• Journal of the Korea Society of Computer and Information
• /
• v.19 no.4
• /
• pp.81-90
• /
• 2014

As mobile devices have become widely used and developed, PC based malwares can be moving towards mobile-based units. In particular, mobile Botnet reuses powerful malicious behavior of PC-based Botnet or add new malicious techniques. Different from existing PC-based Botnet detection schemes, mobile Botnet detection schemes are generally host-based. It is because mobile Botnet has various attack vectors and it is difficult to inspect all the attack vector at the same time. In this paper, to overcome limitations of host-based scheme, we compare two network-based schemes which detect mobile Botnet by applying HMM and SVM techniques. Through the verification analysis under real Botnet attacks, we present detection rates and detection properties of two schemes.

• Journal of Communications and Networks
• /
• v.14 no.4
• /
• pp.396-409
• /
• 2012

With the proliferation of diverse wireless devices, there is an increasing concern about the security of location information which can be spoofed or disrupted by adversaries. This paper investigates the characterization and detection of location spoofing attacks, specifically those which are attempting to falsify (degrade) the position estimate through signal strength based attacks. Since the physical-layer approach identifies and assesses the security risk of position information based solely on using received signal strength (RSS), it is applicable to nearly any practical wireless network. In this paper, we characterize the impact of signal strength and beamforming attacks on range estimates and the resulting position estimate. It is shown that such attacks can be characterized by a scaling factor that biases the individual range estimators either uniformly or selectively. We then identify the more severe types of attacks, and develop an attack detection approach which does not rely on a priori knowledge (either statistical or environmental). The resulting approach, which exploits the dissimilar behavior of two RSS-based estimators when under attack, is shown to be effective at detecting both types of attacks with the detection rate increasing with the severity of the induced location error.

• Journal of Information Processing Systems
• /
• v.12 no.3
• /
• pp.422-435
• /
• 2016

Despite the convenience brought by the advances in web and Internet technology, users are increasingly being exposed to the danger of various types of cyber attacks. In particular, recent studies have shown that today's cyber attacks usually occur on the web via malware distribution and the stealing of personal information. A drive-by download is a kind of web-based attack for malware distribution. Researchers have proposed various methods for detecting a drive-by download attack effectively. However, existing methods have limitations against recent evasion techniques, including JavaScript obfuscation, hiding, and dynamic code evaluation. In this paper, we propose an emulation-based malicious webpage detection method. Based on our study on the limitations of the existing methods and the state-of-the-art evasion techniques, we will introduce four features that can detect malware distribution networks and we applied them to the proposed method. Our performance evaluation using a URL scan engine provided by VirusTotal shows that the proposed method detects malicious webpages more precisely than existing solutions.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.12 no.9
• /
• pp.4183-4204
• /
• 2018

The existing en-route filtering schemes only consider some simple false data injection attacks, which results in lower safety performance. In this paper, we propose an efficient geographical information-based en-route filtering scheme (EGEFS), in which each forwarding node verifies not only the message authentication codes (MACs), but also the report identifier and the legitimacy and authenticity of locations carried in a data report. Thus, EGEFS can defend against not only the simple false data injection attacks and the replay attack, but also the collusion attack with forged locations proposed in this paper. In addition, we propose a new method for electing the center-of-stimulus (CoS) node, which can ensure that only one detecting node will be elected as the CoS node to generate one data report for an event. The simulation results show that, compared to the existing en-route filtering schemes, EGEFS has higher safety performance, because it can resist more types of false data injection attacks, and it also has higher filtering efficiency and lower energy expenditure.

• Journal of the Institute of Electronics Engineers of Korea CI
• /
• v.47 no.1
• /
• pp.15-21
• /
• 2010

This paper proposes the multimedia fingerprinting code insertion algorithm when video content is distributed in P2P environment, and designs the collusion codebook SRP(Small RISC Processor) embedded system for the collusion attack prevention. In the implemented system, it is detecting the fingerprinting code inserted in the video content of the client user in which it requests an upload to the web server and in which if it is certified content then transmitted to the streaming server then the implemented system allowed to distribute in P2P network. On the contrary, if it detects the collusion code, than the implemented system blocks to transmit the video content to the streaming server and discontinues to distribute in P2P network. And also it traces the colluders who generate the collusion code and participates in the collusion attack. The collusion code of the averaging attack is generated with 10% of BIBD code v. Based on the generated collusion code, the codebook is designed. As a result, when the insert quantity of the fingerprinting code is 0.15% upper in bitplane 0~3 of the Y(luminance) element of I-frame at the video compression of ASF for a streaming service and MP4 for an offline offer of video content, the correlation coefficient of the inserted original code and the detected code is above 0.15. At the correlation coefficient is above 0.1 then the detection ratio of the collusion code is 38%, and is above 0.2 then the trace ratio of the colluder is 20%.

• Journal of Information Processing Systems
• /
• v.16 no.4
• /
• pp.975-990
• /
• 2020

Nowadays, the Internet of Things (IoT) network, is increasingly becoming a ubiquitous connectivity between different advanced applications such as smart cities, smart homes, smart grids, and many others. The emerging network of smart devices and objects enables people to make smart decisions through machine to machine (M2M) communication. Most real-world security and IoT-related challenges are vulnerable to various attacks that pose numerous security and privacy challenges. Therefore, IoT offers efficient and effective solutions. intrusion detection system (IDS) is a solution to address security and privacy challenges with detecting different IoT attacks. To develop an attack detection and a stable network, this paper's main objective is to provide a comprehensive overview of existing intrusion detections system for IoT environment, cyber-security threats challenges, and transparent problems and concerns are analyzed and discussed. In this paper, we propose software-defined IDS based distributed cloud architecture, that provides a secure IoT environment. Experimental evaluation of proposed architecture shows that it has better detection and accuracy than traditional methods.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.26 no.3
• /
• pp.667-678
• /
• 2016

Due to a development of the cable/wireless network infra, the traffic as big as unable to compare with the past is being served through the internet, the traffic is increasing every year following the change of the network paradigm such as the object internet, especially the traffic of about 1.6 zettabyte is expected to be distributed through the network in 2018. As the network traffic increases, the performance of the security infra is developing together to deal with the bulk terabyte traffic in the security equipment, and is generating hundreds of thousands of security events every day such as hacking attempt and the malignant code. Efficiently analyzing and responding to an event on the attack attempt detected by various kinds of security equipment of company is one of very important assignments for providing a stable internet service. This study attempts to overcome the limit of study such as the detection of Tor network traffic using the existing low-latency by classifying the anonymous network by means of the suggested algorithm about the event detected in the security infra.

• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.17 no.2
• /
• pp.703-711
• /
• 2016

IDS (Intrusion Detection System) is used to detect network attacks through network data analysis. The system requires a high accuracy and detection rate, and low false alarm rate. In addition, the system uses a range of techniques, such as expert system, data mining, and state transition analysis to analyze the network data. The purpose of this study was to compare the performance of two data mining methods for detecting network attacks. They are Support Vector Machine (SVM) and a neural network called Forward Additive Neural Network (FANN). The well-known KDD Cup 99 training and test data set were used to compare the performance of the two algorithms. The accuracy, detection rate, and false alarm rate were calculated. The FANN showed a slightly higher false alarm rate than the SVM, but showed a much higher accuracy and detection rate than the SVM. Considering that treating a real attack as a normal message is much riskier than treating a normal message as an attack, it is concluded that the FANN is more effective in intrusion detection than the SVM.

• Proceedings of the Korean Society of Computer Information Conference
• /
• 2015.01a
• /
• pp.55-58
• /
• 2015

무선 센서 네트워크는 개방된 환경에 단거리 무선 통신으로 정보를 수집하는 센서 노드와 이를 수집하는 베이스 스테이션으로 운영된다. 이러한 센서 네트워크의 특징으로 인해 공격자를 통해 쉽게 훼손될 수 있으며 대표적인 공격방법으로 싱크홀 공격이 있다. LEAP은 싱크홀 공격에 대응하기 위해 네 종류의 키를 사용하여 노드 간 인증을 하도록 제안되었다. 이 기법은 보안성을 유지하기 위해 주기적으로 베이스 스테이션까지의 경로를 갱신한다. 본 논문에서는, 내부 싱크홀 공격을 LEAP과 같은 키의 인증을 통하여 탐지하는 기법을 제안한다. 제안 기법은 이전 노드, 다음 노드와의 키 인증을 통해 공격을 탐지한다. 공격이 탐지되면 해당 노드를 네트워크에서 제외하고 경로를 갱신하며 갱신된 경로를 통해 새로운 키를 배포한다. 그러므로 제안 기법은 이전 노드, 다음 노드와의 키 인증을 통해 싱크홀 공격을 탐지함으로써 전체 네트워크 보안성 향상을 목적으로 한다.

• Proceedings of the IEEK Conference
• /
• 2008.06a
• /
• pp.669-670
• /
• 2008

In this paper, we present a real-time system to detect abnormal events on gas pipes, based on the signals which are observed through the audio sensors attached on them. First, features are extracted from these signals so that they are robust to noise and invariant to the distance between a sensor and a spot at which an abnormal event like an attack on the gas pipes occurs. Then, a classifier is constructed to detect abnormal events using neural networks. It is a combination of two neural network models, a Gaussian mixture model and a multi-layer perceptron, for the reduction of miss and false alarms. The former works for miss alarm prevention and the latter for false alarm prevention. The experimental result with real data from the actual gas system shows that the proposed system is effective in detecting the dangerous events in real-time with an accuracy of 92.9%.