• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.31 no.4
• /
• pp.661-674
• /
• 2021

Malware, such as a rootkit that modifies the kernel, can adversely affect the analyst's judgment, making the analysis difficult or impossible if a mechanism to evade memory analysis is added. Therefore, we plan to preemptively respond to malware such as rootkits that bypass detection through advanced kernel modulation in the future. To this end, the main structure used in the Windows kernel was analyzed from the attacker's point of view, and a method capable of modulating the kernel object was applied to modulate the memory dump file. The result of tampering is confirmed through experimentation that it cannot be detected by memory analysis tool widely used worldwide. Then, from the analyst's point of view, using the concept of tamper resistance, it is made in the form of software that can detect tampering and shows that it is possible to detect areas that are not detected by existing memory analysis tools. Through this study, it is judged that it is meaningful in that it preemptively attempted to modulate the kernel area and derived insights to enable precise analysis. However, there is a limitation in that the necessary detection rules need to be manually created in software implementation for precise analysis.

• Journal of Internet of Things and Convergence
• /
• v.9 no.6
• /
• pp.23-28
• /
• 2023

Windows operating system generates various logs with timestamps. Timestamp tampering is an act of anti-forensics in which a suspect manipulates the timestamps of data related to a crime to conceal traces, making it difficult for analysts to reconstruct the situation of the incident. This can delay investigations or lead to the failure of obtaining crucial digital evidence. Therefore, various techniques have been developed to detect timestamp tampering. However, there is a limitation in detection if a suspect is aware of timestamp patterns and manipulates timestamps skillfully or alters system artifacts used in timestamp tampering detection. In this paper, a method is designed to detect changes in timestamps, even if a suspect alters the timestamp of a file on a storage device, it is challenging to do so with precision beyond millisecond order. In the proposed detection method, the first step involves verifying the timestamp of a file suspected of tampering to determine its write time. Subsequently, the confirmed time is compared with the file size recorded within that time, taking into consideration the performance of the storage device. Finally, the total capacity of files written at a specific time is calculated, and this is compared with the maximum input and output performance of the storage device to detect any potential file tampering.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.5
• /
• pp.871-883
• /
• 2014

New types of attacks that mainly compromise the public, portal and financial websites for the purpose of economic profit or national confusion are being emerged and evolved. In addition, in case of 'drive by download' attack, if a host just visits the compromised websites, then the host is infected by a malware. Website falsification detection system is one of the most powerful solutions to cope with such cyber threats that try to attack the websites. Many domestic CERTs including NCSC (National Cyber Security Center) that carry out security monitoring and response service deploy it into the target organizations. However, the existing techniques for the website falsification detection system have practical problems in that their time complexity is high and the detection accuracy is not high. In this paper, we propose website falsification detection system based on image and code analysis for improving the performance of the security monitoring and response service in CERTs. The proposed system focuses on improvement of the accuracy as well as the rapidity in detecting falsification of the target websites.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.20 no.1
• /
• pp.105-111
• /
• 2010

This paper proposes the algorithm which addresses the problem of detecting leak of defaced confidential documents from original confidential document. Generally, a confidential document is defaced into various forms by insiders and then they are trying to leak these defaced documents to outside. Traditional algorithms detecting leak of documents have low accuracy because they are based on similarity of two documents, which do not reflect various forms of defaced documents in detection. In order to overcome this problem, this paper proposes a novel v-SVDD algorithm which is based on SVDD, the novelty detection algorithm. The result of experiment shows that there is significant improvement m the accuracy of the v-SVDD in comparison with the traditional algorithms.

• Convergence Security Journal
• /
• v.16 no.1
• /
• pp.81-87
• /
• 2016

In this paper, we propose a forgery/falsification detection technique of web site using the images. The proposed system captures images of the web site when a user accesses to the forgery/falsification web site that has the financial information deodorizing purpose. The captured images are compared with those of normal web site images to detect forgery/falsification. The proposed system calculates similarity factor of normal site image with captured one to detect whether the site is normal or not. If it is determined as normal, analysis procedure is finished. But if it is determined as abnormal, a message informs the user to prevent additional financial information spill and further accidents from the forgery web site.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2011.11a
• /
• pp.714-717
• /
• 2011

스마트그리드(Smart Grid)는 기존의 단방향 전력망인 자동화 검침 장치(Automated Meter Reading, AMR)에서 발전하여 양방향으로 실시간 정보를 교환하는 '지능형 전력망'이다. 스마트그리드 환경에서는 수요 반응(Demand Response) 서비스를 이용하여 전력 사용을 효과적으로 분산 할 수 있다. 하지만 보안에 대한 대비가 충분하지 않을 시에는 데이터의 삽입, 변조에 의해 시스템이 오용될 수 있다. 본 논문에서는 스마트 미터의 검침 값이 네트워크를 통해 전력정보처리시스템(Meter Data Management System, MDMS)까지 전달되는 과정에서 데이터 변조의 발생여부를 탐지할 수 있는 방법을 제안한다. 본 논문의 탐지 방법을 통해 신뢰성 있는 수요 반응 서비스를 제공할 수 있으며, 이는 효율적인 전력 사용을 유도할 것으로 기대된다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.2
• /
• pp.429-436
• /
• 2018

Electronic documents are efficient to be created and managed, but they are liable to lose their originality because copies are created during distribution and delivery. For this reason, various security technologies for electronic documents have been applied. However, most security technologies currently used are for document management such as file access privilege control, file version and history management, and therefore can not be used in environments where authenticity is absolutely required, such as confidential documents. In this paper, we propose a method to detect document forgery and tampering through analysis of file system without installing an agent inside the instance operating system in cloud computing environment. BubbleDoc monitors the minimum amount of virtual volume storage in an instance, so it can efficiently detect forgery and tampering of documents. Experimental results show that the proposed technique has 0.16% disk read operation overhead when it is set to 1,000ms cycle for monitoring for document falsification and modulation detection.

• Journal of KIISE
• /
• v.45 no.3
• /
• pp.311-320
• /
• 2018

Recently, the use of digital audio and video as proof in criminal and all kinds of litigation is increasing, and scientific investigation using digital forensic technique is developing. With the development of computing and file editing technologies, anyone can simply manipulate video files, and the number of cases of manipulating digital data is increasing. As a result, the integrity of the evidence and the reliability of the evidence Is required. In this paper, we propose a technique for extracting the Electrical Network Frequency (ENF) through a grid of power grids according to the geographical environment for power supply, and then performing signal processing for peak detection using QIFFT. Through the detection algorithm using the standard deviation, it was confirmed that the video file was falsified with 73% accuracy and the forgery point was found.

• Journal of Convergence Society for SMB
• /
• v.5 no.3
• /
• pp.27-31
• /
• 2015

As the number of smartphone users is increasing with the development of mobile devices, the range of monetary transaction from the individual use is increasing. Therefore, hacking methods are diversified and the information forgery of mobile devices has been a current issue. The forgery via apps in mobile devices is a hacking method that creates an app similar to well-known apps to deceive the users. The forgery attack corresponds to the violation of integrity, one of three elements of security. Due to the forgery, the value and credibility of an app decreases with the risk increased. With the forgery in app, private information and data can be stolen and the financial losses can occur. This paper examined the forgery, and suggested a way to detect it, and sought the countermeasure to the forgery.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.6
• /
• pp.1449-1453
• /
• 2015

Constrained IoT devices cannot achieve full coverage of software attestation even though the integrity of software is critical. The limited modification attacks on control flow of software aim at the shadow area uncovered in software attestation processes. In this paper, we propose a light-weight protection system that detects modification by injecting markers to program code.