Offensive cybersecuritymodel for secure smart mobility and smart homes : focused on Z-Waveprotocol

김경곤 Graduate School of Cybersecurity, Korea University 2020 국내박사

디지털 사회가 발전함에 따라 우리가 살고 있는 도시도 점차 스마트 도시로 변해 가고 있다. 스마트 도시에서는 자율주행차와 같은 스마트 모빌리티, 원격에서 집안을 관리할 수 있는 스마트 홈 등 Internet of Things, Sensor Network 서비스를 통해 거주자들은 보다 효율적인 삶을 살고 있다. 하지만, 디지털 사회가 발전함에 따라, 사이버 공격의 위협도 함께 증가한다. 또한 사이버 공격의 양상은 점차 변화하고 있다. 초기 사이버 공격자는 호기심 많은 개인 해커가 대다수였으며, 간단한 기술을 통해 홈페이지를 해킹하고 개인 정보를 도용했다. 그러나 최근 사이버 공격은 개인 정보를 훔치거나 웹 사이트를 손상시키는 것 이상으로, 발전된 사이버 공격 기술을 통해 기업 또는 국가의 기밀 정보를 획득하거나, 스마트 도시의 인프라를 파괴 할 정도로 위협적이다. 많은 보고서에서 "정교화 된" 사이버 공격을 언급하고 있으나, "정교화 된"은 추상적 개념이다. 따라서 본 논문에서는 스마트 도시의 보안 요소들을 살펴보고, 그 중 스마트 홈에서 사용하고 있는 Z-Wave Protocol 취약점에 대해 상세히 분석한다. 나아가 본 논문에서는 "정교한 사이버 공격"을 정량화하는 방법론을 제안한다. 이를 위해 사이버 공격에 사용되는 공격적인 사이버 보안의 각 세부기술을 조사한다. 이러한 조사를 바탕으로 사이버 공격의 복잡성과 강도를 측정하고 정량화 할 수 있다. 이 연구에서는 우리가 제안한 측정 모델을 바탕으로, 최근에 발생한 10개의 fileless cyberattack과, 국가가 지원하는 것으로 알려진 지능형 지속 위협 (APT)에 대해 수치화하여 평가한다. 이 연구 결과를 통해 향후 스마트 모빌리티, 스마트 홈 등 스마트 도시에서 발생할 수 있는 사이버 공격에 대해 객관적으로 분석할 수 있는 기반을 제공할 수 있을 것으로 기대한다.

(A) password guessing method based on generative adversarial networks with offensive security perspective

남성엽 Graduate School of Cybersecurity, Korea University 2021 국내박사

Text-based passwords are a fundamental and popular means of authentication. Password authentication is simple to implement because it does not require any equipment, unlike biometric authentication, and it relies only on the user’s memory. Therefore, people often use easy-to-remember passwords, such as ”iloveyou1234.” This reliance on memory, however, is an inherent weakness of passwords, mainly because these easy-to-remember passwords can also be cracked easily. Despite this well-known weakness, passwords are still the de-facto authentication method for most online systems. Owing to this importance, password cracking has been researched extensively, both for offensive and defensive purposes. Hashcat and John the Ripper are the most popular cracking tools, allowing users to crack millions of passwords in a short time, based on password- cracking dictionaries and rule-sets. However, rule-based cracking has an explicit limitation of depending on password-cracking experts to come up with creative rules. To overcome this limitation, a recent trend has been to apply machine learning techniques to conduct research on password cracking. For instance, state-of-the-art password guessing studies such as PassGAN adopted a Generative Adversarial Network (GAN) and used it to generate highquality password guesses without knowledge of password structures. However, compared to the probabilistic context-free grammar (PCFG), PassGAN showed inferior passwordcracking performance in all experimental cases. In addition, PassGAN could not prove its cracking performance under practical cases (long-length and complicated passwords). In this thesis, I propose new methods for achieving improved password-cracking performance, which are based on both the generator and discriminator modules of a GAN. With respect to the generator of GAN, I describe new techniques for improving the passwordcracking performance of PassGAN. Interestingly, changing both basic neural networks and the hyper-parameter configuration of GANs outperforms the cracking performance of PassGAN. In addition, transforming to dual-discriminator architecture has a beneficial effect on improving the password-cracking performance. These new approaches are denoted as rPassGAN, rPassD2CGAN, and rPassD2SGAN. In some experimental cases, the rPassGAN series surpasses PCFG as well. Through several experiments with rPassGAN, I observed that each password guessing model has its own cracking space that does not overlap with other models. This observation led me to realize that an optimized candidate dictionary can be made by combining the password candidates generated by multiple password generation models. The second technique I suggest is a deep learning-based approach called REDPACK that addresses the weakness of the cutting-edge GAN-based password-cracking tools. To this end, REDPACK combines multiple password generator models in an effective way. This approach uses the discriminator of the rPassGAN as the password-candidate selector. Then, by collecting passwords selectively, REDPACK achieves a more realistic password candidate dictionary. Also, REDPACK improves password cracking performance by incorporating both the generator and the discriminator in a GAN framework. I evaluated this model on various datasets with password candidates composed of symbols, digits, upper, and lowercase letters. The results clearly show that my approach outperforms all existing approaches, including rule-based Hashcat, GAN-based PassGAN, and probability-based PCFG. Another advantage of the proposed model is that REDPACK can reduce the number of password candidates by up to one-third or one-fourth, with small cracking performance loss compared to the union set of passwords cracked by multiple-generation models. Finally, I propose iREDPACK, which is the first heterogeneously-structured GAN model in the password-cracking domain and adopts the concept of Google Inception. iREDPACK is designed for handling passphrase-structured passwords. iREDPACK selects more password candidates of PCFG than REDPACK in all experiments.

(A) bitwise design and implementation for privacy preserving data mining from atomic operations to advanced algorithms

송백경 Graduate School of Cybersecurity, Korea University 2020 국내석사

Homomorphic encryption (HE) is considered as one of the most powerful solutions to securely protect clients' data from malicious users and even severs in the cloud computing. However, though it is known that HE can protect the data in theory, it has not been well utilized because many operations of HE are too slow, especially multiplication. In addition, existing data mining research studies using encrypted data focus on implementing only specic algorithms without addressing the fundamental problem of HE. In this paper, we propose a fundamental design and implementation of data mining algorithm through logical gates. In order to do this, we design various logic of atomic operations in encrypted domain and nally apply these logic to well-known data mining algorithms. We also analyze the execution time of atomic and advanced algorithms.

Security model design framework and application to PPDR operational environment

김대건 Graduate School of Cybersecurity, Korea University 2021 국내박사

본 논문은 아래 물음에 대한 해결책이 될 수 있는 방법론을 제공한다. “통제 권한을 벗어난 외부의 시스템에 의존하여 구축되는 대규모 시스템의 보안 모델을 어떻게 효율적으로 설계 할 수 있는가?” 본 연구에서는 위 질문에서 제기된 제한된 환경에서 안전하게 시스템을 구현하기 위해 요구되는 시스템 아키텍처 및 보안요건을 도출하기 위한 보안 모델 설계 프레임워크를 제안한다. 또한 제안된 프레임워크를 적용하여 공공안전 (Public safety) LTE (PS-LTE) 기반의 공공안전 및 재난구호 (Protection and Disaster Relief, PPDR) 작전 시스템을 위한 보안 모델을 제안한다. 국가적으로 발생하는 재해 및 재난 상황은 국가안보를 위협할 수 있으며, 이에 대응하기 위해 여러 정부기관의 기능을 통합해야 한다. 전세계적으로 많은 국가들은 재해 및 재난정보를 관련 대응 기관들이 신속하게 공유하고 소통하기 위해 전국 단위의 이동통신 네트워크 인프라를 구축하고 있다. PS-LTE는 이러한 목적을 달성하기 위해 많은 국가에서 채택된 통신 메커니즘이다. 재해 및 재난 대응 관련 조직은 기존에 각 기관의 고유 네트워크에서 실행되는 서비스를 PS-LTE 인프라에 안전하게 연결하여 기관 고유 네트워크에서 제공되는 정보와 시스템 기능을 PS-LTE 환경에서 지속적으로 활용하도록 수 있도록 함으로써 PPDR 활동의 효율성을 높일 수 있다. 그러나 이러한 운용 환경은 상용 LTE 환경과는 다른 특성이 있기 때문에 기관의 고유 네트워크와 PS-LTE 인프라를 안전하게 연결하기 위해서는 환경에 특화된 취약성을 명확히 분석하고 이를 해소할 필요가 있다. 또한, PS-LTE 인프라를 활용한 PPDR 운영 환경의 특성을 분석한 후, 기존에 각 기관의 고유 네트워크에서 운영되는 PPDR 서비스를 이 인프라를 통해 제공하고자 하는 조직에서 적용할 수 있는 보안 모델을 도출하기 위해 제안한 프레임워크를 적용하였다. 본 연구에서는 제안된 보안 모델 설계 프레임워크를 PPDR 을 위한 특정 상황에 적용했지만, 본 프레임워크는 어떤 환경에 대한 분석에도 일반적으로 적용될 수 있다. This thesis is to provide the methodology as a solution for the following question: “How can I design the security model for a large-scale system that built upon external system that is unauthorized to control?” This study proposes the security model design framework to derive the system architecture and security requirements targeting the restricted environment as the question. Moreover, the application example of the framework to design the system's security model for public protection and disaster relief (PPDR) operations based on PS-LTE is provided. National disasters can threaten national security and require integrating the functionalities of several organizations to correspond to the event. Many countries are constructing a nationwide mobile communication network infrastructure to share information and promptly communicate with corresponding organizations. Public Safety Long-Term Evolution (PS-LTE) is a communication mechanism adopted in many countries to achieve such a purpose. Organizations can increase the efficiency of PPDR operations by securely connecting the services run on their legacy networks to the PS-LTE infrastructure. The connection of the legacy networks allows the organizations to facilitate the legacy network's information and system functionalities continuously. To securely connect the network, the vulnerabilities in the environment, which differ from commercial LTE, need to be resolved. Although the proposed security model design framework is applied to a specific circumstance in this research, it can be generally adopted to analyze any application environment.

Tight security for cryptographic schemes in the multi-instance settings

이영경 Graduate School of Cybersecurity, Korea University 2021 국내박사

This thesis presents tight security results in independent cryptographic schemes public-key encryption (PKE) and identity-based signature (IBS). The security of PKE schemes in multi-user settings is aimed at capturing real-world scenarios in which an adversary could attack multiple users and multiple ciphertexts of its choice. However, the fact that a real-world adversary can also mount key-exposure attacks requires us to consider a more realistic notion of security in multi-user settings. An IBS scheme can be generically constructed from an ordinary signature scheme. But it was unclear that a generic construction leads to a tightly secure IBS scheme, no matter what tightly secure signature scheme be used as a building block. The summary of tight security results of this thesis is presented as follows: • This thesis defines the security notion of PKE in a multi-user setting with corruptions, where an adversary is able to issue corruption (i.e., private key) queries. Then, this thesis proposes the first practical and tightly secure PKE scheme in the multi-user setting with corruptions. • This thesis shows that the recent work by Seo, Abdalla, Lee, and Park (Information Sciences, July 2019) has a flaw in the security analysis of CCA conversion methods and presents revised security proofs. • This thesis demonstrates that the generic construction of IBS can achieve tightness if the underlying signature scheme is tightly secure in the multiuser setting with corruption. In addition, this thesis extends the tightness result of IBS to the multi-instance setting, where an adversary can corrupt multiple key generation centers and obtain related master secret keys.

Uncovering how game bots get detected through Explainable Artificial Intelligence (XAI)

박은지 Graduate School of Cybersecurity, Korea University 2021 국내석사

Game bots are either bots using automated hardware or artificial intelligence bots using software for collecting assets in a game. Bots disturb other game players and destroy the environmental system of the games. For these reasons, the game industry has long had problems with game bots. The game industry put its best efforts into detecting the game bots using activity history in a learning-based detection method. These detection methods have captured game bots with high performance; however, they do not provide a reasonable explanation of the detection results. To solve this problem, in this paper, we investigate the explainabilities of game bot detection, utilizing a dataset from MMORG game AION, which includes both game logs from normal players and game bots. We conduct the detection of game bots through two classification models and analyze the detection process by applying explainable AI modules. We propose the verification of the explanation of the bot’s behavior, and the truthfulness has been evaluated. Besides, explainability contributes to minimizing false detection.

HTTP/3 stream prioritization based on web object dependency

정예지 Graduate School of Cybersecurity, Korea University 2021 국내석사

HTTP/3 is an application layer protocol that includes new features to meet the needs of the modern web. IETF standardization of HTTP/3 has come to its final stage. HTTP/3 provides transport layer level stream multiplexing and accordingly it has encountered stream prioritization problem. The problem states the determination of which stream to transmit amongst multiple streams on a connection within limited network resources and this contributes to the completion time of web object loading. Meanwhile, dependency relationship between web activities exists and this implies that dependency relationship between web object loading activities also exists. In order to transfer web objects in accordance with the web page load process at the browser, we proposed a HTTP/3 stream prioritization scheme based on web object dependency. Particularly, we built a browser-based testbed that can load arbitrary web pages in HTTP/3 and the tool is expected to be used in various HTTP/3 researches. Conclusively, the proposed prioritization scheme was evaluated using the testbed and it was shown that the application of the scheme could improve the user experience. In addition, we conducted the performance comparison study between previous HTTP protocols and HTTP/3 under different network conditions using the tool. 현대 웹의 요구에 부응하는 새로운 기능을 포함하는 응용 계층 프로토콜인 HTTP/3가 IETF 표준화 마무리 단계에 있다. HTTP/3의 전송 계층 수준 스트림 다중화로 인해 한 연결 내에 여러 스트림 중 어떤 것을 먼저 전송할지 정하는 스트림 우선순위 선정 문제가 등장하였으며 이는 웹 오브젝트들의 전송 완료 시간에 영향을 준다. 한편, 브라우저에서의 세부 연산인 웹 활동 간에는 의존성 관계가 존재하는데, 이는 각 웹 활동에 필요한 웹 오브젝트 간에도 의존성 관계가 있음을 의미한다. 본 논문은 브라우저에서의 페이지 로드 과정에 부합하는 웹 오브젝트 전송을 위해, 웹 오브젝트 간 의존성을 고려하여 HTTP/3 스트림에 우선순위를 선정하는 방법을 제안한다. 또한, HTTP/3 라이브러리 수준의 평가가 아닌, 브라우저 기반의 테스트베드를 구축하고 이를 바탕으로 제안 기법을 평가하여 본 기법의 적용이 사용자 경험 지표를 향상시킬 수 있음을 보였다. 추가적으로, 테스트베드를 이용하여 기존 HTTP 프로토콜과 HTTP/3의 성능 비교 연구를 수행하였다.

Data de-identification framework

오준형 Graduate School of Cybersecurity, Korea University 2021 국내박사

As the technology level is advanced, the amount of information used is increasing. Each company learns big data and provides customized services to consumers. Accordingly, collecting and analyzing data subject data has become one of the core competencies of companies. However, when collecting and using data subject information, the authority of the data subject may be violated. Data by itself is often identifiable, and even if it cannot be personal information that infringes on an individual's authority, the moment they are connected, it becomes important, sensitive, or personal information that you never thought of. Therefore, recent trends in privacy regulation such as GDPR are changing toward more and more guaranteeing the rights of data subjects. In order to use data effectively without infringing on the rights of the data subject, the concept of de-identification was created. Researchers and companies can lower the identification of personal information through appropriate de-identification / pseudonymization and use the data for research and statistical purposes. De-identification / pseudonymization techniques have been studied a lot, but it is difficult for companies and researchers to know how and how specifically to identify data / pseudonymization. This is because the organization of knowledge is not properly organized. And it is difficult to clearly understand how and to what extent each organization should take de-identification measures, and how it will affect them. Currently, each organization does not systematically analyze and conduct the situation, but is taking minimal action while looking at the guidelines distributed by each country. We solved this problem from the perspective of risk management. Several steps are required from securing the dataset and starting from pre-processing until the dataset is released. We can analyze the dataset, analyze the risk, evaluate the risk, and treat the risk appropriately. When analyzing a dataset, it includes classifying identifiers and selecting sensitive attributes from various viewpoints such as cultural, historical, and context. When analyzing risk, it can be analyzed based on scenarios, and various re-identification cases that have existed can be organized and analyzed by reference. In addition, risk can be analyzed by quantifying the vulnerability of each threat. We can analyze the risk and assess the risk through a cost benefit study or adequacy evaluation. The outcomes of each step can then be used to take appropriate action on the dataset to eliminate or reduce the risk. Then, you can release the dataset according to your purpose. These series of processes were reconstructed according to the current situation by analyzing various standards such as ISO/IEC 20889, NIST IR 8053, NIST SP 800-188, and ITU-T X.1148. Then, we propose an integrated framework based on situational awareness model and risk management model.

BinTyper : type confusion detection for C++ Binaries

김동주 Graduate School of Cybersecurity, Korea University 2021 국내석사

타입 컨퓨전 버그는 C++로 개발된 소프트웨어를 공격하기 위해 사용되는 인기 있는 취약점 클래스 중 하나이다. 이 버그는 프로그램이 오브젝트를 호환되지 않는 클래스 타입으로 형변환(타입캐스팅)하여 발생한다. 공격자는 이 취약점(버그)을 악용해 대상 소프트웨어에서 악성 코드를 실행할 수 있다. 유형 혼동 버그를 탐지하기 위한 기존 연구들은 모두 소스 코드 수준에서 제안되었다. 이들은 소스 코드의 컴파일 과정에서 타입캐스팅 연산자에 타입 호환성을 검증하기 위한 추가적인 코드를 삽입하여 런타임에서 타입 컨퓨전 버그를 탐지한다. 그러나 이러한 방법들은 바이너리 수준에서 적용될 수 없다. 컴파일된 바이너리에는 클래스 정보와 타입캐스팅 연산자 등의 고수준 정보가 존재하지 않기 때문이다. 본 논문은 바이너리 수준에서 타입 컨퓨전 버그를 탐지할 수 있는 최초의 도구인 BinTyper를 제안한다. BinTyper는 정적 분석을 통해 클래스 오브젝트를 클래스 상속 구조에 따라 여러 영역으로 나눈다. 이후 동적 분석을 수행해 타입 컨퓨전 버그를 유발하지 않고 프로그램이 실행되기 위해 오브젝트에 필요한 조건들을 추론한다. 마지막으로, 추론된 조건들을 바탕으로 타입 호환성을 검증하여 타입 컨퓨전 버그를 탐지한다. 우리는 제안된 방법을 Google PDFium과 LibSass에 적용해 바이너리 수준에서 타입 컨퓨전 버그를 성공적으로 탐지하였다. Type confusion bug is a popular vulnerability class used to attack C++-based software. This bug occurs when a program typecasts an object to an incompatible class type. An attacker can exploit this vulnerability to execute malicious code on the target software. Existing researches to detect type confusion bugs have been proposed at the source level. They perform detection at runtime by adding extra code that verifies type compatibility to the typecasting operator. However, this approach is not applicable at the binary level, because high-level information such as class information and the typecasting operator does not exist in the compiled binary. In this paper, we propose BinTyper, a tool that detects type confusion bugs at the binary level for the first time. BinTyper divides the object into several areas according to the class hierarchy by static analysis. After that, BinTyper performs dynamic analysis to infer the condition of the object for the program to be executed without causing a type confusion bug. Finally, based on the inferred condition, type compatibility is verified to detect a type confusion bug. We actually applied our proposed method to Google PDFium and LibSass, which confirmed that our proposed method successfully detects a type confusion bug at the binary level.

Anomaly detection system for periodic time series : a machine learning case study using betting transaction data

민무홍 Graduate School of Cybersecurity, Korea University 2021 국내박사

Advances in information technology and the widespread use of smartphones have led to enormous growth in the gambling industry over the past decade, primarily across a network of mobile apps, websites, and platforms. In order to combat growing issues with addiction, government agencies have responded with strict regulations regarding monetary limits and gambling locations. As a result, some foreigner bettors ​have found new ways to evade emerging regulations in lawful gambling environments. The absence of technical systems to identify anomalous activity has led to cases like the Walkerhill Incident (2016-2017) that occurred between June 2016 and September 2017 at Grand Walkerhill Seoul Hotel, when foreign bettors automated ticket purchases by modifying a Korean betting application called “MyCard”. This study proposes a method to detect and prevent anomalous activity. The analysis utilizes periodic transaction data in a time series provided by real-world horse racing records rather than artificial data. This study then used time series machine learning algorithms to identify anomalous transactions and conduct a comparative analysis of the results of existing statistical techniques and machine learning techniques. This study also demonstrates a process to detect anomalous transactions, as well as specific methodologies and systems to respond to new types of anomalies. The detection method and its systems are designed based on time series research, which takes a similar form to the data produced in the horse racing industry. The resulting analysis and discussion could prove useful in a wide variety of real-world applications, including the gambling industry that originally inspired the research.