Woonyon Kim

Parametric study on the impact-echo method using mock-up shafts

In this study, the impact-echo method was employed to evaluate the integrity of shafts, and parametric simulations of the impact-echo method were carried out numerically and experimentally. A one-dimensional finite element study was performed for mock-up shafts that include solid and damaged shafts. The mock-up shaft was made of Monocast, and four types of flaws were considered: (1) axisymmetric voids, (2) non-axisymmetric voids, (3) necks, and (4) bulbs. The reduction in shaft cross-sectional area varied from 30 to 80%. Subsequently, experimental studies were carried out to verify the finite element models using similar mock-up shafts. These experimental studies were carried out in the air and soil, and impact responses were analyzed in both time and frequency domains. It was shown that the results of the experiment were in agreement with those of numerical studies, and the accuracy of the impact-echo method was influenced by the type, size and location of flaws. In addition, it was also revealed that axisymmetric void, non-axisymmetric void, and neck could be detected in the frequency domain when the reduction in shaft cross-sectional area was more than 50%. Alternatively in the time domain, it was possible to identify the flaw reliably when the reduction was 30%. This latter approach provides the better possibility of detecting smaller flaw in shaft.

Obfuscation of Critical Infrastructure Network Traffic Using Fake Communication

The tendency in cyber attacks has evolved from ones immediately causing abnormal operations to advanced attacks after information extraction by traffic sniffing. In particular, the unchanging characteristics of CIS networks are more susceptible to advanced attacks through information extraction. In this paper, we suggest the concept of an obfuscation method for CIS network traffic to interfere with information extraction. We investigated the characteristics of CIS traffic as found from real data. Based on our observations, we propose a method of creating fake communication to make the best use of surplus network bandwidth. We show that our method can vary the characteristics of a CIS network to prevent information extraction by sniffing.

Traffic-Locality-Based Creation of Flow Whitelists for SCADA Networks

The security of supervisory control and data acquisition (SCADA) networks has attracted considerable attention since the discovery of Stuxnet in 2010. Meanwhile, SCADA networks have become increasingly interconnected both locally and remotely. It is, therefore, necessary to develop effective network intrusion detection capabilities. Whitelist-based intrusion detection has become an attractive approach for SCADA networks. However, when analyzing network traffic in SCADA systems, general properties such as TCP handshaking and common ports are insufficient to create flow whitelists. To address the problem, this chapter proposes a methodology for locality-based creation of flow whitelists and conducts experiments to evaluate its effectiveness in seven SCADA systems. The experimental results demonstrate that the methodology generates effective whitelists for deployment in SCADA networks.

Reply-Type based Agent Generation of Legacy Service on One-way data transfer system

Physical One-way Transfer, one of network Separating Network Technologies, shut off intrusion possibilities by removing data transfer line from external network to internal network. Physical One-way Transfer technology can not support legacy services based duplex transmission. Legacy services operating need agent for extra service with the support. But, Agent development have problems with adding cost and open internal protocols. In this papers, We analyzed legacy services between Control network and OA network in working SCADA systems, and based on the results obtained from the analysis, categorized the legacy services into three forms. We propose an agent generation method of the three service categories for Physical One-Way Transfer System. In addition, we design an automatic generation tool using the proposed method.

Multivariate Statistic Approach to Field Specifications of Binary Protocols in SCADA System

In recent years, there has been an increasing interest in security of Industrial Control System (ICS) to figure out vulnerabilities in Supervisory Control and Data Acquisition (SCADA) system. One of the popular methods to find vulnerabilities is fuzzing, which is test of pushing data to the target for more secure operations. However, it is necessary to have in-depth knowledge of protocol specification as long as we want to utilize fuzzing in both intelligent and time-efficient manner. Although extensive research has been carried out on protocol specification, most studies in this field have focused on plain text protocol such as typically Hyper Text Transport Protocol (HTTP). In this paper, we have proposed multivariate statistic approach to binary protocols in SCADA system in order to obtain information of field specification. Then, we showed that informative results with field specification from our approach.

Packet Loss Consideration for Burst-Based Anomaly Detection in SCADA Network

ICS (Industrial Control System) is a computer-controlled system that monitors and controls distributed field devices for power grid, water treatment and other industrial areas. Because ICS components fulfill their own roles, the network traffic of ICS has obvious regular patterns. These patterns can be used effectively in monitoring ICS network and detecting signs of cyber-attacks. In our previous work, we proposed a burst-based anomaly detection method for DNP3 protocol using the regularity of ICS network traffic. Traffic monitoring method such as switch mirroring causes many problems; packet duplication, packet out-of-order, and packet loss. The problems cause many false alarms. Furthermore, it is hard to decide whether the alarms caused by lost packets are true or false. In this paper, we apply our burst-based approach to TCP protocol in SCADA network and propose a method to manage monitoring problems for burst-based anomaly detection.

Internet Threat Detection, Prediction and Relevant Reaction System for Pattern-freeWorm

When in dual-shore software outsourcing, the working units are geographically distributed and each has unique management framework, procedure and security requirement. Timely business information convergence is necessary for the collaboration but difficult to achieve in such environment. A framework is proposed to adaptively collect the process information in dual-shore software outsourcing and to timely share the information among these heterogeneous working units. The further information analysis is also enabled, which may enhance the timely collaboration and decision making.With the development of Internet technology, the popularity of the malicious threat has grown beyond our imagination. The emergence of intelligent, sophisticated attack techniques makes the Internet services more vulnerable than ever, which become an important business technology in e-commerce. Many techniques have been proposed to detect (Zou et al., 2003; Lakhina and Diot, 2005; and Krishnamurthy et al., 2003), predict (Kai-Gui Wu, 2006 and Songjie Wei and Kirkovic, 2005) and react (Castaneda and Xuy, 2004 and Williamson, 2002) the malicious worm traffic, yet have limitations. In this paper, we proposed Internet threat detection, prediction and relevant reaction system for pattern-free worm. Our proposed system allows the system to detect, predict, react using grouping traffic characteristics. According to the proposed system, traffic factors generated by respective worms using k-means algorithms are grouped into N groups so that a great of Information may be effectively understood and a worm generated afterward is involved with characteristics of relevant group using cosine similarity for prediction and reaction.

Usable Security Management for Network Access Rules of Critical Infrastructure

The security problem of the national critical infrastructure is constantly occurring. In recent years, penetrating into the closure network of the critical infrastructure and attack from the inside frequently occur, so that detecting and managing the internal threat is also a very important security issue. Thus, we developed F.Switch, a network switch that can monitor all traffic without installing a software agent in a controlling system and remotely apply a white-list based access control list (ACL), and we designed F.Manager, which is an integrated management system that can monitor, control and manage multiple F.Switch at the same time, so that the internal security network can be efficiently controlled and managed. In this case, F.Manager, which is an integrated management system, is designed by applying usable security viewpoints and methodologies from the planning period to prevent the decrease of productivity of operator’s work due to the manager system which is not user friendly, and we have secured usability that was essential for the control and management of security system by inducing the use of the full function of the program, and discovered the value and role of new usable security in the security area.

Security Validation for Data Diode with Reverse Channel

Hardware-based data diode is a powerful security method that removes the reverse channel for network intrusion. However, simple removal leads to data unreliability and user inconvenience. A reverse channel is forbidden if it affects physical unidirectionality without an exact security analysis. If a reverse channel is used restrictively and its security is validated, the data diode can be a secure solution. Thus, we propose security criteria based on an application environment for a data diode that was implemented with a reverse channel and validate the data diode’s security by unit/integration/system testing based on our security criteria.

A cost-optimized detection system location scheme for DDoS attack

DDoS attack presents a very serious threat to the stability of the Internet. In this paper, we propose cost-optimized detection system location scheme based on the zero-one linear programming model. The performance of proposed model is evaluated based on a manually created network topology. From the evaluation results, we present that the total location cost increases exponentially according to the number of detection system, and the number of hop is reduced by adapting relative weights to the scheme.