Detection of Abnormal Traffic by Pre-Inflow Agent

A Method for Detecting Abnormal Traffic Generated by a Pre-Inflow Agent

  • Cho, Young Min (Graduate School of Information Security, Korea University)
  • Kwon, Hun Yeong (Graduate School of Information Security, Korea University)
  • 조영민 (Graduate School of Information Security, Korea University)
  • 권헌영 (Graduate School of Information Security, Korea University)
  • Received : 2018.07.17
  • Accepted : 2018.09.13
  • Published : 2018.10.31


Modern society is in a period of rapid digital transformation. The spread of digital-centric business offers convenience and efficiency to businesses and individuals, but cyber threats are increasing along with it. In particular, cyber attacks are becoming more intelligent and precise, and attackers try various methods to keep these attacks from being discovered. It is therefore increasingly difficult to respond to such attacks. According to the cyber kill chain concept, an attacker penetrates a target in several stages to achieve a goal. We aim to detect one of these stages and neutralize the attack. In this paper, we assume that an agent that executes malicious actions has been introduced in advance for various reasons, such as a system error or a user's mistake, and we propose a method to detect the anomalous traffic that this agent generates in order to connect to an external attacker.

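Modern society can be described as an era of rapid digital transformation. The spread of digitally centered business provides convenience and efficiency to companies and individuals, but cyber threats are growing to the same degree. Cyber attacks in particular are becoming more intelligent, more precise and more diverse, and attackers try a variety of methods so that their attacks are not discovered. As a result, responding to such attacks is becoming steadily harder. According to the Cyber Kill Chain concept, an attacker infiltrates across several stages to achieve an objective, and our aim is to neutralize the attack by detecting one of these stages. This paper assumes that an agent which carries out malicious actions has already entered the environment through one of various causes, such as a system error or a user's mistake, and proposes a method for detecting the abnormal traffic that such an agent generates in order to connect to an attacker outside.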

Fig. 1. Related Research Field

Fig. 2. Irregular Iteration Access

Fig. 3. Flow-chart (Irregular Iteration Access)

Fig. 4. Multiple Access

Fig. 5. Flow-chart (Multiple Access)

Fig. 6. Bypass Attempt Access

Fig. 7. Flow-chart (Bypass Attempt Access)

Fig. 8. Experiment Environment

Table 1. Selected Header Field

Table 2. Result of Verification

