• Title/Summary/Keyword: 비정상행위기반탐지

Search Result 78, Processing Time 0.021 seconds

Stateful Virtual Proxy Server for Attack Detection based on SIP Protocol State Monitoring Mechanism (SIP 프로토콜 상태정보 기반 공격 탐지 기능을 제공하는 가상 프록시 서버 설계 및 구현)

  • Lee, Hyung-Woo
    • Journal of Internet Computing and Services
    • /
    • v.9 no.6
    • /
    • pp.37-48
    • /
    • 2008
  • VoIP service is a transmission of voice data using SIP protocol on IP based network, The SIP protocol has many advantages such as providing IP based voice communication and multimedia service with cheap communication cost and so on. Therefore the SIP protocol spread out very quickly. But, SIP protocol exposes new forms of vulnerabilities on malicious attacks such as Message Flooding attack and protocol parsing attack. And it also suffers threats from many existing vulnerabilities like on IP based protocol. In this paper, we propose a new Virtual Proxy Server system in front of the existed Proxy Server for anomaly detection of SIP attack and stateful management of SIP session with enhanced security. Based on stateful virtual proxy server, out solution shows promising SIP Message Flooding attack verification and detection performance with minimized latency on SIP packet transmission.

  • PDF

Comparative Study of Anomaly Detection Accuracy of Intrusion Detection Systems Based on Various Data Preprocessing Techniques (다양한 데이터 전처리 기법 기반 침입탐지 시스템의 이상탐지 정확도 비교 연구)

  • Park, Kyungseon;Kim, Kangseok
    • KIPS Transactions on Software and Data Engineering
    • /
    • v.10 no.11
    • /
    • pp.449-456
    • /
    • 2021
  • An intrusion detection system is a technology that detects abnormal behaviors that violate security, and detects abnormal operations and prevents system attacks. Existing intrusion detection systems have been designed using statistical analysis or anomaly detection techniques for traffic patterns, but modern systems generate a variety of traffic different from existing systems due to rapidly growing technologies, so the existing methods have limitations. In order to overcome this limitation, study on intrusion detection methods applying various machine learning techniques is being actively conducted. In this study, a comparative study was conducted on data preprocessing techniques that can improve the accuracy of anomaly detection using NGIDS-DS (Next Generation IDS Database) generated by simulation equipment for traffic in various network environments. Padding and sliding window were used as data preprocessing, and an oversampling technique with Adversarial Auto-Encoder (AAE) was applied to solve the problem of imbalance between the normal data rate and the abnormal data rate. In addition, the performance improvement of detection accuracy was confirmed by using Skip-gram among the Word2Vec techniques that can extract feature vectors of preprocessed sequence data. PCA-SVM and GRU were used as models for comparative experiments, and the experimental results showed better performance when sliding window, skip-gram, AAE, and GRU were applied.

Abnormal Behavior Detection for Zero Trust Security Model Using Deep Learning (제로트러스트 모델을 위한 딥러닝 기반의 비정상 행위 탐지)

  • Kim, Seo-Young;Jeong, Kyung-Hwa;Hwang, Yuna;Nyang, Dae-Hun
    • Annual Conference of KIPS
    • /
    • 2021.05a
    • /
    • pp.132-135
    • /
    • 2021
  • 최근 네트워크의 확장으로 인한 공격 벡터의 증가로 외부자뿐 아니라 내부자를 경계해야 할 필요성이 증가함에 따라, 이를 다룬 보안 모델인 제로트러스트 모델이 주목받고 있다. 이 논문에서는 reverse proxy 와 사용자 패턴 인식 AI 를 이용한 제로트러스트 아키텍처를 제시하며 제로트러스트의 구현 가능성을 보이고, 새롭고 효율적인 전처리 과정을 통해 효과적으로 사용자를 인증할 수 있음을 제시한다. 이를 위해 사용자별로 마우스 사용 패턴, 리소스 사용 패턴을 인식하는 딥러닝 모델을 설계하였다. 끝으로 제로트러스트 모델에서 사용자 패턴 인식의 활용 가능성과 확장성을 보인다.

Design and Implementation of Web Attack Detection System Based on Integrated Web Audit Data (통합 이벤트 로그 기반 웹 공격 탐지 시스템 설계 및 구현)

  • Lee, Hyung-Woo
    • Journal of Internet Computing and Services
    • /
    • v.11 no.6
    • /
    • pp.73-86
    • /
    • 2010
  • In proportion to the rapid increase in the number of Web users, web attack techniques are also getting more sophisticated. Therefore, we need not only to detect Web attack based on the log analysis but also to extract web attack events from audit information such as Web firewall, Web IDS and system logs for detecting abnormal Web behaviors. In this paper, web attack detection system was designed and implemented based on integrated web audit data for detecting diverse web attack by generating integrated log information generated from W3C form of IIS log and web firewall/IDS log. The proposed system analyzes multiple web sessions and determines its correlation between the sessions and web attack efficiently. Therefore, proposed system has advantages on extracting the latest web attack events efficiently by designing and implementing the multiple web session and log correlation analysis actively.

The Study of Bot Program Detection based on User Behavior in Online Game Environment (온라인 게임 환경에서 사용자 행위 정보에 기반한 봇 프로그램 탐지 기법 연구)

  • Yoon, Tae-Bok
    • Journal of the Korea Academia-Industrial cooperation Society
    • /
    • v.13 no.9
    • /
    • pp.4200-4206
    • /
    • 2012
  • Recently, online-game industry has been rapidly expanding in these days. But, the various game service victimized cases are generated by the bots program. Particularly, the abnormal collection of the game money and item loses the inherent fun of a game. It reaches ultimately the definite bad effect to the game life cycle. In this paper, we propose a Bots detection method by observing the playing patterns of game characters with game log data. It analyzed behaviors of human players as well as bots and identified features to build the model to differentiate bots from human players. In an experiment, by using the served online-game, the model of a user and bots were generated was distinguished. And the reasonable result was confirmed.

Attack Detection in Recommender Systems Using a Rating Stream Trend Analysis (평가 스트림 추세 분석을 이용한 추천 시스템의 공격 탐지)

  • Kim, Yong-Uk;Kim, Jun-Tae
    • Journal of Internet Computing and Services
    • /
    • v.12 no.2
    • /
    • pp.85-101
    • /
    • 2011
  • The recommender system analyzes users' preference and predicts the users' preference to items in order to recommend various items such as book, movie and music for the users. The collaborative filtering method is used most widely in the recommender system. The method uses rating information of similar users when recommending items for the target users. Performance of the collaborative filtering-based recommendation is lowered when attacker maliciously manipulates the rating information on items. This kind of malicious act on a recommender system is called 'Recommendation Attack'. When the evaluation data that are in continuous change are analyzed in the perspective of data stream, it is possible to predict attack on the recommender system. In this paper, we will suggest the method to detect attack on the recommender system by using the stream trend of the item evaluation in the collaborative filtering-based recommender system. Since the information on item evaluation included in the evaluation data tends to change frequently according to passage of time, the measurement of changes in item evaluation in a fixed period of time can enable detection of attack on the recommender system. The method suggested in this paper is to compare the evaluation stream that is entered continuously with the normal stream trend in the test cycle for attack detection with a view to detecting the abnormal stream trend. The proposed method can enhance operability of the recommender system and re-usability of the evaluation data. The effectiveness of the method was verified in various experiments.

Feature Selection for Anomaly Detection Based on Genetic Algorithm (유전 알고리즘 기반의 비정상 행위 탐지를 위한 특징선택)

  • Seo, Jae-Hyun
    • Journal of the Korea Convergence Society
    • /
    • v.9 no.7
    • /
    • pp.1-7
    • /
    • 2018
  • Feature selection, one of data preprocessing techniques, is one of major research areas in many applications dealing with large dataset. It has been used in pattern recognition, machine learning and data mining, and is now widely applied in a variety of fields such as text classification, image retrieval, intrusion detection and genome analysis. The proposed method is based on a genetic algorithm which is one of meta-heuristic algorithms. There are two methods of finding feature subsets: a filter method and a wrapper method. In this study, we use a wrapper method, which evaluates feature subsets using a real classifier, to find an optimal feature subset. The training dataset used in the experiment has a severe class imbalance and it is difficult to improve classification performance for rare classes. After preprocessing the training dataset with SMOTE, we select features and evaluate them with various machine learning algorithms.

Anomaly Detection for User Action with Generative Adversarial Networks (적대적 생성 모델을 활용한 사용자 행위 이상 탐지 방법)

  • Choi, Nam woong;Kim, Wooju
    • Journal of Intelligence and Information Systems
    • /
    • v.25 no.3
    • /
    • pp.43-62
    • /
    • 2019
  • At one time, the anomaly detection sector dominated the method of determining whether there was an abnormality based on the statistics derived from specific data. This methodology was possible because the dimension of the data was simple in the past, so the classical statistical method could work effectively. However, as the characteristics of data have changed complexly in the era of big data, it has become more difficult to accurately analyze and predict the data that occurs throughout the industry in the conventional way. Therefore, SVM and Decision Tree based supervised learning algorithms were used. However, there is peculiarity that supervised learning based model can only accurately predict the test data, when the number of classes is equal to the number of normal classes and most of the data generated in the industry has unbalanced data class. Therefore, the predicted results are not always valid when supervised learning model is applied. In order to overcome these drawbacks, many studies now use the unsupervised learning-based model that is not influenced by class distribution, such as autoencoder or generative adversarial networks. In this paper, we propose a method to detect anomalies using generative adversarial networks. AnoGAN, introduced in the study of Thomas et al (2017), is a classification model that performs abnormal detection of medical images. It was composed of a Convolution Neural Net and was used in the field of detection. On the other hand, sequencing data abnormality detection using generative adversarial network is a lack of research papers compared to image data. Of course, in Li et al (2018), a study by Li et al (LSTM), a type of recurrent neural network, has proposed a model to classify the abnormities of numerical sequence data, but it has not been used for categorical sequence data, as well as feature matching method applied by salans et al.(2016). So it suggests that there are a number of studies to be tried on in the ideal classification of sequence data through a generative adversarial Network. In order to learn the sequence data, the structure of the generative adversarial networks is composed of LSTM, and the 2 stacked-LSTM of the generator is composed of 32-dim hidden unit layers and 64-dim hidden unit layers. The LSTM of the discriminator consists of 64-dim hidden unit layer were used. In the process of deriving abnormal scores from existing paper of Anomaly Detection for Sequence data, entropy values of probability of actual data are used in the process of deriving abnormal scores. but in this paper, as mentioned earlier, abnormal scores have been derived by using feature matching techniques. In addition, the process of optimizing latent variables was designed with LSTM to improve model performance. The modified form of generative adversarial model was more accurate in all experiments than the autoencoder in terms of precision and was approximately 7% higher in accuracy. In terms of Robustness, Generative adversarial networks also performed better than autoencoder. Because generative adversarial networks can learn data distribution from real categorical sequence data, Unaffected by a single normal data. But autoencoder is not. Result of Robustness test showed that he accuracy of the autocoder was 92%, the accuracy of the hostile neural network was 96%, and in terms of sensitivity, the autocoder was 40% and the hostile neural network was 51%. In this paper, experiments have also been conducted to show how much performance changes due to differences in the optimization structure of potential variables. As a result, the level of 1% was improved in terms of sensitivity. These results suggest that it presented a new perspective on optimizing latent variable that were relatively insignificant.