• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.2
• /
• pp.371-379
• /
• 2022

Darknet is based on the characteristics of anonymity and security, and this leads darknet to be continuously abused for various crimes and illegal activities. Therefore, it is very important to detect and classify darknet traffic to prevent the misuse and abuse of darknet. This work proposes a novel approach, which uses the Gradient Boosting techniques for darknet traffic detection and classification. XGBoost and LightGBM algorithm achieve detection accuracy of 99.99%, and classification accuracy of over 99%, which could get more than 3% higher detection accuracy and over 13% higher classification accuracy, compared to the previous research. In particular, LightGBM algorithm could detect and classify darknet traffic in a way that is superior to XGBoost by reducing the learning time by about 1.6 times and hyperparameter tuning time by more than 10 times.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.4
• /
• pp.821-830
• /
• 2017

The internet is an important infra resource that it controls the economy and society of our country. Also, it is providing convenience and efficiency of the everyday life. But, a case of various are occurred through an using vulnerability of an internet infra resource. Recently various attacks of unknown to the user are an increasing trend. Also, currently system of security control is focussing on patterns for detecting attacks. However, internet threats are consistently increasing by intelligent and advanced various attacks. In recent, the darknet is received attention to research for detecting unknown attacks. Since the darknet means a set of unused IP addresses, no real systems connected to the darknet. In this paper, we proposed an algorithm for finding black IPs through collected the darknet traffic based on a statistics data of port information. The proposed method prepared 8,192 darknet space and collected the darknet traffic during 3 months. It collected total 827,254,121 during 3 months of 2016. Applied results of the proposed algorithm, black IPs are June 19, July 21, and August 17. In this paper, results by analysis identify to detect frequency of black IPs and find new black IPs of caused potential cyber threats.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.6
• /
• pp.1185-1195
• /
• 2014

Domestic and international CERTs are carrying out security monitoring and response services based on security devices for intrusion incident prevention and damage minimization of the organizations. However, the security monitoring and response service has a fatal limitation in that it is unable to detect unknown attacks that are not matched to the predefined signatures. In recent, many approaches have adopted the darknet technique in order to overcome the limitation. Since the darknet means a set of unused IP addresses, no real systems connected to the darknet. Thus, all the incoming traffic to the darknet can be regarded as attack activities. In this paper, we present a collection and analysis method of malicious URLs based on darkent traffic for advanced security monitoring and response service. The proposed method prepared 8,192 darknet space and extracted all of URLs from the darknet traffic, and carried out in-depth analysis for the extracted URLs. The analysis results can contribute to the emergence response of large-scale cyber threats and it is able to improve the performance of the security monitoring and response if we apply the malicious URLs into the security devices, DNS sinkhole service, etc.

• The Journal of the Korea institute of electronic communication sciences
• /
• v.8 no.12
• /
• pp.1841-1848
• /
• 2013

In this paper, the plans for improvement of real-time security monitoring accuracy and expansion of control region were investigated through comprehensive and systematic collection and analysis of the anomalous activities that inflow and outflow in the network on a large scale in order to overcome the existing security monitoring system based on stylized detection patterns which could correspond to only very limited cyber attacks. This study established an anomaly observation system to collect, store and analyze a diverse infringement threat information flowing into the darknet network, and presented the information classification system of cyber threats, unknown anomalies and high-risk anomalous activities through the statistics based trend analysis of hacking. If this security monitoring system utilizing darknet traffic as presented in the study is applied, it was indicated that detection of all infringement threats was increased by 12.6 percent compared with conventional case and 120 kinds of new type and varietal attacks that could not be detected in the past were detected.

• The Journal of the Korea institute of electronic communication sciences
• /
• v.9 no.2
• /
• pp.261-266
• /
• 2014

The current status of domestic monitoring centers was reviewed and the pattern-based security monitoring system and the centralized security monitoring system, both of which are the characteristics of security monitoring systems, were analyzed together with their advantages and disadvantages. In addition, as for a development plan of domestic security monitoring systems, in order to improve the problems of the existing pattern-based centralized monitoring system, Honeynet and Darknet, which are based on anomalous behavior detection, were analyzed and their application plans were described.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.33 no.2
• /
• pp.267-280
• /
• 2023

With development of computing and communications technologies, IoT environments based on high-speed networks have been extending rapidly. Especially, from home to an office or a factory, applications of IoT devices with sensing environment and performing computations are increasing. Unfortunately, IoT devices which have limited hardware resources can be vulnerable to cyber attacks. Hence, there is a concern that an IoT botnet can give rise to information leakage as a national cyber security crisis arising from abuse as a malicious waypoint or propagation through connected networks. In order to response in advance from unknown cyber threats in IoT networks, in this paper, We firstly define four types of We firstly define four types of characteristics by analyzing darknet traffic accessed from an IoT botnet. Using the characteristic, a suspicious IP address is filtered quickly. Secondly, the filtered address is identified by Cyber Threat Intelligence (CTI) or Open Source INTelligence (OSINT) in terms of an unknown suspicious host. The identified IP address is finally fingerprinted to determine whether the IP is a malicious host or not. To verify a validation of the proposed method, we apply to a Darknet on real-world SOC. As a result, about 1,000 hosts who are detected and blocked preemptively by the proposed method are confirmed as real IoT botnets.

• Proceedings of the Korean Society of Computer Information Conference
• /
• 2021.01a
• /
• pp.233-236
• /
• 2021

본 논문에서는 국내 드론 사용량이 증가하고 있으나 드론을 제재하기 위한 수단과 AI를 활용한 드론 콘텐츠가 부족하다. 상기 문제점을 해결하기 위해 Darknet 과 YOLO_mark를 사용하여 디바이스를 학습시켜 손쉽게 드론 인식 및 구별을 할 수 있게 구현하였다. 이를 통해 기존 드론 제재 수단의 한계를 극복하고 손쉽게 이용할 수 있다. 나아가 본 논문을 이용하여 군◦경에서 드론 식별 등으로 활용할 수 있다.

• Journal of the Institute of Convergence Signal Processing
• /
• v.21 no.1
• /
• pp.29-37
• /
• 2020

This paper implements a method of extracting an object about a dog through real-time image analysis and classifying dog behaviors from the extracted images. The Darknet YOLO was used to detect dog objects, and the Teachable Machine provided by Google was used to classify behavior patterns from the extracted images. The trained Teachable Machine is saved in Google Drive and can be used by ml5.js implemented on a node.js server. By implementing an interactive web server using a socket.io module on the node.js server, the classified results are transmitted to the user's smart phone or PC in real time so that it can be checked anytime, anywhere.

• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.19 no.2
• /
• pp.161-168
• /
• 2019

Recently, video equipments such as CCTV, which is spreading rapidly, is being used as a means to monitor and cope with abnormal situations in almost governments, companies, and households. However, in most cases, since recognizing the abnormal situation is carried out by the monitoring person, the immediate response is difficult and is used only for post-analysis. In this paper, we present the results of the development of video surveillance system that automatically recognizing the abnormal situations and sending such events to the smartphone immediately using the latest deep learning technology. The proposed system extracts skeletons from the human objects in real time using Openpose library and then recognizes the human behaviors automatically using deep learning technology. To this end, we reconstruct Openpose library, which developed in the Caffe framework, on Darknet framework to improve real-time processing. We also verified the performance improvement through experiments. The system to be introduced in this paper has accurate and fast behavioral recognition performance and scalability, so it is expected that it can be used for video surveillance systems for various applications.

• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.20 no.6
• /
• pp.157-165
• /
• 2020

Aiming at the development of neural network and self-driving data set, it is also an idea to improve the performance of network model to detect moving objects by dividing the data set. In Darknet network framework, the YOLOv4 (You Only Look Once v4) network model was used to train and test Udacity data set. According to 7 proportions of the Udacity data set, it was divided into three subsets including training set, validation set and test set. K-means++ algorithm was used to conduct dimensional clustering of object boxes in 7 groups. By adjusting the super parameters of YOLOv4 network for training, Optimal model parameters for 7 groups were obtained respectively. These model parameters were used to detect and compare 7 test sets respectively. The experimental results showed that YOLOv4 can effectively detect the large, medium and small moving objects represented by Truck, Car and Pedestrian in the Udacity data set. When the ratio of training set, validation set and test set is 7:1.5:1.5, the optimal model parameters of the YOLOv4 have highest detection performance. The values show mAP50 reaching 80.89%, mAP75 reaching 47.08%, and the detection speed reaching 10.56 FPS.