http://dx.doi.org/10.13089/JKIISC.2015.25.1.107

Hacking Mail Profiling by Applying Case Based Reasoning

Park, Hyong-Su (Korea University)
Kim, Huy-Kang (Korea University)
Kim, Eun-Jin (Kyonggi University)
Abstract
Many defensive mechanisms have evolved as new attack methods have been developed. However, APT attacks that use e-mail are still hard to detect and prevent. Recently, many organizations in both the government and private sectors have been compromised by APT attacks based on malicious e-mail. In this paper, we first built a hacking e-mail database from real e-mail data used in attacks on Korean government organizations in recent years. We then extracted features from the hacking e-mails in order to profile them, and designed a case vector that describes the specific characteristics of hacking e-mails well. Finally, based on case based reasoning, we developed an algorithm that retrieves the most similar case from the hacking e-mail database when a new hacking e-mail is found. As a result, hacking e-mails share common characteristics in several features, such as geo-location information, and these features can be used to classify e-mails as benign or malicious. Furthermore, the proposed case based reasoning algorithm can support the decision of whether a suspicious e-mail should be analyzed.
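The retrieval step described in the abstract, as an added illustration rather than code from the paper: a small case-based reasoning retriever that scores a newly observed e-mail against stored cases and returns the most similar one together with its label. The page names only geo-location information as a feature; the remaining features (sender domain, attachment extension, subject tokens, send hour), the weights, the similarity functions and the stored cases are all constructed assumptions for this example, not the paper's case vector.

```python
"""Illustrative case-based reasoning (CBR) retrieval over e-mail metadata.

Added example, not code from the paper. The feature set and weights are a
constructed stand-in for the paper's case vector, which this page does not
describe beyond mentioning geo-location information.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MailCase:
    case_id: str
    sender_country: str          # geo-location of the sending IP (assumed feature)
    sender_domain: str           # domain of the From: address (assumed feature)
    attachment_ext: str          # attachment extension, "" if none (assumed feature)
    subject_tokens: frozenset    # lower-cased words of the subject (assumed feature)
    send_hour_utc: int           # hour of day the mail was sent, 0-23 (assumed feature)
    label: str                   # "malicious", "benign", or "unknown" for a new mail


# Relative importance of each feature; constructed, not the paper's weights.
WEIGHTS = {
    "sender_country": 0.30,
    "sender_domain": 0.20,
    "attachment_ext": 0.25,
    "subject_tokens": 0.15,
    "send_hour_utc": 0.10,
}


def jaccard(a: frozenset, b: frozenset) -> float:
    """Set overlap in [0, 1]; two empty subjects count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def hour_similarity(h1: int, h2: int) -> float:
    """Circular distance on a 24-hour clock, scaled so 0h apart -> 1, 12h apart -> 0."""
    d = abs(h1 - h2) % 24
    d = min(d, 24 - d)
    return 1.0 - d / 12.0


def similarity(new: MailCase, old: MailCase) -> float:
    """Weighted local-similarity sum between a new mail and a stored case."""
    parts = {
        "sender_country": 1.0 if new.sender_country == old.sender_country else 0.0,
        "sender_domain": 1.0 if new.sender_domain == old.sender_domain else 0.0,
        "attachment_ext": 1.0 if new.attachment_ext == old.attachment_ext else 0.0,
        "subject_tokens": jaccard(new.subject_tokens, old.subject_tokens),
        "send_hour_utc": hour_similarity(new.send_hour_utc, old.send_hour_utc),
    }
    return sum(WEIGHTS[k] * v for k, v in parts.items())


def retrieve(new: MailCase, case_base: list) -> tuple:
    """CBR retrieve step: return (most_similar_case, score) from the case base."""
    scored = [(similarity(new, c), c) for c in case_base]
    score, best = max(scored, key=lambda t: t[0])
    return best, score


def tokens(subject: str) -> frozenset:
    """Normalise a subject line into a set of lower-cased words."""
    return frozenset(w.strip(".,:;!?()[]\"'").lower() for w in subject.split() if w)


# Constructed case base: invented stored cases, not real hacking mails.
CASE_BASE = [
    MailCase("C1", "XX", "mail-example.test", "hwp", tokens("Meeting schedule for next week"), 2, "malicious"),
    MailCase("C2", "XX", "free-mail.test", "hwp", tokens("Policy report draft review"), 3, "malicious"),
    MailCase("C3", "KR", "partner.test", "pdf", tokens("Invoice for March"), 10, "benign"),
    MailCase("C4", "KR", "corp.test", "", tokens("Lunch tomorrow?"), 12, "benign"),
]


def triage_new_mail() -> tuple:
    """Score a constructed incoming mail; return (case_id, label, rounded score)."""
    new = MailCase("NEW", "XX", "free-mail.test", "hwp",
                   tokens("Revised schedule for policy review"), 1, "unknown")
    best, score = retrieve(new, CASE_BASE)
    return best.case_id, best.label, round(score, 3)


if __name__ == "__main__":
    case_id, label, score = triage_new_mail()
    print(f"closest stored case: {case_id} ({label}), similarity {score}")
```

The returned label and score feed the decision the abstract describes: a high similarity to a stored malicious case is a reason to send the mail for analysis, while a low score against every stored case means the case base says nothing useful yet and the mail should be judged on other grounds.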
Keywords
Hacking Mail; CBR; Profiling
Times Cited By KSCI: 3