Tracking the Source of Cascading Cyber Attack Traffic Using Network Traffic Analysis

  • Goo, Young-Hoon (Korea University Department of Computer and Information Science) ;
  • Choi, Sun-Oh (Network Security Research Section, Cyber Security Research Laboratory, ETRI) ;
  • Lee, Su-Kang (Korea University Department of Computer and Information Science) ;
  • Kim, Sung-Min (Korea University Department of Computer and Information Science) ;
  • Kim, Myung-Sup (Korea University Department of Computer and Information Science)
  • Received : 2016.03.07
  • Accepted : 2016.11.09
  • Published : 2016.12.31

Abstract

Today the world is connected to the Internet like an intricate net, and this environment offers cyber attackers, the so-called cyber-terrorists, an ideal setting for attacks. As a result, the number of cyber attacks has grown sharply every year, and many studies in the field of network monitoring aim to detect malicious behaviour and cyber attack traffic. However, each cyber attack produces previously unknown, new forms of traffic, which makes cyber attack traffic hard to detect. This paper defines relations between the flow records that make up traffic data, groups highly related flows in a cascading manner, and on that basis proposes a method for tracking down the source of cyber attack traffic. Applying the proposed source-tracking method to traffic from a real cyber attack produced results of a reliable quality.
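The abstract describes the method only in outline: define a relation between flow records, group highly related flows cascade by cascade, and read the source of the attack off the resulting group. The following Python script is an added illustration of that idea, not code from the paper or its authors. The relation it uses (a later flow is related to an earlier one when it leaves the host the earlier flow reached, within a time window) and the sample flow records are assumptions made here for the example; the paper does not state which relation it defines.

```python
"""Added illustration of cascading flow grouping to trace an attack origin.

Not the paper's code. The relation between flows and the sample records
below are constructed for this example.
"""
from collections import namedtuple

# A minimal flow record: id, source host, destination host, start time (s).
Flow = namedtuple("Flow", "fid src dst start")

# Constructed sample flows (not taken from the paper's data set).
SAMPLE_FLOWS = [
    Flow("f1", "10.0.0.5", "10.0.0.20", 100),      # assumed origin -> first internal host
    Flow("f2", "10.0.0.20", "10.0.0.31", 130),     # compromised host reaches two relays
    Flow("f3", "10.0.0.20", "10.0.0.32", 131),
    Flow("f4", "10.0.0.31", "203.0.113.9", 160),   # flows flagged by monitoring as attack traffic
    Flow("f5", "10.0.0.32", "203.0.113.9", 161),
    Flow("f6", "10.0.0.77", "10.0.0.78", 90),      # unrelated background flow
]


def is_related(earlier, later, window):
    """Assumed relation: `later` departs from the host that `earlier` reached,
    and starts no more than `window` seconds after `earlier` started."""
    return earlier.dst == later.src and 0 <= later.start - earlier.start <= window


def cascade_group(flows, seed_ids, window=60):
    """Starting from the flagged attack flows, repeatedly pull in every
    predecessor flow related to a flow already in the group. Each pass over
    the frontier is one cascade; the loop ends when no new flow is related."""
    by_id = {f.fid: f for f in flows}
    group = set(seed_ids)
    frontier = list(group)
    while frontier:
        current = by_id[frontier.pop()]
        for candidate in flows:
            if candidate.fid not in group and is_related(candidate, current, window):
                group.add(candidate.fid)
                frontier.append(candidate.fid)
    return group


def trace_origin(flows, seed_ids, window=60):
    """Return (origin hosts, grouped flow ids). An origin is a source host in
    the group that no grouped flow ever reaches, i.e. the head of the chain."""
    group = cascade_group(flows, seed_ids, window)
    members = [f for f in flows if f.fid in group]
    reached = {f.dst for f in members}
    origins = sorted({f.src for f in members if f.src not in reached})
    return origins, sorted(group)


if __name__ == "__main__":
    origins, grouped = trace_origin(SAMPLE_FLOWS, ["f4", "f5"])
    print("grouped flows:", grouped)
    print("origin candidates:", origins)
```

The seed is the set of flows a monitor has already flagged; the grouping walks backwards through related flows, so a flow that merely shares a destination with the attack (f6 here) is never pulled in. In practice the window and the relation itself would be tuned to the traffic being analysed, and any host reported as an origin still needs corroboration from that host's own logs before it is treated as the true source.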

References

  1. KISA, "2016 report of 10 issues on Internet and information security (2016)," Retrieved Feb. 16, 2016, from http://www.kisa.or.kr/public/library/IS_View.jsp?mode=view&p_No=158&b_No=158&d_No=295
  2. J. Mirkovic, G. Prier, and P. L. Reiher, "Attacking DDoS at the source," in Proc. IEEE ICNP, pp. 312-321, Nov. 2002.
  3. J.-S. Choi, W.-H. Park, and K.-H. Kook, "Analysis of the advanced persistent threat (APT) - Targeting the Korean defense industry -," Korea Ass. Defense Ind. Stud., vol. 19, no. 2, pp. 73-89, Dec. 2012.
  4. Y.-H. Kim and W.-H. Park, "A study on cyber threat prediction based on intrusion detection event for APT attack detection," Multimedia Tools and Appl., vol. 71, no. 2, pp. 685-698, Jul. 2014. https://doi.org/10.1007/s11042-012-1275-x
  5. S.-H. Yoon, J.-W. Park, and M.-S. Kim, "A study on internet traffic analysis based on two-way-flow," in Proc. KICS ICC 2008, pp. 483-486, Yonsei Univ., Korea, Nov. 2008.
  6. S.-H. Yoon and M.-S. Kim, "Research on signature maintenance method for internet application traffic identification using header signatures," J. KSII, vol. 12, no. 6, pp. 19-33, Dec. 2011.
  7. S.-H. Yoon and M.-S. Kim, "Research on header signature maintenance method for internet application traffic identification," in Proc. KICS ICC 2011, pp. 1200-1201, Jeju Island, Korea, Jun. 2011.
  8. H.-M. An, J.-H. Ham, and M.-S. Kim, "Performance improvement of the statistical information based traffic identification system," KIPS Trans. Computer and Commun. Syst. (KTCCS), vol. 2, no. 8, pp. 335-342, Aug. 2013. https://doi.org/10.3745/KTCCS.2013.2.8.335
  9. H.-M. An, S.-K. Lee, J.-H. Ham, and M.-S. Kim, "Traffic identification based on applications using statistical signature free from abnormal TCP behavior," J. Inf. Sci. and Eng., vol. 31, no. 5, pp. 1669-1692, Sept. 2015.
  10. J.-S. Park, J.-W. Park, S.-H. Yoon, and M.-S. Kim, "Performance improvement of application-level traffic classification algorithm based on payload signature," in Proc. KICS ICC 2010, pp. 1059-1060, Jun. 2010.

Cited by

  1. Analysis of security vulnerabilities in the CNG cryptographic library, vol.42, pp.4, 2016, https://doi.org/10.7840/kics.2017.42.4.838
  2. Analysis of the SSL communication process in the CNG cryptographic library, vol.42, pp.5, 2017, https://doi.org/10.7840/kics.2017.42.5.1027