• Journal of Platform Technology
• /
• v.9 no.3
• /
• pp.3-17
• /
• 2021

Advanced persistent threat (APT) attacks are attacks aimed at a particular entity as a set of latent and persistent computer hacking processes. These APT attacks are usually carried out through various methods, including spam mail and disguised banner advertising. The same name is also used for files, since most of them are distributed via spam mail disguised as invoices, shipment documents, and purchase orders. In addition, such Infostealer attacks were the most frequently discovered malicious code in the first week of February 2021. CDR is a 'Content Disarm & Reconstruction' technology that can prevent the risk of malware infection by removing potential security threats from files and recombining them into safe files. Gartner, a global IT advisory organization, recommends CDR as a solution to attacks in the form of attachments. There is a program using CDR techniques released as open source is called 'Dangerzone'. The program supports the extension of most document files, but does not support the extension of HWP files that are widely used in Korea. In addition, Gmail blocks malicious URLs first, but it does not block malicious URLs in mail systems such as Naver and Daum, so malicious URLs can be easily distributed. Based on this problem, we developed a 'Dangerzone' program that supports the HWP extension to prevent APT attacks, and a Chrome extension that performs URL checking in Naver and Daum mail and blocking banner ads.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.13 no.6
• /
• pp.129-140
• /
• 2003

Recently viruses and various hacking tools that threat hosts on a network becomes more intelligent and cleverer, and so the various security mechanisms against them have ken developed during last decades. To detect these network attacks, many NIPSs(Network-based Intrusion Prevention Systems) that are more functional than traditional NIDSs are developed by several companies and organizations. But, many previous NIPSS are hewn to have some weakness in protecting important hosts from network attacks because of its incorrectness and post-management aspects. The aspect of incorrectness means that many NIPSs incorrectly discriminate between normal and attack network traffic in real time. The aspect of post-management means that they generally respond to attacks after the intrusions are already performed to a large extent. Therefore, to detect network attacks in realtime and to increase the capability of analyzing packets, faster and more active responding capabilities are required for NIPS frameworks. In this paper, we propose a framework for real-time intrusion prevention. This framework consists of packet filtering component that works on netfilter in Linux kernel and traffic control component that have a capability of step-by-step control over abnormal network traffic with the CBQ mechanism.

• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.18 no.7
• /
• pp.1-8
• /
• 2017

As the IT environment becomes more sophisticated, various threats and their associated serious risks are increasing. Threats such as DDoS attacks, malware, worms, and APT attacks can be a very serious risk to enterprises and must be efficiently managed in a timely manner. Therefore, the government has designated the important system as the main information communication infrastructure in consideration of the impact on the national security and the economic society according to the 'Information and Communication Infrastructure Protection Act', which, in particular, protects the main information communication infrastructure from cyber infringement. In addition, it conducts management supervision such as analysis and evaluation of vulnerability, establishment of protection measures, implementation of protection measures, and distribution of technology guides. Even now, security consulting is proceeding on the basis of 'Guidance for Evaluation of Technical Vulnerability Analysis of Major IT Infrastructure Facilities'. There are neglected inspection items in the applied items, and the vulnerability of APT attack, malicious code, and risk are present issues that are neglected. In order to eliminate the actual security risk, the security manager has arranged the inspection and ordered the special company. In other words, it is difficult to check against current hacking or vulnerability through current system vulnerability checking method. In this paper, we propose an efficient method for extracting diagnostic data regarding the necessity of upgrading system vulnerability check, a check item that does not reflect recent trends, a technical check case for latest intrusion technique, a related study on security threats and requirements. Based on this, we investigate the security vulnerability management system and vulnerability list of domestic and foreign countries, propose effective security vulnerability management system, and propose further study to improve overseas vulnerability diagnosis items so that they can be related to domestic vulnerability items.

• The KIPS Transactions:PartC
• /
• v.10C no.6
• /
• pp.683-694
• /
• 2003

We present X-tree Diff, a change detection algorithm for tree-structured data. Our work is motivated by need to monitor massive volume of web documents and detect suspicious changes, called defacement attack on web sites. From this context, our algorithm should be very efficient in speed and use of memory space. X-tree Diff uses a special ordered labeled tree, X-tree, to represent XML/HTML documents. X-tree nodes have a special field, tMD, which stores a 128-bit hash value representing the structure and data of subtrees, so match identical subtrees form the old and new versions. During this process, X-tree Diff uses the Rule of Delaying Ambiguous Matchings, implying that it perform exact matching where a node in the old version has one-to one corrspondence with the corresponding node in the new, by delaying all the others. It drastically reduces the possibility of wrong matchings. X-tree Diff propagates such exact matchings upwards in Step 2, and obtain more matchings downwsards from roots in Step 3. In step 4, nodes to ve inserted or deleted are decided, We aldo show thst X-tree Diff runs on O(n), woere n is the number of noses in X-trees, in worst case as well as in average case, This result is even better than that of BULD Diff algorithm, which is O(n log(n)) in worst case, We experimented X-tree Diff on reat data, which are about 11,000 home pages from about 20 wev sites, instead of synthetic documets manipulated for experimented for ex[erimentation. Currently, X-treeDiff algorithm is being used in a commeercial hacking detection system, called the WIDS(Web-Document Intrusion Detection System), which is to find changes occured in registered websites, and report suspicious changes to users.