• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.23 no.5
• /
• pp.939-946
• /
• 2013

This paper proposes normal behavior profiling methods for anomaly detection in IEC 61850 based substation network. Signature based security solutions, currently used primarily, are inadequate for APT attack using zero-day vulnerabilities. Recently, some researches about anomaly detection in control network are ongoing. However, there are no published result for IEC 61850 substation network. Our proposed methods includes 3-phase preprocessing for MMS/GOOSE packets and normal behavior profiling using one-class SVM algorithm. These approaches are beneficial to detect APT attacks on IEC 61850 substation network.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.10 no.6
• /
• pp.2781-2800
• /
• 2016

Emerging attacks aim to access proprietary assets and steal data for business or political motives, such as Operation Aurora and Operation Shady RAT. Skilled Intruders would likely remove their traces on targeted hosts, but their network movements, which are continuously recorded by network devices, cannot be easily eliminated by themselves. However, without complete knowledge about both inbound/outbound and internal traffic, it is difficult for security team to unveil hidden traces of intruders. In this paper, we propose an autonomous anomaly detection system based on behavior profiling and relation mining. The single-hop access profiling model employ a novel linear grouping algorithm PSOLGA to create behavior profiles for each individual server application discovered automatically in historical flow analysis. Besides that, the double-hop access relation model utilizes in-memory graph to mine time-sequenced access relations between different server applications. Using the behavior profiles and relation rules, this approach is able to detect possible anomalies and violations in real-time detection. Finally, the experimental results demonstrate that the designed models are promising in terms of accuracy and computational efficiency.

• Journal of Internet Computing and Services
• /
• v.4 no.2
• /
• pp.69-80
• /
• 2003

Program Behavior Intrusion Detection Technique analyses system calls that called by daemon program or root authority, constructs profiles, and detectes modificated anomaly intrusions effectively. In this paper, the relation among system calls of processes is represented by bayesian network and Multiple Sequence Alignment. Program behavior profiling by Bayesian Network classifies modified anomaly intrusion behaviors, and detects anomaly behaviors. we had simulation by proposed normal behavior profiling technique using UNM data.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.5
• /
• pp.987-995
• /
• 2022

Deep learning-based profiling side-channel analysis has been many proposed. Deep learning-based profiling analysis is a technique that trains the relationship between the side-channel information and the intermediate values to the neural network, then finds the secret key of the attack device using the trained neural network. Recently, cross-device profiling side channel analysis was proposed to consider the realistic deep learning-based profiling side channel analysis scenarios. However, it has a limitation in that attack performance is lowered if the profiling device and the attack device have not the same chips. In this paper, an environment in which the profiling device and the attack device have not the same chips is defined as the different-device, and a novel deep learning-based profiling side-channel analysis on different-device is proposed. Also, MCNN is used to well extract the characteristic of each data. We experimented with the six different boards to verify the attack performance of the proposed method; as a result, when the proposed method was used, the minimum number of attack traces was reduced by up to 25 times compared to without the proposed method.

• Journal of the Korea Society of Computer and Information
• /
• v.8 no.1
• /
• pp.103-113
• /
• 2003

Program Behavior Intrusion Detection Technique analyses system calls that called by daemon program or root authority, constructs profiles. and detectes anomaly intrusions effectively. Anomaly detections using system calls are detected only anomaly processes. But this has a Problem that doesn't detect affected various Part by anomaly processes. To improve this problem, the relation among system calls of processes is represented by bayesian probability values. Application behavior profiling by Bayesian Network supports anomaly intrusion informations . This paper overcomes the Problems of various intrusion detection models we Propose effective intrusion detection technique using Bayesian Networks. we have profiled concisely normal behaviors using behavior context. And this method be able to detect new intrusions or modificated intrusions we had simulation by proposed normal behavior profiling technique using UNM data.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.5
• /
• pp.1117-1127
• /
• 2017

With the advent of Internet of Things (IoT), the number of devices connected to Internet has rapidly increased, but the security for IoT is still vulnerable. It is difficult to integrate existing security technologies due to generating a large amount of traffic by using different protocols to use various IoT devices according to purposes and to operate in a low power environment. Therefore, in this paper, we propose a normal network behavior profiling method based on big data analysis techniques. The proposed method utilizes a Hadoop/Hive for Big Data analytics and an R for statistical computing. Also we verify the effectiveness of the proposed method through a simulation.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.6
• /
• pp.1291-1300
• /
• 2020

Recently, a deep learning-based non-profiling side-channel analysis was proposed. The deep learning-based non-profiling analysis is a technique that trains a neural network model for all guessed keys and then finds the correct secret key through the difference in the training metrics. As the performance of non-profiling analysis varies greatly depending on the neural network training model design, a correct model design criterion is required. This paper describes the two types of loss functions and eight labeling methods used in the training model design. It predicts the analysis performance of each labeling method in terms of non-profiling analysis and power consumption model. Considering the characteristics of non-profiling analysis and the HW (Hamming Weight) power consumption model is assumed, we predict that the learning model applying the HW label without One-hot encoding and the Correlation Optimization (CO) loss will have the best analysis performance. And we performed actual analysis on three data sets that are Subbytes operation part of AES-128 1 round. We verified our prediction by non-profiling analyzing two data sets with a total 16 of MLP-based model, which we describe.

• Journal of KIISE:Computer Systems and Theory
• /
• v.36 no.2
• /
• pp.124-133
• /
• 2009

CANopen which is one of the in-vehicle network (IVN) protocols is adopted to solve the hardware dependency problem of the CAN-based application. CANopen makes different CAN devices interoperable each others. By the advantage of the device profiling concept, it can make the period of developing CAN-based application system shorten. The utilization of CANopen network must be reduced to improve the communication performance (e.g. worst-case response time). For reducing network utilization, messages need to be packed as many as possible so that message frame overhead can be decreased. In this paper, we suggested a PDO packing mechanism using object dictionary (OD) and process data object (PDO) communication service in CANopen. Through experiments, the performance of the mechanism is evaluated with SAE benchmark. As a result, network utilization is decreased about 10% compared to the result of the previous works.

• International Commerce and Information Review
• /
• v.9 no.3
• /
• pp.305-320
• /
• 2007

With expanded use of B2B(between enterprises), B2G(between enterprises and government) and EDI(Electronic Data Interchange), and increased amount of available network information and information protection threat, as it was judged that security can not be perfectly assured only with security technology such as electronic signature/authorization and access control, Bayesian networks have been developed for protection of information. Therefore, this study speculates Bayesian networks system, centering on ERP(Enterprise Resource Planning). The Bayesian networks system is one of the methods to resolve uncertainty in electronic data interchange and is applied to overcome uncertainty of abnormal invasion detection in ERP. Bayesian networks are applied to construct profiling for system call and network data, and simulate against abnormal invasion detection. The host-based abnormal invasion detection system in electronic trade analyses system call, applies Bayesian probability values, and constructs normal behavior profile to detect abnormal behaviors. This study assumes before and after of delivery behavior of the electronic document through Bayesian probability value and expresses before and after of the delivery behavior or events based on Bayesian networks. Therefore, profiling process using Bayesian networks can be applied for abnormal invasion detection based on host and network. In respect to transmission and reception of electronic documents, we need further studies on standards that classify abnormal invasion of various patterns in ERP and evaluate them by Bayesian probability values, and on classification of B2B invasion pattern genealogy to effectively detect deformed abnormal invasion patterns.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.6
• /
• pp.1271-1278
• /
• 2020

Deep learning-based profiling side-channel analysis is a powerful analysis method that utilizes the neural network to profile the relationship between the side-channel information and the intermediate value. Since the neural network interprets each point of the signal in a different dimension, jitter makes it much hard that the neural network with dimension-wise weights learns the relationship. This paper shows that replacing the fully-connected layer of the traditional CNN (Convolutional Neural Network) with global average pooling (GAP) allows us to design the inherently robust neural network inherently for jitter. We experimented with the ChipWhisperer-Lite board to demonstrate the proposed method: as a result, the validation accuracy of the CNN with a fully-connected layer was only up to 1.4%; contrastively, the validation accuracy of the CNN with GAP was very high at up to 41.7%.