• 융합보안논문지
• /
• 제10권4호
• /
• pp.13-19
• /
• 2010

시대의 흐름에 따라 기업의 지속적인 비지니스 연계 보증을 위하여 IT의 비중이 높아지면서, IT가 조직의 하나의 부분으로서 작용하는 것이 아닌 전사적인 차원에서 정보화 사회의 경쟁 화두로서 인식되어가고 있다. 정보보안 거버넌스는 정보의 무결성, 서비스 연속성, 정보자산의 보호라는 3가지 목적으로 시작된다. 이는 기업 거버넌스에 필수적이며 투명한 부분이 되어야 하고, IT프레임워크와 연계되어야 한다. 기존의 정보보안 거버넌스 프레임워크는 그 범위가 넓어 소규모 기업 거버넌스와 이해관계를 가지지 못한 문제점이 있다. 따라서 본 논문은 단순화된 정보보안 거버넌스 프레임워크를 제안하여, 문제점을 해결하고, 제안하는 프레임워크의 안전성 분석과 효율성 분석을 통하여 제안 방법의 효율성에 관하여 알아보았다.

• 정보보호학회논문지
• /
• 제24권4호
• /
• pp.669-679
• /
• 2014

본 연구에서는 스마트금융 서비스를 위한 서버 측 보안 프레임워크를 제안한다. 국내 금융기관의 전자금융서비스를 제공하는 서버 측 프레임워크 구조를 살펴보면 대부분 서비스제공위주의 구조를 가지고 있다. 따라서, 보안관련 요구사항들은 비즈니스 로직들에 같이 포함되어 있는 경우가 대부분이기 때문에 보안 사고에 효과적으로 대응하기 어렵다. 본 논문에서는 전자금융서비스시 보안영역을 비즈니스영역과 분리하여 업무에 대한 의존도(Dependency) 없이 보안 정책을 실시간으로 적용할 수 있는 프레임워크를 제안한다. 이를 통하여 보안관련 위협에 대한 신속하고 효과적인 대응기반을 제시한다. 또한 현재 서비스하고 있는 시스템구조에서도 시스템의 큰 변경없이 제안 프레임워크를 적용할 수 있는 방안을 제시한다.

• 정보보호학회논문지
• /
• 제19권3호
• /
• pp.143-152
• /
• 2009

정보보호 전문인력을 정의하고 양성하기 위해서는 무엇보다도 정보보호업무 전반을 체계화하여 표준화한 '직무체계'를 개발하고, 직무체계에 기반하여 인력을 어떻게 교육할 것인가를 정하는 교육과정 및 직무분석이 필요하다. 정보보호 분야의 직무를 정의하고 표준화함으로써 인력의 직무능력을 표준화하고 직무수행을 위해 필요한 지식 및 기술에 대한 정의가 가능해짐으로써 보다 실무 지향적인 전문인력의 양성이 가능할 것으로 기대된다. 직무체계(Skills Framework)란 산업현장의 직무에 근거하여 직무분류 및 직무수준을 설정하고 직무수준별 수행기준을 제시하는 것으로써, 현장 수요에 기초한 교육훈련과정의 개발, 자격 및 인력수급 체계 등을 위한 인프라 정비의 핵심 요소이다. 따라서, 본 논문에서는 정보보호산업의 발전을 이끌어갈 실수요에 기반한 체계적인 '정보보호 전문인력'의 중급을 위해서는 무엇보다도 표준화된 직무체계의 개발이 시급하다고 인식하고, 정보보호 분야의 직무체계를 개발하여 제시하고자 한다.

• 대한임베디드공학회논문지
• /
• 제1권2호
• /
• pp.56-63
• /
• 2006

In this paper, we propose the integrated security management framework supporting the trust for the ubiquitous environments. The proposed framework provides the gathering and analysis of the security related information including the location of mobile device and then dynamically configures the security policy and adopts them. More specially, it supports the authentication and delegation service to support the trusted security management for the ubiquitous networks. This system also provides the visible management tools to give the convenient view for network administrator.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• 제6권12호
• /
• pp.3366-3383
• /
• 2012

Reliance on the Internet has introduced Voice over Internet Protocol (VoIP) to various security threats. A reliable security protocol and an authentication scheme are thus required to prevent the aforementioned threats. However, an authentication scheme often demands additional cost and effort. Accordingly, a security framework for known participants in VoIP communication is proposed in this paper. The framework is known as Randomness-Optimized Self-Securing (ROSS), which performs authentication automatically throughout the session by optimizing the uniqueness and randomness of the communication itself. Elliptic Curve Diffie-Hellman (ECDH) key exchange and Salsa20 stream cipher are utilized in the framework correspondingly to secure the key agreement and the communication with low computational cost. Human intelligence supports ROSS authentication process to ensure participant authenticity and communication regularity. The results show that with marginal overhead, the proposed framework is able to secure VoIP communication by performing reliable authentication.

• International Journal of Computer Science & Network Security
• /
• 제24권6호
• /
• pp.41-48
• /
• 2024

Existing PoS (Point of Sale) based payment frameworks are vulnerable as the Payment Application's integrity in the smart phone and PoS are compromised, vulnerable to reverse engineering attacks. In addition to these existing PoS (Point of Sale) based payment frameworks do not perform point-to-point encryption and do not ensure communication security. We propose a Smart and Secure PoS (SSPoS) Framework which overcomes these attacks. Our proposed SSPoS framework ensures point-to-point encryption (P2PE), Application hardening and Application wrapping. SSPoS framework overcomes repackaging attacks. SSPoS framework has very less communication and computation cost. SSPoS framework also addresses Heartbleed vulnerability. SSPoS protocol is successfully verified using Burrows-Abadi-Needham (BAN) logic, so it ensures all the security properties. SSPoS is threat modeled and implemented successfully.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• 제13권5호
• /
• pp.2610-2628
• /
• 2019

Advanced persistent threats (APTs) are constant attacks of specific targets by hackers using intelligent methods. All current internal infrastructures are constantly subject to APT attacks created by external and unknown malware. Therefore, information security officers require a framework that can assess whether information security systems are capable of detecting and blocking APT attacks. Furthermore, an on-line evaluation of information security systems is required to cope with various malicious code attacks. A regular evaluation of the information security system is thus essential. In this paper, we propose a dynamic updated evaluation framework to improve the detection rate of internal information systems for malware that is unknown to most (over 60 %) existing static information security system evaluation methodologies using non-updated unknown malware.

• 제어로봇시스템학회:학술대회논문집
• /
• 제어로봇시스템학회 2005년도 ICCAS
• /
• pp.1586-1589
• /
• 2005

GUMF (Global User Management Framework) that is proposed in this research can be applied to next generation network such as BcN (Broadband convergence Network), it is QoS guaranteed security framework for user that can solve present Internet's security vulnerability. GUMF offers anonymity for user of service and use the user's real-name or ID for management of service and it is technology that can realize secure QoS. GUMF needs management framework, UMS (User Management System), VNC (Virtual Network Controller) etc. UMS consists of root UMS in country dimension and Local UMS in each site dimension. VNC is network security equipment including VPN, QoS and security functions etc., and it achieves the QoSS (Quality of Security Service) and CLS(Communication Level Switching) functions. GUMF can offer safety in bandwidth consumption attacks such as worm propagation and DoS/DDoS, IP spoofing attack, and current most attack such as abusing of private information because it can offer the different QoS guaranteed network according to user's grades. User's grades are divided by 4 levels from Level 0 to Level 3, and user's security service level is decided according to level of the private information. Level 3 users that offer bio-information can receive secure network service that privacy is guaranteed. Therefore, GUMF that is proposed in this research can offer profit model to ISP and NSP, and can be utilized by strategy for secure u-Korea realization.

• 한국전자거래학회지
• /
• 제1권1호
• /
• pp.51-67
• /
• 1996

Recently the interests in NII, CALS/EC, and security are rapidly increasing. However, only one of the security issues for CALS implementation, i.e., the security for EDI implementation, has been presented in the literature. No comprehensive discussion about CALS security including other CALS applications exists. This paper intends to present such a comprehensive analysis for the security requirements and standards for the well-recognized two-phase CALS implementation. We present a framework for CALS security encompassing security protocols and systems that are arranged into the framework in terms of the CALS implementation phases, application systems, and communication modes. This framework is followed by brief descriptions of the security services and mechanisms for each CALS application.

• 전기학회논문지
• /
• 제66권12호
• /
• pp.1879-1888
• /
• 2017

The Internet of Things (IoT) environment has been gradually approaching reality, and although it provides great convenience, security threats are increasing accordingly. For the IoT environment to settle safely, careful consideration of information security is necessary. Although many security measures in the design and development stages of IoT products have been studied thus far, apart from them, the establishment of systems and countermeasures for post management after the launch of IoT products is also very important. In the present paper, a technical and policy post-security management framework is proposed to provide secure IoT environments. The proposed framework defines the concrete response procedures of individual entities such as users, manufacturers, and competent authorities in the case of the occurrence of security flaws after launching IoT products, and performs appropriate measures such as software updates and recalls based on an assessment of the risk of security flaws.