• Title/Summary/Keyword: anomalous behavior detection (이상행위탐지)


DGA-DNS Similarity Analysis and APT Attack Detection Using N-gram (N-gram을 활용한 DGA-DNS 유사도 분석 및 APT 공격 탐지)

  • Kim, Donghyeon; Kim, Kangseok
    • Journal of the Korea Institute of Information Security & Cryptology / v.28 no.5 / pp.1141-1151 / 2018
  • In an APT attack, the communication stage between infected hosts and the C&C (Command and Control) server is the key stage for intrusion into the target. Attackers control multiple infected hosts through the C&C server and direct intrusion and exploitation from it; if the C&C server is exposed at this stage, the attack fails. Therefore, in recent years, attackers have used a Domain Generation Algorithm (DGA) to replace the C&C server's domain name at short intervals so as to make detection difficult. In particular, it is very difficult to verify and inspect all newly registered domain names, of which there are more than 5 million a day. To solve these problems, this paper proposes a model that judges whether a domain is a DGA domain by morphological similarity analysis of normal domains and DGA domains, determines from that a sign of an APT attack, and verifies its validity.
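One way to implement the n-gram similarity check described in the abstract, as an added example and not the authors' code: it profiles the character bigrams of a constructed benign label set, scores each queried label by the fraction of its bigrams seen in that profile, and flags low-coverage labels in constructed DNS query log lines. The benign list, the log format, the coverage rule and the 0.5 threshold are assumptions.

```python
"""
Character n-gram similarity between candidate domain labels and a profile
of known-benign labels, with a coverage threshold used to flag DGA-like
names in DNS query log lines.

Added example, not the authors' code. The benign list, the DNS log lines,
the coverage scoring rule and the 0.5 threshold are constructed here.
"""
from collections import Counter

# Constructed benign training labels (assumption: a real deployment would
# profile a large whitelist such as a top-sites list).
BENIGN_LABELS = [
    "google", "facebook", "youtube", "wikipedia", "amazon", "twitter",
    "microsoft", "linkedin", "netflix", "github", "stackoverflow", "apple",
    "instagram", "reddit", "yahoo", "office", "cloudflare", "dropbox",
]

# Constructed DNS query log lines: "<time> <client-ip> <qtype> <qname>".
SAMPLE_DNS_LOG = [
    "2018-05-01T09:12:01Z 10.0.0.12 A github.com",
    "2018-05-01T09:12:03Z 10.0.0.12 A q7x2zk9v.com",
    "2018-05-01T09:12:04Z 10.0.0.17 A dropbox.com",
    "2018-05-01T09:12:05Z 10.0.0.12 A m3k8rwz1f.net",
]


def ngrams(label, n=2):
    """Overlapping character n-grams of a lower-cased label."""
    label = label.lower()
    return [label[i:i + n] for i in range(len(label) - n + 1)]


def build_profile(labels, n=2):
    """Relative frequency of each n-gram across the benign labels."""
    counts = Counter()
    for label in labels:
        counts.update(ngrams(label, n))
    total = sum(counts.values())
    return {gram: c / total for gram, c in counts.items()}


def coverage(label, profile, n=2):
    """Fraction of the label's n-grams that occur in the benign profile.

    Random-looking DGA labels share few n-grams with human-chosen names,
    so their coverage is close to 0; dictionary-like names score near 1.
    """
    grams = ngrams(label, n)
    if not grams:
        return 0.0
    return sum(1 for g in grams if g in profile) / len(grams)


def registrable_label(qname):
    """Label left of the TLD; assumes a single-label public suffix."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_domain(qname, profile, threshold=0.5, min_grams=3):
    """'dga-like', 'benign-like', or 'too-short' (never judge e.g. 'go.kr')."""
    label = registrable_label(qname)
    if len(ngrams(label)) < min_grams:
        return "too-short"
    return "benign-like" if coverage(label, profile) >= threshold else "dga-like"


def scan_dns_log(lines, profile):
    """Return the query names in the log that look DGA-generated."""
    flagged = []
    for line in lines:
        _ts, _client, _qtype, qname = line.split()
        if classify_domain(qname, profile) == "dga-like":
            flagged.append(qname)
    return flagged


if __name__ == "__main__":
    profile = build_profile(BENIGN_LABELS)
    for qname in ("github.com", "q7x2zk9v.com"):
        print(qname, round(coverage(registrable_label(qname), profile), 2))
    print("flagged:", scan_dns_log(SAMPLE_DNS_LOG, profile))
```

Coverage alone produces false positives on legitimate random-looking labels (CDN and cloud hostnames) and misses dictionary-word DGAs, so in practice it is combined with signals such as NXDOMAIN rate per client and domain registration age.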

Using Image Visualization Based Malware Detection Techniques for Customer Churn Prediction in Online Games (악성코드의 이미지 시각화 탐지 기법을 적용한 온라인 게임상에서의 이탈 유저 탐지 모델)

  • Yim, Ha-bin; Kim, Huy-kang; Kim, Seung-joo
    • Journal of the Korea Institute of Information Security & Cryptology / v.27 no.6 / pp.1431-1439 / 2017
  • In the security field, log analysis is important for detecting malware or abnormal behavior. Recently, image visualization techniques for malware detection have become a major part of security. These techniques can also be used in online games. Users may leave a game after a bad experience caused by game bots, automated hunting programs, malicious code, and so on, and this churn can damage an online game's profit and the longevity of the service if operators cannot detect such events in time. In this paper, we first propose a new PNG image conversion based churn prediction technique to improve the efficiency of data analysis; with this log compression technique we reduce log files by a factor of 52,849 and increase analysis speed without separate feature analysis. Second, we apply data mining techniques to predict user churn with a real dataset from Blade & Soul, developed by NCSoft. As a result, we identify potential churners with a high accuracy of 97%.

Anomaly Detection for User Action with Generative Adversarial Networks (적대적 생성 모델을 활용한 사용자 행위 이상 탐지 방법)

  • Choi, Nam woong; Kim, Wooju
    • Journal of Intelligence and Information Systems / v.25 no.3 / pp.43-62 / 2019
  • At one time, the anomaly detection field was dominated by methods that judged whether an abnormality existed from statistics derived from specific data. This was workable because the data of the past was low-dimensional, so classical statistical methods were effective. However, as data characteristics have grown complex in the era of big data, it has become harder to analyse and predict the data generated across industry accurately in the conventional way. Supervised learning algorithms based on SVMs and decision trees were therefore used. A supervised model, however, can predict test data accurately only when the class distribution of the training data is balanced, whereas most data generated in industry has imbalanced classes, so the predictions of a supervised model are not always valid. To overcome these drawbacks, many studies now use unsupervised models that are not influenced by the class distribution, such as autoencoders or generative adversarial networks. In this paper, we propose a method to detect anomalies using generative adversarial networks. AnoGAN, introduced by Schlegl et al. (2017), is a classification model that performs anomaly detection on medical images; it is built from convolutional neural networks and has been used in that detection setting. Anomaly detection of sequence data with generative adversarial networks, on the other hand, has far fewer papers than image data. Li et al. (2018) did propose a model, using LSTM (a type of recurrent neural network), to classify anomalies in numerical sequence data, but it has not been applied to categorical sequence data, nor has the feature matching method of Salimans et al. (2016). This suggests that there is considerable room for studies on anomaly classification of sequence data with a generative adversarial network. To learn sequence data, the generative adversarial network is built from LSTMs: the generator is a 2-stacked LSTM with 32-dimensional and 64-dimensional hidden unit layers, and the discriminator's LSTM uses a 64-dimensional hidden unit layer. Existing papers on anomaly detection for sequence data derive the anomaly score from the entropy of the probability of the actual data; in this paper, as mentioned above, the anomaly score is derived with the feature matching technique. In addition, the latent-variable optimization step was designed with an LSTM to improve model performance. The modified generative adversarial model was more accurate than the autoencoder in precision in all experiments and about 7% higher in accuracy. In terms of robustness, the generative adversarial network also outperformed the autoencoder: because it can learn the data distribution from real categorical sequence data, it is unaffected by a single normal data item, whereas the autoencoder is not. In the robustness test the autoencoder reached 92% accuracy against 96% for the generative adversarial network, and in sensitivity 40% against 51%. Experiments were also conducted on how much performance changes with the structure used to optimize the latent variables; sensitivity improved by about 1%. These results offer a new perspective on optimizing latent variables, which had received relatively little attention.

A study on Preventing Data Leakage using Abnormal Behavior Detection in a Virtual Private Network (VPN에서의 이상행동 탐지를 활용한 정보유출 방지에 관한 연구)

  • Park, Jang-Su; Kim, Su-Hyun; Lee, Im-Yeong
    • Proceedings of the Korea Information Processing Society Conference / 2015.04a / pp.404-405 / 2015
  • With the recent development of IT technology and the Internet, the work environment is changing rapidly toward handling business without limits of time and place. In particular, companies increasingly need to exchange information with external networks, and the share of work done outside the office (frequent field work, business trips, and so on) has grown, so a secure network structure is required for sharing information not only internally but also externally. The Virtual Private Network (VPN) is what allows efficient and secure access to internal systems from outside, and institutions and companies continue to adopt and operate VPNs. However, once VPN authentication succeeds, access to various business systems is easy, so information leakage by a malicious user can occur with little effort. This study therefore presents an inspection checklist for verifying whether VPNs in use are properly managed and, for monitoring VPNs to prevent information leakage, derives scenarios that can detect information-leak security threat behavior by analyzing VPN access logs.
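The abstract describes deriving detection scenarios from VPN access logs but does not list them. The following added example (not the authors' work) runs three assumed scenarios over constructed log lines: a login outside working hours, logins by one account from two countries within a short window, and a session whose outbound transfer volume exceeds a threshold. The log format, scenario definitions and thresholds are all assumptions.

```python
"""
Scenario-based detection of information-leak indicators in VPN access logs.

Added example, not the authors' work. The log format, the three scenarios
and their thresholds are assumptions; the paper derives its own scenarios
from real access logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: "<time> <user> <src-ip> <country> <event> <mb-out>".
# <mb-out> is the megabytes sent from the internal network to the client
# during the session; "-" means the event carries no volume.
SAMPLE_VPN_LOG = [
    "2015-03-02T08:55:10 alice 203.0.113.5 KR login -",
    "2015-03-02T17:40:02 alice 203.0.113.5 KR logout 120MB",
    "2015-03-02T23:15:44 bob 198.51.100.7 KR login -",
    "2015-03-03T02:30:00 bob 198.51.100.7 KR logout 4096MB",
    "2015-03-03T09:00:00 carol 192.0.2.10 KR login -",
    "2015-03-03T09:20:00 carol 192.0.2.99 US login -",
]


def parse_vpn_log(lines):
    """Split each line into a record dict with a parsed timestamp."""
    records = []
    for line in lines:
        ts, user, ip, country, event, mb = line.split()
        records.append({
            "time": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "country": country, "event": event,
            "mb_out": None if mb == "-" else int(mb.rstrip("MB")),
        })
    return records


def detect_vpn_leak_indicators(records, travel_window=timedelta(hours=1),
                               bulk_mb=1024, work_hours=(7, 22)):
    """Return one alert dict per scenario hit.

    Scenario 1: login outside work_hours (start inclusive, end exclusive).
    Scenario 2: the same account logs in from two countries within travel_window.
    Scenario 3: a session moves more than bulk_mb out of the internal network.
    """
    alerts = []
    logins = defaultdict(list)          # user -> earlier login records
    for r in sorted(records, key=lambda rec: rec["time"]):
        if r["event"] == "login":
            if not work_hours[0] <= r["time"].hour < work_hours[1]:
                alerts.append({"rule": "off_hours_login", "user": r["user"],
                               "detail": r["time"].isoformat()})
            for prev in logins[r["user"]]:
                if (prev["country"] != r["country"]
                        and r["time"] - prev["time"] <= travel_window):
                    alerts.append({"rule": "impossible_travel", "user": r["user"],
                                   "detail": f"{prev['country']}->{r['country']}"})
                    break
            logins[r["user"]].append(r)
        elif r["event"] == "logout" and r["mb_out"] is not None:
            if r["mb_out"] > bulk_mb:
                alerts.append({"rule": "bulk_transfer", "user": r["user"],
                               "detail": f"{r['mb_out']}MB"})
    return alerts


if __name__ == "__main__":
    for alert in detect_vpn_leak_indicators(parse_vpn_log(SAMPLE_VPN_LOG)):
        print(alert)
```

On the constructed log this yields three alerts (bob's late login and large session, carol's two-country logins) and none for alice. Thresholds such as the 1 GB session volume and the working-hours window should be tuned per organisation and per role, since a backup operator's normal traffic will trip a flat threshold.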

A Study on the Application of Outlier Analysis for Fraud Detection: Focused on Transactions of Auction Exception Agricultural Products (부정 탐지를 위한 이상치 분석 활용방안 연구 : 농수산 상장예외품목 거래를 대상으로)

  • Kim, Dongsung; Kim, Kitae; Kim, Jongwoo; Park, Steve
    • Journal of Intelligence and Information Systems / v.20 no.3 / pp.93-108 / 2014
  • To support business decision making, interest in and efforts to analyze and use transaction data from different perspectives are increasing. Such efforts are not limited to customer management or marketing; they are also used to monitor and detect fraudulent transactions. Fraudulent transactions evolve into diverse patterns by taking advantage of information technology, so many efforts go into fraud detection methods and advanced application systems that improve the accuracy and ease of detection. As a case of fraud detection, this study aims to provide effective detection methods for auction exception agricultural products in the largest Korean agricultural wholesale market. The auction exception products policy complements auction-based trading in the agricultural wholesale market: most agricultural products are traded by auction, but specific products are designated auction exception products when their total volume is relatively small, the number of wholesalers is small, or wholesalers have difficulty purchasing them. The policy, however, creates several problems for the fairness and transparency of transactions, which calls for fraud detection. To generate fraud detection rules, this study analyzes the market's real trade transaction data from 2008 to 2010, more than 1 million transactions with over 1 billion US dollars in transaction volume. Agricultural transaction data has unique characteristics such as frequent changes in supply volume and turbulent time-dependent price changes. Since this was the first attempt to identify fraudulent transactions in this domain, there was no training data set for supervised learning, so the detection rules are generated with an outlier detection approach. We assume that outlier transactions are more likely to be fraudulent than normal transactions. Outlier transactions are identified by comparing the daily, weekly and quarterly average unit prices of product items; the quarterly average unit prices of product items for specific wholesalers are used as well. The reliability of the generated rules is confirmed by domain experts. To decide whether a transaction is fraudulent, the normal distribution and the normalized Z-value are applied: the unit price of a transaction is transformed to a Z-value to calculate its occurrence probability when the distribution of unit prices is approximated by a normal distribution. A modified Z-value of the unit price is used rather than the original Z-value, because for auction exception agricultural products the number of wholesalers is small, so Z-values are influenced by the outlier fraudulent transactions themselves. The modified Z-values are called Self-Eliminated Z-scores because they are calculated excluding the unit price of the specific transaction that is being checked. To show the usefulness of the approach, a prototype fraud detection system was developed in Delphi. The system consists of five main menus and related submenus: importing transaction databases; setting fraud detection parameters, through which users control the number of potential fraud transactions; and execution functions that produce the detection results for those parameters, which can be viewed on screen or exported as files. The study is an initial attempt to identify fraudulent transactions in auction exception agricultural products, and many research topics remain. First, the scope of the analyzed data was limited by data availability; more data on transactions, wholesalers and producers is needed to detect fraud more accurately. Next, detection should be extended to fishery products. Different data mining techniques could also be applied to fraud detection; a time series approach, for example, is a candidate. Finally, although outliers are detected here from transaction unit prices, detection rules could also be derived from transaction volumes.
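The Self-Eliminated Z-score is the part of this approach a practitioner would want to see worked through. The added example below (not the authors' code or their Delphi prototype) computes the ordinary Z-score and the self-eliminated one for constructed unit prices of one item in one period, and shows the masking effect the abstract describes: with six trades, a price three times the others scores only about 2.2 sigma when it is included in its own statistics, and about 141 sigma when it is excluded. The prices, item names and the 3.0 threshold are constructed.

```python
"""
Ordinary Z-score versus the Self-Eliminated Z-score for unit prices of an
auction-exception item traded by few wholesalers.

Added example, not the authors' code or their Delphi prototype. The
transactions, item names and the 3.0 threshold are constructed.
"""
import math
from collections import defaultdict

# Constructed transactions for one period: (item, wholesaler, unit price).
# "chestnut" has five trades near 1000 and one at 3000; "jujube" is normal.
TRANSACTIONS = [
    ("chestnut", "W1", 1000), ("chestnut", "W2", 1020), ("chestnut", "W3", 980),
    ("chestnut", "W4", 1010), ("chestnut", "W5", 990), ("chestnut", "W6", 3000),
    ("jujube", "W1", 500), ("jujube", "W2", 505), ("jujube", "W3", 495),
    ("jujube", "W4", 502), ("jujube", "W5", 498), ("jujube", "W6", 503),
]
PRICES = [p for item, _, p in TRANSACTIONS if item == "chestnut"]


def mean_std(values):
    """Population mean and standard deviation of a price group."""
    m = sum(values) / len(values)
    return m, math.sqrt(sum((v - m) ** 2 for v in values) / len(values))


def ordinary_z(values, i):
    """Z-score of values[i] against statistics that include values[i]."""
    m, s = mean_std(values)
    return 0.0 if s == 0 else (values[i] - m) / s


def self_eliminated_z(values, i):
    """Z-score of values[i] against the other transactions only, so the
    checked transaction cannot inflate the mean and deviation it is judged by."""
    others = values[:i] + values[i + 1:]
    if not others:
        return 0.0
    m, s = mean_std(others)
    if s == 0:
        return 0.0 if values[i] == m else math.inf
    return (values[i] - m) / s


def tail_probability(z):
    """Two-sided probability of a deviation of at least |z| under a normal fit."""
    return math.erfc(abs(z) / math.sqrt(2))


def flag_outliers(values, threshold=3.0, self_eliminated=True):
    """Indices whose |Z| exceeds the threshold under the chosen scoring."""
    score = self_eliminated_z if self_eliminated else ordinary_z
    return [i for i in range(len(values)) if abs(score(values, i)) > threshold]


def scan_transactions(transactions, threshold=3.0):
    """Group by item and return the transactions flagged as potential fraud."""
    by_item = defaultdict(list)
    for row in transactions:
        by_item[row[0]].append(row)
    flagged = []
    for rows in by_item.values():
        prices = [price for _, _, price in rows]
        flagged.extend(rows[i] for i in flag_outliers(prices, threshold))
    return flagged


if __name__ == "__main__":
    print("ordinary Z of 3000:", round(ordinary_z(PRICES, 5), 2))
    print("self-eliminated Z of 3000:", round(self_eliminated_z(PRICES, 5), 2))
    print("flagged:", scan_transactions(TRANSACTIONS))
```

With the ordinary Z-score the 3000 trade pulls the group mean up to about 1333 and the deviation to about 745, so it sits at 2.2 sigma and survives a 3-sigma rule; excluded from its own statistics it is judged against a mean of 1000 and a deviation of about 14 and is flagged. The price groups here are tiny, so very small groups (two or three trades) should be handled with a minimum-size rule rather than a Z-score, which becomes unstable when one excluded price leaves almost nothing to estimate from.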

A Method for 3D Human Pose Estimation based on 2D Keypoint Detection using RGB-D information (RGB-D 정보를 이용한 2차원 키포인트 탐지 기반 3차원 인간 자세 추정 방법)

  • Park, Seohee; Ji, Myunggeun; Chun, Junchul
    • Journal of Internet Computing and Services / v.19 no.6 / pp.41-51 / 2018
  • Recently, in the field of video surveillance, deep-learning-based methods are applied to intelligent video surveillance systems so that various events such as crime, fire, and abnormal phenomena can be detected robustly. However, because occlusion arises from the loss of 3D information when the 3D real world is projected onto a 2D image, the occlusion problem must be considered to detect objects and estimate poses accurately. In this paper, we therefore detect moving objects while addressing the occlusion problem of the object detection process by adding depth information to the existing RGB information. Then, using a convolutional neural network on the detected region, the positions of the 14 keypoints of the human joints are predicted. Finally, to address the self-occlusion problem in pose estimation, a method for 3D human pose estimation is described that extends the estimation to 3D space using the predicted 2D keypoints and a deep neural network. The 2D and 3D pose estimation results of this research can serve as basic data for future human behavior recognition and contribute to the development of industrial technology.

A Study on Ransomware Detection Methods in Actual Cases of Public Institutions (공공기관 실제 사례로 보는 랜섬웨어 탐지 방안에 대한 연구)

  • Yong Ju Park; Huy Kang Kim
    • Journal of the Korea Institute of Information Security & Cryptology / v.33 no.3 / pp.499-510 / 2023
  • Recently, intelligent and advanced cyber attacks that breach a public institution's computer network with files containing malicious code, or that leak its information, have caused growing damage. Even public institutions operating various information protection systems can detect known attacks, but when existing signature-based or static-analysis-based detection of malware and ransomware files is used they remain vulnerable to unknown attacks that are dynamic or encrypted. The detection method proposed in this study extracts the detection-result data of the systems that can detect malicious code and ransomware among the information protection systems actually used by public institutions, derives various attributes by combining them, and applies machine learning classification algorithms. Experiments show how the derived attributes are classified and which attributes significantly affect the classification result and improve accuracy. Although the effect of including or excluding a specific attribute differs by algorithm, training with a specific attribute increased accuracy, and the results are expected to be useful for attribute selection when building algorithms that later detect malware and ransomware files and abnormal behavior in information protection systems.

Election Protocol using Verifiable Interactive Oblivious Transfer and Blind Signature (내용 은닉서명과 VIOT를 적용한 전자선거 프로토콜)

  • Kim, Sang-Choon; Yi, Yong-Ju; Lee, Sang-Ho
    • The Transactions of the Korea Information Processing Society / v.7 no.2 / pp.392-400 / 2000
  • In this paper, we propose an electronic election protocol based on the VIOT protocol, which uses a public key cryptosystem and a blind signature method to meet the security requirements of election systems. The proposed protocol provides voter privacy and non-repudiation, which detects misbehavior by voters or election personnel.
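The blind signature step of such a protocol, as an added example that is not the authors' protocol: the voter blinds the ballot, the authority signs the blinded value without seeing the ballot, and the voter unblinds to obtain a valid signature on the original ballot. The textbook-size RSA key (p=61, q=53, e=17) and the integer ballot encoding are toy assumptions chosen so the numbers can be checked by hand; the VIOT part of the protocol is not shown.

```python
"""
RSA blind signature round for a ballot: the signing authority certifies a
ballot without learning its content, which is how blind signatures give a
voter privacy against the authority.

Added example, not the authors' protocol. The textbook-size RSA key and the
integer ballot encoding are toy values; the VIOT exchange is not shown.
"""
import math
import secrets

# Toy RSA parameters (assumption: real use needs a 2048-bit+ modulus and a
# hashed/padded message such as RSA-FDH, not a bare integer ballot).
P, Q = 61, 53
N = P * Q              # 3233
E = 17
D = 2753               # E * D == 1 (mod (P-1)*(Q-1) == 3120)


def blind(ballot, r=None):
    """Voter: pick a blinding factor r coprime to N (r > 1) and hide the
    ballot as ballot * r^E mod N. Returns (blinded, r)."""
    if ballot <= 0 or ballot >= N:
        raise ValueError("ballot must encode to an integer in (0, N)")
    while r is None or r <= 1 or math.gcd(r, N) != 1:
        r = secrets.randbelow(N)
    return (ballot * pow(r, E, N)) % N, r


def sign_blinded(blinded):
    """Authority: signs the blinded value with its private exponent. It sees
    only ballot * r^E, which is uniformly random for a random r."""
    return pow(blinded, D, N)


def unblind(blinded_sig, r):
    """Voter: (ballot * r^E)^D == ballot^D * r, so dividing by r leaves
    ballot^D mod N, an ordinary RSA signature on the ballot."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(ballot, sig):
    """Anyone: check sig^E == ballot (mod N) with the authority's public key."""
    return pow(sig, E, N) == ballot


def cast_ballot(ballot, r=None):
    """Run one blind-signature exchange and return what each side saw."""
    blinded, r = blind(ballot, r)
    blinded_sig = sign_blinded(blinded)
    sig = unblind(blinded_sig, r)
    return {"authority_saw": blinded, "signature": sig, "valid": verify(ballot, sig)}


if __name__ == "__main__":
    result = cast_ballot(1234)
    print("authority saw:", result["authority_saw"])
    print("signature:", result["signature"], "valid:", result["valid"])
```

The signature the voter ends up with is exactly ballot^D mod N regardless of which r was chosen, so the authority cannot later link a published ballot to the blinded value it signed. Bare RSA on an unhashed integer is multiplicatively malleable (the product of two signatures is a signature on the product of the ballots), which is why a deployed protocol signs a hash of the ballot rather than the raw encoding.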


Research on Improving Aviation Safety Management System Based on Data Analysis (데이터 분석 기반 항공안전관리체계 개선에 관한 연구)

  • Byeon, Hae Yoon
    • Proceedings of the Korean Society of Disaster Information Conference / 2023.11a / pp.45-46 / 2023
  • Based on the International Civil Aviation Organization (ICAO) definition of safety, this paper stresses that a systematic Safety Management System (SMS) is needed to maintain aviation safety. In particular, it raises the need for a safety management system that can respond quickly to the changes in the aviation environment since COVID-19, and, using Bird's updated domino theory, which extends Heinrich's law, it analyzes 'unsafe acts' in detail and presents a way to detect and manage them based on data. It thereby emphasizes the importance of identifying anomalous trends before an accident or incident occurs, and to that end aims to collect and preprocess aviation safety data as a basis for analysis. The paper explores how data analysis techniques can improve aviation safety, expects this to provide a basis for preventive safety management, and, stressing the importance of data analysis technology, hopes that its active adoption will play a key role in raising safety.


A Study on Vehicle Identification and Tracking Technique in V2X Environments (V2X 환경에 적합한 차량 식별 및 추적 기술에 관한 연구)

  • Jun-Taek Lee; Chan-Min Kim; Ji-Won Seo
    • Proceedings of the Korea Information Processing Society Conference / 2023.11a / pp.170-172 / 2023
  • Vehicles are evolving into autonomous or smart cars and now include a variety of external communication interfaces. As vehicle software grows more complex to control each function, and communication interfaces multiply with advances in automotive technology, the possibility and risk of cyber attacks on vehicles is steadily increasing. In particular, if the V2X (Vehicle to Everything) communication that protects connected cars has security vulnerabilities, this can directly threaten the lives of occupants. However, in intelligent transportation systems a vehicle's identification information is changed after a certain time for anonymity, which makes it difficult to find an attacker. This paper therefore proposes a technique that identifies and tracks vehicles causing anomalous behavior within an intelligent transportation system using the standard message information used in V2X.