing the maximum building drifts with the reference value assigned by the Italian Technical Code for the operational limit state. The uncertainty about the actual building seismic frequencies, typically significantly lower than the ambient ones, is explicitly taken into account through a probabilistic approach that allows to define for the building the Operational Index together with the Operational Probability Curve. The method is validated with experimental seismic data from a permanently monitored public building: by comparing the probabilistic prediction and the building experimental drifts, resulting from three weak earthquakes, the reliability of the method is confirmed. Finally an application of the method to a strategic building in Italy is presented: all the procedure, from ambient vibrations measurement, to seismic input definition, up to the computation of the Operational Probability Curve is illustrated.

• 한국정보통신학회:학술대회논문집
• /
• 한국정보통신학회 2014년도 춘계학술대회
• /
• pp.595-598
• /
• 2014

최근의 사이버 공격은 보안패치가 발표되기 이전의 보안취약점을 악용하는 제로 데이(Zero Day) 공격, 웹 사이트를 대상으로 한 공격이 주를 이루고 있다. 이러한 공격은 소프트웨어 자체에 내장된 보안취약점을 이용하는 것이 대부분으로, 특히나 소스코드의 보안취약점을 이용한 사이버 공격은 보안장비로는 대응이 어려운 특성을 가진다. 따라서 이러한 공격을 예방하기 위해 소프트웨어를 구현하는 단계에서부터 보안취약점을 배제 시켜야한다. 본 논문에서는 구현단계에서부터 보안위협을 해소하는 Secure Coding 가이드 지원 도구를 설계하고자 한다.