• Convergence Security Journal
• /
• v.15 no.1
• /
• pp.3-9
• /
• 2015

In this paper, a detection technique of smishing using a TaintDroid is suggested. Suggesting system detects malicious acts by transmitting a URL to the TaintDroid server and installing a relevant application to a virtual device of the TaintDroid server, when a smartphone user receives a text message including the URL suspected as a smishing. Through this we want to distinguish an application that can not install because of suspicion of a smishing in an actual smartphone whether said application is malicious application or not by testing with the virtual device of said system. The detection technique of a smishing using the TaintDroid suggested in this paper is possible to detect in a new form a smishing with a text message and to identifying which application it is through analysis of results from a user.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.6 no.2
• /
• pp.766-783
• /
• 2012

Recently, many malicious users have attacked web browsers using JavaScript code that can execute dynamic actions within the browsers. By forcing the browser to execute malicious JavaScript code, the attackers can steal personal information stored in the system, allow malware program downloads in the client's system, and so on. In order to reduce damage, malicious web pages must be located prior to general users accessing the infected pages. In this paper, a novel framework (JsSandbox) that can monitor and analyze the behavior of malicious JavaScript code using internal function hooking (IFH) is proposed. IFH is defined as the hooking of all functions in the modules using the debug information and extracting the parameter values. The use of IFH enables the monitoring of functions that API hooking cannot. JsSandbox was implemented based on a debugger engine, and some features were applied to detect and analyze malicious JavaScript code: detection of obfuscation, deobfuscation of the obfuscated string, detection of URLs related to redirection, and detection of exploit codes. Then, the proposed framework was analyzed for specific features, and the results demonstrate that JsSandbox can be applied to the analysis of the behavior of malicious web pages.

• Journal of Korea Society of Digital Industry and Information Management
• /
• v.11 no.4
• /
• pp.81-87
• /
• 2015

Recently, with the development of the ICT environment, the use of the software is growing rapidly. And the number of the web server software used with a variety of users is also growing. However, There are also various damage cases increased due to a software security vulnerability as software usage is increasing. Especially web shell hacking which abuses software vulnerabilities accounts for a very high percentage. These web server environment damage can induce primary damage such like homepage modification for malware spreading and secondary damage such like privacy. Source code weaknesses checking system is needed during software development stage and operation stage in real-time to prevent software vulnerabilities. Also the system which can detect and determine web shell from checked code in real time is needed. Therefore, in this paper, we propose the system improving security for web server by detecting web shell attacks which are invisible to existing detection method such as Firewall, IDS/IPS, Web Firewall, Anti-Virus, etc. while satisfying existing secure coding guidelines from development stage to operation stage.

• Journal of Electrical Engineering and Technology
• /
• v.12 no.5
• /
• pp.2051-2066
• /
• 2017

This paper deals with reconfigurable secured mobile systems where the reconfigurability has the potential of providing a required adaptability to change the system requirements. The reconfiguration scenario is presented as a run-time automatic operation which allows security mechanisms and the addition-removal-update of software tasks. In particular, there is a definite requirement for filtering and intrusion detection mechanisms that will use fewer resources and also that will improve the security on the secured mobile devices. Filtering methods are used to control incoming traffic and messages, whereas, detection methods are used to detect malware events. Nevertheless, when different reconfiguration scenarios are applied at run-time, new security threats will be emerged against those systems which need to support multiple security objectives: Confidentiality, integrity and availability. We propose in this paper a new approach that efficiently detects threats after reconfigurable scenarios and which is based on filtering and intrusion detection methods. The paper's contribution is applied to Android where the evaluation results demonstrate the effectiveness of the proposed middleware in order to detect the malicious events on reconfigurable secured mobile systems and the feasibility of running and executing such a system with the proposed solutions.

• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.13 no.1
• /
• pp.71-76
• /
• 2013

A computer worm is a standalone malware computer program that probes and exploits vulnerabilities of systems. It replicates and spreads itself to other computers via networks. In this paper, we study how to detect and prevent worms. First, we generated Codered II traffic on the emulated testbed called Deterlab. Then we identified dubious parts using Earlybird and wrote down Snort rules using Wireshark. Finally, by applying the Snort rules to the traffic, we could confirmed that worm detection was successfully done.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.21 no.3
• /
• pp.37-44
• /
• 2011

Recently malicious activities that is a DDoS, spam, propagation of malware, steeling person information, phishing on the Internet are related malicious botnet. To detect malicious botnet, Many researchers study a detection system for malicious botnet, but these applies specific protocol, action or attack based botnet. In this reason, we study a selection of measurement to detec malicious botnet in this paper. we collect a traffic of malicious botnet and analyze it for feature of network traffic. And we select a feature based measurement. we expect to help a detection of malicious botnet through this study.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.23 no.1
• /
• pp.69-79
• /
• 2013

Recently, many enterprises are suffering from advanced types of malware and their variants including intelligent malware that can evade the current security systems. This addresses the fact that current security systems have limits on protecting advanced and intelligent security threats. To enhance the overall level of security, first of all, it needs to increase detection ratio of each security solution within a security system. In addition, it is also necessary to implement internetworking between multiple security solutions to increase detection ratio and response speed. In this paper, we suggest a collaborative security response method to overcome the limitations of the previous Internet service security solutions. The proposed method can show an enhanced result to respond to intelligent security threats.

• Journal of Internet of Things and Convergence
• /
• v.9 no.6
• /
• pp.1-9
• /
• 2023

Malware files containing concealed malicious scripts have recently been identified within MS Office documents frequently. In response, this paper describes the design and implementation of a system that automatically detects malicious digital files using machine learning techniques. The system is proficient in identifying malicious scripts within MS Office files that exploit the OLE VBA macro functionality, detecting malicious scripts embedded within the CDH/LFH/ECDR internal field values through OOXML structure analysis, and recognizing abnormal CDH/LFH information introduced within the OOXML structure, which is not conventionally referenced. Furthermore, this paper presents a mechanism for utilizing the VirusTotal malicious script detection feature to autonomously determine instances of malicious tampering within MS Office files. This leads to the design and implementation of a machine learning-based integrated software. Experimental results confirm the software's capacity to autonomously assess MS Office file's integrity and provide enhanced detection performance for arbitrary MS Office files when employing the optimal machine learning model.

• The Journal of Society for e-Business Studies
• /
• v.17 no.3
• /
• pp.117-128
• /
• 2012

There was a large scale of DDoS(Distributed Denial of Service) attacks mostly targeted at Korean government web sites and cooperations's on March 4, 2010(3.4 DDoS attack) after 7.7 DDoS on July 7, 2009. In these days, anyone can create zombie PCs to attack someone's website with malware development toolkits and farther more improve their knowledge of hacking skills as well as toolkits because it has become easier to obtain these toolkits on line, For that trend, it has been difficult for computer security specialists to counteract DDoS attacks. In this paper, we will introduce an essential control list to prevent malware infection with live forensics techniques after analysis of monitoring network systems and PCs. Hopefully our suggestion of how to coordinate a security monitoring system in this paper will give a good guideline for cooperations who try to build their new systems or to secure their existing systems.

• Journal of Internet Computing and Services
• /
• v.22 no.3
• /
• pp.27-35
• /
• 2021

With the development of the Internet, various IT technologies such as IoT, Cloud, etc. have been developed, and various systems have been built in countries and companies. Because these systems generate and share vast amounts of data, they needed a variety of systems that could detect threats to protect the critical data contained in the system, which has been actively studied to date. Typical techniques include anomaly detection and misuse detection, and these techniques detect threats that are known or exhibit behavior different from normal. However, as IT technology advances, so do technologies that threaten systems, and these methods of detection. Advanced Persistent Threat (APT) attacks national or companies systems to steal important information and perform attacks such as system down. These threats apply previously unknown malware and attack technologies. Therefore, in this paper, we propose a hybrid intrusion detection system that combines anomaly detection and misuse detection to detect unknown threats. Two detection techniques have been applied to enable the detection of known and unknown threats, and by applying machine learning, more accurate threat detection is possible. In misuse detection, we applied Classification based on Association Rule(CBA) to generate rules for known threats, and in anomaly detection, we used One-Class SVM(OCSVM) to detect unknown threats. Experiments show that unknown threat detection accuracy is about 94%, and we confirm that unknown threats can be detected.