• Annual Conference of KIPS
• /
• 2011.04a
• /
• pp.971-974
• /
• 2011

본 논문에서는 대용량 네트워크에 비정상적인 트래픽이 유입이 되거나 나가는 경우 패킷 기반의 비정상 트래픽의 탐지와 분석이 가능토록 하는 시스템을 설계하고 구현하였다. 본 논문에서 구현한 시스템은 네트워크상의 이상 행위를 탐지하기 위하여, DDoS HTTP Get Flooding 공격 탐지 알고리즘을 적용하고, NetFPGA를 이용하여 라우터 단에서 패킷을 모니터링하며 공격을 탐지한다. 본 논문에서 구현한 시스템은 Incomplete Get 공격 타입의 Slowloris 봇과, Attack Type-2 공격 타입의 BlackEnergy, Netbot Vip5.4 봇에 높은 탐지율을 보였다.

• The Journal of the Korea Contents Association
• /
• v.4 no.4
• /
• pp.33-43
• /
• 2004

In this paper, a traffic trend analysis based SNMP algorithm is proposed for improving the problem of existing traffic analysis using SNMP. The existing traffic analysis method has a vulnerability that is taken much time In analyzing by using a threshold and not detected a harmful traffic at the point of transition. The method that is proposed in this paper can solve the problems that the existing method had, simultaneously using traffic trend analysis of the day, traffic trend analysis happening in each protocol and MIB object analysis responding to attacks instead of using the threshold. The algorithm proposed in this paper will analyze harmful traffic more quickly and more precisely; hence it can reduce the damage made by traffic flooding attacks. When traffic happens, it can detect the abnormality through the three analysis methods previously mentioned. After that, if abnormal traffic overlaps in at least two of the three methods, we can consider it as harmful traffic. The proposed algorithm will analyze harmful traffic more quickly and more precisely; hence it can reduce the damage made by traffic flooding attacks.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.34 no.2
• /
• pp.281-288
• /
• 2024

The sixth generation(6G) wireless communication technology is advancing toward ultra-high speed, ultra-high bandwidth, and hyper-connectivity. With the development of communication technologies, the formation of a hyper-connected society is rapidly accelerating, expanding from the IoT(Internet of Things) to the IoE(Internet of Everything). However, at the same time, security threats targeting IoT devices have become widespread, and there are concerns about security incidents such as unauthorized access and information leakage. As a result, the need for security-enhancing solutions is increasing. In this paper, we implement an autoencoder-based anomaly detection model utilizing real-time collected network traffics in respond to IoT security threats. Considering the difficulty of capturing IoT device traffic data for each attack in real IoT environments, we use an unsupervised learning-based autoencoder and implement 6 different autoencoder models based on the use of noise in the training data and the dimensions of the latent space. By comparing the model performance through experiments, we provide a performance evaluation of the anomaly detection model for detecting abnormal network traffic.

• Proceedings of the Korea Institutes of Information Security and Cryptology Conference
• /
• 2003.12a
• /
• pp.137-140
• /
• 2003

최근 웜이나 바이러스, DDoS(Distributed Denial of Service)와 같은 네트워크 침해사고가 빈번히 발생되고 있어 이를 해결하기 위한 여러 가지 방안이 연구 중이다. 하지만 대개의 경우 외부의 침입탐지에 대한 대책만이 이루어지고 있어, 실제로 내부 호스트에서 감염되어 발생시키는 트래픽에 대해서는 원인 진단이 어려운 실정이다. 따라서 네트워크 장애의 원인이 되는 단말 호스트를 찾아내어 장애처리를 하는 것이 정상적인 네트워크 환경구축을 위하여 필요하다. 본 논문에서는 네트워크 자원 모니터링과 트래픽 분석을 통하여 이상 트래픽에 대한 징후를 사전에 탐지하고, 최종 단말 호스트의 위치까지 추적 가능한 시스템을 설계 및 구현하고자 한다.

• The Journal of the Korea Contents Association
• /
• v.5 no.5
• /
• pp.172-181
• /
• 2005

The latest attack type against network traffic appeared by worm and bot that are advanced in DDoS. It is difficult to detect them because they are diversified, intelligent, concealed and automated. The exisiting traffic analysis method using SNMP has a vulnerable problem; it considers normal P2P and other application program to be harmful traffic. It also has limitation that does not analyze advanced programs such as worm and bot to harmful traffic. Therefore, we analyzed harmful traffic out Protocol and Port analysis. We also classified traffic by protocol, well-known port, P2P port, existing attack port, and specification port, apply singularity weight to detect, and analyze attack availability. As a result of simulation, it is proved that it can effectively detect P2P application, worm, bot, and DDoS attack.

• KIPS Transactions on Software and Data Engineering
• /
• v.10 no.11
• /
• pp.449-456
• /
• 2021

An intrusion detection system is a technology that detects abnormal behaviors that violate security, and detects abnormal operations and prevents system attacks. Existing intrusion detection systems have been designed using statistical analysis or anomaly detection techniques for traffic patterns, but modern systems generate a variety of traffic different from existing systems due to rapidly growing technologies, so the existing methods have limitations. In order to overcome this limitation, study on intrusion detection methods applying various machine learning techniques is being actively conducted. In this study, a comparative study was conducted on data preprocessing techniques that can improve the accuracy of anomaly detection using NGIDS-DS (Next Generation IDS Database) generated by simulation equipment for traffic in various network environments. Padding and sliding window were used as data preprocessing, and an oversampling technique with Adversarial Auto-Encoder (AAE) was applied to solve the problem of imbalance between the normal data rate and the abnormal data rate. In addition, the performance improvement of detection accuracy was confirmed by using Skip-gram among the Word2Vec techniques that can extract feature vectors of preprocessed sequence data. PCA-SVM and GRU were used as models for comparative experiments, and the experimental results showed better performance when sliding window, skip-gram, AAE, and GRU were applied.

• Proceedings of the Korean Society of Computer Information Conference
• /
• 2014.01a
• /
• pp.15-18
• /
• 2014

하루가 다르게 최신의 기술이 쏟아져 나오는 정보화 시대에 들어서면서, 세계 ITC 분야는 디지털 기술과 유무선통신에 근간을 둔 인터넷의 확산으로 반도체, 컴퓨터, 콘텐츠 미디어, 정보가전 등 다양한 산업 분야가 융합되어 새로운 부가 가치를 창출하기에 이르렀다. 특히, 스마트 시대를 살아가는 우리의 일상생활은 모바일은 물론 일반적인 PC등을 사용한 인터넷 중심의 네트워크와 커뮤니케이션이 중요시 되고 있다. 이러한 시대의 흐름은 인프라 측면에서 네트워크의 트래픽을 폭증시키고, 많은 보안적인 문제를 야기하고 있다. 이에 임베디드 디바이스를 이용하여 네트워크를 운영하는 관리자에게 큰 도움을 주고, 업무 효율성을 높일 수 있는 포터블 형태의 네트워크 트래픽 탐지 시스템을 연구하게 되었다.

• The Journal of the Korea institute of electronic communication sciences
• /
• v.8 no.12
• /
• pp.1841-1848
• /
• 2013

In this paper, the plans for improvement of real-time security monitoring accuracy and expansion of control region were investigated through comprehensive and systematic collection and analysis of the anomalous activities that inflow and outflow in the network on a large scale in order to overcome the existing security monitoring system based on stylized detection patterns which could correspond to only very limited cyber attacks. This study established an anomaly observation system to collect, store and analyze a diverse infringement threat information flowing into the darknet network, and presented the information classification system of cyber threats, unknown anomalies and high-risk anomalous activities through the statistics based trend analysis of hacking. If this security monitoring system utilizing darknet traffic as presented in the study is applied, it was indicated that detection of all infringement threats was increased by 12.6 percent compared with conventional case and 120 kinds of new type and varietal attacks that could not be detected in the past were detected.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.36 no.2B
• /
• pp.131-140
• /
• 2011

As the number of Internet users and applications is increasing, the importance of application traffic classification is growing more and more for efficient network management. While a number of methods for traffic classification have been introduced, such as signature-based and machine learning-based methods, Skype application, which uses encrypted communication on its own P2P network, is known as one of the most difficult traffic to identify. In this paper we propose a novel method to identify Skype application traffic on the fly. The main idea is to setup a list of Skype host information {IP, port} by examining the packets generated in the Skype login process and utilizes the list to identify other Skype traffic. By implementing the identification system and deploying it on our campus network, we proved the performance and feasibility of the proposed method.

• Convergence Security Journal
• /
• v.6 no.4
• /
• pp.75-82
• /
• 2006

Internet worm gives various while we paralyze the network and flow the information out damages. In this paper, I suggest the method to prevent this. This method detect internet worm in PC first. and present the method to do an automatic confrontation. This method detect a traffic foundation network scanning of internet worm which is the feature and accomplish the confrontation. This method stop the process to be infected at the internet worm and prevent that traffic is flowed out to the outside. and This method isolate the execution file to be infected at the internet worm and move at a specific location for organizing at the postmortem so that we could accomplish the investigation about internet worm. Such method is useful to the radiation detection indication and computation of unknown internet worm. therefore, Stable network operation is possible through this method.