• Proceedings of the Korean Society of Broadcast Engineers Conference
• /
• 2007.02a
• /
• pp.138-141
• /
• 2007

네트워크 상에서 활동하는 윔을 모델링하는 연구는 특정 윔에 한정되어 있다. 따라서 기존에 발표된 웜의 확산 모델링 연구는 그 범위를 다른 수많은 윔으로 확장하기에 어려움이 따르며, 이를 위한 표준화 연구도 부족한 실정이다 따라서 본 연구에서는 Non-fuction requrirement(NFR)의 개념을 이용하여 웜의 속성을 정의하고 이 정의를 바탕으로 자체 전파되는 웜의 표현 기법을 제안한다. 현재로서는 사용자의 추가적인 작동을 요구하지 않는 자체 전파 웜에 대하여 한정하고 있으나, 이를 확장하면 다양한 형태의 웜을 표현할 수 있는 도구가 될 수 있다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2001.10b
• /
• pp.1013-1016
• /
• 2001

최근 인터넷의 전자 메일 서비스 사용의 증가로 인해 스크립트형 웜 바이러스에 대한 피해가 확산되고 있다. 전자 메일을 통하여 유포되는 스크립트형 웜 바이러스는 지속적으로 새로운 형태로 변이되어 나타나고 있지만, 이에 대한 예방 방법은 새로운 패턴이 분석된 후 이를 토대로 탐지하기 때문에 적극적인 대응을 하지 못하는 실정이다. 이에 본 논문에서는 스크립트형 웜 바이러스의 행위를 추출하여 일정한 패턴을 정의한 후 이를 기반으로 스크립트형 웜 바이러스 탐지 시스템을 설계하고, 기존의 패턴에 유전자 알고리즘을 적용하여 알려지지 않은 새로운 패턴을 생성한 후 바이러스 탐지에 활용할 수 있는 방안을 연구한다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.16 no.3
• /
• pp.165-172
• /
• 2006

There are various threats as side effects against the growth of information technology, and malicious codes such as Internet worms may bring about confusions to upset a national backbone network. In this paper, we examine the existed spreading models and propose a new worm spreading model on Internet environment. We also predict and analyze the spreading effects of high-speed Internet worms. The proposed model leads to a better prediction of the worm spreading since various factors are considered.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2009.04a
• /
• pp.1482-1485
• /
• 2009

DDoS 공격은 네트워크 보안에 큰 피해를 미치는 공격기법의 하나로써, 국내외로 많은 피해를 유발하고 있으며, 최근에도 DDoS 공격에 의한 피해는 빈번하게 보고되고 있다. DDoS 공격은 실제 공격에 앞서 웜과 악성 BOT을 이용하여 공격을 직접 수행할 호스트를 감염시킨다. 웜과 악성 BOT이 타깃 호스트를 감염시키기 전에 반드시 수행하는 것이 취약점에 대한 스캐닝이다. 본 논문에서는 웜과 악성 BOT의 스캐닝 행위에 초점을 맞추어 DDoS 공격으로부터 안전한 네트워크를 구축하기 위한 역 IP spoofing을 이용한 DDoS 웜 스캐닝 트래픽의 처리기법을 제안한다.

• Journal of Korea Multimedia Society
• /
• v.9 no.3
• /
• pp.333-341
• /
• 2006

Recently, Random Constant worm is increasing The worm retards the availability of the overall network by exhausting resources such as CPU resource and network bandwidth, and damages to an uninfected system as well as an infected system. This paper analyzes the Power-Law network which possesses the preferential characteristics to restrain the worm from spreading. Moreover, this paper suggests the model which dynamically controls the spread of the worm using information about depth distribution of the delivery node which can be seen commonly in such network. It has also verified that the load for each node was minimized at the optimal depth to effectively restrain the spread of the worm by a simulation.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.17 no.1
• /
• pp.57-66
• /
• 2007

Scanning worms increase network traffic load because they randomly scan network addresses to find hosts that are susceptible to infection. Since propagation speed is faster than human reaction, scanning worms cause severe network congestion. So we need to build an early detection system which can automatically detect and quarantine such attacks. We propose algorithms to detect scanning worms using network traffic characteristics such as variance, variance to mean ratio(VMR) and correlation coefficient. The proposed algorithm have been verified by computer simulation. Compared to existing algorithm, the proposed algorithm not only reduced computational complexity but also improved detection accuracy.

• Journal of KIISE:Information Networking
• /
• v.35 no.6
• /
• pp.474-481
• /
• 2008

Scanning worm increases network traffic load and result in severe network congestion because it is a self-replicating worm and send copies of itself to a number of hosts through the Internet. So an early detection system which can automatically detect scanning worms is needed to protect network from those attacks. Although many studies are conducted to detect scanning worms, most of them are focusing on the method using packet header information. The method using packet header information has long detection delay since it must examine the header information of all packets entering or leaving the network. Therefore we propose an algorithm to detect scanning worms using network traffic characteristics such as variance of traffic volume, differentiated traffic volume, mean of differentiated traffic volume, and product of mean traffic volume and mean of differentiated traffic volume. We verified the proposed algorithm by analyzing the normal traffic captured in the real network and the worm traffic generated by simulator. The proposed algorithm can detect CodeRed and Slammer which are not detected by existing algorithm. In addition, all worms were detected in early stage: Slammer was detected in 4 seconds and CodeRed and Witty were detected in 11 seconds.

• Korean journal of applied entomology
• /
• v.48 no.1
• /
• pp.95-100
• /
• 2009

This study was conducted to develop environmentally friendly control techniques to reduce chestnut insect pests. The study sites were selected in intensive chestnut orchards of Jinju city, Gyeongnam province. In early and middle-ripening cultivars of chestnut tree, the damage of chestnut fruits by Dichocrocis punctiferalis was significantly lower in wromstop than other treatment such as wromstop+wood vinegar, Capture-machine (p<0.05), While there was no significant difference among treatments in late-ripening cultivars. The hight control effect for D. punctiferalis was showed the highest in wromstop treanment with 40.49% and 41.89% in early and late-ripening cultivars. The control effects for Curculio sikkimensis in late-ripening cultivars of chestnut tree were 34.59% in wromstop imidacloprid treatment and 28.94% in air control treatment.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.32 no.1C
• /
• pp.67-77
• /
• 2007

Virus throttling technique, one of many early worm detection techniques, detects Internet worm propagation by limiting connect requests within a certain ratio. The typical virus throttling controls the period of rate limiter autonomically by utilizing weighted average delay queue length to reduce connection delay time without hanving a large effect on worm detection time. In the existing virus throttling research, a minimum period of variable rate limiter is fired and a turning point which is a point that the period of rate limiter has been being decreased and starts to be increased is also fixed. However, these two performance factors have different effects on worm detection time and connection delay. In this paper, we analyze the effect of minimum period and turning point of variable rate limiter, and then propose an algorithm which determines values of performance factors by referencing current traffic pattern. Through deep experiments, it is verified that the proposed technique is more efficient in respect of reducing worm detection time and connection delay than the existing virus throttling which fixed the performance factors.

• The KIPS Transactions:PartC
• /
• v.12C no.2 s.98
• /
• pp.191-200
• /
• 2005

The brilliant achievements in computers and the internet technology make it easy for users to get useful information. But at the same time, the damages caused by intrusions and denial of service attacks are getting more worse. Specially because denial of service attacks by internet worm incapacitate computers and networks, we should draw up a disposal plan against it. So far many rule-based intrusion detection systems have been developed, but these have the limits of these ability to detect new internet worms. In this paper, we propose a system to detect intrusion and generate detection rule against scan-based internet worm, paying attention to the fact that internet worms scan network to infect hosts. The system detects internet worms using detection rule. And if it detects traffic causing by a new scan-based internet worm, it generates new detection nile using traffic information that is gathered. Therefore it can response to new internet worms early. Because the system gathers packet payload, when it is being necessary only, it can reduce system's overhead and disk space that is required.