• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.34 no.2
• /
• pp.263-279
• /
• 2024

With the increasing trend of Cloud migration, security threats in the Cloud computing environment have also experienced a significant increase. Consequently, the importance of efficient incident investigation through log data analysis is being emphasized. In Cloud environments, the diversity of services and ease of resource creation generate a large volume of log data. Difficulties remain in determining which events to investigate when an incident occurs, and examining all the extensive log data requires considerable time and effort. Therefore, a systematic approach for efficient data investigation is necessary. CloudTrail, the Amazon Web Services(AWS) logging service, collects logs of all API call events occurring in an account. However, CloudTrail lacks insights into which logs to analyze in the event of an incident. This paper proposes an automated analysis framework that integrates Cloud Matrix and event information for efficient incident investigation. The framework enables simultaneous examination of user behavior log events, event frequency, and attack information. We believe the proposed framework contributes to Cloud incident investigations by efficiently identifying critical events based on the ATT&CK Framework.

• The KIPS Transactions:PartC
• /
• v.15C no.5
• /
• pp.375-382
• /
• 2008

As the use of Internet and information communication technology is being generalized, the SSL protocol is essential in Internet because the important data should be transferred securely. While the SSL protocol is designed to defend from active attack such as message forgery and message alteration, the cipher suite setting can be easily modified. If the attacker draw on a malfunction of the client system and modify the cipher suite setting to the symmetric key algorithm which has short key length, he should eavesdrop and cryptanalysis the encrypt data. In this paper, we examine the domestic web site whether they generate the security session in the symmetric key algorithm which has short key length and propose the solution of the cipher suite setting problem.

• Korean Security Journal
• /
• no.34
• /
• pp.259-278
• /
• 2013

With advances of information technology (IT) and the Internet, it became much easier to search and collect information through many different types of web search engine. Such information only restricted to the intelligence services became available to the public, and the increased open source changed the intelligence collection activities of governments. Open Source Intelligence (OSINT) was introduced to organize and analyze the large volumes of information. OSINT is actively used after the 9/11 terrorist attack, and the United States government invest a huge amount of budget to conduct research and develope technology about OSINT. Although many Western countries recognize the importance of OSINT and deal with open source as priority, South Korea has not fully understand the important role of OSINT. Therefore, this study introduces the fundamental principles of OSINT and provides practical examples of OSINT usage. OSINT is an effective source to prevent terrorist attacks as well as a variety of crimes. Extensive discussion and suggestions for future usages are provided.

• The Transactions of The Korean Institute of Electrical Engineers
• /
• v.65 no.1
• /
• pp.128-134
• /
• 2016

IoT devices including smart devices are connected with internet, thus they have security threats everytime. Particularly, IoT devices are composed of low performance MCU and small-capacity memory because they are miniaturized, so they are likely to be exposed to various security threats like DoS attacks. In addition, in case of IoT devices installed for a remote place, it's not easy for users to control continuously them and to install immediately security patch for them. For most of IoT devices connected directly with internet under user's intention, devices exposed to outside by setting IoT gateway, and devices exposed to outside by the DMZ function or Port Forwarding function of router, specific protocol for IoT services was used and the devices show a response when services about related protocol are required from outside. From internet search engine for IoT devices, IP addresses are inspected on the basis of protocol mainly used for IoT devices and then IP addresses showing a response are maintained as database, so that users can utilize related information. Specially, IoT devices using HTTP and HTTPS protocol, which are used at usual web server, are easily searched at usual search engines like Google as well as search engine for the sole IoT devices. Ill-intentioned attackers get the IP addresses of vulnerable devices from search engine and try to attack the devices. The purpose of this study is to find the problems arisen when HTTP, HTTPS, CoAP, SOAP, and RestFUL protocols used for IoT devices are detected by search engine and are maintained as database, and to seek the solution for the problems. In particular, when the user ID and password of IoT devices set by manufacturing factory are still same or the already known vulnerabilities of IoT devices are not patched, the dangerousness of the IoT devices and its related solution were found in this study.

• Journal of the Institute of Electronics Engineers of Korea CI
• /
• v.48 no.1
• /
• pp.133-140
• /
• 2011

Recently, Web applications, such as Stock Image and Image Library, are developed to provide the integrated management for user's images. Image hash techniques are used for the image registration, management and retrieval as the identifier and many researches have been performed to raise the hash performance. This paper proposes GLOCAL image hashing method utilizing the hierarchical histogram which based on histogram bin population method. So far, many researches have proven that image hashing techniques based on histogram are robust image processing and geometrical attack. We modified existing image hashing method developed by our research team. The main idea is that it makes more fluent hash string if we have histogram bin of specific length as shown in the body of paper. Finally, we can raise the magnitude of hash string within same context or feature and strengthen the robustness of hash.

• Asian Pacific Journal of Cancer Prevention
• /
• v.16 no.14
• /
• pp.5903-5906
• /
• 2015

Background: Cholangiocarcinoma (CCA) is a serious public health problem in the Northeast of Thailand. CCA is considered to be an incurable and rapidly lethal disease. Knowledge of the distribution of CCA patients is necessary for management strategies. Objectives: This study aimed to utilize the Geographic Information System and Google $Earth^{TM}$ for distribution mapping of cholangiocarcinoma in Satuek District, Buriram, Thailand, during a 5-year period (2008-2012). Materials and Methods: In this retrospective study data were collected and reviewed from the OPD cards, definitive cases of CCA were patients who were treated in Satuek hospital and were diagnosed with CCA or ICD-10 code C22.1. CCA cases were used to analyze and calculate with ArcGIS 9.2, all of data were imported into Google Earth using the online web page www.earthpoint.us. Data were displayed at village points. Results: A total of 53 cases were diagnosed and identified as CCA. The incidence was 53.57 per 100,000 population (65.5 for males and 30.8 for females) and the majority of CCA cases were in stages IV and IIA. The average age was 67 years old. The highest attack rate was observed in Thung Wang sub-district (161.4 per 100,000 population). The map display at village points for CCA patients based on Google Earth gave a clear visual deistribution. Conclusions: CCA is still a major problem in Satuek district, Buriram province of Thailand. The Google Earth production process is very simple and easy to learn. It is suitable for the use in further development of CCA management strategies.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.11 no.11
• /
• pp.5642-5670
• /
• 2017

Antivirus is an important issue to the security of virtual machine (VM). According to where the antivirus system resides, the existing approaches can be categorized into three classes: internal approach, external approach and hybrid approach. However, for the internal approach, it is susceptible to attacks and may cause antivirus storm and rollback vulnerability problems. On the other hand, for the external approach, the antivirus systems built upon virtual machine introspection (VMI) technology cannot find and prohibit viruses promptly. Although the hybrid approach performs virus scanning out of the virtual machine, it is still vulnerable to attacks since it completely depends on the agent and hooks to deliver events in the guest operating system. To solve the aforementioned problems, based on in-memory signature scanning, we propose an agentless runtime antivirus system VirtAV, which scans each piece of binary codes to execute in guest VMs on the VMM side to detect and prevent viruses. As an external approach, VirtAV does not rely on any hooks or agents in the guest OS, and exposes no attack surface to the outside world, so it guarantees the security of itself to the greatest extent. In addition, it solves the antivirus storm problem and the rollback vulnerability problem in virtualization environment. We implemented a prototype based on Qemu/KVM hypervisor and ClamAV antivirus engine. Experimental results demonstrate that VirtAV is able to detect both user-level and kernel-level virus programs inside Windows and Linux guest, no matter whether they are packed or not. From the performance aspect, the overhead of VirtAV on guest performance is acceptable. Especially, VirtAV has little impact on the performance of common desktop applications, such as video playing, web browsing and Microsoft Office series.

• Journal of Internet Computing and Services
• /
• v.2 no.4
• /
• pp.41-53
• /
• 2001

Multi-distributed web cluster model built for high availability E-Business model exposes internal system nodes on its structural characteristics and has a potential that normal job performance is impossible due to the intentional prevention and attack by an illegal third party. Therefore, the security system which protects the structured system nodes and can correspond to the outflow of information from illegal users and unfair service requirements effectively is needed. Therefore the suggested distributed invasion detection system is the technology which detects the illegal requirement or resource access of system node distributed on open network through organic control between SC-Agents based on the shared memory of SC-Server. Distributed invasion detection system performs the examination of job requirement packet using Detection Agent primarily for detecting illegal invasion, observes the job process through monitoring agent when job is progressed and then judges the invasion through close cooperative works with other system nodes when there is access or demand of resource not permitted.

• Journal of Information Processing Systems
• /
• v.8 no.2
• /
• pp.347-358
• /
• 2012

Recently, security researches have been processed on the method to cover a broader range of hacking attacks at the low level in the perspective of hardware. This system security applies not only to individuals' computer systems but also to cloud environments. "Cloud" concerns operations on the web. Therefore it is exposed to a lot of risks and the security of its spaces where data is stored is vulnerable. Accordingly, in order to reduce threat factors to security, the TCG proposed a highly reliable platform based on a semiconductor-chip, the TPM. However, there have been no technologies up to date that enables a real-time visual monitoring of the security status of a PC that is operated based on the TPM. And the TPB has provided the function in a visual method to monitor system status and resources only for the system behavior of a single host. Therefore, this paper will propose a m-TMS (Mobile Trusted Monitoring System) that monitors the trusted state of a computing environment in which a TPM chip-based TPB is mounted and the current status of its system resources in a mobile device environment resulting from the development of network service technology. The m-TMS is provided to users so that system resources of CPU, RAM, and process, which are the monitoring objects in a computer system, may be monitored. Moreover, converting and detouring single entities like a PC or target addresses, which are attack pattern methods that pose a threat to the computer system security, are combined. The branch instruction trace function is monitored using a BiT Profiling tool through which processes attacked or those suspected of being attacked may be traced, thereby enabling users to actively respond.

• KIPS Transactions on Computer and Communication Systems
• /
• v.3 no.3
• /
• pp.87-96
• /
• 2014

Hackers try to achieve their purpose in a variety of ways, such as operating own website and hacking a website. Hackers seize a large amount of private information after they have made a zombie PC by using malicious code to upload the website and it would be used another hacking. Almost detection technique is the use Snort rule. When unknown code and the patterns in IDS/IPS devices are matching on network, it detects unknown code as malicious code. However, if unknown code is not matching, unknown code would be normal and it would attack system. Hackers try to find patterns and make shellcode to avoid patterns. So, new method is needed to detect that kinds of shellcode. In this paper, we proposed a noble method to detect the shellcode by using Shannon's information entropy.