• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.1
• /
• pp.25-38
• /
• 2017

Many security threats are occurring around the world due to the characteristics of industrial control systems that can cause serious damage in the event of a security incident including major national infrastructure. Therefore, the industrial control system network traffic should be analyzed so that it can identify the attack in advance or perform incident response after the accident. In this paper, we research the visualization technique as network forensics to enable reasonable suspicion of all possible attacks on DNP3 control system protocol, and define normal action based rules and derive visualization requirements. As a result, we developed a visualization tool that can detect sudden network traffic changes such as DDoS and attacks that contain anormal behavior from captured packet files on industrial control system network. The suspicious behavior in the industrial control system network can be found using visualization tool with Digital Bond packet.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.1
• /
• pp.167-177
• /
• 2018

As the number of attacks on vehicles has increased, studies on CAN-based security technologies are actively being carried out. However, since the upper layer protocol of CAN differs for each vehicle manufacturer and model, there is a great difficulty in researches such as developing anomaly detection for CAN or finding vulnerabilities of ECUs. In this paper, we propose a method to infer the detailed structure of the data field of CAN frame by analyzing CAN trace to mitigate this problem. In the existing Internet environment, many researches for reverse engineering proprietary protocols have already been carried out. However, CAN bus has a structure difficult to apply the existing protocol reverse engineering technology as it is. In this paper, we propose new field classification methods with low computation-cost based on the characteristics of data in CAN frame and existing field classification method. The proposed methods are verified through implementation that analyze CAN traces generated by simulations of CAN communication and actual vehicles. They show higher accuracy of field classification with lower computational cost compared to the existing method.

• Database Research
• /
• v.34 no.3
• /
• pp.58-68
• /
• 2018

Distributed computing helps to efficiently store and process large data on a cluster of multiple machines. The performance of distributed computing is greatly influenced depending on the state of the servers constituting the distributed system. In this paper, we propose a self-diagnosis system that collects log data in a distributed system, detects anomalies and visualizes the results in real time. First, we divide the self-diagnosis process into five stages: collecting, delivering, analyzing, storing, and visualizing stages. Next, we design a real-time self-diagnosis system that meets the goals of real-time, scalability, and high availability. The proposed system is based on Apache Flume, Apache Kafka, and Apache Storm, which are representative real-time distributed techniques. In addition, we use simple but effective moving average and 3-sigma based anomaly detection technique to minimize the delay of log data processing during the self-diagnosis process. Through the results of this paper, we can construct a distributed real-time self-diagnosis solution that can diagnose server status in real time in a complicated distributed system.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.4
• /
• pp.851-868
• /
• 2012

After the financial crisis in 2008, the financial market still seems to be unstable with expanding the insolvency of the financial companies' real estate project financing loan in the aftermath of the lasted real estate recession. Especially after the illegal actions of people's financial institutions disclosed, while increased the anxiety of economic subjects about financial markets and weighted in the confusion of financial markets, the potential risk for the overall national economy is increasing. Thus as economic recession prolongs, the people's financial institutions having a weak profit structure and financing ability commit illegal acts in a variety of ways in order to conceal insolvent assets. Especially it is hard to find the loans of shareholder and the same borrower sharing credit risk in advance because most of them usually use a third-party's name bank account. Therefore, in order to effectively detect the fraud under other's name, it is necessary to analyze by clustering the borrowers high-related to a particular borrower through an analysis of association between the whole borrowers. In this paper, we introduce Analysis Techniques for detecting financial loan frauds in advance through an analysis of association between the whole borrowers by extending SNA(social network analysis) which is being studied by focused on sociology recently to the forensic accounting field of the financial frauds. Also this technique introduced in this pager will be very useful to regulatory authorities or law enforcement agencies at the field inspection or investigation.

• The Sea:JOURNAL OF THE KOREAN SOCIETY OF OCEANOGRAPHY
• /
• v.26 no.4
• /
• pp.307-326
• /
• 2021

Real-time sea level observations from tide gauges include missing and erroneous values. Classification as abnormal values can be done for the latter by the quality control procedure. Although the 3𝜎 (three standard deviations) rule has been applied in general to eliminate them, it is difficult to apply it to the sea-level data where extreme values can exist due to weather events, etc., or where erroneous values can exist even within the 3𝜎 range. An artificial intelligence model set designed in this study consists of non-annotated recurrent neural networks and ensemble techniques that do not require pre-labeling of the abnormal values. The developed model can identify an erroneous value less than 20 minutes of tide gauge recording an abnormal sea level. The validated model well separates normal and abnormal values during normal times and weather events. It was also confirmed that abnormal values can be detected even in the period of years when the sea level data have not been used for training. The artificial neural network algorithm utilized in this study is not limited to the coastal sea level, and hence it can be extended to the detection model of erroneous values in various oceanic and atmospheric data.

• The Transactions of the Korea Information Processing Society
• /
• v.13 no.9
• /
• pp.395-403
• /
• 2024

Recently, with the advancement of technology, the automotive industry has seen an increase in network connectivity. CAN (Controller Area Network) bus technology enables fast and efficient data communication between various electronic devices and systems within a vehicle, providing a platform that integrates and manages a wide range of functions, from core systems to auxiliary features. However, this increased connectivity raises concerns about network security, as external attackers could potentially gain access to the automotive network, taking control of the vehicle or stealing personal information. This paper analyzed abnormal messages occurring in CAN and confirmed that message occurrence periodicity, frequency, and data changes are important factors in the detection of abnormal messages. Through DBC decoding, the specific meanings of CAN messages were interpreted. Based on this, a model for classifying abnormalities was proposed using the GRU model to analyze the periodicity and trend of message occurrences by measuring the difference (residual) between the predicted and actual messages occurring within a certain period as an abnormality metric. Additionally, for multi-class classification of attack techniques on abnormal messages, a Random Forest model was introduced as a multi-classifier using message occurrence frequency, periodicity, and residuals, achieving improved performance. This model achieved a high accuracy of over 99% in detecting abnormal messages and demonstrated superior performance compared to other existing models.

• Proceedings of the KSRS Conference
• /
• 2005.10a
• /
• pp.149-152
• /
• 2005

A new methodology to detect forest fire burnt scars at near real time using MODIS (Moderate-resolution Imaging Spectroradiometer) data is presented here with a goal of introducing a new and improved capability to detect forest fire burnt scars in Thailand. This new technology is expected to increase the efficiency and effectiveness of the forest fire tackling resources distribution and management of the country. Using MODIS data in burnt scars detection has two major advantages - high availability of data and high resolution per performance ratio. Results prove the near real time algorithm suitable and working well in order to monitor the forest fire dynamic movement. The algorithm is based on the threshold separated linear equation of burnt and un-burnt. A ground truth experiment confirms the burnt and un-burnt? areas characteristics (temperature and NDVI). A threshold line on a scatter plot of Band I and Band 2 is determined to separate the burnt from un-burnt pixels. The different threshold values of NDVI and temperature use to identify pixels' anomaly, abnormal low NDVI and high temperature. The overlay (superimpose) method is used to verify burnt pixels. Since forest fire is a dynamic phenomenon, MODIS burnt scars information is suiting well to fill in the missing temporal information of LANDSAT for the forest fire control managing strategy in Thailand. This study was conducted in the Huai-Kha-Kaeng (HKK) Wildlife Sanctuary, Thailand

• Proceedings of the Korean Institute of Navigation and Port Research Conference
• /
• 2015.07a
• /
• pp.310-311
• /
• 2015

Ships' tracking data are being monitored and collected by vessel traffic service center in real time. In this paper, we intend to contribute to vessel traffic service operators' decision making through extracting ships' tracking patterns and models based on these data. Support Vector Machine algorithm was used for vessel track modeling to handle and process the data sets and k-fold cross validation was used to select the proper parameters. Proposed data processing methods could support vessel traffic service operators' decision making on case of anomaly detection, calculation ships' dead reckoning positions and etc.

• Journal of Biomedical Engineering Research
• /
• v.28 no.1
• /
• pp.84-94
• /
• 2007

In order to collect information on local distribution of conductivity and permittivity underneath a scan probe, we developed a multi-frequency trans-admittance scanner (TAS). Applying a sinusoidal voltage with variable frequency on a chosen distal part of a human body, we measure exit currents from 320 grounded electrodes placed on a chosen surface of the subject. The electrodes are packaged inside a small and light scan probe. The system includes one voltage source and 17 digital ammeters. Front-end of each ammeter is a current-to-voltage converter with virtual grounding of a chosen electrode. The rest of the ammeter is a voltmeter performing digital phase-sensitive demodulation. Using resistor loads, we calibrate the system including the scan probe to compensate frequency-dependent variability of current measurements and also inter-channel variability among multiple. We found that SNR of each ammeter is about 85dB and the minimal measurable current is 5nA. Using saline phantoms with objects made from TX-151, we verified the performance of the lesion estimation algorithm. The error rate of the depth estimation was about 19.7%. For the size estimate, the error rate was about 15.3%. The results suggest improvement in lesion estimation algorithm based on multi-frequency trans-admittance data.

• The Journal of the Korea Contents Association
• /
• v.7 no.3
• /
• pp.93-100
• /
• 2007

Internet had spread in all fields with the fast speed during the last 10 years. Lately, wireless network is also spreading rapidly. Also, number of times that succeed attack attempt and invasion for wireless network is increasing rapidly TMS system was developed to overcome these threat on wireless network. Existing TMS system supplies active confrontation mechanism on these threats. However, existent TMS has limitation that new form of attack do not filtered efficiently. Therefor this paper proposes a new method that it automatically compute the threat from the imput packets with vector space model and detect anomaly detection of wireless network. Proposed mechanism in this research analyzes similarity degree between packets, and detect something wrong symptom of wireless network and then classify these threats automatically.