• Proceedings of the Korean Information Science Society Conference
• /
• 2012.06c
• /
• pp.283-285
• /
• 2012

2009년 7.7 DDoS 공격을 기점으로 DDOS 공격에 HTTP-GET 프로토콜이 공격에 주로 사용되고 있다. 본 논문에서는 클라이언트에서 개인사용자의 웹 브라우징 패턴을 분석함으로써 HTTP-GET 공격을 탐지하는 방법을 제안한다. 웹 브라우징 패턴 분석에는 Markov Model을 사용하여 사용자의 정상적인 행동패턴을 계산하고, 공격을 탐지하는데 사용한다. 제안한 방법은 클라이언트에서 개인사용자에 대한 개별적인 웹 브라우징 패턴을 분석하기 때문에 서버에서보다 계산량이 적으며, 클라이언트 레벨에서 DDoS 공격을 조기에 탐지/차단함으로써 서버에서의 DDoS 공격 탐지에 의한 부하를 줄일 수 있다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.18 no.5
• /
• pp.135-148
• /
• 2008

The expansion of the internet has made web applications become a part of everyday lift. As a result the number of incidents which exploit web application vulnerabilities are increasing. A large percentage of these incidents are SQL Injection attacks which are a serious security threat to databases with potentially sensitive information. Therefore, much research has been done to detect and prevent these attacks and it resulted in a decline of SQL Injection attacks. However, there are still methods to bypass them and these methods are too complex to implement in real web applications. This paper proposes a simple and effective SQL Query attribute value removal method which uses Static and Dynamic Analysis and evaluates the efficiency through various experiments.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2022.05a
• /
• pp.192-194
• /
• 2022

This paper analyzes the attack method of pastejacking and proposes a clip toaster that can effectively defend it. When programming, developers often copy and paste code from GitHub, Stack Overflow, or blogs. Pastejacking is an attack that injects malicious data into the clipboard when a user copies code posted on the web, resulting in security threats by executing malicious commands that the user does not intend or by inserting dangerous code snippets into the software. In this paper, we propose clip toaster to visualize and alertusers of threats to defend pastejacking that threatens the security of the developer's terminal and program code. Clip Toaster can visualize security threat notifications and effectively detect and respond to attacks without interfering with user actions.

• Journal of Internet Computing and Services
• /
• v.2 no.4
• /
• pp.41-53
• /
• 2001

Multi-distributed web cluster model built for high availability E-Business model exposes internal system nodes on its structural characteristics and has a potential that normal job performance is impossible due to the intentional prevention and attack by an illegal third party. Therefore, the security system which protects the structured system nodes and can correspond to the outflow of information from illegal users and unfair service requirements effectively is needed. Therefore the suggested distributed invasion detection system is the technology which detects the illegal requirement or resource access of system node distributed on open network through organic control between SC-Agents based on the shared memory of SC-Server. Distributed invasion detection system performs the examination of job requirement packet using Detection Agent primarily for detecting illegal invasion, observes the job process through monitoring agent when job is progressed and then judges the invasion through close cooperative works with other system nodes when there is access or demand of resource not permitted.

• Journal of KIISE:Computing Practices and Letters
• /
• v.15 no.5
• /
• pp.345-349
• /
• 2009

Social bookmarking systems are a typical web 2.0 service based on folksonomy, providing the platform for storing and sharing bookmarking information. Spammers in social bookmarking systems denote the users who abuse the system for their own interests in an improper way. They can make the entire resources in social bookmarking systems useless by posting lots of wrong information. Hence, it is important to detect spammers as early as possible and protect social bookmarking systems from their attack. In this paper, we applied a diverse set of machine learning approaches, i.e., decision tables, decision trees (ID3), $na{\ddot{i}}ve$ Bayes classifiers, TAN (tree-augment $na{\ddot{i}}ve$ Bayes) classifiers, and artificial neural networks to this task. In our experiments, $na{\ddot{i}}ve$ Bayes classifiers performed significantly better than other methods with respect to the AUC (area under the ROC curve) score as veil as the model building time. Plausible explanations for this result are as follows. First, $na{\ddot{i}}ve$> Bayes classifiers art known to usually perform better than decision trees in terms of the AUC score. Second, the spammer detection problem in our experiments is likely to be linearly separable.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.20 no.7
• /
• pp.1290-1295
• /
• 2016

Recently, as mobile internet usage has been increasing rapidly, malware attacks through user's web browsers has been spreading in a way of social engineering or drive-by downloading. Existing defense mechanism against drive-by download attack mainly focused on final download sites and distribution paths. However, detection and prevention of injection sites to inject malicious code into the comprised websites have not been fully investigated. In this paper, for the purpose of improving defense mechanisms against these malware downloads attacks, we focus on detecting the injection site which is the key source of malware downloads spreading. As a result, in addition to the current URL blacklist techniques, we proposed the enhanced method which adds features of detecting the injection site to prevent the malware spreading. We empirically show that the proposed method can effectively minimize malware infections by blocking the source of the infection spreading, compared to other approaches of the URL blacklisting that directly uses the drive-by browser exploits.

• The Journal of Society for e-Business Studies
• /
• v.17 no.3
• /
• pp.117-128
• /
• 2012

There was a large scale of DDoS(Distributed Denial of Service) attacks mostly targeted at Korean government web sites and cooperations's on March 4, 2010(3.4 DDoS attack) after 7.7 DDoS on July 7, 2009. In these days, anyone can create zombie PCs to attack someone's website with malware development toolkits and farther more improve their knowledge of hacking skills as well as toolkits because it has become easier to obtain these toolkits on line, For that trend, it has been difficult for computer security specialists to counteract DDoS attacks. In this paper, we will introduce an essential control list to prevent malware infection with live forensics techniques after analysis of monitoring network systems and PCs. Hopefully our suggestion of how to coordinate a security monitoring system in this paper will give a good guideline for cooperations who try to build their new systems or to secure their existing systems.

• The KIPS Transactions:PartC
• /
• v.10C no.6
• /
• pp.683-694
• /
• 2003

We present X-tree Diff, a change detection algorithm for tree-structured data. Our work is motivated by need to monitor massive volume of web documents and detect suspicious changes, called defacement attack on web sites. From this context, our algorithm should be very efficient in speed and use of memory space. X-tree Diff uses a special ordered labeled tree, X-tree, to represent XML/HTML documents. X-tree nodes have a special field, tMD, which stores a 128-bit hash value representing the structure and data of subtrees, so match identical subtrees form the old and new versions. During this process, X-tree Diff uses the Rule of Delaying Ambiguous Matchings, implying that it perform exact matching where a node in the old version has one-to one corrspondence with the corresponding node in the new, by delaying all the others. It drastically reduces the possibility of wrong matchings. X-tree Diff propagates such exact matchings upwards in Step 2, and obtain more matchings downwsards from roots in Step 3. In step 4, nodes to ve inserted or deleted are decided, We aldo show thst X-tree Diff runs on O(n), woere n is the number of noses in X-trees, in worst case as well as in average case, This result is even better than that of BULD Diff algorithm, which is O(n log(n)) in worst case, We experimented X-tree Diff on reat data, which are about 11,000 home pages from about 20 wev sites, instead of synthetic documets manipulated for experimented for ex[erimentation. Currently, X-treeDiff algorithm is being used in a commeercial hacking detection system, called the WIDS(Web-Document Intrusion Detection System), which is to find changes occured in registered websites, and report suspicious changes to users.

• Journal of the Institute of Electronics Engineers of Korea CI
• /
• v.47 no.1
• /
• pp.15-21
• /
• 2010

This paper proposes the multimedia fingerprinting code insertion algorithm when video content is distributed in P2P environment, and designs the collusion codebook SRP(Small RISC Processor) embedded system for the collusion attack prevention. In the implemented system, it is detecting the fingerprinting code inserted in the video content of the client user in which it requests an upload to the web server and in which if it is certified content then transmitted to the streaming server then the implemented system allowed to distribute in P2P network. On the contrary, if it detects the collusion code, than the implemented system blocks to transmit the video content to the streaming server and discontinues to distribute in P2P network. And also it traces the colluders who generate the collusion code and participates in the collusion attack. The collusion code of the averaging attack is generated with 10% of BIBD code v. Based on the generated collusion code, the codebook is designed. As a result, when the insert quantity of the fingerprinting code is 0.15% upper in bitplane 0~3 of the Y(luminance) element of I-frame at the video compression of ASF for a streaming service and MP4 for an offline offer of video content, the correlation coefficient of the inserted original code and the detected code is above 0.15. At the correlation coefficient is above 0.1 then the detection ratio of the collusion code is 38%, and is above 0.2 then the trace ratio of the colluder is 20%.

• KIPS Transactions on Computer and Communication Systems
• /
• v.3 no.3
• /
• pp.87-96
• /
• 2014

Hackers try to achieve their purpose in a variety of ways, such as operating own website and hacking a website. Hackers seize a large amount of private information after they have made a zombie PC by using malicious code to upload the website and it would be used another hacking. Almost detection technique is the use Snort rule. When unknown code and the patterns in IDS/IPS devices are matching on network, it detects unknown code as malicious code. However, if unknown code is not matching, unknown code would be normal and it would attack system. Hackers try to find patterns and make shellcode to avoid patterns. So, new method is needed to detect that kinds of shellcode. In this paper, we proposed a noble method to detect the shellcode by using Shannon's information entropy.