August 23-25, 2018
Lotte City Hotel, Jeju Island, Korea

Accepted Papers



Short Session (Short Papers) :   (Day1 10:00 ~ 12:00)

Track1: ( Day1 10:00 ~ 12:00,  Room : Crystal I )

Title:: Security Analysis of Mobile Web Browser Hardware Accessibility: Study with Ambient Light Sensors
================================================================================================

Authors
-------
1. Sanghak Lee <uzbu89@postech.ac.kr> (POSTECH)
2. Sangwoo Ji <sangwooji@postech.ac.kr> (POSTECH)
3. Jong Kim <jkim@postech.ac.kr> (POSTECH)


Abstract
--------
Mobile web browsers have evolved to support the functionalities presented by HTML5. With the hardware accessibility of HTML5, it is now possible to access the sensor hardware of a mobile device through a web page regardless of the need for a mobile application. In this paper, we analyze the security impact of accessing the sensor hardware of a mobile device from a mobile web page. First, we present the test results of hardware accessibility from mobile web browsers. Second, to raise awareness of the seriousness of hardware accessibility, we introduce a new POC attack, LightTracker, which infers the victim's location using the light sensor. We also show the effectiveness of the attack in the real world.


Title:: HapticPoints : The Extended PassPoints Graphical Password
=========================================================================

Authors
-------
1. Trust Ratchasan <trustrat@gmail.com> (KMITL)
2. Rungrat Wiangsripanawan (KMITL)

Abstract
--------
The most common issue of alphanumeric passwords is that users normally create weak passwords because strong passwords are difficult to recognise and memorise. A graphical password authentication system is one of the approaches to address the memorability issues of alphanumeric passwords. Wiedenbeck et al. proposed PassPoints, in which a password is a sequence of any 5 to 8 user-selected click points on a system-assigned image. Nevertheless, PassPoints still faces the problem of predictable click points and shoulder surfing attacks. In this paper, we proposed HapticPoints, an alternative graphical password system on smartphones in which the user does not need any additional memory task but is able to prevent the following problems by adding haptic feedback to PassPoints as additional decoy click points. We also conduct a user study to evaluate and compare the usability of HapticPoints and PassPoints.


Title:: ADSaS: Comprehensive Real-time Anomaly Detection System
=======================================================================

Authors
-------
1. SooYeon Lee <tndus95a@korea.ac.kr> (Graduate School of Information Security, Korea University)
2. Huy Kang Kim <cenda@korea.ac.kr> (Graduate School of Information Security, Korea University)

Abstract
--------
With massive data growth, the need for an autonomous and generic anomaly detection system has increased. However, developing one stand-alone generic anomaly detection system that is accurate and fast is still a challenge. In this paper, we propose conventional time-series analysis approaches, the Seasonal Autoregressive Integrated Moving Average (SARIMA) model and Seasonal Trend decomposition using Loess (STL), to detect complex and various anomalies. Usually, SARIMA and STL are used only for stationary and periodic time-series, but by combining them, we show they can detect anomalies with high accuracy for data that is even noisy and non-periodic. We compared the algorithm to Long Short Term Memory (LSTM), a deep-learning based algorithm used for anomaly detection systems. We used a total of seven real-world datasets and four artificial datasets with different time-series properties to verify the performance of the proposed algorithm.


Title:: One-Pixel Adversarial Example that is Safe for Friendly Deep Neural Networks
============================================================================================

Authors
-------
1. Hyun Kwon <khkh@kaist.ac.kr> (KAIST (Korea Advanced Institute of Science and Technology))
2. Yongchul Kim <kyc6454@kma.ac.kr> (Korea Military Academy)
3. Hyunsoo Yoon <hyoon@kaist.ac.kr> (KAIST (Korea Advanced Institute of Science and Technology))
4. Daeseon Choi <sunchoi@kongju.ac.kr> (Kongju National University)

Abstract
--------
Deep neural networks (DNNs) offer superior performance in machine learning tasks such as image recognition, speech recognition, pattern analysis, and intrusion detection. In this paper, we propose a one-pixel adversarial example that is safe for friendly deep neural networks. By modifying only one pixel, our proposed method generates a one-pixel-safe adversarial example that can be misclassified by an enemy classifier and correctly classified by a friendly classifier. To verify the performance of the proposed method, we used the CIFAR-10 dataset, ResNet model classifiers, and the Tensorflow library in our experiments. Results show that the proposed method modified only one pixel to achieve success rates of 13.5% and 26.0% in targeted and untargeted attacks, respectively. The success rate is slightly lower than that of the conventional one-pixel method, which has success rates of 15% and 33.5% in targeted and untargeted attacks, respectively; however, this method protects 100% of the friendly classifiers. In addition, if the proposed method modifies five pixels, this method can achieve success rates of 20.5% and 52.0% in targeted and untargeted attacks, respectively.


Title: Efficient Ate-Based Pairing over the Attractive Classes of BN Curves
===================================================================================

Authors
-------
1. Yuki Nanjo <yuki.nanjo@s.okayama-u.ac.jp> (Okayama University)
2. Md. Al-Amin Khandaker <khandaker@s.okayama-u.ac.jp> (Okayama University)
3. Masaaki Shirase <shirase@fun.ac.jp> (Future University Hakodate)
4. Takuya Kusaka <kusaka-t@okayama-u.ac.jp> (Okayama University)
5. Yasuyuki Nogami <yasuyuki.nogami@okayama-u.ac.jp> (Okayama University)

Abstract
--------
This paper proposes two attractive classes of Barreto-Naehrig curve for ate-based pairing by imposing certain condition $\chi \equiv 7,11~(\bmod~12)$ on the integer $\chi$ that parameterizes the curve settings. The restriction results in an unparalleled way to determine a BN curve, its twisted curve coefficients, and obvious generator points. The proposed $\chi \equiv 11~(\bmod~12)$ are found to be more efficient than $\chi \equiv 7~(\bmod~12)$ together with pseudo 8-sparse multiplication in Miller's algorithm. The authors also provide comparative implementations for the proposal.


Track2: ( Day1 10:00 ~ 12:00, Room : Crystal II )


Title:: A Study on the Vulnerability Assessment for Digital I&C System in Nuclear Power Plant
================================================================================================

Authors
-------
1. Sung Cheol KIM <kim.sungcheol17@kdn.com> (KEPCO KDN)
2. Ieck Chae EUOM <icelaken@gmail.com> (KEPCO KDN)
3. Chang Hyun HA <koreabomb89@gmail.com> (KEPCO KDN)
4. Bong Nam NOH <bbong@jnu.ac.kr> (Chonnam National University)

Abstract
--------
Nuclear Power Plant Operators have approached the problem of cyber security by simply attempting to apply the nation’s committed catalog of cyber security requirements to every Critical Digital Asset under evaluation, which can number into the hundreds. This current approach does not provide guidance on how to assess a given requirement with a security method that effectively takes Critical Digital Asset. This paper analyzes the Cyber Security Assessment Methodology for Industrial Control Systems and then gives an efficient methodology. It approaches the Regulations of KINAC/RS-015 from a technical vulnerability point of view, where any given Critical Digital Asset can be assessed for vulnerabilities


Title:: An Analysis on Time-Series Data from PLCs in ICS/SCADA systems
==============================================================================

Authors
-------
1. Chanwoo Bae <cwbae@nsr.re.kr> (National Security Research Institute)
2. Won-seok Hwang <hws@nsr.re.kr> (National Security Research Institute)

Abstract
--------
We suggest an RNN based anomaly detection method in ICS/SCADA systems (i.e., targeting PLCs), posing two significant domain problems; free from the type of PLC vendors and elaborate enough to cover sophisticated cyber attacks (e.g., PLC-blaster). In order to make RNN models achieve the following goals, we use network-wide traceable features for the generality and adopt neural network models (i.e., RNNs) along with an automated hyperparameter optimization to enhance the performance. To show the effectiveness, we have evaluated the proposed method over the real-world PLC generating network traffic, also proved under the exemplar targeting attack on the PLC testbed.

Nowadays, the security issues on programmable logic controllers (PLCs) are rising as devices are connected through the network so that the PLCs can influence the entire ICS/SCADA system. However, we are facing the following major obstacle that makes it hard to detect operation threats (i.e., anomalies) from the diverse types of PLCs due to their manufacturers' design and implementation; several proposed works still have the vendor dependency problem.

In this paper, we propose a novel and general anomaly detection method with a vendor-free property. For the generality, our method analyzes the network traffic transferred from each PLC, which depends on their program logic rather than their manufacturer. In addition, we employ the recurrent neural network (RNN) models along with an automated hyperparameter optimization. We have successfully detected sophisticated cyber attacks (e.g., PLC-blaster) by extensive evaluations using the datasets from real-world ICS and the testbed.


Title:: IP Address Mutation Scheme using Vector Projection for Tactical Wireless Networks
================================================================================================

Author
------
Jong-Kwan Lee <c13525@gmail.com, jklee64@kma.ac.kr> (Korea Military Academy, Cyber Warfare Research Center)

Abstract
--------
The static address configuration of networks and hosts allows attackers to have enough time to discover target networks and systems. On the other hand, the defenders always lack time to respond because they can take action only after the attacker’s explicit behaviors. To eliminate the attacker’s asymmetric advantage of time, randomization of addresses has been suggested as Moving Target Defense (MTD), which is a promising technique to make the attacker’s reconnaissance activities difficult by dynamically changing network properties. In this paper, we propose the address mutation scheme using vector projection for tactical wireless networks that have a leader node centric hierarchical structure. In the proposed scheme, the addresses in the same networks are mutated with a simple vector operation in a fully distributed manner and the mutated addresses are shared with all the members in the internal networks. Unlike the convenient schemes, all addresses associated with network entities for data delivery are mutated. We evaluate the performance of the proposed scheme by numerical analysis and experimental simulations. The results show that the proposed scheme could effectively randomize the addresses in tactical wireless networks.


Title: Parallel Implementations of CHAM
===============================================

Authors
-------
1. Hwajeong Seo <hwajeong84@gmail.com> (Hansung University)
2. Kyuhwang An <tigerk9212@gmail.com> (Hansung University)
3. Hyeokdong Kwon <hdgwon@naver.com> (Hansung University)
4. Taehwan Park <pth5804@gmail.com> (Pusan National University)
5. Zhi Hu <huzhi_math@csu.edu.cn> (Central South University)
6. Howon Kim <howonkim@gmail.com> (Pusan National University)

Abstract
--------
In this paper, we presented novel parallel implementations of the CHAM-64/128 block cipher on modern ARM-NEON processors. In order to accelerate the performance of the implementation of the CHAM-64/128 block cipher, the full specifications of ARM-NEON processors are utilized in terms of instruction set and multiple cores. First, the SIMD feature of the ARM processor is fully utilized. The modern ARM processor provides 2 X 16-bit vectorized instructions. By using the instruction sets and full register files, a total of 4 CHAM-64/128 encryptions are performed at once in a data parallel way. Second, the dedicated SIMD instruction set, namely the NEON engine, is fully exploited. The NEON engine supports 8 X 16-bit vectorized instructions over 128-bit Q registers. The 24 CHAM-64/128 encryptions are performed at once in a data parallel way. Third, both ARM and NEON instruction sets are well re-ordered in an interleaved way. This mixed approach hides the pipeline stalls between each instruction set. Fourth, the multiple cores are exploited to maximize the performance at the thread level. Finally, we achieved 0.42 cycles/byte for the implementation of CHAM-64/128 on ARM-NEON processors. This result is faster than the parallel implementations of LEA-128/128 and HIGHT-64/128 on the same processor by about 4.04x and 9.92x, respectively.


Title:: Logarithm Design on Encrypted Data with Bitwise Operation
=========================================================================

Authors
-------
1. YOO JOON SOO <sandiegojs@korea.ac.kr> (KOREA UNIVERSITY)
2. SONG BAEK KYUNG <baekkyung777@korea.ac.kr> (KOREA UNIVERSITY)
3. YOON JI WON <jiwon_yoon@korea.ac.kr> (KOREA UNIVERSITY)

Abstract
--------
Privacy preserving big data on cloud systems is becoming increasingly indispensable as the amount of information of the individuals is accumulated on our database system. As a way of maintaining security on cloud systems, Homomorphic Encryption (HE) is considered to be theoretically eminent in protecting against privacy leakage. However, an insufficient number of operations on HE have been developed, hindering many research developers from applying their knowledgeable techniques in this field. Therefore, we propose a novel approach to constructing the logarithm function based on the mathematical theorem of Taylor expansion, with fundamental arithmetic operations and basic gate operations in usage. Moreover, we present a more accurate way of deriving answers for the logarithm using the power and shift method.



Session 1 (Long Papers) : Systems Security: ( Day1 16:00 ~ 18:00, Room Crystal I + II )

Title:: VODKA: Virtualization Obfuscation using Dynamic Key Approach
============================================================================

Authors
-------
1. Jae Yung Lee <jaeyung1001@naver.com> (Korea University)
2. Jae Hyuk Suk <sjh2268@korea.ac.kr> (Korea University)
3. Dong Hoon Lee <donghlee@korea.ac.kr> (Korea University)

Abstract
--------
The virtualization obfuscation technique is known to possess excellent security among software protection techniques. However, research has shown that virtualization obfuscation techniques can be analyzed by automated analysis tools because the performance overhead is high whereas the analysis is fixed. In this situation, additional protection techniques of the virtualization structure have been studied to supplement the protection strength of virtualization obfuscation. However, most of the proposed protection schemes require a special assumption or maximize the overhead of the program to be protected.

In this paper, we propose a delayed analysis method for a lightweight virtualization structure that does not require a strong assumption. Hence, we propose a new virtual code protection scheme combining an anti-analysis technique and dynamic key, and explain its mechanism. This causes correspondence ambiguity between the virtual code and the handler code, thus causing analysis delay. In addition, we show the result of debugging or dynamic instrumentation experiment when the additional anti-analysis technique is applied.


Title:: Emulator Detection Techniques for Commercially Deployed Software
================================================================================

Authors
-------
1. Daehee Jang <daehee87@kaist.ac.kr> (KAIST)
2. Yunjong Jung <yunjong@kaist.ac.kr> (KAIST)
3. Seongman Lee <augustus92@kaist.ac.kr> (KAIST)
4. Minjoon Park <dinggul@kaist.ac.kr> (KAIST)
5. Donguk Kim <donguk14.kim@samsung.com> (Samsung Research)
6. Keunwhan Kwak <kh243.kwak@samsung.com> (Samsung Research)

Abstract
--------
A number of state-of-the-art software analysis platforms are built on system emulators owing to the need for effectively analyzing unknown programs (i.e., execution path exploration). In general, malware has the ability to equip itself with powerful anti-emulation techniques to fingerprint the emulated system environment, thereby avoiding runtime analysis. However, this is not the only use case of anti-emulation. Recently, software vendors often leverage anti-emulation techniques to prevent their products from being reverse-engineered by attackers equipped with emulators. In this paper, we flip the conventional paradigm and explore anti-emulation techniques and discuss their efficacy in terms of protecting commercially deployed software against malicious emulators. In this paper, we discuss several ideas of anti-emulation techniques suited for large-scale commercial software. According to our study, deliberately misaligning the vectorization instruction (e.g., Intel SIMD, ARM NEON) can serve as a promising emulator detection technique over previous approaches. Based on the abnormal use of CPU vectorization technology, we design and implement an efficient user level anti-emulation technique that outperforms previous methods in three aspects: (i) performance, (ii) accuracy, and (iii) reliability. To demonstrate the efficacy of our design, we implemented the detection algorithm as an Android JNI library and tested it against 174 ARM-based Android devices and several emulators.


Title:: Reliable Rowhammer Attack and Mitigation Based on Reverse Engineering Memory Address Mapping Algorithms
================================================================================================

Authors
-------
1. Saeyoung Oh <osy4997@postech.ac.kr> (Dept. of Computer Science and Engineering, Pohang University of Science and Technology (POSTECH), Republic of Korea)
2. Jong Kim <jkim@postech.ac.kr> (Dept. of Computer Science and Engineering, Pohang University of Science and Technology (POSTECH), Republic of Korea)

Abstract
--------
Rowhammer attacks intentionally induce a disturbance error caused by the interference of neighboring rows. To perform sophisticated rowhammer attacks, attackers need to access the neighboring rows of target data repeatedly to corrupt the data. In DRAM, the physical addresses of neighboring rows are not always contiguous even if they are located before or after a target row. Hence, it is important to know the mapping algorithm which maps between physical addresses and physical row indexes not only for an attack but also for protection.

In this paper, we introduce a method to reverse engineer the exact mapping algorithm and demonstrate that the assumption in previous rowhammer work is faulty. In addition, we introduce a novel and efficient rowhammer method and improve existing mitigations that have a security hole caused by the faulty assumption. Finally, we evaluate the effectiveness of the proposed attack and show that the proposed mitigation almost perfectly defends against rowhammer attacks.


Session 2 (Long Papers) : Analysis and Visualization of Threats ( Day2 09:20 ~ 10:50, Room : Crystal I + II )



Title:: AlertVision: Visualizing Security Alerts
========================================================

Authors
-------
1. Jina Hong <jina3453@kaist.ac.kr> (KAIST)
2. JinKi Lee <jinki.lee@ahnlab.com> (AhnLab)
3. HyunKyu Lee <hyunkyu.lee@ahnlab.com> (AhnLab)
4. YoonHa Chang <yoonha.chang@ahnlab.com> (AhnLab)
5. KwangHo Choi <kwangho.choi@ahnlab.com> (AhnLab)
6. Sang Kil Cha <sangkilc@kaist.ac.kr> (KAIST)

Abstract
--------
Security is not just a technical problem, but it is a business problem. Companies are facing highly-sophisticated and targeted cyber attacks every day, and losing a huge amount of money as well as private data. Threat intelligence helps in predicting and reacting to such problems, but extracting well-organized threat intelligence from an enormous amount of information is significantly challenging. In this paper, we propose a novel technique for visualizing security alerts, and implement it in a system that we call AlertVision, which provides an analyst with a visual summary of the correlation between security alerts. The visualization helps in understanding various threats in the wild in an intuitive manner, and eventually benefits the analyst in building TI. We applied our technique to real-world data obtained from the network of 85 organizations, which include 5,801,619 security events in total, and summarized lessons learned.



Session 3 (Long Papers) : Applied Crypto: ( Day3, 09:30 ~ 12:00, Room : Crystal I + II )


Title:: Threat modeling and analysis of voice assistant applications
============================================================================

Authors
-------
1. Geumhwan Cho <geumhwan@skku.edu> (Sungkyunkwan University)
2. Jusop Choi <cjs1992@skku.edu> (Sungkyunkwan University)
3. Hyoungshick Kim <hyoung@skku.edu> (Sungkyunkwan University)
4. Sangwon Hyun <shyun@chosun.ac.kr> (Chosun University)
5. Jungwoo Ryoo <jryoo@psu.edu> (Pennsylvania State University)

Abstract
--------
A voice assistant is an application that helps users to interact with their devices using voice commands in a more intuitive and natural manner. Recently, many voice assistant applications (e.g., Apple's Siri and Google's Now) have been popularly deployed on smartphones and voice-controlled smart speakers. However, the threat and security of those applications have been examined only in very few studies. In this paper, we identify potential threats to voice assistant applications and assess the risk of those threats using the STRIDE and DREAD models. Our threat modeling demonstrates that generic voice assistants can potentially have 16 security threats. To mitigate the identified threats, we also propose several defense strategies.



Title: Secure Comparison Protocol with Encrypted Output and the Computation for Proceeding 2 bits-by-2 bits
================================================================================================

Authors
-------
1. Takumi Kobayashi <s179506@matsu.shimane-u.ac.jp> (Interdisciplinary Graduate School of Science and Engineering, Shimane University)
2. Keisuke Hakuta <hakuta@cis.shimane-u.ac.jp> (Institute of Science and Engineering, Academic Assembly, Shimane University)

Abstract
--------
A secure comparison protocol computes a comparison result between private information from inputs without leakage of the information. It is a very important factor in many potential applications such as secure multi-party computation. These protocols under Yao's Millionaires' Problem output a plaintext of a comparison result. Because of this feature, however, these protocols are not suitable for some applications such as secure biometrics, secure statistics and so on. From this concern, we focus on a secure comparison protocol whose output is one bit encrypted comparison result. In recent works, the computation of such protocols proceeds bit-by-bit. For this reason, these protocols still have a problem about the efficiency. In this paper, as a first step of our study, we propose two secure comparison protocols with encrypted output. As an interesting feature, the computation of one of our protocols proceeds 2 bits-by-2 bits. We prove the correctness of our protocols and estimate the computational cost. Moreover we discuss the security of our protocols against semi-honest model.


Title:: Decentralized Public Key Infrastructure with Quantum-resistant Signatures
=========================================================================================

Authors
-------
1. Hyeongcheol An <anh1026@kaist.ac.kr> (KAIST)
2. Rakyong Choi <thepride@kaist.ac.kr> (KAIST)
3. Kwangjo Kim <kkj@kaist.ac.kr> (KAIST)

Abstract
--------
The blockchain technique was first proposed, called Bitcoin, in 2008 and is a distributed database technology. The Public Key Infrastructure (PKI) system, which is one of the key management systems, is a centralized system. There is a possibility of a single point of failure in the currently used centralized PKI system. The classical digital signature algorithm ECDSA has been used in well-known cryptocurrencies such as Bitcoin and Ethereum. Using Shor's algorithm, it is vulnerable to an attack by the quantum adversary. In this paper, we propose a blockchain-based key management system using quantum-resistant cryptography. It uses the GLP digital signature scheme, which is a lattice-based digital signature scheme. Therefore, our construction is based on quantum-resistant cryptography; it is secure against the attack of a quantum adversary and ensures long-term safety. In addition, we design a decentralized blockchain structure, and it is secure against the single point of failure.


Title:: A Construction of a Keyword Search to Allow Partial Matching with a Block Cipher
================================================================================================

Authors
-------
1. Yuta Kodera <yuta.kodera@s.okayama-u.ac.jp> (Okayama University, Japan)
2. Minoru Kuribayashi <kminoru@okayama-u.ac.jp> (Okayama University, Japan)
3. Takuya Kusaka <kusaka-t@okayama-u.ac.jp> (Okayama University, Japan)
4. Yasuyuki Nogami <yasuyuki.nogami@okayama-u.ac.jp> (Okayama University, Japan)

Abstract
--------
This paper considers a new construction of a keyword search including partial matching on an encrypted document. Typically, an index-based searchable symmetric encryption has been investigated. However, it makes a partial keyword matching difficult without a designated trapdoor. Thus, our objective is to propose a keyword search scheme which enables us to search a part of a keyword only by building trapdoors of each original keyword. The main idea is to insulate each character of a keyword into a bitstream of the sequence generated by a cryptographically secure pseudorandom number generator. It achieves a partial search by giving a restriction on the length of a keyword.


Title: Compact LEA and HIGHT Implementations on 8-bit AVR and 16-bit MSP Processors
===========================================================================================

Authors
-------
1. Hwajeong Seo <hwajeong84@gmail.com> (Hansung University)
2. Kyuhwang An <tigerk9212@gmail.com> (Hansung University)
3. Hyeokdong Kwon <hdgwon@naver.com> (Hansung University)

Abstract
--------
In this paper, we revisited the previous LEA and HIGHT implementations on low-end embedded processors. First, the general purpose registers are fully utilized to cache the intermediate results of the delta variable during the key scheduling process of LEA. By caching the delta variables, the memory accesses are replaced by relatively cheap register accesses. Similarly, the master key and plaintext are cached during key scheduling and encryption of the HIGHT block cipher, respectively. Second, stack storage and pointer are fully utilized to store the intermediate results and access the round keys. This approach solves the limited storage problem and saves one general purpose register. Third, indirect addressing mode is more efficient than indexed addressing mode. In the decryption process of LEA, the round key pair is efficiently accessed through indirect addressing with minor address modification. Fourth, 8-bit word operations for HIGHT are efficiently handled by the 16-bit wise instructions of 16-bit MSP processors. Finally, the proposed LEA implementations on the representative 8-bit AVR and 16-bit MSP processors are fully evaluated in terms of code size, RAM and execution timing. The proposed implementations over the target processors (8-bit AVR processor, 16-bit MSP processor) are faster than previous works by (13.6%, 9.3%), (0.6%, 8.5%), and (3.4%, 1.5%) for key scheduling, encryption, and decryption, respectively. Similarly, the proposed HIGHT implementations on the 16-bit MSP processors are faster than previous works by 38.6%, 33.7%, and 33.6% for key scheduling, encryption, and decryption, respectively.


Title:: A Study on Analyzing Risk Scenarios about Vulnerabilities of Security Monitoring System
================================================================================================

Authors
-------
1. Kunwoo Kim <kunwoo.kim317@gmail.com> (Chung-Ang University)
2. Jungduk Kim <jdkimsac@cau.ac.kr> (Chung-Ang University)

Abstract
--------
Information leakage by insiders results in financial losses and ethical issues, and thus affects business sustainability as well as corporate reputation. In Korea, information leakage by insiders occupies about 80% of the security incidents. Most companies are establishing preventive and prohibited security policies. Nevertheless, security incidents are unceasing. Such restrictive security policies inhibit work efficiency or make employees recognize security negatively. Due to these problems, the rapid detection capability of leakage signs is required. To detect the signs of information leakage, security monitoring is an essential activity. This study is an exploratory case study that analyzed the current state of security monitoring operated by three companies in Korea and provides some risk scenarios about information leakage. For the case analysis, this study collected each company’s security policy, systems linked with the security monitoring system, and system logs used. As a result, this study identified vulnerabilities that were difficult to detect with the current security monitoring system, and drew 4 risk scenarios that were likely to occur in the future. The results of this study will be useful for companies that are planning to establish an effective security monitoring system.


Title:: A New Bayesian Approach to Exploring Damaged assets by Monitoring Mission Failures Caused by Undetected Attack
================================================================================================

Authors
-------
1. Shinwoo Shim <shimshinwoo@lignex1.com> (LIG Nex1)
2. Ji Won Yoon <jiwon_yoon@korea.ac.kr> (Korea University)

Abstract
--------
Modern military systems operated with a complex of computers and software may have mission failures caused by undetected attacks. In such situations, it is important to find out which assets are damaged. After identifying damaged assets, we need to immediately examine the damaged assets to defend against the attacks. However, it is not straightforward to explore the damaged assets because there are complicated relationships among assets, tasks and missions. In this paper, we propose an effective methodology to infer the damaged assets given observed mission impacts in a Bayesian framework. We used Bayesian networks to model assets, tasks and missions, and to set the relationships among them. Our approach visually infers and identifies the damaged assets with the probability. We show that the proposed Bayesian framework is practical and useful with the use case experiment.


Title:: Network Deployments of Bitcoin Peers and Malicious Nodes based on Darknet Sensor (short paper)
================================================================================================

Authors
-------
1. Mitsuyoshi Imamura <ic140tg528@gmail.com> (University of Tsukuba)
2. Kazumasa Omote <omote@risk.tsukuba.ac.jp> (University of Tsukuba)

Abstract
--------
Bitcoin depends on the Peer-to-Peer (P2P) network in a major way and shares the connecting IP address list with the nearest peer. In addition, the blockchain, which is the basic technology, can be accessed by anyone, and the transactions stored in the block can be checked anytime. Recent research has reported that the anonymity of such a bitcoin P2P network is low, regardless of whether a peer uses anonymizers like TOR to keep the anonymity. This fact shows the risk of malicious users being able to use this public information without exception. However, when the malicious user is hiding behind the network and browsing public information, it is difficult to distinguish between a malicious user and an honest one, and it is a challenge to detect signs of hidden threats. In this research, we propose a method of analysis that combines two kinds of IP address distributions, Bitcoin peer and malicious node (not in the bitcoin network), in order to obtain characteristics of hidden users. As a result, we confirmed that the nodes which matched the third octet of the IP address in the bitcoin network peer sent the packet to the darknet. The contribution of this paper is three-fold: (1) we employ a novel approach to analyze a bitcoin network using a Darknet dataset, (2) we identify the malicious node in the same network as the honest peer, and (3) we clarify the network deployments of Bitcoin peers and malicious nodes.


Poster presentation list

| Title | Presenter | Affiliation |
|---|---|---|
| Information Assurance Requirements for software controlled | Seung-hwan Ju (Ph.D) | Korea Testing Laboratory |
| When Harry met Tinder: Security analysis of dating apps on Android | Kuyju Kim (MS) | Sungkyunkwan University |
| Blockchain Privacy Protection Using Anonymization | Kyuhwang An (MS) | Hansung University |
| Resilient Networking in Formation Flying UAVs | Lebsework Negash Lemma | KAIST |



KIISC-KAIS Research Paper Competition List

| Awards | Authors | School |
|---|---|---|
| Grand prize | Sangdon Park, Radoslav Ivanov, James Weimer and Insup Lee | University of Pennsylvania |
| First prize | Hongil Kim, Jiho Lee, Eunkyu Lee and Yongdae Kim | KAIST |
| First prize | Heedo Kang, Seungwon Shin, Vinod Yegneswaran, Shalini Ghosh and Phillip Porras | KAIST |
| First prize | Doowon Kim, Bum Jun Kwon, Sanghyun Hong and Tudor Dumitraș | University of Maryland |
| First prize | Beop-Yeon Kim, Moon-Ho Joo, Seung-Jo Baek and Hun-Yeong Kwon | Korea University |
| Second prize | Daehee Jang, Yunjong Jung, Sungman Lee, Minjoon Park and Brent Byunghoon Kang | KAIST |
| Second prize | Dongsoo Ha, Wenhui Jin and Heekuck Oh | Hanyang University |
| Second prize | Hocheol Shin, Juhwan Noh, Dohyun Kim and Yongdae Kim | KAIST |
| Second prize | Yeonkeun Kim, Taejune Park and Seungwon Shin | KAIST |
| Second prize | Ohmin Kwon, Yonggon Kim, Jaehyuk Huh and Hyunsoo Yoon | KAIST |
| Second prize | Hyunyoung Oh, Hayoon Yi, Hyeokjun Choe, Yeongpil Cho, Sungroh Yoon and Yunheung Paik | Seoul National University |
| Second prize | Yeeun Ku, Leo Hyun Park, Sooyeon Shin and Taekyoung Kwon | Yonsei University |
| Second prize | Sooyeon Lee and Huy Kang Kim | Korea University |
| Second prize | Seungjin Lee and Hyoungshick Kim | Sungkyunkwan University |
| Third prize | Sangok Park, Ohmin Kwon, Yonggon Kim, Sang Kil Cha and Hyunsoo Yoon | KAIST |
| Third prize | Hyun Kwon, Yongchul Kim, Ki-Woong Park, Hyunsoo Yoon and Daeseon Choi | KAIST |
| Third prize | Juhwan Noh, Yujin Kwon, Yunmok Son, Jaeyeong Choi, Hocheol Shin, Dohyun Kim and Yongdae Kim | KAIST |
| Third prize | Sanghyun Hong, Bum Jun Kwon, Doowon Kim and Tudor Dumitraș | University of Maryland |
| Third prize | Leo Hyun Park, Sangjin Oh, Jungbeen Yu and Taekyoung Kwon | Yonsei University |
| Third prize | Dongil Hwang, Donghyun Kwon, Myonghoon Yang, Seongil Jeon, Younghan Lee and Yunheung Paik | Seoul National University |
| Third prize | Geumhwan Cho, Jusop Choi, Hyoungshick Kim, Sangwon Hyun and Jungwoo Ryoo | Sungkyunkwan University |
| Third prize | Yungi Jo, Jimin Kim, Cheongmin Ji and Manpyo Hong | Ajou University |
| Third prize | Changuk Jeon | Sangmyung University |
| Third prize | So Youn Kim | Carleton University |