• The KIPS Transactions:PartC
• /
• v.16C no.4
• /
• pp.449-460
• /
• 2009

The signature hashing algorithm[9] provides the fast pattern matching speed for network IPS(Intrusion Prevention System) using the hash table. It selects 2 bytes from all signature rules and links to the hash table by the hash value. It has an advantage of performance improvement because it reduces the number of inspecting rules in the pattern matching. However it has a disadvantage of performance drop if the number of rules with the same hash value increases when the number of rules are large and the corelation among rules is strong. In this paper, we propose a method to make all rules distributed evenly to the hash table independent of the number of rules and corelation among rules for overcoming the disadvantage of the signature hashing algorithm. In the proposed method, it checks whether or not there is an already assigned rule linked to the same hash value before a new rule is linked to a hash value in the hash table. If there is no assigned rule, the new rule is linked to the hash value. Otherwise, the proposed method recalculate a hash value to put it in other position. We implemented the proposed method in a PC with a Linux module and performed experiments using Iperf as a network performance measurement tool. The signature hashing method shows performance drop if the number of rules with the same hash value increases when the number of rules are large and the corelation among rules is strong, but the proposed method shows no performance drop independent of the number of rules and corelation among rules.

• Journal of KIISE:Software and Applications
• /
• v.33 no.5
• /
• pp.508-524
• /
• 2006

We present our experience of combining, in a realistic setting, a static analyzer with a statistical analysis. This combination is in order to reduce the inevitable false alarms from a domain-unaware static analyzer. Our analyzer named Airac(Array Index Range Analyzer for C) collects all the true buffer-overrun points in ANSI C programs. The soundness is maintained, and the analysis' cost-accuracy improvement is achieved by techniques that static analysis community has long accumulated. For still inevitable false alarms (e.g. Airac raised 970 buffer-overrun alarms in commercial C programs of 5.3 million lines and 737 among the 970 alarms were false), which are always apt for particular C programs, we use a statistical post analysis. The statistical analysis, given the analysis results (alarms), sifts out probable false alarms and prioritizes true alarms. It estimates the probability of each alarm being true. The probabilities are used in two ways: 1) only the alarms that have true-alarm probabilities higher than a threshold are reported to the user; 2) the alarms are sorted by the probability before reporting, so that the user can check highly probable errors first. In our experiments with Linux kernel sources, if we set the risk of missing true error is about 3 times greater than false alarming, 74.83% of false alarms could be filtered; only 15.17% of false alarms were mixed up until the user observes 50% of the true alarms.

• The KIPS Transactions:PartC
• /
• v.12C no.1 s.97
• /
• pp.121-128
• /
• 2005

Tho existing TCP(Transmission Control Protocol) is known to be unsuitable for a network with the characteristics of high RDP(Bandwidth-Delay Product) because of the fixed small or large buffer size at the TCP sender and receiver. Thus, some trial cases of adjusting the buffer sizes automatically with respect to network condition have been proposed to improve the end-to-end TCP throughput. ATBT(Automatic TCP fluffer Tuning) attempts to assure the buffer size of TCP sender according to its current congestion window size but the ATBT assumes that the buffer size of TCP receiver is maximum value that operating system defines. In DRS(Dynamic Right Sizing), by estimating the TCP arrival data of two times the amount TCP data received previously, the TCP receiver simply reserves the buffer size for the next arrival, accordingly. However, we do not need to reserve exactly two times of buffer size because of the possibility of TCP segment loss. We propose an efficient TCP buffer tuning technique(called TBT-PLR: TCP buffer tuning algorithm based on packet loss ratio) since we adopt the ATBT mechanism and the TBT-PLR mechanism for the TCP sender and the TCP receiver, respectively. For the purpose of testing the actual TCP performance, we implemented our TBT-PLR by modifying the linux kernel version 2.4.18 and evaluated the TCP performance by comparing TBT-PLR with the TCP schemes of the fixed buffer size. As a result, more balanced usage among TCP connections was obtained.

• Journal of IKEEE
• /
• v.18 no.4
• /
• pp.471-477
• /
• 2014

In this paper, we propose a low-cost license plate recognition system based on smart cam system using Android. The proposed system consists of a portable device and server. Potable device Hardware consists of ARM Cortex-A9 (S5PV210) processor control unit, a power supply device, wired and wireless communication, input/output unit. We develope Linux kernel and dedicated device driver for WiFi module and camera. The license plate recognition algorithm is consisted of setting candidate plates areas with canny edge detector, extracting license plate number with Labeling, recognizing with template matching, etc. The number that is recognized by the device is transmitted to the remote server via the user mobile phone, and the server re-transfer the vehicle information in the database to the portable device. To verify the utility of the proposed system, user photographs the license plate of any vehicle in the natural environment. Confirming the recognition result, the recognition rate was 95%. The proposed system was suitable for low cost portable license plate recognition device, it enabled the stability of the system when used long time by using the Android operating system.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2002.11a
• /
• pp.701-705
• /
• 2002

This paper describes implementation of IPv6-IPv4 transition toolbox named as 6TALK(IPv6 TrAansLator of Krv6) and some scenarios using 6TALK which enables IPv6 island to connect other IPv6 island or IPv4 island seamlessly. 6TALK implements some transition mechanisms suggested in NGTrans Working Group of IETF. Those mechanisms are composed of basic mechanism, tunneling, and applied mechanism such as DSTM. 6TALK provides functions which enable IPv6 network at the edge of existing network to communicate with IPv4 network by using these transition mechanisms. As major transition mechanisms in 6TALK we adopt NAT-PT/SIIT and DSTM/DSTM options and as implementation environment we use Linux Kernel 2.4.18 and Netfilter framework. Software modules implemented in Linux kernel was ported to hardware box using Motorola MPC 8260 processor. The transition mechanisms used in 6TALK are the ones predicted to be used in initial transition step to IPv6.

• Journal of the Institute of Electronics and Information Engineers
• /
• v.54 no.2
• /
• pp.28-37
• /
• 2017

Multipath TCP (MPTCP), which is a layer 4 protocol that can get the reliability and the efficiency of the transmission by using multipath transfer, was standardized by the IETF. MPTCP provides superior performance when compared to a single TCP when used in a homogeneous network with similar network characteristics. However, MPTCP degrades performance when used in heterogeneous networks with different network characteristics. In this paper, we propose 'Delay-alerted path-blocking scheduler'. It measures the delay of each path and blocks the path with a long delay to reduce the order of packets in the receive buffer. If the duplicated packet is sent to the blocked path to measure the delay and the congestion on the blocking path is reduced, the blocked path is unblocked. For performance analysis, the proposed scheduler was implemented in the Linux kernel and improved performance was obtained in the test bed. We also confirmed that the proposed scheduler reduces the degradation of MPTCP performance in real wireless networks with heterogeneous path characteristics.

• The KIPS Transactions:PartA
• /
• v.19A no.1
• /
• pp.35-44
• /
• 2012

Traditional technologies that are used to improve the performance of hard disk drives show many negative cases if they are applied to solid state drives (SSD). Access time and block sequence in hard disk drives that consist of mechanical components are very important performance factors. Meanwhile, SSD provides superior random read performance that is not affected by block address sequence due to the characteristics of flash memory. Practically, it is recommended to disable prefetching if a SSD is installed in a personal computer. However, this paper presents a combinational method of a prefetching scheme and a memory management that consider the internal structure of SSD and the characteristics of NAND flash memory. It is important that SSD must concurrently operate multiple flash memory chips. The I/O unit size of NAND flash memory tends to increase and it exceeded the block size of operating systems. Hence, the proposed prefetching scheme performs in an operating unit of SSD. To complement a weak point of the prefetching scheme, the proposed memory management scheme adaptively evicts uselessly prefetched data to maximize the sum of cache hit rate and prefetch hit rate. We implemented the proposed schemes as a Linux kernel module and evaluated them using a commercial SSD. The schemes improved the I/O performance up to 26% in a given experiment.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.13 no.6
• /
• pp.129-140
• /
• 2003

Recently viruses and various hacking tools that threat hosts on a network becomes more intelligent and cleverer, and so the various security mechanisms against them have ken developed during last decades. To detect these network attacks, many NIPSs(Network-based Intrusion Prevention Systems) that are more functional than traditional NIDSs are developed by several companies and organizations. But, many previous NIPSS are hewn to have some weakness in protecting important hosts from network attacks because of its incorrectness and post-management aspects. The aspect of incorrectness means that many NIPSs incorrectly discriminate between normal and attack network traffic in real time. The aspect of post-management means that they generally respond to attacks after the intrusions are already performed to a large extent. Therefore, to detect network attacks in realtime and to increase the capability of analyzing packets, faster and more active responding capabilities are required for NIPS frameworks. In this paper, we propose a framework for real-time intrusion prevention. This framework consists of packet filtering component that works on netfilter in Linux kernel and traffic control component that have a capability of step-by-step control over abnormal network traffic with the CBQ mechanism.