• Convergence Security Journal
• /
• v.22 no.5
• /
• pp.145-154
• /
• 2022

Recently, the widespread proliferation and high sophistication of botnets are having serious consequences not only for enterprises and users, but also for cyber warfare between countries. Therefore, research to detect botnets is steadily progressing. However, the DGA-based botnet has a high detection rate with the existing signature and statistics-based technology, but also has a high limit in the false positive rate. Therefore, in this paper, we propose a detection model using text-based n-gram to detect DGA-based botnets. Through the proposed model, the detection rate, which is the limit of the existing detection technology, can be increased and the false positive rate can also be minimized. Through experiments on large-scale domain datasets and normal domains used in various DGA botnets, it was confirmed that the performance was superior to that of the existing model. It was confirmed that the false positive rate of the proposed model is less than 2 to 4%, and the overall detection accuracy and F1 score are both 97.5%. As such, it is expected that the detection and response capabilities of DGA-based botnets will be improved through the model proposed in this paper.

• International Journal of Computer Science & Network Security
• /
• v.23 no.11
• /
• pp.133-141
• /
• 2023

This work take deeper analysis of Adaptive Moment Estimation (Adam) and Adam with Weight Decay (AdamW) implementation in real world text classification problem (DGA Malware Detection). AdamW is introduced by decoupling weight decay from L2 regularization and implemented as improved optimizer. This work introduces a novel implementation of AdamW variant as AdamW+ by further simplifying weight decay implementation in AdamW. DGA malware detection LSTM models results for Adam, AdamW and AdamW+ are evaluated on various DGA families/ groups as multiclass text classification. Proposed AdamW+ optimizer results has shown improvement in all standard performance metrics over Adam and AdamW. Analysis of outcome has shown that novel optimizer has outperformed both Adam and AdamW text classification based problems.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.5
• /
• pp.1141-1151
• /
• 2018

In an APT attack, the communication stage between infected hosts and C&C(Command and Control) server is the key stage for intrusion into the attack target. Attackers can control multiple infected hosts by the C&C Server and direct intrusion and exploitation. If the C&C Server is exposed at this stage, the attack will fail. Therefore, in recent years, the Domain Generation Algorithm (DGA) has replaced DNS in C&C Server with a short time interval for making detection difficult. In particular, it is very difficult to verify and detect all the newly registered DNS more than 5 million times a day. To solve these problems, this paper proposes a model to judge DGA-DNS detection by the morphological similarity analysis of normal DNS and DGA-DNS, and to determine the sign of APT attack through it, then we verify its validity.

• Journal of Electrical Engineering and Technology
• /
• v.9 no.2
• /
• pp.615-621
• /
• 2014

Power transformer is one of the most important equipments in electrical power system. The detection of certain gases generated in transformer is the first indication of a malfunction that may lead to failure if not detected. Dissolved gas analysis (DGA) of transformer oil has been one of the most reliable techniques to detect the incipient faults. Many conventional DGA methods have been developed to interpret DGA results obtained from gas chromatography. Although these methods are widely used in the world, they sometimes fail to diagnose, especially when DGA results falls outside conventional method codes or when more than one fault exist in transformer. To overcome these limitations, fuzzy inference system (FIS) is proposed. 250 different cases are used to test the accuracy of various DGA methods in interpreting the transformer condition.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2024.05a
• /
• pp.196-198
• /
• 2024

DGA(Domain Generation Algorithms)로 생성된 도메인을 탐지하기 위한 다양한 연구 결과가 선행되었다. 기존 연구 상에서는 딥러닝 모델인 LSTM을 이용한 DGA 도메인 탐지가 가장 효과적인 방법으로 대두되었다. 하지만 본 논문 실험 결과, TCN 모델을 이용한 탐지 결과가 LSTM 모델보다 우수한 탐지 정확도를 나타내는 것을 확인하였다. 또한, 탐지 모델을 대규모 도메인 처리가 필요한 현업에서 사용될 것을 고려하여, LSTM과 TCN 모델보다 빠른 결과를 도출할 수 있는 XGBoost 모델을 확인하였다. TCN과 XGBoost 모델을 활용하여 현업에서 DGA 도메인을 탐지하는데 효과적으로 사용될 수 있을 것이다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2023.11a
• /
• pp.543-546
• /
• 2023

봇넷은 지속적으로 사이버 범죄에 이용되고 있으며 네트워크 환경에 큰 위협이 되고 있다. 기존에는 봇들이 C&C 서버와 통신하는 것을 방지하기 위해 블랙리스트를 기반으로 DNS 서버에서 봇넷 도메인을 탐지하는 방식을 주로 사용하였다. 그러나 도메인 생성 알고리즘(DGA)을 이용하는 봇넷이 증가하면서 기존에 사용하던 블랙리스트 기반의 도메인 차단 방식으로는 더 이상 봇넷 도메인을 효율적으로 차단하기 어려워졌다. 이에 따라 봇넷 도메인 생성 알고리즘을 통해 생성되는 도메인의 특성을 분석하고 이를 토대로 봇넷 도메인을 식별하고 차단하고자 하는 시도가 계속되고 있다. 특히 연속적인 데이터 처리에 주로 사용되는 딥러닝 알고리즘을 이용하여 봇넷 도메인의 특징을 효과적으로 추출하고 정확도가 높은 탐지 모델을 구축하고자 하는 연구가 주를 이루고 있으며, 탐지뿐만 아니라 봇넷 그룹(Family) 분류까지 연구가 확장되고 있다. 이에 본 논문에서는 봇넷 도메인 생성 알고리즘에 의해 생성되는 봇넷 도메인을 식별 및 분류하기 위해 딥러닝 기술을 적용한 최근 연구 동향을 조사하고 앞으로의 연구 방향성을 논의하고자 한다.

• Convergence Security Journal
• /
• v.23 no.5
• /
• pp.65-72
• /
• 2023

This paper proposes a method for detecting malicious domains considering human habitual characteristics by building a Deep Learning model based on LSTM (Long Short-Term Memory). DGA (Domain Generation Algorithm) malicious domains exploit human habitual errors, resulting in severe security threats. The objective is to swiftly and accurately respond to changes in malicious domains and their evasion techniques through typosquatting to minimize security threats. The LSTM-based Deep Learning model automatically analyzes and categorizes generated domains as malicious or benign based on malware-specific features. As a result of evaluating the model's performance based on ROC curve and AUC accuracy, it demonstrated 99.21% superior detection accuracy. Not only can this model detect malicious domains in real-time, but it also holds potential applications across various cyber security domains. This paper proposes and explores a novel approach aimed at safeguarding users and fostering a secure cyber environment against cyber attacks.

• The Transactions of the Korean Institute of Electrical Engineers P
• /
• v.59 no.2
• /
• pp.212-217
• /
• 2010

When paper which was applied as insulation in oil-filled transformer was aged by thermal, its electrical, mechanical and chemical characteristics were changed and deteriorated. Therefore operating temperature was more higher, damage of paper was more quicker. Insulating paper which was generally made with cellulose was degraded, polymer of long length chain was decomposed as a monomer and CO, $CO_2$ gas and/or by-product such as furfural was produced from paper at the same time. In according with detection these gas and furfural by dissolved gas analysis(DGA) and high performance liquid chromatography(HPLC), we have investigated effects of CO, $CO_2$ gas and furfural on insulation of paper. Also we have analyzed for correlation between furfural and CO, $CO_2$ gas using linear regression method that was known as useful, credible statistical analysis.

• Journal of Internet Computing and Services
• /
• v.24 no.5
• /
• pp.17-27
• /
• 2023

Today, as AI (Artificial Intelligence) technology develops and its practicality increases, it is widely used in various application fields in real life. At this time, the AI model is basically learned based on various statistical properties of the learning data and then distributed to the system, but unexpected changes in the data in a rapidly changing data situation cause a decrease in the model's performance. In particular, as it becomes important to find drift signals of deployed models in order to respond to new and unknown attacks that are constantly created in the security field, the need for lifecycle management of the entire model is gradually emerging. In general, it can be detected through performance changes in the model's accuracy and error rate (loss), but there are limitations in the usage environment in that an actual label for the model prediction result is required, and the detection of the point where the actual drift occurs is uncertain. there is. This is because the model's error rate is greatly influenced by various external environmental factors, model selection and parameter settings, and new input data, so it is necessary to precisely determine when actual drift in the data occurs based only on the corresponding value. There are limits to this. Therefore, this paper proposes a method to detect when actual drift occurs through an Anomaly analysis technique based on XAI (eXplainable Artificial Intelligence). As a result of testing a classification model that detects DGA (Domain Generation Algorithm), anomaly scores were extracted through the SHAP(Shapley Additive exPlanations) Value of the data after distribution, and as a result, it was confirmed that efficient drift point detection was possible.