• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.18 no.6A
• /
• pp.107-114
• /
• 2008

The Bot is a kind of worm/virus that can be used to launch the distributed denial-of-service(DDoS) attacks or send massive amount of spam e-mails, etc. A lot of organizations make an effort to counter the Botnet's attacks. In Korea, we use DNS sinkhole system to protect from the Botnet's attack, while in Japan "so called" CCC(Cyber Clean Center) has been developed to protect from the Botnet's attacks. But in case of DNS sinkhole system, there is a problem since it cannot cure the Bot infected PCs themselves and in case of CCC there is a problem since only 30% of users with the Botnet-infected PCs can cooperate to cure themself. In this paper we propose a new method that prevent the Botnet's attacks and cure the Bot-infected PCs at the same time.

• Journal of KIISE:Computing Practices and Letters
• /
• v.15 no.1
• /
• pp.47-55
• /
• 2009

Bot is a kind of worm/virus that is remotely controlled by a herder. Bot can be used to launch distributed denial-of-service(DDoS) attacks or send spam e-mails etc. Launching cyber attacks using malicious Bots is motivated by increased monetary gain which is not the objective of worm/virus. However, it is very difficult for infected user to detect this infection of Botnet which becomes more serious problems. This is why botnet is a dangerous, malicious program. The Bot DNS Sinkhole is a domestic bot mitigation scheme which will be proved in this paper as one of an efficient ways to prevent malicious activities caused by bots and command/control servers. In this paper, we analysis botnet activities over more than one-year period, including Bot's lifetime, Bot command/control server's characterizing. And we analysis more efficient ways to prevent botnet activities. We have showed that DNS sinkhole scheme is one of the most effective Bot mitigation schemes.

• Journal of the Korea Society of Computer and Information
• /
• v.17 no.6
• /
• pp.111-118
• /
• 2012

In this paper, a technique wherein the DHCP server has a restriction in providing the IP address to the computers that has no malicious bot curing vaccine is proposed, so that users will cooperate in the curing of malicious bot to avoid inconvenience. In order to provide restricted ip address periodically, the DHCP server makes a request of vaccine installation check for user's computer. Proposed technique is effective in the curing of malicious bot, because it does not depend on specific systems or organizations.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2008.11a
• /
• pp.1533-1536
• /
• 2008

악성 봇이 현대 인터넷 보안의 큰 위협으로 등장함에 따라, 이러한 봇을 탐지하기 위한 많은 연구가 진행되고 있다. 하지만 악성 봇은 꾸준히 진화하여 탐지방법을 무력화시키고 있으며, 최근 HTTP를 이용한 악성 봇의 등장으로 그 탐지와 대응이 더욱 어려워지고 있다. 게다가 웹기반 서비스들의 증가로 HTTP를 이용하는 패킷은 통신량의 대부분을 차지하고 있으며, 이들에 대한 분석은 큰 부하를 발생시키게 된다. 이러한 문제를 해결하기 위해서는 악성 봇넷을 효과적으로 탐지하기 위한 효율적인 매져들을 선택하여야 하며, 본 논문에서는 대표적인 HTTP 기반 악성 봇넷인 크라켄(Kraken) 봇넷의 특성을 분석하였다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2011.04a
• /
• pp.967-970
• /
• 2011

본 논문에서는 커널 모드에서 악성 봇이 호스트를 전염 시키는 순간 나타나는 일반적인 행동 특성들을 기반으로 효과적인 악성 봇 탐지가 가능한 프로그램을 구현하였다. 구현된 프로그램은 false-positive(오탐지)를 줄이기 위해서 악성 봇의 전염 과정에서 발생하는 복제 행동, 레지스트리 등록, uninstall 등록, 복제된 파일의 경로 정보 그리고 사용할 API 임포트 정보 등과 같은 악성 행위 탐지 기준 6가지를 고려한다.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.19 no.12
• /
• pp.2885-2891
• /
• 2015

Twitter, one of online social network services, is one of the most popular micro-blogs, which generates a large number of automated programs, known as tweet bots because of the open structure of Twitter. While these tweet bots are categorized to legitimate bots and malicious bots, it is important to detect tweet bots since malicious bots spread spam and malicious contents to human users. In the conventional work, temporal information was utilized for the classficiation of human and bot. In this paper, by utilizing geo-tagged tweets that provide high-precision location information of users, we first identify both Twitter users' exact location and the corresponding timestamp, and then propose an improved two-stage tweet bot detection algorithm by computing an entropy based on spatio-temporal information. As a main result, the proposed algorithm shows superior bot detection and false alarm probabilities over the conventional result which only uses temporal information.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2011.04a
• /
• pp.1528-1531
• /
• 2011

최근 악성봇은 해커에 의해 원격 조정되어 명령에 의해 스팸메일 발송, DDoS 공격 등의 악성행위를 수행하는 웜/바이러스이다[2]. 악성봇은 이전의 웜/바이러스와 달리 금전적인 이득을 목적으로 하는 것이 많아 작게는 일상생활의 불편함으로부터 크게는 사회적, 국가적으로 악영향을 주고 있다. 국내에서는 이러한 위험을 방어하기 위한 효과적인 대응 방법으로 DNS 싱크홀을 운영 하고 있다. 본 논문에서는 DNS 싱크홀 운영 중 수집한 봇 명령/제어 (Command and Control, C&C) 도메인을 Internet Service Provider (ISP) DNS 싱크홀 시스템에 적용하는 과정에서 나타나는 문제점을 효과적으로 해결 하기 위한 DNS Response Policy Zone(RPZ)을 이용한 DNS 싱크홀 운영 방안을 제시 하였다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2016.04a
• /
• pp.311-314
• /
• 2016

본 논문에서는 가상네트워크를 활용하여 네트워크를 통해 악성행위를 하는 악성코드에 대한 동적 분석 결과 중 네트워크 발현율을 보다 향상시키고자 한다. 제우스 봇(Zeus Bot)의 특징과 네트워크 행위에 대하여 이해하고 봇(Bot)이 원하는 응답패킷(Response Packet)을 가상네트워크를 통해 제공함으로써 일반 동적 분석시 발현되지 않는 악성 행위를 발현시키고 네트워크 발현율을 보다 향상시킨다. 최종적으로 코드 커버리지(Code Coverage)를 넓혀 악성코드 유무를 판단, 예방 및 치료 대책을 마련에 기여한다.

• Journal of Korea Game Society
• /
• v.15 no.4
• /
• pp.69-78
• /
• 2015

As the online game industry has been growing rapidly, more and more malicious activities to gain economic benefits have been reported as well. Game bot is one of the biggest problems in the online game industry. So we proposed a bot detection method based on the ERG theory of motivation for the first time. Most of the previous studies focused on behavior-based detection by monitoring patterns of the specific actions. In this paper, we applied the motivation theory to analyze user behaviors on a real game dataset. The result shows that normal users in the game followed the ERG theory of motivation in the same way as it works in real world. But in the case of game bots, the theory could not be applied because the game bot has specific reasons, unlike normal game users. We applied the ERG theory to users to distinguish game bot users from normal users. We detected the game bot with high accuracy of 99.78% by applying the theory.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.19 no.12
• /
• pp.2878-2884
• /
• 2015

Twitter, one of online social network services, is one of the most popular micro-blogs, which generates a large number of automated programs, known as tweet bots because of the open structure of Twitter. While these tweet bots are categorized to legitimate bots and malicious bots, it is important to detect tweet bots since malicious bots spread spam and malicious contents to human users. In the conventional work, temporal information was utilized for the classficiation of human and bot. In this paper, by utilizing geo-tagged tweets that provide high-precision location information of users, we first identify both Twitter users' exact location. Then, we propose a new tweet bot detection algorithm by using both an entropy based on geographic variable of each user and device information of each user. As a main result, the proposed algorithm shows superior bot detection and false alarm probabilities over the conventional result which only uses temporal information.