• Journal of Internet Computing and Services
• /
• v.22 no.3
• /
• pp.27-35
• /
• 2021

With the development of the Internet, various IT technologies such as IoT, Cloud, etc. have been developed, and various systems have been built in countries and companies. Because these systems generate and share vast amounts of data, they needed a variety of systems that could detect threats to protect the critical data contained in the system, which has been actively studied to date. Typical techniques include anomaly detection and misuse detection, and these techniques detect threats that are known or exhibit behavior different from normal. However, as IT technology advances, so do technologies that threaten systems, and these methods of detection. Advanced Persistent Threat (APT) attacks national or companies systems to steal important information and perform attacks such as system down. These threats apply previously unknown malware and attack technologies. Therefore, in this paper, we propose a hybrid intrusion detection system that combines anomaly detection and misuse detection to detect unknown threats. Two detection techniques have been applied to enable the detection of known and unknown threats, and by applying machine learning, more accurate threat detection is possible. In misuse detection, we applied Classification based on Association Rule(CBA) to generate rules for known threats, and in anomaly detection, we used One-Class SVM(OCSVM) to detect unknown threats. Experiments show that unknown threat detection accuracy is about 94%, and we confirm that unknown threats can be detected.

• Journal of the Society of Disaster Information
• /
• v.17 no.1
• /
• pp.176-183
• /
• 2021

Purpose: The introduction of smart factories that reflect the 4th industrial revolution technologies such as AI, IoT, and VR, has been actively promoted in Korea. However, in order to solve various problems arising from existing file-based operating systems, this research will focus on identifying and verifying non-file system-based data protection technology. Method: The research will measure security storage that cannot be identified or controlled by the operating system. How to activate secure storage based on the input of digital key values. Establish a control unit that provides input and output information based on BIOS activation. Observe non-file-type structure so that mapping behavior using second meta-data can be performed according to the activation of the secure storage. Result: First, the creation of non-file system-based secure storage's data input/output were found to match the hash function value of the sample data with the hash function value of the normal storage and data. Second, the data protection performance experiments in secure storage were compared to the hash function value of the original file with the hash function value of the secure storage after ransomware activity to verify data protection performance against malicious ransomware. Conclusion: Smart factory technology is a nationally promoted technology that is being introduced to the public and this research implemented and experimented on a new concept of data protection technology to protect crucial data within the information system. In order to protect sensitive data, implementation of non-file-type secure storage technology that is non-dependent on file system is highly recommended. This research has proven the security and safety of such technology and verified its purpose.

• Asia-pacific Journal of Multimedia Services Convergent with Art, Humanities, and Sociology
• /
• v.8 no.4
• /
• pp.285-296
• /
• 2018

Among many hacking attempts carried out in the past few years, the cyber-attacks that could have caused a national-level disaster were the attacks against nuclear facilities including nuclear power plants. The most typical one was the Stuxnet attack against Iranian nuclear facility and the cyber threat targeting one of the facilities operated by Korea Hydro and Nuclear Power Co., Ltd (Republic of Korea; ROK). Although the latter was just a threat, it made many Korean people anxious while the former showed that the operation of nuclear plant can be actually stopped by direct cyber-attacks. After these incidents, the possibility of cyber-attacks against industrial control systems has become a reality and the security for these systems has been tightened based on the idea that the operations by network-isolated systems are no longer safe from the cyber terrorism. The ROK government has established a realistic control systems defense concept and in the US, the relevant authorities have set up several security frameworks to prepare for the threats. This paper presented various cyber security attack cases and their scenarios against control systems, along with the analysis of countermeasures for them. Though this task, we attempt to identify the items that need to be considered when designing a domestic security framework to improve security and secure stability.

• Journal of Advanced Navigation Technology
• /
• v.11 no.3
• /
• pp.259-265
• /
• 2007

Systematic components for implementing ubiquitous computing, for example, electronic devices, electric home appliances, and controllers, etc, are consist of not only circuits but also softwares expected to do some special system-controlling functions, and these softwares used to be called like as embedded software. Because embedded software is a core component controlling systems, the codes or control flows should be protected from being opened to the public or modified. Embedded software security can be divided into 2 parts: first is the unauthorized access to development site and embedded software, second is the unauthorized disclosure or modification. And this research is related to the first aspect of them.This paper proposes some security check requirements related to embedded software development site by analyzing the ALC_DVS.1 of the ISO/IEC 15408 and Base Practices (BPs) of the ISO/IEC 21827. By applying this research, we expect to protect unauthorized modification of embedded software indirectly.

• Journal of KIISE:Computing Practices and Letters
• /
• v.12 no.6
• /
• pp.339-348
• /
• 2006

Recently, many researches on detecting and responding worms due to the fatal infrastructural damages explosively damaged by automated attack tools, particularly worms. Network service vulnerability exploiting worms have high propagation velocity, exhaust network bandwidth and even disrupt the Internet. Previous worm researches focused on signature-based approaches however these days, approaches based on behavioral features of worms are more highlighted because of their low false positive rate and the attainability of early detection. In this paper, we propose a Distributed Worm Detection Model based on packet marking. The proposed model detects Worm Cycle and Infection Chain among which the behavior features of worms. Moreover, it supports high scalability and feasibility because of its distributed reacting mechanism and low processing overhead. We virtually implement worm propagation environment and evaluate the effectiveness of detecting and responding worm propagation.

• Convergence Security Journal
• /
• v.6 no.3
• /
• pp.21-28
• /
• 2006

Beginning flag security it was limited in Firewall but currently many information security solutions like Anti-virus, IDS, Firewall are come to be many. For efficiently managing different kinds of information security products ESM (Enterprise Security management) are developed and operated. Recently over the integrated security management system, TMS (Threat Management System) is rising in new area of interest. It follows in change of like this information security product and also collection information is being turning out diversification. For managing cyber threats, we have to analysis qualitative information (like vulnerabilities and malware codes, security news) as well as the quantity event logs which are from information security products of past. Information Threats and Vulnerability Auto Collector raises the accuracy of cyber threat judgement and can be utilized to respond the cyber threat which does not occur still by gathering qualitative information as well as quantity information.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2012.10a
• /
• pp.744-748
• /
• 2012

Botnet is a network that consists of bot hosts infected by malware. The C&C server of centralized botnet, which is being used widely, is relatively easy to detect, while detecting P2P botnet is not a trivial problem because of the existence of many avoiding techniques. In this paper, we separate the network into inner and outer sub-network at the location of the router, and analyze the method of detecting botnet using path of packet and infection probability. We have extended Dye-Pumping algorithm in order to detect P2P botnet members more accurately, and we expect that the analysis of the results can be used as a basis of techniques that detect and block P2P botnet in the networks.

• The KIPS Transactions:PartC
• /
• v.12C no.6 s.102
• /
• pp.855-864
• /
• 2005

In this paper, we propose an intrusion detection system(IDS) architecture which can detect and respond against the generation of abnormal traffic such as malicious code and Internet worms. We model the system, design and implement a simulator using OPNET Modeller, for the performance analysis on the response capacity of alert information in the proposed system. At first, we model the arrival process of alert information resulted from abnormal traffic. In order to model the situation in which alert information is intensively produced, we apply the IBP(Interrupted Bernoulli Process) which may represent well the burstiness of traffic. Then we perform the simulation in order to gain some quantitative understanding of the system for our performance parameters. Based on the results of the performance analysis, we analyze factors which may hinder in accelerating the speed of security node, and would like to present some methods to enhance performance.

• The Journal of the Korea Contents Association
• /
• v.18 no.6
• /
• pp.434-442
• /
• 2018

Recently, the threat to the security and damage of important data leaked by devices of intranet infected by malicious code through the Internet have been increasing. Therefore, the partitioned intranet model that blocks access to the server for business use by implementing authentication of devices connected to the intranet is required. For this, logical net partition with the VDI(Virtual Desktop Infrastructure) method is no information exchange between physical devices connected to the intranet and the virtual device so that it could prevent data leakage and improve security but it is vulnerable to the attack to expose internal data, which has access to the server for business connecting a nonregistered device into the intranet. In order to protect the server for business, we suggest a blockchain based network partition model applying blockchain technology to VDI. It contributes to decrease in threat to expose internal data by improving not only capability to verify forgery of devices, which is the vulnerability of the VDI based logical net partition, but also the integrity of the devices.

• Smart Media Journal
• /
• v.8 no.1
• /
• pp.27-34
• /
• 2019

Ransomware is a malicious program code evolved into various forms of attack. Unlike traditional Ransomware that is being spread out using email attachments or infected websites, a new type of Ransomware, such as WannaCryptor, may corrupt files just for being connected to the Internet. Due to global Ransomware damage, there are many studies conducted to detect and defense Ransomware. However, existing research on Ransomware detection only uses Ransomware signature database or monitors specific behavior of process. Additionally, existing Ransomware detection methods hardly detect and defense a new Ransomware that behaves differently from the traditional ones. In this paper, we propose a method to detect Ransomware by arranging decoy files and analyzing the method how Ransomware accesses and operates files in the file system. Also, we conduct experiments using proposed method and provide the results of detection and defense of Ransomware in this paper.