• Title/Summary/Keyword: attack group classification

Cyber attack group classification based on MITRE ATT&CK model (MITRE ATT&CK 모델을 이용한 사이버 공격 그룹 분류)

  • Choi, Chang-hee; Shin, Chan-ho; Shin, Sung-uk
    • Journal of Internet Computing and Services / v.23 no.6 / pp.1-13 / 2022
  • As the information and communication environment develops, the environment of military facilities is also developing remarkably. In proportion to this, cyber threats are also increasing, and in particular, APT attacks, which are difficult to prevent with existing signature-based cyber defense systems, are frequently targeting military and national infrastructure. It is important to identify attack groups for an appropriate response, but it is very difficult to identify them due to the nature of cyber attacks conducted in secret using methods such as anti-forensics. In the past, after an attack was detected, a security expert had to perform high-level analysis for a long time on the large amount of collected evidence to get a clue about the attack group. To solve this problem, in this paper we propose an automation technique that can classify an attack group within a short time after detection. In the case of APT attacks, compared to general cyber attacks, the number of attacks is small, there is not much known data, and they are designed to bypass signature-based cyber defense techniques. As the attack model, we used MITRE ATT&CK®, which models many parts of cyber attacks. We design an impact score considering the versatility of the attack techniques and propose a group similarity score based on it. Experimental results show that the proposed method classified the attack group with a 72.62% probability based on Top-5 accuracy.

The attacker group feature extraction framework : Authorship Clustering based on Genetic Algorithm for Malware Authorship Group Identification (공격자 그룹 특징 추출 프레임워크 : 악성코드 저자 그룹 식별을 위한 유전 알고리즘 기반 저자 클러스터링)

  • Shin, Gun-Yoon; Kim, Dong-Wook; Han, Myung-Mook
    • Journal of Internet Computing and Services / v.21 no.2 / pp.1-8 / 2020
  • Recently, the number of APT (Advanced Persistent Threat) attacks using malware has been increasing, and research is underway to prevent and detect them. While it is important to detect and block attacks before they occur, it is also important to make an effective response through accurate analysis of the attack case and attack type, and such a response can be determined by analyzing the attack group behind the attacks. Therefore, this paper proposes a framework based on a genetic algorithm for analyzing malware and understanding attacker groups' features. The framework uses a decompiler and disassembler to extract related code from collected malware, and analyzes information related to the author through code analysis. Malware has unique characteristics that only it has, which can be regarded as features that identify the author or attacker group of that malware. So, among the various features extracted from binary and source code, we select the specific features that only the attack group has through the authorship clustering method, and apply a genetic algorithm to accurate clustering to infer specific features. Also, we find features, based on the characteristics each group of malware authors has, that can express each group, and create profiles to verify that the group of authors is correctly clustered. In this paper, we experiment with author classification using a genetic algorithm and with finding specific features that express author characteristics. In the experimental results, we obtained an author classification accuracy of 86% and selected the features to be used for authorship analysis among the information extracted through the genetic algorithm.

A Multiple Instance Learning Problem Approach Model to Anomaly Network Intrusion Detection

  • Weon, Ill-Young; Song, Doo-Heon; Ko, Sung-Bum; Lee, Chang-Hoon
    • Journal of Information Processing Systems / v.1 no.1 s.1 / pp.14-21 / 2005
  • Even though mainly statistical methods have been used in anomaly network intrusion detection, machine learning based anomaly detection was introduced to detect various attack types. Machine learning based anomaly detection started from research applying traditional learning algorithms of artificial intelligence to intrusion detection. However, the detection rates of these methods are not satisfactory. In particular, high false positives and repeated alarms about the same attack are problems. The main reason for this is that one packet is used as the basic learning unit. Most attacks consist of more than one packet. In addition, an attack does not form a consecutive packet stream. Therefore, by grouping related packets, a new approach of group-based learning and detection is needed. This type of approach is similar to that of multiple-instance problems in the artificial intelligence community, where one instance cannot be clearly classified but classification of a group is possible. We suggest a group generation algorithm that groups related packets, and a learning algorithm based on such a group as its unit. To verify the usefulness of the suggested algorithm, the 1998 DARPA data was used, and the results show that our approach is quite useful.

Classification of Cyber Attack Groups using Scikit Learn and Cyber Threat Datasets (싸이킷런과 사이버위협 데이터셋을 이용한 사이버 공격 그룹의 분류)

  • Kim, Kyungshin; Lee, Hojun; Kim, Sunghee; Kim, Byungik; Na, Wonshik; Kim, Donguk; Lee, Jeongwhan
    • Journal of Convergence for Information Technology / v.8 no.6 / pp.165-171 / 2018
  • The most threatening attack that has become a hot topic in recent IT security is the APT attack. So far, there is no way to respond to APT attacks except by using artificial intelligence techniques. Here, we have implemented a machine learning algorithm for analyzing cyber threat data, using a data set that collects cyber attack cases, with Scikit Learn, a big data machine learning framework. The result showed an attack classification accuracy close to 70%. This result can be developed into the algorithm of a security control system in the future.

Cross-sectional and Comparative Study between First Attack and Reattack Groups in Acute Stroke Patients - Multi-Center Trials (급성기 중풍환자의 재발군과 초발군에 대한 단면조사연구 - 다기관 임상연구)

  • Lee, In-Whan; Gwak, Ja-Young; Cho, Seung-Yeon; Shin, Ae-Sook; Kim, Na-Hee; Kim, Hye-Mi; Na, Byung-Jo; Park, Seong-Uk; Jung, Woo-Sang; Moon, Sang-Kwan; Park, Jung-Mi; Ko, Chang-Nam; Cho, Ki-Ho; Kim, Young-Suk; Bae, Hyung-Sup
    • The Journal of Internal Korean Medicine / v.30 no.4 / pp.696-707 / 2009
  • Objective: We designed this study to investigate differences between the stroke reattack and stroke first attack groups, to establish fundamental data and prevent secondary stroke. Methods: 826 subjects were recruited from the patients admitted to the department of internal medicine at Kyung Hee University Oriental Medical Center, Kyung Hee University East-West Neo Medical Center, Kyungwon University Incheon Oriental Medical Center, Kyungwon University Songpa Oriental Medical Center and Dongguk University Ilsan Oriental Medical Center from 1 April 2007 to 31 August 2009. We compared general characteristics, classification of diagnosis, subtypes of cerebral infarction, risk factors, Sasang constitution, and diagnostic classifications between the stroke reattack and stroke first attack groups. Results: 1. In general characteristics, age differed significantly between the reattack and first attack groups. 2. Classification of diagnosis differed significantly between the reattack and first attack groups. 3. In risk factors, hypertension, diabetes mellitus, alcohol drinking, and stress were significantly different between the reattack and first attack groups. 4. Diagnostic classifications were significantly different between the reattack and first attack groups. Conclusion: To prevent recurrence of stroke, education on stroke risk factors associated with recurrence is needed. In addition, those who are diagnosed with Dampness-Phlegm need to be well controlled.


Thymectomy in Patients with Myasthenia Gravis (흉선절제로 치료한 중증 근무력증)

  • 조광현
    • Journal of Chest Surgery / v.18 no.4 / pp.872-880 / 1985
  • Myasthenia gravis is a neuromuscular transmission disorder characterized by fatigue and weakness of voluntary muscles. Although the pathogenesis is known to be a reduction of available acetylcholine receptors at neuromuscular junctions by autoimmune attack, the thymic role in myasthenia gravis is still unclear and under investigation. But thymectomy in the management of myasthenia gravis has become increasingly important since the first successful operation with remission of symptoms in 1939 by Blalock. From January 1983 to June 1985, the authors performed 17 thymectomies for patients with myasthenia gravis. Among them, 12 patients were free from thymoma [Group A] and 5 were coupled with thymoma [Group B]. The results were as follows: 1] Sex distribution was 11 females and 6 males. Mean age of the patients was 32.2 years old. Sex and age distribution by Group A and B are shown in Table 1. 2] Clinical manifestations of ocular symptoms were seen in 5 patients [88.2%], extremity weakness in 13 patients, bulbar weakness in 12 patients and dyspnea in 6 patients. According to Osserman's classification, 5 patients were in group IIA, 6 in IIB and 6 in IIC. 3] Pre-operatively, all patients showed a positive response to the anti-cholinesterase test, and 12 patients [92.3%] revealed positive findings in electromyography [EMG], which was done in 13 patients. 4] The postoperative complications were respiratory distress in 3 patients, myasthenic crisis in 2 patients and wound disruption in one patient. 5] Pathologic examination of the thymus showed hyperplasia in 10 patients [90%] and thymoma in 5 patients, of which 4 were mixed type with invasion of the adjacent tissues and one lymphocytic type without invasion. Normal thymus was noticed in only 2 patients. 6] In postoperative evaluations, among the 12 patients free from thymoma [Group A], complete remission of symptoms was noticed in 3 patients and improvement in 7 patients. But among the 5 patients coupled with thymoma [Group B], only one patient showed improvement [Table 8]. Therefore, remission and clinical improvement were noticed in 11 patients [64.7%] of all, and complete remission was noticed in 3 patients [17.6%].


Secure Key Exchange Protocols against Leakage of Long-term Private Keys for Financial Security Servers (금융 보안 서버의 개인키 유출 사고에 안전한 키 교환 프로토콜)

  • Kim, Seon-Jong; Kwon, Jeong-Ok
    • Journal of the Korea Institute of Information Security & Cryptology / v.19 no.3 / pp.119-131 / 2009
  • The world's widely used key exchange protocols are open cryptographic communication protocols, such as TLS/SSL, whereas in the financial field in Korea, key exchange protocols developed by an industrial classification group have been used that are based on PKI (Public Key Infrastructure), which is suitable for the financial environments of Korea. However, these key exchange protocols are not only vulnerable to client impersonation attacks and known-key attacks, but also do not provide forward secrecy. In particular, an attacker with the private keys of the financial security server can easily get an old session key that can decrypt the encrypted messages between the clients and the server. The exposure of the server's private keys through internal management problems, etc., results in a huge problem, such as the exposure of a lot of clients' private and financial information. In this paper, we analyze the weaknesses of the cryptographic communication protocols in use in Korea. We then propose two key exchange protocols which reduce the replacement cost of protocols and are also secure against client impersonation attacks and session-key and private-key reveal attacks. The forward secrecy of the second protocol is reduced to the HDH (Hash Diffie-Hellman) problem.

Cyberattack Goal Classification Based on MITRE ATT&CK: CIA Labeling (MITRE ATT&CK 기반 사이버 공격 목표 분류 : CIA 라벨링)

  • Shin, Chan Ho; Choi, Chang-hee
    • Journal of Internet Computing and Services / v.23 no.6 / pp.15-26 / 2022
  • Various subjects are carrying out cyberattacks using a variety of tactics and techniques. Additionally, cyberattacks for political and economic purposes are also being carried out by groups sponsored by their nations. To deal with cyberattacks, researchers used to classify the malware family and the subjects of the attack based on malware signatures. Unfortunately, attackers can easily masquerade as other groups. Also, as the attack varies with subject, techniques, and purpose, it is more effective for defenders to identify the attacker's purpose and goal in order to respond appropriately. The essential goal of cyberattacks is to threaten the information security of the target assets. Information security is achieved by preserving the confidentiality, integrity, and availability of the assets. In this paper, we relabel the attacker's goal based on MITRE ATT&CK® from the point of view of the CIA triad, and classify cyber security reports to verify the labeling method. Experimental results show that the model classified the proposed CIA label with at most 80% probability.

Extraction and Taxonomy of Ransomware Features for Proactive Detection and Prevention (사전 탐지와 예방을 위한 랜섬웨어 특성 추출 및 분류)

  • Yoon-Cheol Hwang
    • Journal of Industrial Convergence / v.21 no.9 / pp.41-48 / 2023
  • Recently, there has been a sharp increase in the damage caused by ransomware across various sectors of society, including individuals, businesses, and nations. Ransomware is malicious software that infiltrates user computer systems, encrypts important files, and demands a ransom in exchange for restoring access to the files. Due to its diverse and sophisticated attack techniques, ransomware is more challenging to detect than other types of malware, and its impact is significant. Therefore, there is a critical need for accurate detection and mitigation methods. To achieve precise ransomware detection, the inference engine of a detection system must possess knowledge of ransomware features. In this paper, we propose a model that extracts and classifies the characteristics of ransomware for accurate detection: it calculates the similarity of the extracted characteristics, reduces their dimension, groups the reduced characteristics, and classifies the characteristics of ransomware into attack tools, inflow paths, installation files, command and control, executable files, acquired rights, circumvention techniques, collected information, leakage techniques, and state changes of the target system. The classified characteristics were applied to existing ransomware to prove the validity of the classification, and later, if an inference engine trained using this classification technique is installed in the detection system, most newly emerging and variant ransomware can be detected.

A Clinical Study of Insomnia in 33 Admission Cases (불면증(不眠症)을 주소(主訴)로 입원(入院)한 환자(患者) 33례(例)에 대(對)한 임상적(臨床的) 고찰(考察))

  • Choi Byung-Man; Lee Sang-Ryong; Kim Myung-Jin
    • Journal of Oriental Neuropsychiatry / v.12 no.1 / pp.169-182 / 2001
  • The clinical study was carried out on 33 patients with insomnia who were treated in Daejeon University Oriental Hospital from 17 March 1997 to 12 May 2001. The results were summarized as follows. 1. The ratio of male to female was 10:23; sleep initiation insomnia and sleep maintenance insomnia had the highest frequency (97%), and the onset of insomnia was most frequent in the 30s (27.3%). 2. A life event involving mental attack was the most common inducing factor, and many patients came to our hospital by way of Western neuropsychiatry (55.6%). 3. In the admission period, most of the patients stayed within 15 days (78.8%); Liver-Qi depression was the main cause; in the classification of the Four Human corporeal constitutions the number of Sho-Eum-In (少陰人) patients was most remarkable; and in the distribution of prescriptions, drugs for nourishing the heart and warming the gall bladder, such as GUIBIONDAMTANG (歸脾溫膽湯) and ONDAMTANGGAMI (溫膽湯加味), were many. 4. Relatively, most patients were well treated (69.7%); insomnia was mainly caused by Anxiety Disorder, Depression and Hwabyoung; and in the age distribution the highest frequency was in the 30s, but insomnia appeared at all ages. 5. The distribution of the period of the clinical history was various, and those within 15 days were all improved; the treatment group receiving drugs, acupuncture, aid treatments etc. together with hypnotics improved more than the group not using hypnotics, but the use of hypnotics was temporary.
