• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.31 no.2C
• /
• pp.208-218
• /
• 2006

In this paper, we introduce the creation methods of attack detection model using data mining technologies that can classify the latest attack types, and can detect the modification of existing attacks as well as the novel attacks. Also, we evaluate comparatively these attack detection models in the view of detection accuracy and detection time. As the important factors for creating detection models, there are data, attribute, and detection algorithm. Thus, we used NetFlow data gathered at the real network, and KDD Cup 1999 data for the experiment in large quantities. And for attribute selection, we used a heuristic method and a theoretical method using decision tree algorithm. We evaluate comparatively detection models using a single supervised/unsupervised data mining approach and a combined supervised data mining approach. As a result, although a combined supervised data mining approach required more modeling time, it had better detection rate. All models using data mining techniques could detect the attacks within 1 second, thus these approaches could prove the real-time detection. Also, our experimental results for anomaly detection showed that our approaches provided the detection possibility for novel attack, and especially SOM model provided the additional information about existing attack that is similar to novel attack.

• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.13 no.1
• /
• pp.355-363
• /
• 2012

The Integration of multi-agent architecture and blackboard architecture may lead to a new architecture to cope with new application areas which need some good and strong points of both the architectures. This paper suggests an integrated architecture of blackboard architecture and multi-agent architecture by using event-based implicit invocation pattern and a blackboard event detection mechanism based on Rete network. From the viewpoints of weak couplings of system components and flexible control of knowledge source agents, it is desirable to use the event-based implicit invocation pattern in the integrated architecture. But the pattern itself does not concern the performance of the architecture, and it is very critical to the performance of the integrated architecture to detect efficiently the blackboard events which can activate knowledge source agents which can contribute to the problem-solving processes of the integrated architecture. The integrated architecture suggested in this paper uses a blackboard event detection mechanism based on Rete network to detect efficiently blackboard events which can activate knowledge source agents.

• Journal of the Korea Society for Simulation
• /
• v.18 no.4
• /
• pp.149-155
• /
• 2009

Attacks in wireless sensor networks (WSN), are similar to the attacks in ad-hoc networks because there are deployed on a wireless environment. However existing security mechanism cannot apply to WSN, because it has limited resource and hostile environment. One of the typical attack in WSN is setting up wrong route that using wormhole. To overcome this threat, Ji-Hoon Yun et al. proposed WODEM (WOrmhole attack DEfense Mechanism) which can detect and counter with wormhole. In this scheme, it can detect and counter with wormhole attacks by comparing hop count and initial TTL (Time To Live) which is pre-defined. The selection of a initial TTL is important since it can provide a tradeoff between detection ability ratio and energy consumption. In this paper, we proposed a fuzzy rule-based system for TTL determination that can conserve energy, while it provides sufficient detection ratio in wormhole attack.

• The KIPS Transactions:PartC
• /
• v.10C no.6
• /
• pp.799-808
• /
• 2003

Existing security solutions such as Firewell and IDS (Intrusion Detection System) have a trouble in getting accurate detection rate about new attack and can not block interior attack. That is, existing securuty solutions have various shortcomings. Shortcomings of these security solutions can be supplemented with mechanism which guarantees an availability of systems. The mechanism which guarantees the survivability of node is various, we approachintrusion telerance using real time response mechanism. The monitoring code monitors related resources of system for survivability of vulnerable systm continuously. When realted resources exceed threshold, monitoring and response code is deployed to run. These mechanism guarantees the availability of system. We propose control mathod about resource monitoring. The monitoring code operates with this method. The response code may be resident in active node for availability or execute a job when a request is occurred. We suggest the node survivability mechanism that integrates the intrusion tolerance mechanism that complements the problems of existing security solutions. The mechanism takes asvantage of the automated service distribution supported by Active Network infrastructure instead of passive solutions. The mechanism takes advantage of the automated service distribution supported by Active Network infrastructure instead of passive system reconfiguration and patch.

• Proceedings of the Korea Institutes of Information Security and Cryptology Conference
• /
• 2002.11a
• /
• pp.183-186
• /
• 2002

시스템 콜 인터포지션 메커니즘은 침입 탐지 및 접근 제어와 같은 시스템 보안 기능을 강화하기 위해서 사용하는 방법이다. 현재까지 알려진 시스템 콜 인터포지션의 구현 방법은 크게 라이브러리 기반, 커널 기반 그리고 유저레벨 프로세스 기반의 접근방식이었다. 기존의 방식들은 대부분 범용적인 모노리틱커널에 적용되어 사용되고 있으며, 최근에 보안 운영체제로 개발되고 있는 마이크로커널 방식의 시스템에서는 적합하지 않다. 본 논문에서는 기존에 연구되었던 시스템 콜 인터포지션 방법들을 소개하고 마이크로커널 기반의 시스템 콜 인터포지션을 위한 메커니즘을 제안하고 있다. 제안된 메커니즘은 마이크로커널 위에 모니터 서버를 두고, IPC가 수행될 때 특정 시스템 콜을 비동기 IPC를 이용하여 감시하는 방식을 취하고 있다.

• Annual Conference of KIPS
• /
• 2003.11a
• /
• pp.463-466
• /
• 2003

시스템 콜 인터포지션 메커니즘은 침입 탐지 및 접근 제어와 같은 시스템 보안 기능을 강화하기 위해서 사용하는 방법이다. 현재까지 알려진 시스템 콜 인터포지션의 구현 방법은 크게 라이브러리 기반, 커널 기반 그리고 유저레벨 프로세스 기반의 접근방식이 있다. 기존의 방식들은 대부분 범용적인 모노리틱커널에 적용되어 사용되고 있으며, 최근에 보안 운영체제로 개발되고 있는 마이크로커널 방식의 시스템에서는 적합하지 않다. 본 논문에서는 기존에 연구되었던 시스템 콜 인터포지션 방법들을 소개하고 마이크로커널 기반의 시스템 콜 인터포지션을 위한 메커니즘과 기반이 되는 커널 컴포넌트들을 안전하게 관리하는 방법을 제안하고 있다. 제안된 메커니즘은 마이크로커널 위에 모니터 서버를 두고, IPC가 수행될 때 특정 시스템 콜을 비동기 IPC를 이용하여 감시하는 방식을 취하고 있다.

• Proceedings of the Korean Society of Broadcast Engineers Conference
• /
• 2021.06a
• /
• pp.28-31
• /
• 2021

전세계적으로 우울증은 정신 건강 질환으로써 문제가 되고 있으며, 이를 해결하기 위해 일상생활에서의 우울증 탐지에 대한 연구가 진행되고 있다. 따라서 본 논문에서는 일상생활에 밀접하게 연관되어 있는 AI 스피커를 사용한 어텐션 메커니즘(Attention Mechanism) 기반 멀티모달 우울증 감지 시스템을 제안한다. 제안된 방법은 AI 스피커로부터 수집할 수 있는 음성 및 텍스트 데이터를 수집하고 CNN(Convolutional Neural Network)과 BiLSTM(Bidirectional Long Short-Term Memory Network)를 통해 각 데이터에서의 학습을 진행한다. 학습과정에서 Self-Attention 을 적용하여 특징 벡터에 추가적인 가중치를 부여하는 어텐션 메커니즘을 사용한다. 최종적으로 음성 및 텍스트 데이터에서 어텐션 가중치가 추가된 특징들을 합하여 SoftMax 를 통해 우울증 점수를 예측한다.

• The KIPS Transactions:PartC
• /
• v.10C no.5
• /
• pp.525-532
• /
• 2003

This paper describes intrusion detection rule management using mobile agents. Intrusion detection can be divided into anomaly detection and misuse detection. Misuse detection is best suited for reliably detecting known use patterns. Misuse detection systems can detect many or all known attack patterns, but they are of little use for as yet unknown attack methods. Therefore, the introduction of mobile agents to provide computational security by constantly moving around the Internet and propagating rules is presented as a solution to misuse detection. This work presents a new approach for detecting intrusions, in which mobile agent mechanisms are used for security rules propagation. To evaluate the proposed approach, we compared the workload data between a rules propagation method using a mobile agent and a conventional method. Also, we simulated a rules management using NS-2 (Network Simulator) with respect to time.

• Journal of the Korea Computer Industry Society
• /
• v.5 no.8
• /
• pp.781-790
• /
• 2004

This paper describes intrusion detection rule mangement using mobile agents. Intrusion detection can be divided into anomaly detection and misuse detection. Misuse detection is best suited for reliably detecting known use patterns. Misuse detection systems can detect many or all known attack patterns, but they are of little use for as yet unknown attack methods. Therefore, the introduction of mobile agents to provide computational security by constantly moving around the Internet and propagating rules is presented as a solution to misuse detection. This work presents a new approach for detecting intrusions, in which mobile agent mechanisms are used for security rules propagation. To evaluate the proposed appraoch, we compared the workload data between a rules propagation method using a mobile agent and a conventional method. Also, we simulated a rules management using NS-2(Network Simulator) with respect to time.

• Journal of KIISE:Computing Practices and Letters
• /
• v.12 no.6
• /
• pp.339-348
• /
• 2006

Recently, many researches on detecting and responding worms due to the fatal infrastructural damages explosively damaged by automated attack tools, particularly worms. Network service vulnerability exploiting worms have high propagation velocity, exhaust network bandwidth and even disrupt the Internet. Previous worm researches focused on signature-based approaches however these days, approaches based on behavioral features of worms are more highlighted because of their low false positive rate and the attainability of early detection. In this paper, we propose a Distributed Worm Detection Model based on packet marking. The proposed model detects Worm Cycle and Infection Chain among which the behavior features of worms. Moreover, it supports high scalability and feasibility because of its distributed reacting mechanism and low processing overhead. We virtually implement worm propagation environment and evaluate the effectiveness of detecting and responding worm propagation.