• KIPS Transactions on Computer and Communication Systems
• /
• v.3 no.3
• /
• pp.87-96
• /
• 2014

Hackers try to achieve their purpose in a variety of ways, such as operating own website and hacking a website. Hackers seize a large amount of private information after they have made a zombie PC by using malicious code to upload the website and it would be used another hacking. Almost detection technique is the use Snort rule. When unknown code and the patterns in IDS/IPS devices are matching on network, it detects unknown code as malicious code. However, if unknown code is not matching, unknown code would be normal and it would attack system. Hackers try to find patterns and make shellcode to avoid patterns. So, new method is needed to detect that kinds of shellcode. In this paper, we proposed a noble method to detect the shellcode by using Shannon's information entropy.

• Journal of the Korea Society for Simulation
• /
• v.15 no.1
• /
• pp.87-95
• /
• 2006

We need to check into when a security system is newly developed, we against cyber attack which is expected in real network. However it is impossible to check it under the environment of a large-scale distributive network. So it is need to simulate it under the virtual network environment. SSFNet is a event-driven simulator which can be represent a large-scale network. Unfortunately, it doesn't have the module to simulate security functions. In this paper, we added the IDS module to SSFNet. We implement the IDS module by modeling a key functions of Snort. In addition, we developed some useful functions using Java language which can manipulate easily a packet for network simulation. Finally, we performed the simulation to verify the function if our developed IDS and Packets Manipulation. The simulation shows that our expanded SSFNet can be used to further large-scale security system simulator.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.31 no.2B
• /
• pp.91-97
• /
• 2006

As increasing the network bandwidth, the threat of a network also increases with emerging various new services. For a high-performance network security, It is generally used that high-speed packet classification methods which employ hardware like TCAM. There needs an method using these devices efficiently because they are expensive and their capacity is not sufficient. In this paper, we propose an efficient packet classification using a Ternary-CAM(TCAM) which is widely used device for high-speed packet classification in which we have applied Snort rule set for the well-known intrusion detection system. In order to save the size of an expensive TCAM, we have eliminated duplicated IP addresses and port numbers in the rule according to the partitioning of a table in the TCAM, and we have represented negation and range rules with reduced TCAM size. We also keep advantages of low TCAM capacity consumption and reduce the number of TCAM lookups by decreasing the TCAM partitioning using combining port numbers. According to simulation results on our TCAM partitioning, the size of a TCAM can be reduced by upto 98$\%$ and the performance does not degrade significantly for high-speed packet classification with a large amount of rules.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.18 no.3
• /
• pp.121-129
• /
• 2008

This paper presents vulnerability identification method based on meaning which is making use of the concept of atomic vulnerability. Also, we are making use of decomposition and specialization processes which were used in DEVS/SES to get identifiers. This vulnerability representation method is useful for managing and removing vulnerability in organized way. It is helpful to make a relation between vulnerability assessing and intrusion detection rules in lower level. The relation enables security manager to response more quickly and conveniently. Especially, this paper shows a mapping between Nessus plugins and Snort rules using meaning based vulnerability identification method and lists usages based on three goals that security officer keeps in mind about vulnerability. The contribution of this work is in suggestion of meaning based vulnerability identification method and showing the cases of its usage for the rule integration of vulnerability assessment and intrusion detection.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.2
• /
• pp.283-293
• /
• 2012

A new type of malware that extracts personal and account data over an extended period of time and that apparently is resistant to detection by vaccines has been identified. Generally, a malware is installed on a computer through network-to-network connections by utilizing Web vulnerabilities that contain injection, XSS, broken authentication and session management, or insecure direct-object references, among others. After the malware executes registration of an arbitrary service and an arbitrary process on a computer, it then periodically communicates the collected confidential information to a hacker. This paper is a systematic approach to analyzing a new type of malware called "winweng," a kind of worm that frequently made appearances during the first half of 2011. The research describes how the malware came to be in circulation, how it infects computers, how its operations expose its existence and suggests improvements in responses and countermeasures. Keywords: Malware, Worm, Winweng, SNORT.

• Proceedings of the Korean Information Science Society Conference
• /
• 2005.11a
• /
• pp.886-888
• /
• 2005

Network Intrusion Detection System(NIDS)는 네트워크를 통해 들어오는 패킷들을 모니터링 하고 분석하여 내부 시스템에 유해한 내용을 담고 있는 패킷을 탐지 하는 시스템이다. 이 시스템은 네트워크의 안에서 돌아다니는 패킷을 놓치지 않고 분석할 수 있어야 하며, 예측 불허의 공격 방법들에 대해서는 새로운 법칙을 적용하여 방어할 수 있어야 한다. 본 연구에서 NDIS에 snort를 이용한 소프트웨어적인 패턴매칭을 FPGA를 이용하여 하드웨어적 패턴매칭으로 구현하였으며, 새로운 법칙에 따라서 유연하게 적응할 수 있도록 패턴매칭을 정규 표현식(Regular Expression)으로 나타내어 FPGA에 재구성할 수 있도록 하였다.

• Convergence Security Journal
• /
• v.10 no.2
• /
• pp.43-49
• /
• 2010

Nowadays, the occurrence of Malware is steadily increasing. The Malware is also becoming more intelligent, advanced and changing into various types. With the development of the information industry, the economic and monetary value of the information is going up and the damage due to the leaked information by the Malware is also increasing. This paper investigates the general usage of the User Agent in the HTTP Header, studies the Malware production techniques by transformation of the User-Agent information and suggests the technical and political counterplan against them.

• Proceedings of the Korea Institutes of Information Security and Cryptology Conference
• /
• 2006.06a
• /
• pp.637-640
• /
• 2006

본 논문에서는 HTTP 요청, 응답 헤더정보 분석을 통해, 실시간으로 웹 공격을 탐지하는 시각화도구를 제안한다. 공격 탐지기법은 이상, 오용 탐지 기법을 통합한 방식이다. 이상 탐지는 헤더정보의 Refer와 Uri 필드를 이용한 베이지언 분포를 통한 확률 값을 이용하였으며, 오용탐지는 Snort의 공격 시그너쳐의 웹 공격부분을 사용하였다. 공격 탐지 정보의 효율적인 전달을 위해, 시각화를 GUI로 구현하였다. 본 논문에서는 사용자 에이전트의 비정상 행위 감시, 빈도 분석, 공격 에이전트 위치추적을 실시간으로 시각화하여 표현하는 기법을 제안한다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2001.10b
• /
• pp.973-976
• /
• 2001

본 논문은 공개 소프트웨어를 이용하여 침입자 감시시스템을 효과적으로 구축하는 방법을 제안한다. 침입자 감시시스템의 구축에는 Linux, Apache, PHP, MySQL, Snort, ACID, Tcpwrapper 그리고 phpMyAdmin 이 사용되었으며, 침입자 감시시스템의 자체 보안을 위해서 httpd.conf를 사용한 홈 디렉토리 접근제어 및 Tcpwrapper 의 inetd 방식의 데몬 접근제어를 통해서 관리자만이 시스템에 접근할 수 있도록 하였다. 본 논문의 실험 및 결과에서는 실제 테스트베드를 구축하고, 취약성 점검 툴인 Nessus를 이용하여 침입자 감시시스템을 공격하였다. 실험 결과는 ACID 를 통해서 웹상에서 효과적으로 분석할 수 있었다. 본 논문은 효율적인 네트워크 보안 관리 및 침입자를 감시 및 역추적하기 위해서 제안된 것이다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2017.04a
• /
• pp.90-93
• /
• 2017

인터넷과 클라우드 서비스 사용이 증가하면서 패킷의 양과 사이버 위협이 증가하였다. 본 논문에서는 빅데이터를 처리하기 위해 사용되는 NoSQL을 보안이벤트의 신속한 처리를 위한 침입탐지시스템에 적용하였다. 다양한 데이터 모델 유형의 NoSQL 데이터베이스 중에서 빅데이터 보안이벤트를 처리하는데 가장 적합한 시스템을 찾기 위해 세 가지 유형의 Snort 룰 기반 보안이벤트 분산 처리 프로토타입 시스템들을 구축하였고 각 시스템의 성능을 평가하였다. 그 결과로 MongoDB 기반의 보안이벤트 분산 처리 시스템이 가장 속도가 빠른 것을 확인하였다.