• Proceedings of the Korea Information Processing Society Conference
• /
• 2009.04a
• /
• pp.1210-1213
• /
• 2009

네트워크 트래픽의 응용 별 분류는 최근 학계의 중요한 이슈 중 하나이다. 기존의 전통적인 트래픽 분류 방법으로 대표되는 well-known 포트 기반 분류 방법 및 페이로드 시그니쳐 기반 분류 방법의 구조적 한계점을 극복하기 위한 새로운 대안으로써, 트래픽의 상관관계를 통한 분류 방법이 제안되었다. 본 논문에서는 트래픽 상관관계에 대한 정형화된 식이나 룰을 찾는데 유용한 정보를 제공하기 위해 인터넷 응용 별 트래픽을 동작형태의 관점에서 분석하였다. 학내 망에서 자주 사용되는 인터넷 응용을 선정하고, 이들이 실행 초기에 발생시키는 트래픽을 플로우와 패킷 단위로 분석한 내용을 기술하였다. 특히, 인터넷 응용이 발생시키는 플로우 중 페이로드가 존재하는 첫 플로우를 first talk 라 정의하였으며, 이에 대한 상세한 분석 내용을 기술하였다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2020.05a
• /
• pp.254-257
• /
• 2020

최근 악성코드에 의한 피해사례가 매년 증가하고 있다. 전통적인 시그니처 기반 안티바이러스 솔루션은 제로데이 공격이나 랜섬웨어처럼 전례가 없는 새로운 위협에 속수무책일 정도로 취약하다. 그럼에도 불구하고 많은 기업이 다중 엔드포인트 보안 전략의 일환으로 시그니처 기반 안티바이러스 솔루션을 유지하고 있다. 이에 응하고자 다양한 악성코드 분석기술이 출현해왔으며, 최근의 연구들은 부분 머신러닝을 이용하여 기존에 진행했던 시그니쳐 기반의 한계를 보완하고 노력하고 있다. 본 논문은 머신러닝을 이용한 바이러스 분석 모델과 머신러닝 알고리즘 중 GRU를 이용한 솔루션 시스템을 제안한다. 기존 DB Server를 통해 머신러닝을 학습 시키며 다양한 샘플과 형식을 이용하여 머신러닝을 학습하고 이를 이용해 새로운 악성코드, 변조된 악성코드의 탐지율을 높일 수 있다.

• The KIPS Transactions:PartB
• /
• v.12B no.1 s.97
• /
• pp.47-56
• /
• 2005

A moving object has a various features that its spatial location, shape, and size are changed as time goes. In addition, the moving object has both temporal feature and spatial feature. It is one of the highly interested feature information in video data. In this paper, we propose an efficient content-based multimedia information retrieval system, so tailed ECoMOT which enables user to retrieve video data by using a trajectory information of moving objects in video data. The ECoMOT includes several novel techniques to achieve content-based retrieval using moving objects' trajectories : (1) Muitiple trajectory modeling technique to model the multiple trajectories composed of several moving objects; (2) Multiple similar trajectory retrieval technique to retrieve more similar trajectories by measuring similarity between a given two trajectories composed of several moving objects; (3) Superimposed signature-based trajectory indexing technique to effectively search corresponding trajectories from a large trajectory databases; (4) convenient trajectory extraction, query generation, and retrieval interface based on graphic user interface

• The KIPS Transactions:PartD
• /
• v.10D no.1
• /
• pp.1-12
• /
• 2003

Recently, there have been many indexing schemes for multimedia data such as image, video data. But recent database applications, for example data mining and multimedia database, are required to support multi-user environment. In order for indexing schemes to be useful in multi-user environment, a concurrency control algorithm is required to handle it. So we propose a concurrency control algorithm that can be applied to CBF (cell-based filtering method), which uses the signature of the cell for alleviating the dimensional curse problem. In addition, we extend the SHORE storage system of Wisconsin university in order to handle high-dimensional data. This extended SHORE storage system provides conventional storage manager functions, guarantees the integrity of high-dimensional data and is flexible to the large scale of feature vectors for preventing the usage of large main memory. Finally, we implement the web-based image retrieval system by using the extended SHORE storage system. The key feature of this system is platform-independent access to the high-dimensional data as well as functionality of efficient content-based queries. Lastly. We evaluate an average response time of point query, range query and k-nearest query in terms of the number of threads.

• The KIPS Transactions:PartC
• /
• v.13C no.7 s.110
• /
• pp.821-830
• /
• 2006

As internet worms are spread out worldwide, the detection and filtering of worms becomes one of hot issues in the internet security. As one of implementation methods to detect worms, the Linux Netfilter kernel module can be used. Its basic operation for worm detection is a string matching where coming packet(s) on the network is/are compared with predefined worm signatures(patterns). A worm can appear in a packet or in two (or more) succeeding packets where some part of worm is in the first packet and its remaining part is in its succeeding packet(s). Assuming that the maximum length of a worm pattern is less than 1024 bytes, we need to perform a string matching up to two succeeding packets of 2048 bytes. To do so, Linux Netfilter keeps the previous packet in buffer and performs matching with a combined 2048 byte string of the buffered packet and current packet. As the number of concurrent connections to be handled in the worm detection system increases, the total size of buffer (memory) increases and string matching speed becomes low In this paper, to reduce the memory buffer size and get higher speed of string matching, we propose a string matching scheme without using buffer. The proposed scheme keeps the partial matching result of the previous packet with signatures and has no buffering for previous packet. The partial matching information is used to detect a worm in the two succeeding packets. We implemented the proposed scheme by modifying the Linux Netfilter. Then we compared the modified Linux Netfilter module with the original Linux Netfilter module. Experimental results show that the proposed scheme has 25% lower memory usage and 54% higher speed compared to the original scheme.

• The KIPS Transactions:PartA
• /
• v.8A no.4
• /
• pp.509-516
• /
• 2001

As results of many genome projects, genomic sequences of many organisms are revealed. Various methods such as global alignment, local alignment are used to analyze the sequences of the organisms, and k -mer analysis is one of the methods for analyzing the genomic sequences. The k -mer analysis explores the frequencies of all k-mers or the symmetry of them where the k -mer is the sequenced base with the length of k. However, existing on-memory algorithms are not applicable to the k -mer analysis because a whole genomic sequence is usually a large text. Therefore, efficient data structures and algorithms are needed. String B-tree is a good data structure that supports external memory and fits into pattern matching. In this paper, we improve the string B-tree in order to efficiently apply the data structure to k -mer analysis, and the results of k -mer analysis for C. elegans and other 30 genomic sequences are shown. We present a visualization system which enables users to investigate the distribution and symmetry of the frequencies of all k -mers using CGR (Chaotic Game Representation). We also describe the method to find the signature which is the part of the sequence that is similar to the whole genomic sequence.

• Journal of Korea Spatial Information System Society
• /
• v.9 no.1
• /
• pp.59-77
• /
• 2007

Advances in mobile techknowledges and supporting techniques require an effective representation and analysis of moving objects. Similarity search of moving object trajectories is an active research area in data mining. In this paper, we propose a trajectory search algorithm for spatio-temporal similarity of moving objects on road network. For this, we define spatio-temporal distance between two trajectories of moving objects on road networks, and propose a new method to measure spatio-temporal similarity based on the real road network distance. In addition, we propose a similar trajectory search algorithm that retrieves spatio-temporal similar trajectories in the road network. The algorithm uses a signature file in order to retrieve candidate trajectories efficiently. Finally, we provide performance analysis to show the efficiency of the proposed algorithm.

• Journal of the Korea Society of Computer and Information
• /
• v.14 no.9
• /
• pp.47-54
• /
• 2009

Malicious codes, which are spread through WWW are now evolved with various hacking technologies However, detecting technologies for them are seemingly not able to keep up with the improvement of hacking and newly generated malicious codes. In this paper, we define the requirements of detecting systems based on the analysis of malicious codes and their spreading characteristics, and propose an improved detection scheme which monitors HTTP Outbound traffic and detects spreading malicious codes in real time. Our proposed scheme sets up signatures in IDS with confirmed HTML tags and Java scripts which spread malicious codes. Through the verification analysis under the real-attacked environment, we show that our scheme is superior to the existing schemes in satisfying the defined requirements and has a higher detection rate for malicious codes.

• The Journal of Society for e-Business Studies
• /
• v.21 no.1
• /
• pp.105-118
• /
• 2016

Game companies are frequently attacked by attackers while the companies are servicing their own games. This paper analyzes the limit of the Signature detection method, which is a way of detecting hacking modules in online games, and then this paper proposes the Scoring Signature detection scheme to make up for these problems derived from the limits. The Scoring Signature detection scheme enabled us to detect unknown hacking attacks, and this new scheme turned out to have more than twenty times of success than the existing signature detection methods. If we apply this Scoring Signature detection scheme and the existing detection methods at the same time, it seems to minimize the inconvenient situations to collect hacking modules. And also it is expected to greatly reduce the amount of using hacking modules in games which had not been detected yet.

• Journal of Internet Computing and Services
• /
• v.16 no.4
• /
• pp.51-59
• /
• 2015

JavaScript is a popular technique for activating static HTML. JavaScript has drawn more attention following the introduction of HTML5 Standard. In proportion to JavaScript's growing importance, attacks (ex. DDos, Information leak using its function) become more dangerous. Since these attacks do not create a trail, whether the JavaScript code is malicious or not must be decided. The real attack action is completed while the browser runs the JavaScript code. For these reasons, there is a need for a real-time classification and determination technique for malicious JavaScript. This paper proposes the Analysis Engine for detecting malicious JavaScript by adopting the requirements above. The analysis engine performs static analysis using signature-based detection and dynamic analysis using behavior-based detection. Static analysis can detect malicious JavaScript code, whereas dynamic analysis can detect the action of the JavaScript code.