• Journal of KIISE
• /
• v.43 no.5
• /
• pp.596-605
• /
• 2016

Since the Denial of Service Attack against multiple targets in the Korean network in private and public sectors in 2009, Korea has spent a great amount of its budget to build strong Internet infrastructure against DDoS attacks. As a result of the investments, many major governments and corporations installed dedicated DDoS defense systems. However, even organizations equipped with the product based defense system often showed incompetency in dealing with DDoS attacks with little variations from known attack types. In contrast, by following a capacity centric DDoS detection method, defense personnel can identify various types of DDoS attacks and abnormality of the system through checking availability of service resources, regardless of the types of specific attack techniques. Thus, the defense personnel can easily derive proper response methods according to the attacks. Deviating from the existing DDoS defense framework, this research study introduces a capacity centric DDoS detection methodology and provides methods to mitigate DDoS attacks by applying the methodology.

• Journal of Internet Computing and Services
• /
• v.7 no.5
• /
• pp.59-69
• /
• 2006

Generally, network attacks are based on a scenario composed of a series of single-attacks, scenario attacks are launched over a wide network environment and their targets are not apparent. it is required to analyze entire packets captured on the network. This method makes it difficult to detect accurate patterns of attacks because it unnecessarily analyzes even packets unrelated to attacks. In this paper, we design and implement a simulation system for attacks scenario, which helps packet classification connected with attacks. The proposed system constitutes a target network for analysis in a virtual simulation environment, and it simulates dumping TCPDUMP packets including scenario attacks under the constructed virtual environment, We believe that our proposed simulation system will be a useful tool when security administrators perform the analysis of patterns of attack scenarios.

• Proceedings of the Korea Institutes of Information Security and Cryptology Conference
• /
• 2006.06a
• /
• pp.791-794
• /
• 2006

컴퓨터의 정상적인 활동을 방해하는 공격행위는 네트워크로 연결된 컴퓨터를 기반으로 하는 사회 활동이 증가함에 따라 심각한 문제를 유발하고 있다. 하지만 기존의 네트워크 및 시스템공격에 대한 분류기법은 주로 공격자 입장에서 연구되어서 피해를 입은 시스템이 사용하기에는 부족하였다. 그래서 피해시스템 입장에서 공격을 정확히 분류하고 탐지할 수 있는 분류기법을 개발하는 것은 중요하다. 본 논문에서는 기존의 공격 분류방식을 분석하여 문제점을 발견한 후, 공격 분류방식이 가져야할 요구사항을 도출한다. 공격 분류기법의 요구사항을 만족하면서, 피해 시스템의 관리자가 공격에 대한 대책수립에 도움이 되는 공격 분류기법을 제안한다. 제안하는 분류기법은 공격방식에 따라 확장이 가능하므로 복합적 공격을 보다 정확하게 분류할 수 있다.

• Journal of Internet Computing and Services
• /
• v.12 no.2
• /
• pp.85-101
• /
• 2011

The recommender system analyzes users' preference and predicts the users' preference to items in order to recommend various items such as book, movie and music for the users. The collaborative filtering method is used most widely in the recommender system. The method uses rating information of similar users when recommending items for the target users. Performance of the collaborative filtering-based recommendation is lowered when attacker maliciously manipulates the rating information on items. This kind of malicious act on a recommender system is called 'Recommendation Attack'. When the evaluation data that are in continuous change are analyzed in the perspective of data stream, it is possible to predict attack on the recommender system. In this paper, we will suggest the method to detect attack on the recommender system by using the stream trend of the item evaluation in the collaborative filtering-based recommender system. Since the information on item evaluation included in the evaluation data tends to change frequently according to passage of time, the measurement of changes in item evaluation in a fixed period of time can enable detection of attack on the recommender system. The method suggested in this paper is to compare the evaluation stream that is entered continuously with the normal stream trend in the test cycle for attack detection with a view to detecting the abnormal stream trend. The proposed method can enhance operability of the recommender system and re-usability of the evaluation data. The effectiveness of the method was verified in various experiments.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2013.11a
• /
• pp.771-773
• /
• 2013

모바일 단말은 다양한 서비스와 컨텐츠를 지원하지만, 최근 모바일 악성코드의 급증으로 인하여 사용자에게 개인 정보 유출, 요금 과다 등의 피해를 초래하고 있다. 특히, 안드로이드 플랫폼은 오픈 플랫폼으로서 공격자들이 악성코드를 배포하기에 유리한 환경을 가지고 있어 시그니처/행위기반 분석방법을 통한 악성코드 탐지 연구가 활발히 진행되고 있다. 본 논문에서는 안드로이드 플랫폼에서 악성코드를 탐지하기 위한 Feature를 선정하였다. 또한 SVM(Support Vector Machine) 기계학습 알고리즘을 통하여 악성코드 탐지성능을 분석하고 우수성을 검증하였다.

• The KIPS Transactions:PartC
• /
• v.10C no.5
• /
• pp.525-532
• /
• 2003

This paper describes intrusion detection rule management using mobile agents. Intrusion detection can be divided into anomaly detection and misuse detection. Misuse detection is best suited for reliably detecting known use patterns. Misuse detection systems can detect many or all known attack patterns, but they are of little use for as yet unknown attack methods. Therefore, the introduction of mobile agents to provide computational security by constantly moving around the Internet and propagating rules is presented as a solution to misuse detection. This work presents a new approach for detecting intrusions, in which mobile agent mechanisms are used for security rules propagation. To evaluate the proposed approach, we compared the workload data between a rules propagation method using a mobile agent and a conventional method. Also, we simulated a rules management using NS-2 (Network Simulator) with respect to time.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.6
• /
• pp.1185-1195
• /
• 2014

Domestic and international CERTs are carrying out security monitoring and response services based on security devices for intrusion incident prevention and damage minimization of the organizations. However, the security monitoring and response service has a fatal limitation in that it is unable to detect unknown attacks that are not matched to the predefined signatures. In recent, many approaches have adopted the darknet technique in order to overcome the limitation. Since the darknet means a set of unused IP addresses, no real systems connected to the darknet. Thus, all the incoming traffic to the darknet can be regarded as attack activities. In this paper, we present a collection and analysis method of malicious URLs based on darkent traffic for advanced security monitoring and response service. The proposed method prepared 8,192 darknet space and extracted all of URLs from the darknet traffic, and carried out in-depth analysis for the extracted URLs. The analysis results can contribute to the emergence response of large-scale cyber threats and it is able to improve the performance of the security monitoring and response if we apply the malicious URLs into the security devices, DNS sinkhole service, etc.

• Journal of the Korea Computer Industry Society
• /
• v.5 no.8
• /
• pp.781-790
• /
• 2004

This paper describes intrusion detection rule mangement using mobile agents. Intrusion detection can be divided into anomaly detection and misuse detection. Misuse detection is best suited for reliably detecting known use patterns. Misuse detection systems can detect many or all known attack patterns, but they are of little use for as yet unknown attack methods. Therefore, the introduction of mobile agents to provide computational security by constantly moving around the Internet and propagating rules is presented as a solution to misuse detection. This work presents a new approach for detecting intrusions, in which mobile agent mechanisms are used for security rules propagation. To evaluate the proposed appraoch, we compared the workload data between a rules propagation method using a mobile agent and a conventional method. Also, we simulated a rules management using NS-2(Network Simulator) with respect to time.

• Journal of IKEEE
• /
• v.26 no.3
• /
• pp.380-388
• /
• 2022

The traditional malware detection technologies collect known malicious programs and analyze their characteristics. Then such a detection technology makes a blacklist based on the analyzed malicious characteristics and checks programs in the user's system based on the blacklist to determine whether each program is malware. However, such an approach can detect known malicious programs, but responding to unknown or variant malware is challenging. In addition, since such detection technologies generally monitor all programs in the system in real-time, there is a disadvantage that they can degrade the system performance. In order to solve such problems, various methods have been proposed to analyze major behaviors of malicious programs and to respond to them. The main characteristic of ransomware is to access and encrypt the user's file. So, a new approach is to produce the whitelist of programs installed in the user's system and allow the only programs listed on the whitelist to access the user's files. However, although it applies such an approach, attackers can still perform malicious behavior by performing a DLL(Dynamic-Link Library) injection attack on a regular program registered on the whitelist. This paper proposes a method to respond effectively to attacks using DLL injection.

• Journal of Internet Computing and Services
• /
• v.17 no.3
• /
• pp.11-18
• /
• 2016

Accessing unauthorized rogue APs in WiFi environments is a very dangerous behavior which may lead WiFi users to be exposed to the various cyber attacks such as sniffing, phishing, and pharming attacks. Therefore, prompt and precise detection of rogue APs and properly alarming to the corresponding users has become one of most essential requirements for the WiFi security. This paper proposes a new rogue AP detection method which is mainly using the installation information of authorized APs and the DHCP snooping information of the corresponding switches. The proposed method detects rogue APs promptly and precisely, and notify in realtime to the corresponding users. Since the proposed method is simple and does not require any special devices, it is very cost-effective comparing to the wireless intrusion prevention systems which are normally based on a number of detection sensors and servers. And it is highly precise and prompt in rogue AP detection and flexible in deployment comparing to the existing rogue AP detection methods based on the timing information, location information, and white list information.