Publication


Featured research published by DoHoon Lee.


international conference on convergence information technology | 2007

Advanced White List Approach for Preventing Access to Phishing Sites

JungMin Kang; DoHoon Lee

Solutions based on black lists of phishing Web sites are partially effective. Such solutions, however, require the antiphishing organizations to be much faster than the attackers. And the effectiveness of private-information-preserving approaches such as AntiPhish is totally dependent on users. Keeping their private information could be irritating work for users. And it is not a good idea to store private information, which is mostly memorized by users, in a computer system. In this paper, we present a white-list-based approach that prevents access to explicit phishing sites and warns about phishing-suspicious accesses by means of a URL similarity check. To cope with local and DNS pharming attacks, we propose a mechanism that compares DNS query results. The implementation, called PhishingGuard, and test examples are also introduced.


international conference on advanced communication technology | 2008

Practical Security Testing using File Fuzzing

Hyoung-Chun Kim; YoungHan Choi; DoHoon Lee; Dong Hoon Lee

File fuzzing is a method that inserts faults into an ordinary file and monitors for errors while the software executes with the fault-inserted file. In this paper, we propose a practical methodology for security testing of software using two file fuzzing approaches. The methodology focuses on the binary fields and tags (in markup languages) of the file. We also show its practical application to WMF and HTML files.


international conference on convergence information technology | 2007

Effective Fault Injection Model for Variant Network Traffic

TaeGhyoon Kim; SungMoon Cheong; DoHoon Lee

As cyber attacks by malicious users increase along with vulnerabilities in software, fuzz testing is emerging as an effective way to find security bugs. Fuzz testing is mainly used to verify the robustness of software by injecting random or semi-valid data into areas such as network ports, APIs and user interfaces. In fuzz testing of network software, repeated transmission of packets is necessary, and all network fuzz tools depend on a packet recording scheme for it. This characteristic causes a large overhead when the network traffic varies while doing the same task. This paper identifies four disadvantages of the general network fuzzer with the packet recording and replaying scheme. The most expensive cost is coding a routine to handle the variant traffic of each same upcoming communication. By proposing a fuzz model that injects faults into packets in real time, we address this weakness in the existing network fuzz tools. Last, we experiment with the implemented tool, named RINF, against a Windows RPC based service, and show that it works effectively compared with the existing tools.


international conference on advanced communication technology | 2008

An Empirical Study for Security of Windows DLL Files Using Automated API Fuzz Testing

YoungHan Choi; Hyoung-Chun Kim; DoHoon Lee

Fuzz testing is a method that inserts unexpected data into the input of a software system and finds its defects in order to perform security testing. In this paper, we propose a novel methodology that performs API fuzz testing automatically and evaluate it on the Windows system, which most people in the world use. We implemented an automated API fuzz testing tool to which our methodology is applied. Using this tool, we experimented on 1,182 DLL files and 6,117 API functions in a system folder of Windows XP SP2. We found 177 faults in them. Among these faults, 10 are related to the control flow of a program.


IEEE Transactions on Dependable and Secure Computing | 2018

LARGen: Automatic Signature Generation for Malwares Using Latent Dirichlet Allocation

Suchul Lee; Sung-Ho Kim; Sungil Lee; Jaehyuk Choi; Hanjun Yoon; DoHoon Lee; Jun-Rak Lee

As the quantity and complexity of network threats grow, Intrusion Detection Systems (IDSs) have become critical for securing networks. Achieving computer network intrusion detection with these IDSs requires high-level information technology and security expertise because malicious traffic has to be rigorously analyzed and the appropriate IDS rules written to effectively detect vulnerabilities that may potentially be exploited. However, incorrect IDS rules may produce numerous false positives, thereby degrading the performance of the IDS, and even worse, paralyzing the network. In this paper, we present a novel approach that exploits the Latent Dirichlet Allocation (LDA) algorithm to generate IDS rules. Our proposed method, called LDA-based Automatic Rule Generation (LARGen), automatically performs an analysis of the malicious traffic and extracts the appropriate attack signatures that will be used for IDS rules. LARGen first extracts multiple signature strings embedded in network flows. Then, the flows are classified based on the extracted signature strings, and key content strings for malicious traffic are identified through the LDA inferential topic model. Those key content strings are the core of an IDS rule that can detect malicious traffic. We study the effectiveness of LDA in the context of network attack signature generation via extensive experiments with real network trace data, consisting of both benign and malicious traffic. Experimental results confirm that threat rules generated from LARGen accurately detect every cyber attack with high accuracy.


international conference on convergence information technology | 2007

Internet Threat Detection, Prediction and Relevant Reaction System for Pattern-free Worm

Dae-Sik Choi; Woonyon Kim; Dongsu Kim; DoHoon Lee; Eungki Park

In dual-shore software outsourcing, the working units are geographically distributed and each has a unique management framework, procedure and security requirement. Timely business information convergence is necessary for the collaboration but difficult to achieve in such an environment. A framework is proposed to adaptively collect the process information in dual-shore software outsourcing and to share the information among these heterogeneous working units in a timely manner. Further information analysis is also enabled, which may enhance timely collaboration and decision making. With the development of Internet technology, the popularity of the malicious threat has grown beyond our imagination. The emergence of intelligent, sophisticated attack techniques makes Internet services, which have become an important business technology in e-commerce, more vulnerable than ever. Many techniques have been proposed to detect (Zou et al., 2003; Lakhina and Diot, 2005; and Krishnamurthy et al., 2003), predict (Kai-Gui Wu, 2006 and Songjie Wei and Kirkovic, 2005) and react to (Castaneda and Xuy, 2004 and Williamson, 2002) malicious worm traffic, yet they have limitations. In this paper, we propose an Internet threat detection, prediction and relevant reaction system for pattern-free worms. Our proposed system detects, predicts and reacts by grouping traffic characteristics. In the proposed system, traffic factors generated by respective worms are grouped into N groups using the k-means algorithm so that a great deal of information may be effectively understood, and a worm generated afterward is associated with the characteristics of the relevant group using cosine similarity for prediction and reaction.


international conference on hybrid information technology | 2008

Anatomy of Exploit Code in Non-Executable Files using Virtualization

YoungHan Choi; InSook Jan; HyungGeun Oh; DoHoon Lee

In this paper, we propose a methodology for detecting and analyzing the exploit code in non-executable files using virtualization. It is difficult to detect and analyze the exploit code in a non-executable file because the code and real data are mixed in the file. We trace the execution flow of the target software system while it parses the file, and start to analyze the exploit code when the execution flow strays outside of the normal modules. The normal module region is the region that the target software system executes normally. By extracting the exploit code from the non-executable file, signatures for detecting non-executable material that includes the exploit code can be generated.


Optics Communications | 1999

Suppression of detrimental effects caused by a link control channel in 16×10 Gbit/s wavelength division multiplexing optical network

Sun-Rae Park; Hyun-Jae Kim; Sun-Goo Lee; DoHoon Lee

The detrimental effects caused by a link control (LC) channel have been investigated when most channels are dropped in the LC-based wavelength division multiplexing (WDM) optical network with 16 signal channels. The use of the LC control channel with a longer wavelength than the signal-channel band mitigates the gain degradation of the surviving channel caused by spectral hole burning in the erbium-doped fiber amplifier (EDFA) and avoids the gain amplification caused by stimulated Raman scattering in the optical fiber. Spectral broadening of the LC channel increases its threshold power of stimulated Brillouin scattering in the optical fiber. By using a frequency-dithered LC channel with a longer wavelength than the signal channels in the SMF 240 km, 16×10 Gbit/s WDM optical network, no degradation is observed in the received optical power whatever the channel count, and the surviving channel power excursion is less than 1 dB up to 10 dropped channels.


Archive | 2007

SYSTEM AND METHOD OF DETECTING ANOMALY MALICIOUS CODE BY USING PROCESS BEHAVIOR PREDICTION TECHNIQUE

Hyunggeun Oh; Seung-Hyun Paek; Cheolho Lee; DoHoon Lee


international conference on convergence information technology | 2007

Tag-Aware Text File Fuzz Testing for Security of a Software System

YoungHan Choi; Hyoung-Chun Kim; DoHoon Lee

Collaboration


Top Co-Authors

YoungHan Choi
Electronics and Telecommunications Research Institute

Hyoung-Chun Kim
Electronics and Telecommunications Research Institute

Hanjun Yoon
Electronics and Telecommunications Research Institute

Suchul Lee
Electronics and Telecommunications Research Institute

Sungil Lee
Electronics and Telecommunications Research Institute

Eungki Park
Electronics and Telecommunications Research Institute

HyungGeun Oh
Electronics and Telecommunications Research Institute

Sungho Kim
Electronics and Telecommunications Research Institute

Cheolho Lee
Electronics and Telecommunications Research Institute

Dae-Sik Choi
Electronics and Telecommunications Research Institute