• Title/Summary/Keyword: CVE


Spring Boot-based Web Application Development for providing information on Security Vulnerabilities and Patches for Open Source Software (Spring Boot 기반의 오픈소스 소프트웨어 보안 취약점 및 패치 정보 제공 웹 어플리케이션 개발)

  • Sim, Wan;Choi, WoongChul
    • Journal of Korea Society of Digital Industry and Information Management / v.17 no.4 / pp.77-83 / 2021
  • As Open Source Software (OSS) has recently gained momentum, many companies actively use OSS in their business software. Against this background, our web application is developed to support safe use of OSS: it keeps information on new vulnerabilities and patches up to date at all times by crawling the web pages of the relevant OSS home pages and of the organizations that manage vulnerability information. By providing this updated information, our application helps OSS users and developers stay aware of such security issues and enables them to work in an environment that is safer from security risks. In addition, our application can be used as a security platform that greatly contributes to preventing potential security incidents, not only for companies but also for individual developers.

Analysis of Security Vulnerabilities for IoT Devices

  • Kim, Hee-Hyun;Yoo, Jinho
    • Journal of Information Processing Systems / v.18 no.4 / pp.489-499 / 2022
  • Recently, the number of Internet of Things (IoT) devices has been increasing exponentially. These IoT devices are directly connected to the internet to exchange information, and they are becoming smaller and lighter. However, security measures are not taken in a timely manner relative to the security vulnerabilities of IoT devices. This is often because security patches cannot be applied to the device: either the patches are not adequately applied or the device has no patch function. Thus, security vulnerabilities continue to exist, and security incidents continue to increase. In this study, we classified and analyzed the most common security vulnerabilities for IoT devices and identified the essential vulnerabilities that should be considered for security when producing IoT devices. This paper will contribute to reducing the occurrence of security vulnerabilities in companies that produce IoT devices. Additionally, companies can identify vulnerabilities that frequently occur in IoT devices and take preemptive measures.

Counter-Productive Countering-Violent-Extremism Initiatives: The Case of Malaysia

  • Kevin Fernandez
    • SUVANNABHUMI / v.15 no.1 / pp.205-227 / 2023
  • This study seeks to examine how the West, particularly the United States (US), influences the narratives about terrorism, radicalism, and combating violent extremism (CVE) in Muslim-majority nations such as Malaysia. We contend that some local institutions and researchers in Malaysia may have assumed the Faustian bargain by agreeing with the Western narrative that Islam's teachings promote violence and extremism in order to meet the demands of survival, whether it be funding for everyday operations or meeting the demands of universities or research institutions to sustain themselves and meet their performance indicators. We conducted a systematic literature review (SLR) from 2001 to 2021 and used Foucauldian Critical Discourse Analysis (CDA) to understand the role of the US in purposefully supporting workshops and research activities of particular institutions with the intent to influence national discourse on securitization and prospective policy implications. More importantly, we wish to alert Malaysian policymakers to pay particular attention to and scrutinize ongoing programs such as "Building Community Resilience", as these may inadvertently foster Islamophobia.

A Plan for Establishing a Cyber Safety System for Maritime Autonomous Surface Ships (자율운항선박 사이버안전체계 구축방안)

  • 임정규;최상훈;박개명
    • Proceedings of the Korean Institute of Navigation and Port Research Conference / 2022.06a / pp.350-352 / 2022
  • To operate a maritime autonomous surface ship at IMO autonomy degree 3 or higher, it is essential to consider not only the cybersecurity of the internal and external communication systems but also the cyber safety of the data and systems that exchange data in real time. This study examines a plan for establishing a cyber safety system for autonomous ships. Establishing such a system requires building an integrated security system that detects cyber threats within the ship in real time and monitors their impact, and applying cyber risk assessment technology to verify the validity of the ship's cyber safety design, CVE (Common Vulnerabilities Enumeration)-based vulnerability diagnosis and penetration testing technology to verify the cyber safety system, integrated software quality certification technology using the V-Model, and ISO 25024-based data integrity verification technology.

Hierarchical vulnerability detection technique robust against polymorphic Docker image attacks (다형성 도커 이미지 공격에 강인한 계층적 취약점 탐지 기법)

  • Jung-Hwa Ryu;Il-Gu Lee
    • Proceedings of the Korea Information Processing Society Conference / 2024.05a / pp.101-104 / 2024
  • As the cloud has recently been adopted across all industries, interest in cloud-native environments is growing. Cloud service developers build and deploy their development environments using Docker images. However, conventional image scanning tools rely on hash-based signature detection, so they cannot detect zero-day vulnerabilities and can only detect vulnerabilities already stored in a CVE database. This paper proposes a technique that uses the layered structure of Docker images to detect polymorphic Docker image attacks. According to the experimental results, the proposed method improved the detection rate of polymorphic Docker image attacks by 28.6% compared with the conventional method.

Technology Analysis on Automatic Detection and Defense of SW Vulnerabilities (SW 보안 취약점 자동 탐색 및 대응 기술 분석)

  • Oh, Sang-Hwan;Kim, Tae-Eun;Kim, HwanKuk
    • Journal of the Korea Academia-Industrial cooperation Society / v.18 no.11 / pp.94-103 / 2017
  • As automatic hacking tools and techniques have improved, the number of new vulnerabilities has increased. The CVEs registered from 2010 to 2015 numbered about 80,000, and it is expected that more vulnerabilities will be reported. In most cases, patching a vulnerability depends on the developers' capability, and most patching techniques are based on manual analysis, which requires nine months on average. These techniques consist of finding the vulnerability, analyzing it based on the source code, and writing new code for the patch. Zero-day vulnerabilities are critical because, as mentioned, the time gap between first discovery and taking action is too long. To solve this problem, techniques for automatically detecting and analyzing software (SW) vulnerabilities have been proposed recently. The Cyber Grand Challenge (CGC), held in 2016, was the first competition to create automatic defensive systems capable of reasoning over flaws in binaries and formulating patches without experts' direct analysis. Darktrace and Cylance are similar projects for managing SW automatically with artificial intelligence and machine learning. Though many foreign commercial institutions and academies run projects for automatic binary analysis, the domestic level of technology is much lower. This paper studies the development of automatic detection of SW vulnerabilities and defenses against them. We analyzed and compared related works and tools as additional elements, and optimal techniques for automatic analysis are suggested.

Classification of BcN Vulnerabilities Based on Extended X.805 (X.805를 확장한 BcN 취약성 분류 체계)

  • Yoon Jong-Lim;Song Young-Ho;Min Byoung-Joon;Lee Tai-Jin
    • The KIPS Transactions:PartC / v.13C no.4 s.107 / pp.427-434 / 2006
  • Broadband Convergence Network (BcN) is a critical infrastructure that provides wired and wireless high-quality multimedia services by converging communication and broadcasting systems. However, because of this convergence, there is a danger that the damage from an intrusion incident within an individual network spreads to the whole network, and new threats arise with the advent of various services roaming vertically and horizontally. To cope with these new threats, we need to analyze the vulnerabilities of BcN from a system architecture perspective, classify them systematically, and make the results usable in preparing proper countermeasures. In this paper, we propose a new classification of vulnerabilities, extended from the ITU-T recommendation X.805, which defines the security-related architectural elements. This new classification includes the system elements to be protected for each service, possible attack strategies, the resulting damage and its criticality, and effective countermeasures. The new classification method is compared with the existing methods of CVE (Common Vulnerabilities and Exposures) and CERT/CC (Computer Emergency Response Team/Coordination Center), and the paper presents the result of applying it to one typical service, VoIP (Voice over IP), together with the development of a vulnerability database and its management software tool. The research presented in the paper is expected to contribute to the integration of security knowledge and to the identification of newly required security techniques.

A Case Study on New Product Development in Collaborative Virtual Environments(CVE) : A Design Research Leveraging a Virtual Space of Web 2.0 (가사의 협업 환경을 통한 신제품 개발 사례연구 : Web2.0 가상 공간을 이용한 디자인 리서치)

  • Kwon, Hee-Jung;Kim, Jin-Woo
    • The HCI Society of Korea: Conference Proceedings / 2008.02b / pp.634-639 / 2008
  • The phenomenon of social computing is entering a new stage of change when viewed from the perspective of changes in the Web 2.0 supply chain. In response to the question of how Web 2.0 platforms should be used in corporate activities, various cases of change in corporate activities are being found. Among these changes brought about by the spread of Web 2.0 environments, this paper reflects the results of a case study on New Product Development based on a Web 2.0 platform. When a collaborative Web 2.0 environment is designed as a platform for new product development, we used the exploratory character of the case study method to examine empirical cases of how a process that allows customers' latent requirements to be effectively reflected in product development can be applied, improved, and developed in connection with existing product development methodologies. The case covered in this paper showed the structure of a typical Web 2.0 business model, in which User Created Content is produced on a Web 2.0 platform and a revenue model arises from the quantitative growth of Yonsei University UCC. Through this study, we attempted to establish, as a concrete development methodology framework, the process of improving and implementing users' latent requirements through the active work of participatory users, or user-designers, enabled by the technical characteristics of Web 2.0.

Vulnerability Analysis and Development of Secure Coding Rules for PHP (PHP 보안 취약점 분석과 시큐어 코딩 규칙 개발)

  • Han, KyungSook;Park, Wooyeol;Yang, Ilgwon;Son, Changhwan;Pyo, Changwoo
    • KIISE Transactions on Computing Practices / v.21 no.11 / pp.721-726 / 2015
  • This paper presents secure coding rules for PHP programs. Programmers should comply with these rules during development of their programs. The rules are crafted to restrain 28 weaknesses, composed of 22 corresponding to reported CVEs of PHP, the children of CWE-661 for PHP, and the top 5 weaknesses according to OWASP. The rule set consists of 28 detailed rules under 14 categories. This paper also demonstrates through examples that programs complying with these rules can curb weaknesses. The rules can also serve as a guideline in developing analysis tools for security purposes.

A Study on effective risk analysis and evaluation method of cloud computing system environment (클라우드컴퓨팅 시스템 환경의 효과적 위험분석평가 방법에 관한 연구)

  • Lee, Junglimg;Chang, Hangbae
    • Journal of Platform Technology / v.9 no.2 / pp.10-25 / 2021
  • Although many studies have been conducted on risk analysis and evaluation in the on-premises environment in information security, studies on effective methodologies of risk analysis and evaluation for cloud computing systems are lacking. In 2015, the Cloud Computing Development Act was enacted, which served as an opportunity to promote the introduction of cloud computing. However, due to the increase in security incidents in cloud computing systems, adoption remains insufficient. In addition, cloud computing systems are not being actively introduced because the persons in charge of introducing them have difficulty understanding the technology. In this regard, this study presents an effective risk analysis and evaluation method by examining the characteristics, concepts, and models of cloud computing systems and analyzing how these characteristics affect risk analysis and evaluation.