• Title/Summary/Keyword: Botnet


Scalable P2P Botnet Detection with Threshold Setting in Hadoop Framework (하둡 프레임워크에서 한계점 가변으로 확장성이 가능한 P2P 봇넷 탐지 기법)

  • Huseynov, Khalid; Yoo, Paul D.; Kim, Kwangjo
    • Journal of the Korea Institute of Information Security & Cryptology / v.25 no.4 / pp.807-816 / 2015
  • During the last decade, most coordinated security breaches have been performed by means of botnets, a botnet being a large overlay network of compromised computers controlled by a remote botmaster. Due to the high volume of traffic to be analyzed, the challenge lies in managing the tradeoff between system scalability and accuracy. We propose a novel Hadoop-based P2P botnet detection method that solves the scalability problem while maintaining high accuracy. Moreover, our approach does not require labeled data and is applicable to encrypted traffic as well.

Study on Security Measures of e-Gov with Dynamic ICT Ecosystem (동적인 ICT 생태계에 따른 전자정부 보안대책 연구)

  • Choung, Young-Chul; Bae, Yong-Guen
    • Journal of the Korea Institute of Information and Communication Engineering / v.18 no.6 / pp.1249-1254 / 2014
  • As the ICT ecosystem changes, security-related threats to individuals and corporations have increased. With the recent sophistication of hacking strategies, hacking serves commerce and its scale has become larger than ever. Accordingly, analysis of cyber intrusions is required. As a number one electronic government around the world, the government's role is to provide security solutions for the realization of a safe electronic government. This manuscript analyzes cyber intrusion cases, considers the government's measures, and suggests policy recommendations for the current situation.

Feature Selection with PCA based on DNS Query for Malicious Domain Classification (비정상도메인 분류를 위한 DNS 쿼리 기반의 주성분 분석을 이용한 성분추출)

  • Lim, Sun-Hee; Cho, Jaeik; Kim, Jong-Hyun; Lee, Byung Gil
    • KIPS Transactions on Computer and Communication Systems / v.1 no.1 / pp.55-60 / 2012
  • Recent botnets widely use DNS services when connecting to the C&C server in order to evade botnet detection. It is therefore necessary to study DNS analysis in order to counteract these botnets with an anomaly-based technique that uses DNS. This paper studies the collection of DNS traffic as experimental data and supervised learning for DNS traffic-based malicious domain classification, such as queries for the domain name corresponding to a C&C server from zombies. In particular, this paper aims to determine the significant features of a DNS-based classification system for malicious domain extraction by Principal Component Analysis (PCA).

Using Dynamic Redirection to Protect Changing DDoS Attack (변화하는 DDoS 공격을 방어하기 위한 다이내믹 리다이렉션 기법)

  • Wang, Jeong-Seok; Kim, Kye-Geun; Choi, Dong-Keun; Kwak, Hu-Keun; Chung, Kyu-Sik
    • Proceedings of the Korea Information Processing Society Conference / 2011.04a / pp.924-926 / 2011
  • Due to the continuous evolution and spread of malicious code, changes continue not only in the concealment of the malicious code itself, the composition of botnets, and the structure of C&C servers, but also in DDoS attack methods using zombie PCs, and responding to these has emerged as one of the most important protection issues for service providers. Recently, GET flooding attacks, the most common form of such DDoS attacks, have been evaded using a redirection method, but attackers have lately begun to neutralize it by performing an attack with some of the zombie PCs, obtaining the address of the redirection page, and then, via the C&C server, directly attacking the actual redirected response page. This paper proposes a method to effectively respond to such redirection-neutralizing attacks by using a Dynamic Redirection technique that continuously changes and applies host name changes, page address changes, and so on according to the situation.

An Efficient Bot Detection Mechanism in Smartphones (스마트폰에서 효율적인 봇 탐지 기법)

  • Choe, Ujin; Park, Jiyeon; Jung, Jinman; Heo, Junyoung; Jeon, Gwangil
    • The Journal of the Institute of Internet, Broadcasting and Communication / v.15 no.1 / pp.61-68 / 2015
  • Recently, with the increasing use of smartphones, security threats have also increased rapidly. In particular, a compromised smartphone is very dangerous because it could be exploited in DDoS attacks such as cyberterrorism as well as in the leakage of personal information. However, most bot detection mechanisms are still unsuitable for smartphones, with their lower computing capability and limited battery capacity, because they incur additional computational overhead or require pre-defined signatures. In this paper, we present an efficient bot detection mechanism for smartphones. Our mechanism effectively detects bots in outgoing traffic by using the correlation between user events and network traffic. We have implemented a prototype on an Android smartphone and measured its performance. The evaluation results show that our mechanism detects bots on smartphones with low overhead.

Preventing ID Mapping Attacks on DHT Networks through Non-Voluntary Node Locating (비 자율적 노드 위치 결정을 통한 DHT 네트워크 ID 매핑 공격 방지)

  • Lee, Cheolho; Choi, Kyunghee; Chung, Kihyun; Kim, Jongmyung; Yun, Youngtae
    • Journal of the Korea Institute of Information Security & Cryptology / v.23 no.4 / pp.695-707 / 2013
  • DHT (Distributed Hash Table) networks such as Kademlia are vulnerable to the ID mapping attack caused by the voluntary DHT mapping structure, in which a node's location in the network topology is determined solely by the node itself. This causes security problems such as eclipse attacks, DRDoS, and botnet C&C on DHT networks. To prevent ID mapping attacks, we propose a non-voluntary DHT mapping scheme and analyze its NAT compatibility, attack resistance, and network dynamicity. The analysis results show that our approach may have a level of attack resistance equivalent to other defense mechanisms while overcoming their limitations, including NAT compatibility and network dynamicity.

Preventing Botnet Damage Technique and Its Effect using Bot DNS Sinkhole (DNS 싱크홀 적용을 통한 악성봇 피해방지 기법 및 효과)

  • Kim, Young-Baek; Lee, Dong-Ryun; Choi, Joong-Sup; Youm, Heung-Youl
    • Journal of KIISE: Computing Practices and Letters / v.15 no.1 / pp.47-55 / 2009
  • A bot is a kind of worm/virus that is remotely controlled by a herder. Bots can be used to launch distributed denial-of-service (DDoS) attacks, send spam e-mails, etc. Launching cyber attacks using malicious bots is motivated by monetary gain, which is not the objective of a worm/virus. However, it is very difficult for an infected user to detect a botnet infection, which makes the problem more serious. This is why a botnet is a dangerous, malicious program. The Bot DNS Sinkhole is a domestic bot mitigation scheme that this paper shows to be one of the efficient ways to prevent malicious activities caused by bots and command/control servers. In this paper, we analyze botnet activities over a period of more than one year, including bot lifetimes and the characteristics of bot command/control servers, and we analyze more efficient ways to prevent botnet activities. We have shown that the DNS sinkhole scheme is one of the most effective bot mitigation schemes.

A Study on Cloud Computing for Detecting Cyber Attacks (사이버공격 탐지를 위한 클라우드 컴퓨팅 활용방안에 관한 연구)

  • Lee, Jun-Won; Cho, Jae-Ik; Lee, Seok-Jun; Won, Dong-Ho
    • Journal of Advanced Navigation Technology / v.17 no.6 / pp.816-822 / 2013
  • In modern networks, data rates are getting faster and the amount of transferred data has increased enormously. At the same time, malicious code is evolving into various types very quickly, and new malicious code appears at very short intervals. It is therefore hard to collect and analyze data on general networks with techniques like traditional intrusion detection or anomaly detection. In this paper, we collect and analyze the data more effectively in a cloud environment than on general, simple networks. We also analyze malicious code that resembles real-network malware, using a botnet server/client that includes a DNS spoofing attack.

VPN-Filter Malware Techniques and Countermeasures in IoT Environment (사물인터넷 환경에서의 VPN-Filter malware 기술과 대응방법)

  • Kim, Seung-Ho; Lee, Keun-Ho
    • Journal of Convergence for Information Technology / v.8 no.6 / pp.231-236 / 2018
  • Recently, a wide variety of IoT environments are being created due to the rapid development of information and communication technology. Accordingly, in a variety of network structures, countless attack techniques and new types of vulnerabilities are causing social disturbance. In May 2018, Talos Intelligence, the Cisco threat intelligence team, newly discovered 'VPN-Filter', which constitutes a large-scale IoT-based botnet and is infecting consumer routers in over 54 countries around the world. In this paper, types of IoT-based botnets and the attack techniques utilizing botnets are examined, and a countermeasure based on EXIF metadata removal, EXIF metadata being the means by which the C&C server connection is established, is proposed by examining the characteristics of the attack vulnerabilities and attack scenarios of VPN-Filter.

A Steganography-Based Covert Communication Method in Roblox Metaverse Environment (로블록스 메타버스 환경에서의 스테가노그래피 기반 은닉 통신 기법)

  • Dokyung Yun; Youngho Cho
    • Journal of the Korea Institute of Information Security & Cryptology / v.33 no.1 / pp.45-50 / 2023
  • Roblox, the world's No. 1 metaverse platform, has more than 3 billion subscription accounts and more than 150 million monthly active users (MAU). Despite such high interest in the metaverse, existing studies analyzing the risk of cyberattacks and security in the metaverse environment are insufficient. Therefore, in this paper, we propose a new steganography-based covert communication method in Roblox. In our proposed method, a secret message is hidden in an image by using a function provided in the Roblox Experience environment, and the image is then automatically stored on the Roblox Experience participants' devices (PC or smartphone) so that malicious software can extract the hidden message from the image. Through our experiments in the Roblox metaverse environment, we validated that our proposed method works, and we thus want to point out that our proposed method can be used in various cyberattacks and crimes, such as the spread of secret commands, the establishment of a steganography botnet, and the mass distribution of malware on metaverse platforms.