Hyukmin Kwon

Self-similarity based lightweight intrusion detection method for cloud computing

Information security is the key success factor to provide safe cloud computing services. Despite its usefulness and cost-effectiveness, public cloud computing service is hard to accept because there are many security concerns such as data leakage, unauthorized access from outside the system and abnormal activities from inside the system. To detect these abnormal activities, intrusion detection system (IDS) require a learning process that can cause system performance degradation. However, providing high performance computing environment to the subscribers is very important, so a lightweight anomaly detection method is highly desired. In this paper, we propose a lightweight IDS with self-similarity measures to resolve these problems. Normally, a regular and periodic self-similarity can be observed in a cloud systems internal activities such as system calls and process status. On the other hand, outliers occur when an anomalous attack happens, and then the systems self-similarity cannot be maintained. So monitoring a systems self-similarity can be used to detect the systems anomalies. We developed a new measure based on cosine similarity and found the optimal time interval for estimating the self-similarity of a given system. As a result, we can detect abnormal activities using only a few resources.

Crime Scene Reconstruction: Online Gold Farming Network Analysis

Many online games have their own ecosystems, where players can purchase in-game assets using game money. Players can obtain game money through active participation or “real money trading” through official channels: converting real money into game money. The unofficial market for real money trading gave rise to gold farming groups (GFGs), a phenomenon with serious impact in the cyber and real worlds. GFGs in massively multiplayer online role-playing games (MMORPGs) are some of the most interesting underground cyber economies because of the massive nature of the game. To detect GFGs, there have been various studies using behavioral traits. However, they can only detect gold farmers, not entire GFGs with internal hierarchies. Even worse, GFGs continuously develop techniques to hide, such as forming front organizations, concealing cyber-money, and changing trade patterns when online game service providers ban GFGs. In this paper, we analyze the characteristics of the ecosystem of a large-scale MMORPG, and devise a method for detecting GFGs. We build a graph that characterizes virtual economy transactions, and trace abnormal trades and activities. We derive features from the trading graph and physical networks used by GFGs to identify them in their entirety. Using their structure, we provide recommendations to defend effectively against GFGs while not affecting the existing virtual ecosystem.

Be closer as you being there: HMD-based social interaction system

The proposed system dose not only provides an immersive live 360 degree experience through the HMD-controlled remote stereoscopic cameras but also enables the users to perform social activities with an interactive virtual messenger. This system was originally developed to control a mobile robot/vehicle with monitoring purpose which is similar to DORA (Dexterous Observational Roving Automation) platform [ACKERMAN 2015]. However we duplicated and placed the system in a geographically dispersed location and connected between two systems over the real-time network. To enhance social interactivity, we implemented an interactive virtual messenger. As the result the system provides the feeling of social presence and the fun with an immersive experience.

Who Is Sending a Spam Email: Clustering and Characterizing Spamming Hosts

In this work, we propose a spam analyzing system that clusters the spamming hosts, characterizes and visualizes the spammers’ behaviors, and detects malicious clusters. The proposed system integrates behavior profiling in IP address level, IP address based clustering, characterizing spammer clusters, examining the maliciousness of embedded URLs, and deriving visual signatures for future detection of malicious spammers. We classify spamming hosts into botnet, worm, or individual spammers and derive their characteristics. We then design a clustering scheme to automatically classify the host IP addresses and to identify malicious groups according to known characteristics of each type of host. For rapid decision making in identifying botnets, we derive visual signatures using a parallel coordinates. We validate the proposed system using these spam email data collected by the spam trap system operated by the Korea Internet and Security Agency.