• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.16 no.6
• /
• pp.3-13
• /
• 2006

Internet mail has become a common communication method to send and receive an amount of data due to the tremendous high speed Internet service increment. But in other respect, the risk and damage of Junk mail is growing rapidly and nowadays Junk mail delivery problem is becoming more serious, because this is used for an attack or propagation scheme of malicious code. It's a most dangerous dominant cause for computer system accident. This paper shows the Junk mail characteristic which is based on the analysis of mail log in reality and then shows the implementation of the FQDN (Fully Qualified Domain Name) check and Personalized classification system and evaluates its performance.

• Journal of KIISE:Information Networking
• /
• v.29 no.6
• /
• pp.663-673
• /
• 2002

Server-side anti-viruses are useful to protect their domains, because they can detect malicious codes at the gateway of their domains. In prevailing local network, all clients cannot be perfectly controlled by domain administrators, so server-side inspection, for example in e-mail server, is used as an efficient technique of detecting mobile malicious codes. However, current server-side anti-virus systems perform only signature-based detection for known malicious codes, simple filtering, and file name modification. One of the main reasons that they don't have detection features, for unknown malicious codes, is that activity monitoring technique is unavailable for server machines. In this paper, we propose a detection technique that is executed at the server, but it can monitor activities at the clients without any anti-virus features. we describe its implementation.

• Journal of Internet Computing and Services
• /
• v.18 no.6
• /
• pp.35-46
• /
• 2017

Recently, attackers using malicious code in cyber security have been increased by attaching malicious code to a mail and inducing the user to execute it. Especially, it is dangerous because it is easy to execute by attaching a document type file. The author analysis is a research area that is being studied in NLP (Neutral Language Process) and text mining, and it studies methods of analyzing authors by analyzing text sentences, texts, and documents in a specific language. In case of attack mail, it is created by the attacker. Therefore, by analyzing the contents of the mail and the attached document file and identifying the corresponding author, it is possible to discover more distinctive features from the normal mail and improve the detection accuracy. In this pager, we proposed IADA2(Intelligent Attack mail Detection based on Authorship Analysis) model for attack mail detection. The feature vector that can classify and detect attack mail from the features used in the existing machine learning based spam detection model and the features used in the author analysis of the document and the IADA2 detection model. We have improved the detection models of attack mails by simply detecting term features and extracted features that reflect the sequence characteristics of words by applying n-grams. Result of experiment show that the proposed method improves performance according to feature combinations, feature selection techniques, and appropriate models.

• The Journal of the Convergence on Culture Technology
• /
• v.2 no.1
• /
• pp.79-85
• /
• 2016

Ransomware was a malicious code that active around the US, but now it spreads rapidly all over the world and emerges in korea recently because of exponential computer supply and increase in users. Initially ransomware uses e-mail as an attack medium in such a way that induces to click a file through the spam mail Pam, but it is now circulated through the smart phone message. The current trend is an increase in the number of damage, including attacks such as the domestic large community site by ransomware hangul version. Ransomware outputs a warning message to the user to encrypt the file and leads to monetary damages and demands for payment via bitcoin as virtual currency is difficult to infer the tracking status. This paper presents an analysis and solutions to damage cases caused by ransomware.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.12 no.6
• /
• pp.2881-2894
• /
• 2018

Cyber attacks are increasing continuously. On average about one million malicious codes appear every day, and attacks are expanding gradually to IT convergence services (e.g. vehicles and television) and social infrastructure (nuclear energy, power, water, etc.), as well as cyberspace. Analysis of large-scale cyber incidents has revealed that most attacks are started by PCs infected with malicious code. This paper proposes a method of detecting an attack IP automatically by analyzing the characteristics of the e-mail transfer path, which cannot be manipulated by the attacker. In particular, we developed a system based on the proposed model, and operated it for more than four months, and then detected 1,750,000 attack IPs by analyzing 22,570,000 spam e-mails in a commercial environment. A detected attack IP can be used to remove spam e-mails by linking it with the cyber removal system, or to block spam e-mails by linking it with the RBL(Real-time Blocking List) system. In addition, the developed system is expected to play a positive role in preventing cyber attacks, as it can detect a large number of attack IPs when linked with the portal site.

• Convergence Security Journal
• /
• v.8 no.4
• /
• pp.1-8
• /
• 2008

Not only the recent hacking techniques are becoming more malicious with the sophisticated technology but also its consequences are bringing more damages as the broadband Internet is growing rapidly. These may include invasion of information leakage, or identity theft over the internet. Its intent is very destructive which can result in invasion of information leakage, hacking, one of the most disturbing problems on the net. This thesis describes the technology of how you can effectively analyze and detect these kind of E-Mail malicious codes. This research explains how we can cope with malicious code more efficiently by detection method.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.31 no.1
• /
• pp.73-81
• /
• 2021

When downloading files using an app or web-based application on the user's mobile phone, the path is set to be saved in the pre-defined default directory. Many applications requiring access to storage, including file managers, require a write or read permission of storage to provide numerous functions and services. This means that the application will have direct access to the download folder where the numerous files downloaded. In this paper, to prove our feasibility of attack using the security vulnerabilities mentioned above, we developed a file hacking function disguised as an encryption function in the file management application. The file that encrypted will be sent to hackers via E-mail simultaneously on the background. The developed application was evaluated from VirusTotal, a malicious analysis engine, was not detected as a malicious application in all 74 engines. Finally, in this paper, we propose a defense technique and an algorithm based on the Trusted Execution Environment (TEE) to supplement these storage vulnerabilities.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.15 no.6
• /
• pp.37-47
• /
• 2005

Recently, the malicious e-mail worm-viruses have been widely spreaded over the Internet. If the recipient opens the e-mail attachment or an e-mail itself that contains the worm-virus, the worm-virus can be activated and then cause a tremendous damage to the system by propagating itself to everyone on the mailing list in the user's e-mail package. In this paper, we have designed and implemented two methods blocking e-mail worm-viruses. In the fist method, each e-mail is transmitted only by sender activity such as the click of button on a mail client application. In the second one, we insert the two modules into the sender side, where the one module transforms a recipient's address depending on a predefined rule only in time of pushing button and the other converts the address reversely with the former module whenever an e-mail is sent. The lader method also supports a polymorphism model in order to cope with the new types of e-mail worm-virus attacks. The two methods are designed not to work for the e-mail viruses. There is no additional fraction on the receiver's side of the e-mail system. Experimental results show that the proposed methods can screen the e-mail worm-viruses efficiently with a low overhead.

• KSCI Review
• /
• v.14 no.2
• /
• pp.255-262
• /
• 2006

A Malicious code is used to SMiShing disguised as finance mobile Vishing, using Phishing, Pharming mail, VoIP service etc. to capture of personal information. A Malicious code deletes in Anti-Virus Spyware removal programs. or to cure use. By the way, the Malicious cord which is parasitic as use a DLL Injection technique, and operate are Isass.exe, winlogon.exe. csrss.exe of the window operating system. Be connected to the process that you shall be certainly performed of an exe back, and a treatment does not work. A user forces voluntarily a process, and rebooting occurs, or a blue screen occurs, and Compulsory end, operating system everyone does. Propose a treatment way like a bird curing a bad voice code to use a DLL Injection technique to occur in these fatal results. Click KILL DLL since insert voluntarily an end function to Thread for a new treatment, and Injection did again the Thread which finish an action of DLL, and an end function has as control Thread, and delete. The cornerstone that the treatment way that experimented on at these papers and a plan to solve will become a researcher or the revolutionary dimension that faced of a computer virus, and strengthen economic financial company meeting Ubiquitous Security will become.

• Journal of the Korea Society of Computer and Information
• /
• v.11 no.5 s.43
• /
• pp.251-258
• /
• 2006

A Malicious code is used to SMiShing disguised as finance mobile Vishing, using Phishing, Pharming mail, VoIP service etc. to capture of personal information. A Malicious code deletes in Anti-Virus Spyware removal programs, or to cure use. By the way, the Malicious cord which is parasitic as use a DLL Injection technique, and operate are Isass.exe, winlogon.exe, csrss.exe of the window operating system. Be connected to the process that you shall be certainly performed of an exe back, and a treatment does not work. A user forces voluntarily a process, and rebooting occurs, or a blue screen occurs, and Compulsory end, operating system everyone does. Propose a treatment way like a bird curing a bad voice code to use a DLL Injection technique to occur in these fatal results. Click KILL DLL since insert voluntarily an end function to Thread for a new treatment, and Injection did again the Thread which finish an action of DLL, and an end function has as control Thread, and delete. The cornerstone that the treatment wav that experimented on at these papers and a plan to solve will become a researcher of the revolutionary dimension that faced of a computer virus, and strengthen economic financial company meeting Ubiquitous Security will become.