• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.6
• /
• pp.1087-1101
• /
• 2020

Various security devices are used to protect internal networks and valuable information from rapidly evolving cyber attacks. Firewall, which is the most commonly used security device, tries to prevent malicious attacks based on a text-based filtering rule (i.e., access control policy), by allowing or blocking access to communicate between inside and outside environments. However, in order to protect a valuable internal network from large networks, it has no choice but to increase the number of access control policy. Moreover, the text-based policy requires time-consuming and labor cost to analyze various types of vulnerabilities in firewall. To solve these problems, this paper proposes a 3D-based hierarchical visualization method, for intuitive analysis and management of access control policy. In particular, by providing a drill-down user interface through hierarchical architecture, Can support the access policy analysis for not only comprehensive understanding of large-scale networks, but also sophisticated investigation of anomalies. Finally, we implement the proposed system architecture's to verify the practicality and validity of the hierarchical visualization methodology, and then attempt to identify the applicability of firewall data analysis in the real-world network environment.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2022.05a
• /
• pp.358-360
• /
• 2022

Modern society is developing rapidly and technologies that provide convenience in living are developing day by day. On the other hand, the development of cyber attacks that threaten cybersecurity is developing faster, and it still adversely affects the industrial environment, and industrial damage is steadily occurring every year. Industrial security is an activity that safely protects major assets or technologies of companies and organizations from these attacks. Therefore, it is a situation that requires professional manpower for security. Currently, the manpower situation for security is staffed, but knowledge of the understanding and concept of industrial security jobs is insufficient. In other words, there is a lack of professional manpower for industrial security. It is the NCS that came out to solve this problem. NCS is the state standardized ability (knowledge, attitude, skills, etc.) necessary to perform duties in the industrial field. NCS can systematically design the curriculum using NCS as well as help in hiring personnel, and NCS can be applied to the national qualification system. However, in the field of industrial security, NCS has not yet been developed and is still having difficulties in hiring personnel and curriculum. Although the NCS system in the field of industrial security has not been developed, this paper proposes the industrial security NCS to solve the problem of hiring professionals later and to help the field of industrial security NCS to be established later.

• KIPS Transactions on Computer and Communication Systems
• /
• v.12 no.3
• /
• pp.111-118
• /
• 2023

Cyber attacks are increasing worldwide, and attacks on personal privacy such as CCTV and IP camera hacking are also increasing. If you search for IP camera hacking methods in spaces such as YouTube, SNS, and the dark web, you can easily get data and hacking programs are also on sale. If you use an IP camera that has vulnerabilities used by hacking programs, you easily get hacked even if you change your password regularly or use a complex password including special characters, uppercase and lowercase letters, and numbers. Although news and media have raised concerns about the security of IP cameras and suggested measures to prevent damage, hacking incidents continue to occur. In order to prevent such hacking damage, it is necessary to identify the cause of the hacking incident and take concrete measures. First, we analyzed weak account settings and web server vulnerabilities of IP cameras, which are the causes of IP camera hacking, and suggested solutions. In addition, as a specific countermeasure against hacking, it is proposed to add a function to receive a notification when an IP camera is connected and a function to save the connection history. If there is such a function, the fact of damage can be recognized immediately, and important data can be left in arresting criminals. Therefore, in this paper, we propose a method to increase the safety from hacking by using the connection notification function and logging function of the IP camera.

• The Journal of the Korea institute of electronic communication sciences
• /
• v.8 no.6
• /
• pp.863-871
• /
• 2013

Recently application of open protocols and external network linkage to the national critical infrastructure has been growing with the development of information and communication technologies. This trend could mean that the national critical infrastructure is exposed to cyber attacks and can be seriously jeopardized when it gets remotely operated or controlled by viruses, crackers, or cyber terrorists. In this paper virtual Honeynet model which can reduce installation and operation resource problems of Honeynet system is proposed. It maintains the merits of Honeynet system and adapts the virtualization technology. Also, virtual Honeynet model that can minimize operating cost is proposed with data analysis and collecting technique based on the verification of attack intention and focus-oriented analysis technique. With the proposed model, new type of attack detection system based on virtual Honeynet, that is Cybertrap, is designed and implemented with the host and data collecting technique based on the verification of attack intention and the network attack pattern visualization technique. To test proposed system we establish test-bed and evaluate the functionality and performance through series of experiments.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.2
• /
• pp.385-395
• /
• 2018

With the development of Internet, cyber attack has become a major threat. To detect cyber attacks, intrusion detection system(IDS) has been widely deployed. But IDS has a critical weakness which is that it generates a large number of false alarms. One of the promising techniques that reduce the false alarms in real time is machine learning. However, there are problems that must be solved to use machine learning. So, many machine learning approaches have been applied to this field. But so far, researchers have not focused on features. Despite the features of IDS alerts are important for performance of model, the approach to feature is ignored. In this paper, we propose new feature set which can improve the performance of model and can be extracted from a single alarm. New features are motivated from security analyst's know-how. We trained and tested the proposed model applied new feature set with real IDS alerts. Experimental results indicate the proposed model can achieve better accuracy and false positive rate than SVM model with ordinary features.

• Journal of Internet Computing and Services
• /
• v.18 no.1
• /
• pp.65-75
• /
• 2017

The Detection Model is the model to find the result of a certain purpose using artificial intelligent, data mining, intelligent algorithms In Cyber Security, it usually uses to detect intrusion, malwares, cyber incident, and attacks etc. There are an amount of unlabeled data that are collected in a real environment such as security data. Since the most of data are not defined the class labels, it is difficult to know type of data. Therefore, the label determination process is required to detect and analysis with accuracy. In this paper, we proposed a KDFL(K-means and D-S Fusion based Labeling) method using D-S inference and k-means(unsupervised) algorithms to decide label of data records by fusion, and a detection model architecture using a proposed labeling method. A proposed method has shown better performance on detection rate, accuracy, F1-measure index than other methods. In addition, since it has shown the improved results in error rate, we have verified good performance of our proposed method.

• Journal of the Institute of Electronics and Information Engineers
• /
• v.50 no.9
• /
• pp.92-99
• /
• 2013

As a recent cyber attack has a characteristic that is intellectual, advanced, and complicated attack against precise purpose and specified object, it becomes extremely hard to recognize or respond when accidents happen. Since a scale of damage is very large, a corresponding system about this situation is urgent in national aspect. Existing data center or integration security framework of computer lab is evaluated to be a behind system when it corresponds to cyber attack. Therefore, this study suggests a better sophisticated next generation convergence security framework in order to prevent from attacks based on advanced persistent threat. Suggested next generation convergence security framework is designed to have preemptive responses possibly against APT attack consisting of five hierarchical steps in domain security layer, domain connection layer, action visibility layer, action control layer and convergence correspondence layer. In domain connection layer suggests security instruction and direction in domain of administration, physical and technical security. Domain security layer have consistency of status information among security domain. A visibility layer of Intellectual attack action consists of data gathering, comparison, decision, lifespan cycle. Action visibility layer is a layer to control visibility action. Lastly, convergence correspond layer suggests a corresponding system of before and after APT attack. An introduction of suggested next generation convergence security framework will execute a better improved security control about continuous, intellectual security threat.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.5
• /
• pp.871-883
• /
• 2014

New types of attacks that mainly compromise the public, portal and financial websites for the purpose of economic profit or national confusion are being emerged and evolved. In addition, in case of 'drive by download' attack, if a host just visits the compromised websites, then the host is infected by a malware. Website falsification detection system is one of the most powerful solutions to cope with such cyber threats that try to attack the websites. Many domestic CERTs including NCSC (National Cyber Security Center) that carry out security monitoring and response service deploy it into the target organizations. However, the existing techniques for the website falsification detection system have practical problems in that their time complexity is high and the detection accuracy is not high. In this paper, we propose website falsification detection system based on image and code analysis for improving the performance of the security monitoring and response service in CERTs. The proposed system focuses on improvement of the accuracy as well as the rapidity in detecting falsification of the target websites.

• KIPS Transactions on Software and Data Engineering
• /
• v.12 no.8
• /
• pp.355-364
• /
• 2023

As advanced cyber threats continue to increase in recent years, it is difficult to detect new types of cyber attacks with existing pattern or signature-based intrusion detection method. Therefore, research on anomaly detection methods using data learning-based artificial intelligence technology is increasing. In addition, supervised learning-based anomaly detection methods are difficult to use in real environments because they require sufficient labeled data for learning. Research on an unsupervised learning-based method that learns from normal data and detects an anomaly by finding a pattern in the data itself has been actively conducted. Therefore, this study aims to extract a latent vector that preserves useful sequence information from sequence log data and develop an anomaly detection learning model using the extracted latent vector. Word2Vec was used to create a dense vector representation corresponding to the characteristics of each sequence, and an unsupervised autoencoder was developed to extract latent vectors from sequence data expressed as dense vectors. The developed autoencoder model is a recurrent neural network GRU (Gated Recurrent Unit) based denoising autoencoder suitable for sequence data, a one-dimensional convolutional neural network-based autoencoder to solve the limited short-term memory problem that GRU can have, and an autoencoder combining GRU and one-dimensional convolution was used. The data used in the experiment is time-series-based NGIDS (Next Generation IDS Dataset) data, and as a result of the experiment, an autoencoder that combines GRU and one-dimensional convolution is better than a model using a GRU-based autoencoder or a one-dimensional convolution-based autoencoder. It was efficient in terms of learning time for extracting useful latent patterns from training data, and showed stable performance with smaller fluctuations in anomaly detection performance.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.33 no.5
• /
• pp.827-846
• /
• 2023

Recently, various information technologies such as network communication and sensors have begun to be integrated into weapon systems that were previously operated in stand-alone. This helps the operators of the weapon system to make quick and accurate decisions, thereby allowing for effective operation of the weapon system. However, as the involvement of the cyber domain in weapon systems increases, it is expected that the potential for damage from cyber attacks will also increase. To develop a secure weapon system, it is necessary to implement built-in security, which helps considering security from the requirement stage of the software development process. The U.S. Department of Defense is implementing the Risk Management Framework Assessment and Authorization (RMF A&A) process, along with the introduction of the concept of cybersecurity, for the evaluation and acquisition of weapon systems. Similarly, South Korea is also continuously making efforts to implement the Korea Risk Management Framework (K-RMF). However, so far, there are no cases where K-RMF has been applied from the development stage, and most of the data and documents related to the U.S. RMF A&A are not disclosed for confidentiality reasons. In this study, we propose the method for inferring the composition of the K-RMF based on systematic threat analysis method and the publicly released documents and data related to RMF. Furthermore, we demonstrate the effectiveness of our inferring method by applying it to the naval battleship system.