• Title/Summary/Keyword: vulnerable area analysis (취약지 분석)

A Study On Advanced Model of Web Vulnerability Scoring Technique (웹 취약점 스코어링 기법의 advanced 모델 연구)

  • Byeon, Autumn; Lim, Jong In; Lee, Kyong-Ho
    • Journal of the Korea Institute of Information Security & Cryptology / v.25 no.5 / pp.1217-1224 / 2015
  • Web application security problems are addressed by the web vulnerability analysis which in turn supports companies to understand those problems and to establish their own solutions. Ministry of Science, ICT and Future Planning (MSIP) has released its guidelines for analysis and assessment of the web vulnerability. Although it is possible to distinguish vulnerability items in a manner suggested in the MSIP's guidelines, MSIP's factors and criteria proposed in the guidelines are neither sufficient nor efficient in analyzing specific vulnerability entries' risks. This study discusses analysis of the domestic and international Vulnerability Scoring system and proposes an appropriate evaluating method for web vulnerability analysis.

Assessment of agricultural water resources healthiness and the water use vulnerability in Yeongsan river basin (영산강 유역의 농업수자원 건전성 및 농업용수 취약성 평가)

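  • Kim, Sehoon; Lee, Jiwan; Shin, Hyungjin; Kim, Won-Jin; Kim, Seongjoon
    • Proceedings of the Korea Water Resources Association Conference / 2022.05a / pp.32-32 / 2022
  • This study assessed the healthiness and vulnerability of agricultural water in the Yeongsan River basin (3,371.4 km²), where farmland is predominantly distributed. First, agricultural water healthiness was defined in terms of the watershed environmental components (stream, land use, hydrology, water quality, aquatic ecology, habitat) for securing agricultural water during the irrigation period, and vulnerability was classified into anthropogenic change factors that affect water supply (climate change, change in impervious area, change in agricultural water demand, land cover change). The sub-indices of each component were normalized into a single index for evaluation and calculated using the percentile rank method. The analysis showed that the Naju-si (5004) watershed in the lower Yeongsan River had healthiness and vulnerability indices of 0.33 and 0.92, respectively, indicating that it is vulnerable with respect to agricultural water supply. The resulting analysis of resilience and of maintenance and action priorities likewise showed that securing agricultural water using agricultural hydraulic facilities (reservoirs, pumping stations, intake weirs, infiltration galleries, tube wells) is urgent. Finally, the agricultural water healthiness and vulnerability indices presented in this study enable analysis of watershed change over long periods and, by predicting agricultural water supply conditions, are judged to be usable as supporting data for planning the installation of facilities to secure agricultural water in the future.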

A development of weakness calculation method for information system (정보시스템 취약도 계산 방법 개발)

  • Park, Joong-Gil
    • Journal of the Korea Institute of Information Security & Cryptology / v.17 no.5 / pp.131-139 / 2007
  • Vulnerability analysis helps to remove discriminating vulnerabilities that exist in the various equipment that composes an operating information system. It is possible to explain the representation and exclusion method for the vulnerabilities of each piece of equipment by vulnerability analysis. But it is difficult to display the weakness of the whole information system. To do this, the analyst synthesizes several pieces of information obtained by vulnerability analysis. But the existing method does not provide fair evaluation because of operators' personal opinions. In this paper, we explain a method that unites discriminatively vulnerable points and expresses the whole weakness degree as a numerical value by equipment, by system class, or by overall system.

A Study on the Framework of Integrated Vulnerability Analysis of Domestic Nuclear Facilities (국내 원자력 시설 통합 취약점 분석 프레임워크 연구)

  • Mi-Joo Shin; Seong-su Yoon; Ieck-chae Euom
    • Convergence Security Journal / v.22 no.1 / pp.11-17 / 2022
  • Cyber attacks on national infrastructure, including large-scale power outages in Ukraine, have continued in recent years. As a result, ICS-CERT vulnerabilities have doubled compared to last year, and vulnerabilities to industrial control systems are increasing day by day. Most control system operators develop vulnerability countermeasures based on the vulnerability information sources provided by ICS-CERT in the United States. However, it is not applicable to the security of domestic control systems because it does not provide weaknesses in Korean manufacturers' products. Therefore, this study presents a vulnerability analysis framework that integrates CVE, CWE, CAPE, and CPE information related to the vulnerability based on ICS-CERT information (1843 cases). It also identifies assets of nuclear facilities by using CPE information and analyzes vulnerabilities using CVE and ICS-CERT. In the past, only 8% of ICS-CERT's vulnerability information was searched for information on any domestic nuclear facility during vulnerability analysis, but more than 70% of the vulnerability information could be searched using the proposed methodology.

Analysis of Childcare Infrastructure through Medical, Education, Transportation, and Support Data (의료, 교육, 교통, 지원 데이터를 통한 육아 인프라 분석에 관한 연구)

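  • Nam-hoon Kim; Jin-ung Seol; Hae-jin Song; Gyuri Jeong; Yoo-Jin Moon
    • Proceedings of the Korean Society of Computer Information Conference / 2024.01a / pp.473-474 / 2024
  • This study analyzes medical, education, transportation, and childbirth support data for Gyeongsangbuk-do, Gyeongsangnam-do, and Jeollanam-do, which are among the representative obstetrically underserved areas, with the aim of providing useful information to the 'population able to raise children' and proposing constructive solutions to the low birth rate and regional gaps in childcare infrastructure.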

A Out-of-Bounds Read Vulnerability Detection Method Based on Binary Static Analysis (바이너리 정적 분석 기반 Out-of-Bounds Read 취약점 유형 탐지 연구)

  • Yoo, Dong-Min; Jin, Wen-Hui; Oh, Heekuck
    • Journal of the Korea Institute of Information Security & Cryptology / v.31 no.4 / pp.687-699 / 2021
  • When a vulnerability occurs in a program, it is documented and published through CVE. However, for some vulnerabilities the details are not disclosed, and in many cases the source code is not published. In the absence of such information, in order to find a vulnerability, you must find the vulnerability at the binary level. This paper aims to find out-of-bounds read vulnerabilities, which occur very frequently among vulnerabilities. In this paper, we design a memory area using memory access information appearing in binary code. Out-of-bounds read vulnerabilities are detected through the designed memory structure. The proposed tool performed better in code coverage and detection efficiency than the existing tools.

Refining software vulnerability Analysis under ISO/IEC 15408 and 18045 (ISO/IEC 15408, 18045 기반 소프트웨어 취약성 분석 방법론)

  • Im, Jae-Woo
    • Journal of the Korea Institute of Information Security & Cryptology / v.24 no.5 / pp.969-974 / 2014
  • CC (Common Criteria) requires collecting vulnerability information and analyzing it by using penetration testing for evaluating IT security products. Under time-limited circumstances, developers cannot help but apply vulnerability analysis at random to the products. Without systematic vulnerability analysis, it is inevitable to get diverse vulnerability analysis results depending on the developers' competence in vulnerability analysis. As a result, the security quality of the products differs despite the same level of security assurance. It is even worse when vulnerability analysis is applied to other IT products that are not obliged to get the CC evaluation. This study describes not only how to apply vulnerability taxonomy to IT security vulnerability but also how to manage the security quality of IT security products practically.

An Assessment of Groundwater Contamination Vulnerability and Priority Areas for Groundwater Management Using GIS and Analytic Hierarchy Process (GIS 및 계층분석법을 이용한 지하수 오염 취약성 평가 및 관리 우선 대상 지역 평가)

  • LEE, Moung-Jin; HYUN, Yun-Jung; HWANG, Sang-Il
    • Journal of the Korean Association of Geographic Information Studies / v.18 no.3 / pp.35-51 / 2015
  • The purpose of this study is to improve the previous groundwater contamination vulnerability assessment method, apply it to the study area, and select priority areas for groundwater management based on the quantitative analysis of groundwater contamination vulnerability. For this purpose, first, the previous 'potential contamination' based on groundwater contamination vulnerability assessment method was upgraded to the methodology considering 'adaptation capacity' which reduced contamination. Second, the weight of groundwater contamination vulnerability assessment factors was calculated based on the analytical hierarchy process (AHP) and the result of survey targeting groundwater experts. Third, Gyeonggi-do was selected as the study area and the improved methodology and weight were implemented with GIS and actual groundwater contamination vulnerability assessment was carried out. Fourth, the priority area for groundwater contamination management was selected based on the quantitative groundwater contamination vulnerability assessment diagram. The improved detailed groundwater contamination vulnerability assessment factors in this study were a total of 15 factors, and 15 factors were analyzed as new and improved weight with higher 'adaptation capacity' than the assessment factor corresponding to the previous 'potential contamination' in the weight calculation result using AHP. Also, the result of groundwater contamination vulnerability assessment in Gyeonggi Province using GIS showed that Goyang and Gwangmyeong which were adjacent to Seoul had a high groundwater contamination vulnerability and Pocheon and Yangpyeong County had a relatively low groundwater contamination vulnerability. In this study, the previous groundwater contamination vulnerability assessment was improved and applied to study areas actually. The result of this study can be utilized both directly and indirectly for the groundwater management master plan at national and local government level in the future.

A Study on Hybrid Fuzzing using Dynamic Analysis for Automatic Binary Vulnerability Detection (바이너리 취약점의 자동 탐색을 위한 동적분석 정보 기반 하이브리드 퍼징 연구)

  • Kim, Taeeun; Jurn, Jeesoo; Jung, Yong Hoon; Jun, Moon-Seog
    • Journal of the Korea Academia-Industrial cooperation Society / v.20 no.6 / pp.541-547 / 2019
  • Recent developments in hacking technology are continuing to increase the number of new security vulnerabilities. Approximately 80,000 new vulnerabilities have been registered in the Common Vulnerability Enumeration (CVE) database, which is a representative vulnerability database, from 2010 to 2015, and the trend is gradually increasing in recent years. While security vulnerabilities are growing at a rapid pace, responses to security vulnerabilities are slow because they rely on manual analysis. To solve this problem, there is a need for a technology that can automatically detect and patch security vulnerabilities and respond to security vulnerabilities in advance. In this paper, we propose a technology that extracts the features of the vulnerability-discovery target binary through complexity analysis, selects a vulnerability-discovery strategy suitable for the features, and automatically explores the vulnerability. The proposed technology was compared to the AFL, ANGR, and Driller tools, with about 6% improvement in code coverage, about 2.4 times increase in crash count, and about 11% improvement in crash incidence.

Vulnerability Analysis using the Web Vulnerability Scanner (Web Vulnerability Scanner를 이용한 취약성 분석)

  • Jang, Hee-Seon
    • Convergence Security Journal / v.12 no.4 / pp.71-76 / 2012
  • As the use of Mashups, web3.0, JavaScript and AJAX (Asynchronous JavaScript XML) widely increases, new security threats from web vulnerabilities also increase when web application services are provided. In order to diagnose the vulnerability in advance and prepare for the threats, in this paper, the classification of security threats and requirements is presented, and the web vulnerability is analyzed for domestic web sites using the WVS (Web Vulnerability Scanner) automatic evaluation tool. From the results for vulnerabilities such as XSS (Cross Site Scripting) and SQL Injection, the total alerts are distributed from 0 to 31,177, with a mean of 411 and a standard deviation of 2,563. The results also show that 22.5% of the total web sites have web vulnerabilities, and that advance defenses against the security threats are required.