• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.5
• /
• pp.871-883
• /
• 2014

New types of attacks that mainly compromise the public, portal and financial websites for the purpose of economic profit or national confusion are being emerged and evolved. In addition, in case of 'drive by download' attack, if a host just visits the compromised websites, then the host is infected by a malware. Website falsification detection system is one of the most powerful solutions to cope with such cyber threats that try to attack the websites. Many domestic CERTs including NCSC (National Cyber Security Center) that carry out security monitoring and response service deploy it into the target organizations. However, the existing techniques for the website falsification detection system have practical problems in that their time complexity is high and the detection accuracy is not high. In this paper, we propose website falsification detection system based on image and code analysis for improving the performance of the security monitoring and response service in CERTs. The proposed system focuses on improvement of the accuracy as well as the rapidity in detecting falsification of the target websites.

• KIPS Transactions on Software and Data Engineering
• /
• v.12 no.8
• /
• pp.355-364
• /
• 2023

As advanced cyber threats continue to increase in recent years, it is difficult to detect new types of cyber attacks with existing pattern or signature-based intrusion detection method. Therefore, research on anomaly detection methods using data learning-based artificial intelligence technology is increasing. In addition, supervised learning-based anomaly detection methods are difficult to use in real environments because they require sufficient labeled data for learning. Research on an unsupervised learning-based method that learns from normal data and detects an anomaly by finding a pattern in the data itself has been actively conducted. Therefore, this study aims to extract a latent vector that preserves useful sequence information from sequence log data and develop an anomaly detection learning model using the extracted latent vector. Word2Vec was used to create a dense vector representation corresponding to the characteristics of each sequence, and an unsupervised autoencoder was developed to extract latent vectors from sequence data expressed as dense vectors. The developed autoencoder model is a recurrent neural network GRU (Gated Recurrent Unit) based denoising autoencoder suitable for sequence data, a one-dimensional convolutional neural network-based autoencoder to solve the limited short-term memory problem that GRU can have, and an autoencoder combining GRU and one-dimensional convolution was used. The data used in the experiment is time-series-based NGIDS (Next Generation IDS Dataset) data, and as a result of the experiment, an autoencoder that combines GRU and one-dimensional convolution is better than a model using a GRU-based autoencoder or a one-dimensional convolution-based autoencoder. It was efficient in terms of learning time for extracting useful latent patterns from training data, and showed stable performance with smaller fluctuations in anomaly detection performance.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.33 no.5
• /
• pp.827-846
• /
• 2023

Recently, various information technologies such as network communication and sensors have begun to be integrated into weapon systems that were previously operated in stand-alone. This helps the operators of the weapon system to make quick and accurate decisions, thereby allowing for effective operation of the weapon system. However, as the involvement of the cyber domain in weapon systems increases, it is expected that the potential for damage from cyber attacks will also increase. To develop a secure weapon system, it is necessary to implement built-in security, which helps considering security from the requirement stage of the software development process. The U.S. Department of Defense is implementing the Risk Management Framework Assessment and Authorization (RMF A&A) process, along with the introduction of the concept of cybersecurity, for the evaluation and acquisition of weapon systems. Similarly, South Korea is also continuously making efforts to implement the Korea Risk Management Framework (K-RMF). However, so far, there are no cases where K-RMF has been applied from the development stage, and most of the data and documents related to the U.S. RMF A&A are not disclosed for confidentiality reasons. In this study, we propose the method for inferring the composition of the K-RMF based on systematic threat analysis method and the publicly released documents and data related to RMF. Furthermore, we demonstrate the effectiveness of our inferring method by applying it to the naval battleship system.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.1
• /
• pp.195-205
• /
• 2014

These days cyber attacks are increasing all over the world, and the national critical infrastructure and information network protection has become important. For this reason, the concentrated investment in information security and development of professional human resource are essential, but there is a shortage of information security workforce in Korea. Currently, departments of information security in domestic universities make efforts to develop human resource of information security and have a increasing interest in the curriculum design. So this paper investigates the curriculums of information security in domestic universities and graduate schools. And then, it compares with the needs of industry knowledge and skills by using SPSS. Through this analysis, we will get implications about curriculum design of Information security.

• Convergence Security Journal
• /
• v.12 no.1
• /
• pp.71-77
• /
• 2012

Along with the development of Internet services such as Social Network Service (SNS) and blog Service, the privacy is very important in these services. But personal data is not safety from exposure to internet service. If personal data is leak out, the privacy is disclosed to hacker or illegal person and the personal information can be used in a cyber crime as phishing attacks. Therefore, the model and method that protects to disclose privacy is requested in SNS and blog services. The model must evaluate degree of exposure to protect privacy and the method protects personal information from Internet services. This paper proposes a model to evaluate risk for privacy with property of personal data and exposure level of internet service such as bulletin board. Also, we show a method using degree of risk to evaluate with a proposed model at bulletin board.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.22 no.2
• /
• pp.382-389
• /
• 2018

Recently cyber attacks can cause serious damage on various information systems. Log data analysis would be able to resolve this problem. Security log analysis system allows to cope with security risk properly by collecting, storing, and analyzing log data information. In this paper, a security log analysis system is designed and implemented in order to analyze security log data using the Logstash in the Elasticsearch, a distributed search engine which enables to collect and process various types of log data. The Kibana, an open source data visualization plugin for Elasticsearch, is used to generate log statistics and search report, and visualize the results. The performance of Elasticsearch-based security log analysis system is compared to the existing log analysis system which uses the Flume log collector, Flume HDFS sink and HBase. The experimental results show that the proposed system tremendously reduces both database query processing time and log data analysis time compared to the existing Hadoop-based log analysis system.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.4
• /
• pp.693-704
• /
• 2020

As a company's network structure is getting bigger and the number of security system is increasing, it is not easy to quickly detect abnormal traffic from huge amounts of security system events. In this paper, We propose traffic visualization analysis system(FDANT-PCSV) that can detect and analyze security events of information security systems such as firewalls in real time. FDANT-PCSV consists of Parallel Coordinates visualization using five factors(source IP, destination IP, destination port, packet length, processing status) and Sankey visualization using four factors(source IP, destination IP, number of events, data size) among security events. In addition, the use of big data-based SIEM enables real-time detection of network attacks and network failure traffic from the internet and intranet. FDANT-PCSV enables cyber security officers and network administrators to quickly and easily detect network abnormal traffic and respond quickly to network threats.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.22 no.5
• /
• pp.805-811
• /
• 2018

Recently, Format-Preserving-Encryption (FEA) was suggested by the National Security Research institute (NSR) as an encryption method while maintaining the format without a distortion to the intended information to be encrypted. In this paper, we propose a scheme to solve conventional cyber security problems by using FEA scheme. First, we present the method to encrypt signatures and extensions with FEA in order to effectively defend against Ransomeware attacks. This technique can mitigate the exposure to the Ransomeware by encrypting the minimum information. Second, in order to reduce the secret information for Steganography, we introduce a new way to minimize the secret information with FEA. Finally, we compare the operation speed by encryption with FEA and Lightweight Encryption Algorithm (LEA), furthermore when we optimize FEA we want to compare with the performance improvement accompanying with it.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.20 no.1
• /
• pp.103-109
• /
• 2016

The information security industry is technology-intensive, high value-added industries. South Korea's response has excellent ICT skills and experience and skills in a variety of cyber attacks, has become a benchmark in the world. However, the small size of the domestic information security company, supporting infrastructure is lacking. Domestic information security industry is the primary condition to activate the export. For the export of high value-added enterprise information security products and services, it is necessary the establishment of the domestic IT information security infrastructure of the industrial promotion is based overseas. Come to analyze the domestic information security industry, capital of this small, market reclamation of overseas expansion, information, manpower shortage was a problem. This fact, combined losses caused by cost-free period AS. Therefore, the study on information security in the infrastructure industry overseas bases is necessary. How to select and analyze the causes of infrastructure in selected overseas offices. By utilizing the infrastructure of overseas bases, can raise the added value of the products and services of the Information Security company, we can enable the export of small and medium Information Security company from overseas offices.

• The KIPS Transactions:PartC
• /
• v.12C no.4 s.100
• /
• pp.503-510
• /
• 2005

With the increasing importance of network protection from cyber threats, it is requested to develop a multi-gigabit rate pattern matching method for protecting against malicious attacks in high-speed network. This paper devises a high-speed pattern matching algorithm with TCAM by using an m-byte jumping window pattern matching scheme. The proposed algorithm significantly reduces the number of TCAM lookups per payload by m times with the marginally enlarged TCAM size which can be implemented by cascading multiple TCAMs. Due to the reduced number of TCAM lookups, we can easily achieve multi-gigabit rate for scanning the packet payload. It is shown by simulation that for the Snort nile with 2,247 patterns, our proposed algorithm supports more than 10 Gbps rate with a 9Mbit TCAM.