컴퓨터 포렌식스를 지원하는 증거 수집 시스템 설계 및 구현

김영모 大田大學校 大學院 2004 국내석사

From the Protection Technology for general Incident such as the existing Intrusion Detection/Firewall/Prevention system to the present ESM(Enterprise Security Management), more various and effective Security Technologies have been presented. However, the needs for Computer Forensics Technology is on the increase, which chases and analyses evidences of the intruder because in the case of these technologies, there are many poor things for the evidence taking of the intruder and network efficiency. Computer Forensics which has been used for a search method becomes more important in individuals' cases by frequently happened Incident. The integrity and reliability of the process was important because Victim system of Forensics played an important role as evidence, but quick judgment and confrontation for an event are getting more important too. However the existing Forensics tools were used as just simple methods. Therefore, in order to cope with the Hacking Incident we need the development of integrated forensics system adding the technology to collect and analysis evidences with the response technology. And also, it is needed the system which can take and analysis legal evidences quickly even if he is not a professional. In this paper, we present the system which provides automated and integrated technologies by setting a relation as Manager, correspondence interface and Agent according to given Computer Forensics process and we concrete the evidence collecting system. Central Manager analyses and guesses the gained evidences by each agent and can get the legal evidences easily through Manager even though Agent manager is not a professional which can analysis and guess evidences. Correspondence interface performs Integrity, storage and transportation of gained evidences and can get originality and authenticity of the digital evidences. And Agent is added to not only evidence collecting technology also intrusion detection technology so it is possible to cope with a intrusion directly moving together with Trace Back System. And also, the above processes are all programmed by computers and they are free to Hearsay Rule as direct evidences of Evidence Law and therefore they can be admitted to the evidence efficiency.

메타데이터 레지스트리를 이용한 디지털증거관리 시스템 설계 및 구현

김지영 대전대학교대학원 2007 국내석사

Because the cyber crime increases, the importance of digital evidence collection and analysis is embossed. However, general evidence and digital evidence are different. The reason is the character of digital evidence. So collection of digital evidence is difficulty. The collected great many digital evidences is added an extra weight the manpower insufficiency of the Digital Forensics Professional Investigator and an hour insufficiency. there is a problem. Must prove to digital evidence has evidence ability in court, that digital evidence collected in original system, that is not fabrication and that is not modification. Must do responsibility reinforcement ("Chain of Custody") of the Digital Forensics Professional Investigator for authentication about digital evidence. Purpose which accomplish "Chain of Custody" is thing to authentication evidences that is collected under the Digital Forensics Professional Investigator responsibility as well as thing that protect integrity of digital evidence. In this paper, Design and Implementation of Digital Evidence Repository System and Digital Evidence Integration System to collected great many digital evidences can be recognized evidence ability in court and technology which manage effectively. Digital Evidence Repository System records all informations on a Electronic Forensic Report from collection of evidence to preservation so that may can accomplish "Chain of Custody" of the Digital Forensics Professional Investigator and preserve both digital evidence and a Electronic Forensic Report. Digital Evidence Integration System creates some of information that is recorded on a Electronic Forensic Report to Metadata and manages integration. Therefore, Digital Evidence Management System does to integrity of digital evidence and "Chain of Custody" of the Digital Forensics Professional Investigator who take charge from collection of digital evidence to analysis so that may can use as legal evidence of digital evidence and improves legal reliability for a Electronic Forensic Report.

PKI 보안 서비스 기반의 프로그램 저작권 인증 시스템 설계

강석주 大田大學校 大學院 2004 국내박사

The copyrights of digital contents authors are infringed upon by illegitimate copying and distribution of digital contents, which threats the growth of the digital contents market. Therefore, technologies for legally protecting the copyrights of software authors are needed. To satisfy such needs, we propose an authentication model that registers software on a computer program registration system and protects the software itself and the corresponding copyrights. The proposed model offers single and multiple authentication policies to protect the works and their copyrights. In case a legal dispute regarding the copyrights occurs in the future, it includes non-refutability function for user requests and integrity function for proving that the works and registered information is identical to the original. The model also offers protection of data confidentiality over networks and traffic security. User agents for the works and copyright protection system adopted compression and encryption/decryption algorithms to offer works integrity. Based on a management server and PKI, hi-directional authentication is performed using an authentication certificate. The session key set through the security channel is used as the encryption key. The session key is managed not as a temporary key, but in such a way that it can be used when checking the original of the works in the future. In addition, the encrypted and transmitted works is managed in a works management database. The database backs up the works and manages it by applying a message authentication code model to verify the integrity. The copyright of the author is electronically signed using a private key. The copyright is managed separately based on whether it is owned by a single author or multiple authors. In case of a single-author copyright, only one electronic signature is needed, whereas for a multi-author copyright, the signatures of all authors are required. The policy used in the multi-author case is capsulation by electronic signatures on top of an electronic signature. The proposed program copyright certification system based on the PKI security service provides confidentiality using compression and encryption/decryption. The system is also capable of electronic signature, authentication, and non-repudiation using encryption by private keys. Also, system security is provided by offering integrity service using message authentication modes.

ESM기반의 전자적 증거관리 시스템 설계 및 구현

임의열 大田大學校 2006 국내석사

More various and effective security technology is introduced to us such as from protection technique against usual computer emergency incident like the existing intrusion detection system, firewall, intrusion prevention system to the present integration management system, ESM. However we should change it by the customers' needs- they need computer forensics technology which analyzes the evidence of intruders, tracks and finally finds it - because this technology is very poor to get the evidence for the intruders and network efficiency. The computer forensics field which has been used for the investigation method before becomes more important by often computer emergency incident. Confidence and integrity of incident system in forensics was recognized importantly, since it has been performed as an evidence however at this time also it is made much account of the prompt judgement and correspondence against the incident. ESM is a method to strengthen security and also gathers and manages log of each agent. For analyzing this, it provides a manger with log information. The gathered information could be legal evidence but it shows a boundary because of shortage of integrity and insufficiency of analysis technology. Integrated security management system has no problem in load management side because it transmits just the existing fixed log but, but the system, which supports computer forensic, needs to load management function because it must transmit high capacity files such as disk image. We classify the digital evidence management by module such as evidence charge module, evidence analysis module, agent management module, infringement accident confrontation module. We also design and implement the system to overcome the limit of integrated security management system above in this paper. We implement the system focusing on database, which guarantees the integrity of evidence and stores it, and load balancing of digital evidence management system. As a result of performance evaluation for verification, this system was far superior to general integrated security management system in the side of resource utilization. We know it mostly supports the functions of computer forensic.

효율적인 네트워크 램 관리 시스템의 설계 및 구현

민경민 弘益大學校 大學院 2001 국내석사

고속의 네트워크로 연결되어있는 클러스터 시스템에서 원격 노드에 있는 유휴한 메모리를 파일 시스템의 버퍼 캐쉬 또는 페이징 공간으로 사용하는 네트워크 메모리 (Network RAM)가 연구되었다. 네트워크 메모리는 원격 노드의 유휴한 메모리에 서 데이터를 캐싱(caching)함으로써 느린 속도의 로컬 하드디스크 접근을 줄일 수 있다. 클러스터 시스템에서 노드의 숫자가 증가함에 따라 클러스터 내의 유휴 메모리를 효율적으로 관리하는 것은 네트워크 메모리의 효과적인 관리를 위해서 중요하다. 본 논문에서는 서버와 클라이언트 사이에서 효율적인 네트워크 메모리 관리를 제공하는 매니저(Manager)를 도입한다. 이 시스템에서 클라이언트는 서버의 유휴 메모리를 버퍼 캐쉬처럼 사용하기 위해서 서버에게 유휴 메모리를 요청한다. 제안된 네트워크 메모리 관리 시스템(NRMS)은 마이크로소프트 윈도우 환경에서 설계되고 구현된다. Network RAM has been studied to use idle memory for file system buffer caches or a paging space in a cluster system where nodes are connected via high-speed networks. Network RAM reduces the number of accesses to relatively slow local disks by caching data in idle memory of a remote node. As the number of nodes in a cluster system grows, it is critical to efficiently manage idle memory in the system for the success of network RAM. In this thesis, a Manager is introduced to provide an efficient network RAM management between clients and servers. In the system, the clients request idle memory from servers to use it as buffer caches. The proposed Network RAM Management System is developed and implemented on Microsoft Windows systems.

WAN 환경의 대용량 분산 스토리지 시스템을 위한 데이터 사용률 기반 적응형 데이터 관리 기법

김경찬 중앙대학교 대학원 2021 국내석사

전세계적인 데이터 수요의 증가에 따라 대용량의 데이터를 효율적으로 처리할 수 있는 분산 스토리지 시스템에 대한 연구가 시작되었다. 기존의 단일 스토리지 시스템은 확장성에 제약이 존재하고 사용자의 요청에 대한 분산 처리가 불가능하기 때문에 대용량의 데이터를 관리하기에는 부적합하다. 이에 대해 분산 스토리지 시스템은 데이터를 다수의 노드에 저장 및 관리 비용을 최소화하는 기술이며, 평행하고 분산된 관리 기법을 이용해 확장성을 키우고 높은 데이터 처리 속도를 달성할 수 있기 때문에 대용량 데이터를 처리하기 위해 사용될 수 있다. 하지만 기존의 분산 스토리지 시스템은 데이터 지연 시간이 높은 WAN 환경에 구축될 경우 데이터의 소비 위치가 고려되지 않았기 때문에 낮은 지역성으로 인한 시스템 성능 저하 현상이 발생할 수 있다. 본 논문은 기존 분산 스토리지 시스템 연구에 존재하던 문제점을 해결하기 위해 WAN 환경에서의 높은 네트워크 지연 시간 및 데이터의 지역성을 고려하는 데이터 분산 기법을 제안했다. 제안하는 분산 스토리지 시스템은 데이터의 사용률을 기반으로 데이터를 배치시켜 데이터 탐색 시간을 최소화하였으며, 이를 통해 전체적인 시스템 성능을 향상시킬 수 있었다. As the global data demand increases, research on a distributed storage system that can efficiently process large amounts of data has been researched. Existing single storage systems are unsuitable for managing large-scale data because scalability is limited, and distributed processing of user requests is not possible. In contrast, a distributed storage system is a technology that minimizes the cost of storing and managing data in multiple nodes, and it can increase scalability and achieve high data look-up speed by using parallel and distributed management techniques. However, when the existing distributed storage system is built in an environment with high data latency, system performance may deteriorate due to low locality because the location of data usage is not considered. This paper proposes a data distribution scheme that considers high network latency and data locality in a WAN environment to solve the problems that existed in the previous distributed storage system research. The proposed distributed storage system minimizes the data look-up time by placing data based on the data usage rate, thereby improving the overall system performance.

서비스의 가중치를 고려한 정보시스템의 생존성 관리 모델

김봉회 大田大學校 2003 국내박사

In this paper we propose a management model to evaluate the tradeoffs between the cost of defence mechanisms for information systems with weighted service and the resulting expected survivability after a network attack and occurrence of incidents. It consists of three submodels: a stochastic process for the random occurrence of incidents at systems, a model for the state transition process for an attacked system given a level of defence - this depends on the type of attack and the defence mechanism installed in the system and the importance of service, and a method of estimation the expected survivability of the system given possible degradation due to these attack. By varying the level of defence in the simulation, we examine how this expected survivability changes with the defense level. Since costs are assumed to increase with the strength of the defense system, we can derive a cost/survivability and weighed service/survivability curve that managers can use to decide on the appropriate level of defense for the network system of their organizations. The stochastic process was simulated based on parameter values obtained from actual reported data. Also in this paper, we showed how expected survivability would change with varying parameter analysis results values.

모바일 인터넷 환경에서 네트워크 정보서비스의 생존성 평가 모델

김황래 大田大學校 2007 국내박사

모바일 인터넷과 같은 무한 네트워크 환경에서는 완벽한 보안 시스템을 구축하는 것이 불가능하며, 임의의 공격이나 네트워크 고장이 발생하여도 일정 수준으로 중요 서비스를 제공하도록 방어 장치를 구축하는가가 실제적인 문제이다. 보안을 완벽하게 향상시킬 필요는 있지만, 주어진 비용 하에서 얼마만큼의 보안을 향상시킬 수 있을 것인지를 결정할 필요가 있다. 모바일 인터넷 및 그에 연결된 네트워크 정보시스템이 고장을 극복하고 생존 가능한 서비스를 제공하는 능력을 가지는 것이 중요하다. 모바일 인터넷이 고도로 분산화되고 각 노드가 자체적으로 컴퓨팅 능력을 가진다면 고도의 정보시스템 서비스의 생존성이 모바일 인터넷 상에서 성취될 수 있다. 모바일 인터넷을 중앙 제어기를 가지는 네트워크와 비교하면, 어떤 노드나 링크의 고장으로 인해 네트워크 전체가 정지되지 않을 수 있는 것이 특징이다. 본 논문에서는 유선과 무선이 통합된 모바일 인터넷 환경에서 네트워크 정보서비스의 생존성을 평가하는 모델을 제안한다. 여기서 일시적인 과부하 분석과 고장과 공격 빈도 분석 및 비용/효과 분석을 사용하였다. 시스템에 대한 고장과 공격 영향을 평가하는 중요한 척도인 일시적인 시스템 행동 분석과 시스템의 안정 상태 행동을 분석하는 모델을 제안하였다. 본 모델을 통하여 고장 빈도와 고장 영향 측면, 비용/효과 측면이 네트워크 및 정보시스템 서비스의 생존성 특성을 분석할 수 있다. 여러 대체 시나리오를 통하여 시뮬레이션 함으로써 정보서비스의 생존성에 영향을 주는 요소들과의 관련성을 분석하였으며, 공격 및 고장으로 인한 네트워크 부하시 정보서비스의 생존성을 평가하였고, 보안 장치를 위한 소요 비용대비 효과 면에서도 생존성을 분석 평가하였다.

RTSD 기반의 침입위험관리 시스템 설계 및 구현

장재혁 大田大學校 大學院 2002 국내석사

The multilateral risks of transformed intrusion through the global network have threatened systems. A regional risk factor influences whole network with the fast speed, but there is no response method which could be processed rapidly. Therefore, an integrated management system is necessary to collect each risk factor of local area in advance. Analysis of the collected risk information in whole network area should prevent illegal intrusion trials. This paper utilizes RTSD agent that watches each local network to grasp the present condition of whole network. It detects intrusion risk factor and reports to central IRMS(Intrusion Risk Management System). This IRMS analyzes the intrusion risk statistics of current network and necessary information for response against intrusion, "day-month statistical informations of intrusion type and top 10 lists in graph. Response of intrusion risk is classified into members and nonmembers. In the case of nonmember, "whois" search server provides the administrator's E-Mail address of intrusion risk system to nonmember. On the other hand, member is offered it by response system of member management database. In the case of nonmember, the response system transmits only intrusion risk warning mail to nonmember in response. But, in the case of member it sends an warning message and authentication key which can run intrusion interception program automatically to protect the system by refusing service for attacker IP address. Thus, it can keep system safe by fast response against the external intrusion.

보안정책 기술언어 기반의 통합 보안관리 시스템 설계 및 구현

김이곤 대전대학교 대학원 2007 국내석사

The development of computer networks boosted the growth of our economy and industry. However, nowadays its negative function has become a social issue. The negative function includes rapidly increasing diverse illegal acts such as hacking, worms, viruses, and leakage of personal information. In order to prevent such negative functions, many security products have been used. However, it is difficult to manage efficiently large scale networks due to several limitations including diverse operating systems, setup methods, and interfaces of such security products. Therefore, it is necessary to prepare a tool to manage the various and complicated security solutions comprehensively from a central place. Consequently, integrated security management system based on a security policy description language was designed and implemented. This system is an integrated security management system where a security policy can be applied to security device and network device, of which the network mainly consists, by a single application of the security policy.