Yoojae Won

Ransomware detection method based on context-aware entropy analysis

Numerous countermeasures have been proposed since the first appearance of ransomware. However, many ransomware mutants continue to be created, and the damage they cause has been continually increasing. Existing antivirus tools are signature-dependent and cannot easily detect ransomware attack patterns. If the database used by the antivirus program does not contain the signature of the new malicious behavior, it is not possible to detect the new malware. Thus, the need has emerged for a normal/abnormal behavior analysis technique via a context-aware method. Therefore, a multilateral context-aware-based ransomware detection and response system model is presented in this paper. The proposed model is designed to preemptively respond to ransomware, and post-detection management is performed. An evaluation was conducted to obtain evidence that the given files were altered by ransomware through analyses based on multiple-context awareness. Entropy information was then used to detect abnormal behavior.

Improving personal information detection using OCR feature recognition rate

AbstractWith the recent advancements in information and communication technologies, the creation and storage of documents has become digitalized. Therefore, many documents are stored on computers. Documents containing personal information can be leaked by internal or external malicious acts, and the problem of information loss for individuals and corporations is gradually increasing. This paper proposes a method to more efficiently and quickly identify the existence of personal information among documents stored in image files on personal and corporate computers to prevent their leakage in advance. We improved the efficiency of personal information detection by classifying optical character recognition (OCR) features by recognition rate and deleting redundant ones to increase detection speed. In addition, the detection time was reduced using the reference frequency of the classified OCR features. Experiments confirm an improvement in the performance of the proposed method compared with that of the existing system.

Detection of damaged files and measurement of similarity to originals using entropy graph characteristics

An information entropy graph shows the probabilities of each piece of information being included in a dataset as entropy values using information entropy. Well-known filetypes exhibit different information entropy graph characteristics; hence, they can be detected and differentiated using these characteristics. In this paper, a method that detects damaged files using information entropy graphs is proposed. The proposed method expands on conventional proposals that use only information entropy values to facilitate differentiation of different filetypes that present the same entropy values. In experiments conducted, patterns that have significance for analysis and detection were shown in the information entropy graphs of well-known files. In addition, even when files had damaged header, footer, or body regions, the similarity of the graph pattern was preserved, even though the entropy values differed. The proposed method also enables quantitative comparison of the similarity of files before and after damage with their original versions through graph pattern similarity tests.

Frame Rate Control Buffer Management Technique for High-Quality Real-Time Video Conferencing System

The limitation of a real-time video conferencing system is that it does not perfectly guarantee real-time transmission due to a delay in the network and buffering as well as ineffective communication of user information between systems. Studies are actively investigating the network infrastructure expansion and jitter delay in order to overcome this problem. However, there has not been much progress with respect to buffering delay. This paper suggests a Frame Rate Control Buffer (FRCB) management technique to solve problems that occur due to buffering delay. The FRCB is used to prevent buffer overflow and underflow by adopting two levels of buffer thresholds, Fast-play Threshold (FTH) and Slow-play Threshold (STH). It demonstrates superior performance compared to jitter buffer in conditions such as high CPU load, thus proving its suitability for high-quality real-time video conferencing.

Study on Smart Automated Sales System with Blockchain-Based Data Storage and Management

Automated sales systems, a recent technology, offer a wide range of products and services. This technology has advanced by combining with Internet of Things (IoT) technology. However, because of the development of such technology, data storage and management systems with trusted third parties cannot efficiently defend against data forgery attacks. In this study, a blockchain network is applied to an automated sales system. A smart automated sales machine using smart contracts is proposed. This system enables users to know the quantity of products or status of service provision before they visit an automated sales system. In addition, the system administrator can immediately see the expense-reduction effect of system management and address any problems in the system.

An Automatic Patch Management System with Improved Security

As the number of patches in a patch management system increases due to software updates and security issues arise in the existing patch management system, a more efficient patch management system with reinforced security is required. Additionally, existing patch management systems must be improved, as they perform patch collection inefficiently and their patch integrity verification schemes are simple. In this paper, we propose an automatic patch management system with improved security, enhanced patch collection efficiency, and reinforced verification of patch integrity that automatically collects patches through patch sites.

Study on Malicious Code Behavior Detection Using Windows Filter Driver and API Call Sequence

As the internet environment has been developed recently, threats and damage to malicious codes are increasing day by day. Most of the damage is caused by new and variant malicious codes because of the vulnerability of Endpoint. Most of the Anti-Virus used in endpoints run on a signature basis, and as intelligence on malicious code is developed, the detection rate of existing Anti-Virus is declining. Therefore, there is a need for a technology capable of handling new and variant malicious codes in real time on the endpoint. In this paper, we present a method for analyzing behaviors of malicious code using behavioral analysis of the Windows kernel function call sequence.

Encrypted Network Traffic Analysis Method via Secure Socket Layer Handshake Control

As the amount of encrypted network traffic on enterprise networks increases steadily, the problem of malicious acts encrypted to bypass security devices has emerged. Previous studies analyzed the encrypted network traffic by changing the network traffic or communication flow between the encrypted communications to analyze such encrypted malicious behavior. However, there are limitations to the existing methods because they require additional prior-data or additional network configurations in order to analyze the encrypted network traffic. In this paper, we propose a system to decrypt secure socket layer network traffic to analyze the encrypted network traffic in the enterprise network environment. The proposed system can be used to analyze encrypted network traffic in order to detect malicious activity and corporate information leaks.

Property Analysis of SMS Spam Using Text Mining

A considerable amount of spam that occur each year can cause the financial damage as well as mental harm to the recipient. This is a serious problem in society. In this paper, we analyze properties of SMS spam in mobile phones to establish a method for effectively blocking SMS spam. As a result, SMS spam can be seen that the surge in the amount shipped during a specific time period. Also, we could find the frequently included word on spam and we could identify spammer that sent smishing messages frequently by comparing several spammers.

Study on Integrity Verification and Compatibility-Conflict Analysis for Safe Patching

A Patch Management System (PMS) distributes and manages security patches for patch-server agents after collecting the patch files from software vendors. The PMS must account for the integrity and safety of the patch files to prevent huge damage arising from possible security incidents at the agents’ environment. As software vendors cannot consider the patch compatibility of all patch-agent environments, the cause of a compatibility conflict must be analyzed when a patch fails. Existing PMSs manually verify the integrity of the patch files in a test environment. This study presents a method to automate patch testing and application, while monitoring the file modification, and reduce the time needed to analyze compatibility conflicts by using the modified file information.