• Journal of Information Processing Systems
• /
• v.14 no.3
• /
• pp.740-750
• /
• 2018

There are a great number of Internet-connected devices and their information can be acquired through an Internet-wide scanning tool. By associating device information with publicly known security vulnerabilities, security experts are able to determine whether a particular device is vulnerable. Currently, the identification of the device information and its related vulnerabilities is manually carried out. It is necessary to automate the process to identify a huge number of Internet-connected devices in order to analyze more than one hundred thousand security vulnerabilities. In this paper, we propose a method of automatically generating device information in the Common Platform Enumeration (CPE) format from banner text to discover potentially weak devices having the Common Vulnerabilities Exposures (CVE) vulnerability. We demonstrated that our proposed method can distinguish as much adequate CPE information as possible in the service banner.

• KIPS Transactions on Computer and Communication Systems
• /
• v.4 no.3
• /
• pp.97-104
• /
• 2015

This paper will feature designs for security vulnerability based on MS-SQL Database and OLE connectivity by checking the MS-SQL database password policy, the user account password access attempts, a user without password, and password does not be changed for a period of time. This paper uses the MS-SQL database and C++ linkage in order to use the OLE DB function. The design module should judge presence or absence of security vulnerability by checking database password policy, the user account password access attempts, a user without password, password does not be changed for a period of time. The MS-SQL database password associated with a feature, judging from the many features allows you to check for security vulnerability. This paper strengthen the security of the MS-SQL database by taking the advantage of the proposed ability.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.3
• /
• pp.535-545
• /
• 2014

As the software industry has developed, the attacks making use of software vulnerability has become a big issue in society. In particular, because the attacks using the vulnerability of web browsers bypass Windows protection mechanism, web browsers can readily be attacked. To protect web browsers against security threat, research on fuzzing has constantly been conducted. However, most existing web browser fuzzing tools use a simple fuzzing technique which randomly mutates DOM tree. Therefore, this paper analyzed existing web browser fuzzing tools and the patterns of their already-known vulnerability to propose an event and command based fuzzing tool which can detect the latest web browser vulnerability more effectively. Three kinds of existing fuzzing tools were compared with the proposed tool. As a result, it was found that the event and command based fuzzing tool proposed was more effective.

• KIPS Transactions on Computer and Communication Systems
• /
• v.3 no.8
• /
• pp.271-276
• /
• 2014

This study analyzed that N/A check items affect the results of the security level degree, when performing vulnerability analysis evaluation. For this, we were used vulnerability analysis evaluation range, check items and quantitative calculation method. Furthermore, were applied grade and weight for the importance of the items. In addition, because technology develop rapidly, the institution is always exposed risk. therefore, this study was carried out empirical analysis by applying RAL(Risk Acceptabel Level). According to the analyzed result N/A check items factors affecting the level of security has been proven. In other words, this study found that we shall exclude inspection items irrelevant to the institution characteristics, when perform vulnerability analysis evaluation. In this study suggested that security level evaluation shall performed, after that exclude items irrelevant to the institution characteristics based on empirical verification. And also, it proposed that model research is required for establish check items for which analysis-evaluate vulnerability based on empirical verification.

• Journal of Information Technology and Architecture
• /
• v.9 no.4
• /
• pp.401-411
• /
• 2012

There has been increased interest for cloud computing services that can promote cost savings while increasing investment in information resources. Cloud computing, however, has a disadvantage physically located in the external information resources to take advantage of the economic benefits, the advantages and increase the vulnerability of information protection and control of information assets. In this study, due to the unique properties of the new services, including vulnerability, the vulnerability of cloud computing derive the vulnerability of cloud computing and control items were derived through the mapping between vulnerability and control items, that are not being managed to identify vulnerabilities Cloud computing risk factors are presented.

• Convergence Security Journal
• /
• v.6 no.3
• /
• pp.107-115
• /
• 2006

It discovered a design error from the module to search required installing security patch of Windows Update and Automatic Updates that Microsoft supports it to install security patch easily and quickly. It explains and tests security patch-disguise attack by this error. Security patch-disguise attack is to maintains a vulnerability and to be not searched the security patch simultaneously. Also it composes an attack scenario. Is like that, it proposes the method which solves an design error of the module to search required installing security patch.

• Journal of Internet Computing and Services
• /
• v.14 no.3
• /
• pp.23-33
• /
• 2013

Recently in the field of IT, cloud computing technology has been deployed rapidly in the current society because of its flexibility, efficiency and cost savings features. However, cloud computing system has a big problem of vulnerability in security. In order to solve the vulnerability of cloud computing systems security in this study, impact types of virtual machine about the vulnerability were determined and the priorities were determined according to the risk evaluation of virtual machine's vulnerability. For analyzing the vulnerability, risk measurement standards about the vulnerability were defined based on CVSS2.0, which is an open frame work; and the risk measurement was systematized by scoring for relevant vulnerabilities. Vulnerability risk standards are considered to suggest fundamental characteristics of vulnerability and to provide the degree of risks and consequently to be applicable to technical guides to minimize the vulnerability. Additionally, suggested risk standard of vulnerability is meaningful as the study content itself and could be used in technology policy project which is to be conducted in the future.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.2
• /
• pp.259-266
• /
• 2017

In modern society, IT technology based systems are introduced and operated in various fields such as home, industry, and finance. To ensure the safety of society, IT systems introduced throughout society should be protected from cyber attacks. Understanding and checking the current security status of the system is one of the important tasks to response effectively against cyber attacks. In this paper, we analyze limitations of Game Theory and Attack Tree methodologies used to inspect for security vulnerabilities. Based on this, we propose a security vulnerability quantification method that complements the limitations of both methodologies. This provides a more objective and systematic way to inspect for security weaknesses.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.6
• /
• pp.1219-1230
• /
• 2012

Recently, lots of users are using wireless LAN providing authentication and confidentiality with security mechanism such as WEP, WPA. But, weakness of each security mechanism was discovered and attack methods that user's information was exposed or modified to the third parties with it and abused by them were suggested. In this paper, we analyzed architecture of security mechanisms in wireless LAN and performed PSK cracking attack and cookie session hijacking attack with the known vulnerability. And, an improved 4-way handshake mechanism which can counter PSK cracking attack and a cookie replay detection mechanism which can prevent cookie session hijacking attack were proposed. Proposed mechanisms are expected to apply to establish more secure wireless LAN environment by countering existing vulnerability.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.6
• /
• pp.1449-1461
• /
• 2018

As the number of software vulnerabilities grows year by year, attacks on software are also taking place a lot. As a result, the security administrator must identify and patch vulnerabilities in the software. However, it is important to prioritize the patches because patches for all vulnerabilities are realistically hard. In this paper, we propose a scoring system that expands the scale of risk assessment metric by taking into consideration attack patterns or weaknesses cause vulnerabilities with the vulnerability information provided by the NIST(National Institute of Standards and Technology). The proposed scoring system is expanded based on the CWSS and uses only public vulnerability information to utilize easily for any company. In this paper, we applied the automated scoring system to software vulnerabilities, and showed the expanded metrics with consideration for influence of attack pattern and weakness are meaningful.