• Proceedings of the Korea Information Processing Society Conference
• /
• 2014.11a
• /
• pp.464-465
• /
• 2014

Analysis of characteristics in software vulnerabilities can be used to assess security risks and to determine the resources needed to develop patches quickly to handle vulnerability discovered. Being a new research area, the quantitative aspects of software vulnerabilities and risk assessments have not been fully investigated. However, further detailed studies are required related to the security risk assessment, using rigorous analysis of actual data which can assist decision makers to maximize the returns on their security related efforts. In this paper, quantitative software vulnerability analysis has been presented for major Web browsers (Internet Explorer (IE), Firefox (FX), Chrome (CR) and Safari (SF)) with respect to the Common Vulnerability Scoring System (CVSS). The results show that, almost all the time, vulnerabilities are compromised from remote networks with no authentication required systems, and exploitation aftermath is getting worse.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.5
• /
• pp.1159-1168
• /
• 2012

Control Flow Integrity(CFI) and Control Flow Locking(CFL) prevent unintended execution of software and provide integrity in control flow. Attackers, however, can still hijack program controls since CFI and CFL does not support fine-granularity, context-sensitive protection. In this paper, we propose a new CFI scheme, Source-code CFI(SCFI), to overcome the problems. SCFI provides context-sensitive locking for control flow. Thus, the proposed approach protects software against the attacks on the previous CFI and CFL schemes and improves safety.

• International journal of advanced smart convergence
• /
• v.11 no.4
• /
• pp.10-19
• /
• 2022

AI-based Network Intrusion Detection Systems (AI-NIDS) detect network attacks using machine learning and deep learning models. Recently, unsupervised AI-NIDS methods are getting more attention since there is no need for labeling, which is crucial for building practical NIDS systems. This paper aims to test the impact of designing autoencoder models that can be applied to unsupervised an AI-NIDS in real network systems. We collected security events of legacy network security system and carried out an experiment. We report the results and discuss the findings.

• International Journal of Computer Science & Network Security
• /
• v.23 no.8
• /
• pp.199-203
• /
• 2023

Influential trend that widely reflected the software engineering industry is service oriented architecture. Vendors are migrating towards cloud environment to benefit their organization. Companies usually offer products and services with a goal to solve problems at customer end. Because customers are more interested in solution of their problem rather than focusing on products or services. In software industry the approach in which customers' problems are solved by providing services is known as software as a service. However, software development life cycle encounters enormous changes when migrating software from product model to service model. Enough research has been done on the overall development process but a limited work has been done on the factors that influence requirements elicitation process. This paper focuses on those changes that influence requirement elicitation process and proposes a systematic methodology for transformation of software from product to service model in a successful manner. The paper then elaborates the benefits that inherently come along with elicitation process in cloud environment. The paper also describes the problems during transformation. The paper concludes that requirement engineering process turn out to be more profitable after transformation of traditional software from product to service model.

• Journal of Digital Convergence
• /
• v.16 no.9
• /
• pp.179-185
• /
• 2018

Technology of Internet of Things (IoT) which is receiving the spotlight recently as a new growth engine of Information Communications Technology (ICT) industry in the $4^{th}$ Industrial Revolution needs trustworthiness beyond simple technology of security. IoT devices should consider trustworthiness from planning and design of IoTs so that everyone who develop, evaluate and use the device can measure and trust its security. Increased number of IoTs and long lifetime result in the increased securituy vulnerability due to the difficulty of software patch and update. In this paper, we investigated security and scalability issues of current IoT devices through research of the technical, political and industrial trend of IoT. In order to overcome the limitations, we propose an automatic verification of software integrity utilizing and a political solution to apply cyber killchain based security mechanism using hash which is an element technology of blockchain to solve these problems.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.17 no.4
• /
• pp.3-10
• /
• 2007

In this paper, we proposed the methodology for security testing using block-based file fault injection. When fault is inserted into software, we consider the format of file in order to efficiently reduce the error that is caused by mismatch of format of file. The Vulnerability the methodology focuses on is related to memory processing, such as buffer overflow, null pointer reference and so on. We implemented the automatic tool to apply the methodology to image file format and named the tool ImageDigger. We executed fault-injection focused on WMF and EMF file format using ImageDigger, and found 10 DOS(Denial of Service) in Windows Platform. This methodology can apply to block-based file format such as MS Office file.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.6
• /
• pp.1449-1453
• /
• 2015

Constrained IoT devices cannot achieve full coverage of software attestation even though the integrity of software is critical. The limited modification attacks on control flow of software aim at the shadow area uncovered in software attestation processes. In this paper, we propose a light-weight protection system that detects modification by injecting markers to program code.

• Convergence Security Journal
• /
• v.13 no.1
• /
• pp.3-10
• /
• 2013

In this paper, reliability software model considering fault detection rate based on observations from the process of software product testing was studied. Adding new fault probability using the S-shaped distribution model that is widely used in the field of reliability problems presented. When correcting or modifying the software, finite failure non-homogeneous Poisson process model was used. In a software failure data analysis considering the time-dependent fault detection rate, the parameters estimation using maximum likelihood estimation of failure time data and reliability make out.

• Journal of Information Processing Systems
• /
• v.1 no.1 s.1
• /
• pp.75-78
• /
• 2005

Although many tests for stabilization of the software have been done, vulnerability test for a system run by combination of the software of various products has not been conducted enough. This has led to increased threats and vulnerability of system. Especially, web-based software system, which is public, has inherent possibility of exposure to attacks and is likely to be seriously damaged by an accident. Consequently, comprehensive and systematic test plans and techniques are required. Moreover, it is necessary to establish a procedure for managing and handling the results of vulnerability test. This paper proposes vulnerability test plans and designs for implementing automated tools, both of which can be complied with on web-based software systems.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.13 no.6
• /
• pp.3299-3315
• /
• 2019

Deniable authentication (DA) is a protocol in which a receiver can generate an authenticator that is probabilistically indistinguishable from a sender. DA can be applied in many scenarios that require user privacy protection. To enhance the security of DA, in this paper, we construct a new deniable authenticated encryption (DAE) scheme that realizes deniable authentication and confidentiality in a logical single step. Compared with existing approaches, our approach provides proof of security and is efficient in terms of performance analysis. Our scheme is in an identity-based environment; thus, it avoids the public key certificate-based public key infrastructure (PKI). Moreover, we provide an example that shows that our protocol is applicable for e-voting systems.