• Title/Summary/Keyword: signature-based detection

A Research of Anomaly Detection Method in MS Office Document (MS 오피스 문서 파일 내 비정상 요소 탐지 기법 연구)

  • Cho, Sung Hye; Lee, Sang Jin
  • KIPS Transactions on Computer and Communication Systems, v.6 no.2, pp.87-94, 2017
  • Microsoft Office is an office suite of applications developed by Microsoft. Recently, users with malicious intent have customized Office files as containers for malware because MS Office is the most commonly used word-processing program. To attack a target system, many malicious Office files use a variety of skills and techniques such as macro functions, hiding shellcode inside unused areas, etc. People usually use two techniques to detect these kinds of malware: signature-based detection and sandboxing. However, there are limits to what these can afford because of the increasing complexity of malware. Therefore, this paper proposes methods to detect malicious MS Office files in a computer-forensic way. For this purpose, we checked macros and potential problem areas with a structural analysis of the MS Office file.

Stator Current Processing-Based Technique for Bearing Damage Detection in Induction Motors

  • Hong, Won-Pyo; Yoon, Chung-Sup; Kim, Dong-Hwa
  • Institute of Control, Robotics and Systems (ICROS) Conference Proceedings, 2005.06a, pp.1439-1444, 2005
  • Induction motors are the most commonly used electrical drives because they are rugged, mechanically simple, adaptable to widely different operating conditions, and simple to control. The most common faults in squirrel-cage induction motors are bearing, stator and rotor faults. Surveys conducted by the IEEE and EPRI show that the most common fault in induction motors is bearing failure (~40% of failures). Hence, this paper addresses experimental results for diagnosing faults with different rolling-element bearing damage via motor current spectral analysis. Rolling-element bearings generally consist of two rings, an inner and an outer, between which a set of balls or rollers rotate in raceways. We set up the experimental test bed to detect rolling-element bearing misalignment in three types of induction motors: a normal-condition bearing system, a shaft-deflection system under external force, and a hole drilled through the outer race of the shaft-end bearing of the four-pole test motor. This paper takes the initial step of investigating the efficacy of current monitoring for bearing fault detection at incipient bearing failure. The failure modes are reviewed and the characteristic bearing frequencies associated with the physical construction of the bearings are defined. The effects on the stator current spectrum are described and the related frequencies are also determined. This is an important result in the formulation of a fault detection scheme that monitors the stator currents. We utilized the FFT, wavelet analysis and averaging of signal patterns by an inner-product tool to analyze stator current components. The test results clearly illustrate that the stator signature can be used to identify the presence of a bearing fault.

Intrusion Detection Learning Algorithm using Adaptive Anomaly Detector (적응형 변형 인식부를 이용한 침입 탐지 학습알고리즘)

  • Sim, Kwee-Bo; Yang, Jae-Won; Kim, Young-Soo; Lee, Se-Yul
  • Journal of the Korean Institute of Intelligent Systems, v.14 no.4, pp.451-456, 2004
  • A signature-based intrusion detection system (IDS), which stores rules for detecting intrusions in a library, judges whether new inputs are intrusions or not by matching them against those rules. However, this policy generally has two restrictions. First, when no rules can be made against new intrusions, false negative (FN) errors may take place. Second, when a lot of rules are made to maintain diversification, the amount of resources grows in proportion to their number. In this paper, we propose a learning algorithm which can evolve the competence of anomaly detectors having the ability to detect anomalous attacks by means of a genetic algorithm. The anomaly detectors are a population composed by following the negative selection procedure of the biological immune system. To show the effectiveness of the proposed system, we apply the learning algorithm to an artificial network environment, which is a computer security system.

Automatic malware variant generation framework using Disassembly and Code Modification

  • Lee, Jong-Lark; Won, Il-Yong
  • Journal of the Korea Society of Computer and Information, v.25 no.11, pp.131-138, 2020
  • Malware is generally recognized as a computer program that penetrates another computer system and causes malicious behavior intended by its developer. In cyberspace, it is also used as a cyber weapon to attack adversaries. The most important property a malware must have as a cyber weapon is that it must achieve its intended purpose before being detected by the other side's detection system. It requires a lot of time and expertise to create a single malware that avoids the other side's detection system. We propose a framework that automatically generates variant malware when binary-code malware is input, using the DCM (disassembly and code modification) technique. In this framework, the sample malware was automatically converted into variant malware, and it was confirmed that this variant malware was not detected by the signature-based malware detection system.

Real-Time Visualization of Web Usage Patterns and Anomalous Sessions (실시간 웹 사용 현황과 이상 행위에 대한 시각화)

  • 이병희; 조상현; 차성덕
  • Journal of the Korea Institute of Information Security & Cryptology, v.14 no.4, pp.97-110, 2004
  • As modern web services become enormously complex, web attacks have become frequent and serious. Existing security solutions such as firewalls or signature-based intrusion detection systems are generally inadequate in securing web services, and analysis of raw web log data is simply impractical for most organizations. Visual display of "interpreted" web logs, with emphasis on anomalous web requests, is essential for an organization to efficiently track web usage patterns and detect possible web attacks. In this paper, we discuss various issues related to effective real-time visualization of web usage patterns and anomalies. We implemented a software tool named SAD (session anomaly detection) Viewer to satisfy such a need and conducted an empirical study in which anomalous web traffic such as misuse attacks, DoS attacks, Code-Red worms and Whisker scans was injected. Our study confirms that SAD Viewer is useful in assisting web security engineers to monitor web usage patterns in general and anomalous web sessions in particular.

Cyber attack group classification based on MITRE ATT&CK model (MITRE ATT&CK 모델을 이용한 사이버 공격 그룹 분류)

  • Choi, Chang-hee; Shin, Chan-ho; Shin, Sung-uk
  • Journal of Internet Computing and Services, v.23 no.6, pp.1-13, 2022
  • As the information and communication environment develops, the environment of military facilities is also developing remarkably. In proportion to this, cyber threats are also increasing; in particular, APT attacks, which are difficult to prevent with existing signature-based cyber defense systems, are frequently targeting military and national infrastructure. It is important to identify attack groups for an appropriate response, but it is very difficult to identify them due to the nature of cyber attacks conducted in secret using methods such as anti-forensics. In the past, after an attack was detected, a security expert had to perform high-level analysis for a long time based on the large amount of evidence collected to get a clue about the attack group. To solve this problem, in this paper we propose an automation technique that can classify an attack group within a short time after detection. In the case of APT attacks, compared to general cyber attacks, the number of attacks is small, there is not much known data, and they are designed to bypass signature-based cyber defense techniques. As the attack model, we used MITRE ATT&CK®, which models many parts of cyber attacks. We designed an impact score considering the versatility of the attack techniques and proposed a group similarity score based on it. Experimental results show that the proposed method classified the attack group with a 72.62% probability based on Top-5 accuracy.

Research on Malware Classification with Network Activity for Classification and Attack Prediction of Attack Groups (공격그룹 분류 및 예측을 위한 네트워크 행위기반 악성코드 분류에 관한 연구)

  • Lim, Hyo-young; Kim, Wan-ju; Noh, Hong-jun; Lim, Jae-sung
  • The Journal of Korean Institute of Communications and Information Sciences, v.42 no.1, pp.193-204, 2017
  • The security of Internet systems critically depends on the capability to keep anti-virus (AV) software up to date and maintain high detection accuracy against new malware. However, malware variants evolve so quickly that they cannot be detected by conventional signature-based detection. In this paper, we propose a malware classification method based on sequence patterns generated from the network flows of malware samples. We evaluated our method with 766 malware samples and obtained a classification accuracy of approximately 40.4%. In this study, malicious codes were classified only by their network behavior, excluding code and other characteristics; therefore, this study is expected to be developed further in the future. Also, attack groups can be predicted and additional attacks can be prevented.

Hybrid Damage Monitoring Scheme of PSC Girder Bridges using Acceleration and Impedance Signature (가속도 및 임피던스 신호를 이용한 PSC 거더교의 하이브리드 손상 모니터링 체계)

  • Kim, Jeong-Tae; Park, Jae-Hyung; Hong, Dong-Soo; Na, Won-Bae
  • KSCE Journal of Civil and Environmental Engineering Research, v.28 no.1A, pp.135-146, 2008
  • In this paper, a hybrid damage monitoring scheme for prestressed concrete (PSC) girder bridges using sequential acceleration and impedance signatures is newly proposed. Damage types of interest include prestress-loss in tendons and flexural stiffness-loss in a concrete girder. The hybrid scheme mainly consists of three sequential phases: damage alarming, damage classification, and damage estimation. In the first phase, the global occurrence of damage is alarmed by monitoring changes in acceleration features. In the second phase, the type of damage is classified into either prestress-loss or flexural stiffness-loss by recognizing patterns of impedance features. In the third phase, the location and the extent of damage are estimated in two different ways: a mode shape-based damage detection to detect flexural stiffness-loss and a natural frequency-based prestress prediction to identify prestress-loss. The feasibility of the proposed scheme is evaluated on a laboratory-scaled PSC girder model for which hybrid vibration-impedance signatures were measured for several damage scenarios of prestress-loss and flexural stiffness-loss.

Malware Family Recommendation using Multiple Sequence Alignment (다중 서열 정렬 기법을 이용한 악성코드 패밀리 추천)

  • Cho, In Kyeom; Im, Eul Gyu
  • Journal of KIISE, v.43 no.3, pp.289-295, 2016
  • Malware authors spread malware variants in order to evade detection. It is hard to detect malware variants using static analysis; therefore, dynamic analysis based on API call information is necessary. In this paper, we propose a malware family recommendation method to assist malware analysts in classifying malware variants. Our proposed method extracts the API call information of malware families by dynamic analysis. Then the multiple sequence alignment technique is applied to the extracted API call information, and a signature for each family is extracted from the alignment results. Based on the similarity of the extracted signatures, our proposed method recommends three family candidates for unknown malware. We also measured the accuracy of our proposed method in an experiment using real malware samples.

Gamma-ray Emission from Globular Clusters

  • Tam, Pak-Hin T.; Hui, Chung Y.; Kong, Albert K. H.
  • Journal of Astronomy and Space Sciences, v.33 no.1, pp.1-11, 2016
  • Over the last few years, the data obtained using the Large Area Telescope (LAT) aboard the Fermi Gamma-ray Space Telescope have provided new insights into high-energy processes in globular clusters, particularly those involving compact objects such as millisecond pulsars (MSPs). Gamma-ray emission in the 100 MeV to 10 GeV range has been detected from more than a dozen globular clusters in our galaxy, including 47 Tucanae and Terzan 5. Based on a sample of known gamma-ray globular clusters, empirical relations between gamma-ray luminosity and properties of globular clusters such as their stellar encounter rate, metallicity, and possible optical and infrared photon energy densities have been derived. The measured gamma-ray spectra are generally described by a power law with a cut-off at a few gigaelectronvolts. Together with the detection of pulsed γ-rays from two MSPs in two different globular clusters, such a spectral signature lends support to the hypothesis that γ-rays from globular clusters represent collective curvature emission from the magnetospheres of MSPs in the clusters. Alternative models, involving inverse-Compton (IC) emission of relativistic electrons that are accelerated close to MSPs or at pulsar wind nebula shocks, have also been suggested. Observations at >100 GeV using Fermi/LAT and atmospheric Cherenkov telescopes such as H.E.S.S.-II, MAGIC-II, VERITAS, and CTA will help to settle some questions left unanswered by current data.