• Title/Summary/Keyword: 행위 기반 공격 탐지

Search Result 148, Processing Time 0.028 seconds

Design and Evaluation of an Anomaly Detection Method based on Cross-Feature Analysis using Rough Sets for MANETs (모바일 애드 혹 망을 위한 러프 집합을 사용한 교차 특징 분석 기반 비정상 행위 탐지 방법의 설계 및 평가)

  • Bae, Ihn-Han;Lee, Hwa-Ju
    • Journal of Internet Computing and Services
    • /
    • v.9 no.6
    • /
    • pp.27-35
    • /
    • 2008
  • With the proliferation of wireless devices, mobile ad-hoc networking (MANETS) has become a very exciting and important technology. However, MANET is more vulnerable than wired networking. Existing security mechanisms designed for wired networks have to be redesigned in this new environment. In this paper, we discuss the problem of anomaly detection in MANET. The focus of our research is on techniques for automatically constructing anomaly detection models that are capable of detecting new or unseen attacks. We propose a new anomaly detection method for MANETs. The proposed method performs cross-feature analysis on the basis of Rough sets to capture the inter-feature correlation patterns in normal traffic. The performance of the proposed method is evaluated through a simulation. The results show that the performance of the proposed method is superior to the performance of Huang method that uses cross-feature based on the probability of feature attribute value. Accordingly, we know that the proposed method effectively detects anomalies.

  • PDF

Policy Based DDoS Attack Mitigation Methodology (정책기반의 분산서비스거부공격 대응방안 연구)

  • Kim, Hyuk Joon;Lee, Dong Hwan;Kim, Dong Hwa;Ahn, Myung Kil;Kim, Yong Hyun
    • Journal of KIISE
    • /
    • v.43 no.5
    • /
    • pp.596-605
    • /
    • 2016
  • Since the Denial of Service Attack against multiple targets in the Korean network in private and public sectors in 2009, Korea has spent a great amount of its budget to build strong Internet infrastructure against DDoS attacks. As a result of the investments, many major governments and corporations installed dedicated DDoS defense systems. However, even organizations equipped with the product based defense system often showed incompetency in dealing with DDoS attacks with little variations from known attack types. In contrast, by following a capacity centric DDoS detection method, defense personnel can identify various types of DDoS attacks and abnormality of the system through checking availability of service resources, regardless of the types of specific attack techniques. Thus, the defense personnel can easily derive proper response methods according to the attacks. Deviating from the existing DDoS defense framework, this research study introduces a capacity centric DDoS detection methodology and provides methods to mitigate DDoS attacks by applying the methodology.

Design and Implementation of Scenario-based Attack Simulator using NS (NS를 이용한 시나리오기반 공격 시뮬레이터 설계 및 구현)

  • Choi, Hyang-Chang;Noh Bong-Nam;Lee Hyung-Hyo
    • Journal of Internet Computing and Services
    • /
    • v.7 no.5
    • /
    • pp.59-69
    • /
    • 2006
  • Generally, network attacks are based on a scenario composed of a series of single-attacks, scenario attacks are launched over a wide network environment and their targets are not apparent. it is required to analyze entire packets captured on the network. This method makes it difficult to detect accurate patterns of attacks because it unnecessarily analyzes even packets unrelated to attacks. In this paper, we design and implement a simulation system for attacks scenario, which helps packet classification connected with attacks. The proposed system constitutes a target network for analysis in a virtual simulation environment, and it simulates dumping TCPDUMP packets including scenario attacks under the constructed virtual environment, We believe that our proposed simulation system will be a useful tool when security administrators perform the analysis of patterns of attack scenarios.

  • PDF

Extendable Victimized-System-Based Attack Taxonomy (피해시스템 기반의 확장형 공격 분류기법)

  • Choi Youn-Sung;Choi Dong-Hyun;Jo Hea-Suk;Lee Young-Gyo;Kim Seung-Joo;Won Dong-Ho
    • Proceedings of the Korea Institutes of Information Security and Cryptology Conference
    • /
    • 2006.06a
    • /
    • pp.791-794
    • /
    • 2006
  • 컴퓨터의 정상적인 활동을 방해하는 공격행위는 네트워크로 연결된 컴퓨터를 기반으로 하는 사회 활동이 증가함에 따라 심각한 문제를 유발하고 있다. 하지만 기존의 네트워크 및 시스템공격에 대한 분류기법은 주로 공격자 입장에서 연구되어서 피해를 입은 시스템이 사용하기에는 부족하였다. 그래서 피해시스템 입장에서 공격을 정확히 분류하고 탐지할 수 있는 분류기법을 개발하는 것은 중요하다. 본 논문에서는 기존의 공격 분류방식을 분석하여 문제점을 발견한 후, 공격 분류방식이 가져야할 요구사항을 도출한다. 공격 분류기법의 요구사항을 만족하면서, 피해 시스템의 관리자가 공격에 대한 대책수립에 도움이 되는 공격 분류기법을 제안한다. 제안하는 분류기법은 공격방식에 따라 확장이 가능하므로 복합적 공격을 보다 정확하게 분류할 수 있다.

  • PDF

Attack Detection in Recommender Systems Using a Rating Stream Trend Analysis (평가 스트림 추세 분석을 이용한 추천 시스템의 공격 탐지)

  • Kim, Yong-Uk;Kim, Jun-Tae
    • Journal of Internet Computing and Services
    • /
    • v.12 no.2
    • /
    • pp.85-101
    • /
    • 2011
  • The recommender system analyzes users' preference and predicts the users' preference to items in order to recommend various items such as book, movie and music for the users. The collaborative filtering method is used most widely in the recommender system. The method uses rating information of similar users when recommending items for the target users. Performance of the collaborative filtering-based recommendation is lowered when attacker maliciously manipulates the rating information on items. This kind of malicious act on a recommender system is called 'Recommendation Attack'. When the evaluation data that are in continuous change are analyzed in the perspective of data stream, it is possible to predict attack on the recommender system. In this paper, we will suggest the method to detect attack on the recommender system by using the stream trend of the item evaluation in the collaborative filtering-based recommender system. Since the information on item evaluation included in the evaluation data tends to change frequently according to passage of time, the measurement of changes in item evaluation in a fixed period of time can enable detection of attack on the recommender system. The method suggested in this paper is to compare the evaluation stream that is entered continuously with the normal stream trend in the test cycle for attack detection with a view to detecting the abnormal stream trend. The proposed method can enhance operability of the recommender system and re-usability of the evaluation data. The effectiveness of the method was verified in various experiments.

Android-based Malware Detection Using SVM (SVM(Support Vector Machine)을 이용한 안드로이드 기반의 악성코드 탐지)

  • Kim, Ki-Hyun;Ham, Hyo-sik;Choi, Mi-Jung
    • Annual Conference of KIPS
    • /
    • 2013.11a
    • /
    • pp.771-773
    • /
    • 2013
  • 모바일 단말은 다양한 서비스와 컨텐츠를 지원하지만, 최근 모바일 악성코드의 급증으로 인하여 사용자에게 개인 정보 유출, 요금 과다 등의 피해를 초래하고 있다. 특히, 안드로이드 플랫폼은 오픈 플랫폼으로서 공격자들이 악성코드를 배포하기에 유리한 환경을 가지고 있어 시그니처/행위기반 분석방법을 통한 악성코드 탐지 연구가 활발히 진행되고 있다. 본 논문에서는 안드로이드 플랫폼에서 악성코드를 탐지하기 위한 Feature를 선정하였다. 또한 SVM(Support Vector Machine) 기계학습 알고리즘을 통하여 악성코드 탐지성능을 분석하고 우수성을 검증하였다.

A Study of Security Rule Management for Misuse Intrusion Detection Systems using Mobile Agent (오용 침입탐지 시스템에서 모바일 에이전트를 이용한 보안규칙 관리에 관한 연구)

  • Kim, Tae-Kyung;Lee, Dong-Young;Chung, Tai-M.
    • The KIPS Transactions:PartC
    • /
    • v.10C no.5
    • /
    • pp.525-532
    • /
    • 2003
  • This paper describes intrusion detection rule management using mobile agents. Intrusion detection can be divided into anomaly detection and misuse detection. Misuse detection is best suited for reliably detecting known use patterns. Misuse detection systems can detect many or all known attack patterns, but they are of little use for as yet unknown attack methods. Therefore, the introduction of mobile agents to provide computational security by constantly moving around the Internet and propagating rules is presented as a solution to misuse detection. This work presents a new approach for detecting intrusions, in which mobile agent mechanisms are used for security rules propagation. To evaluate the proposed approach, we compared the workload data between a rules propagation method using a mobile agent and a conventional method. Also, we simulated a rules management using NS-2 (Network Simulator) with respect to time.

A Study on Collection and Analysis Method of Malicious URLs Based on Darknet Traffic for Advanced Security Monitoring and Response (효율적인 보안관제 수행을 위한 다크넷 트래픽 기반 악성 URL 수집 및 분석방법 연구)

  • Kim, Kyu-Il;Choi, Sang-So;Park, Hark-Soo;Ko, Sang-Jun;Song, Jung-Suk
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.24 no.6
    • /
    • pp.1185-1195
    • /
    • 2014
  • Domestic and international CERTs are carrying out security monitoring and response services based on security devices for intrusion incident prevention and damage minimization of the organizations. However, the security monitoring and response service has a fatal limitation in that it is unable to detect unknown attacks that are not matched to the predefined signatures. In recent, many approaches have adopted the darknet technique in order to overcome the limitation. Since the darknet means a set of unused IP addresses, no real systems connected to the darknet. Thus, all the incoming traffic to the darknet can be regarded as attack activities. In this paper, we present a collection and analysis method of malicious URLs based on darkent traffic for advanced security monitoring and response service. The proposed method prepared 8,192 darknet space and extracted all of URLs from the darknet traffic, and carried out in-depth analysis for the extracted URLs. The analysis results can contribute to the emergence response of large-scale cyber threats and it is able to improve the performance of the security monitoring and response if we apply the malicious URLs into the security devices, DNS sinkhole service, etc.

A Study of Security Rule Management for Misuse Intrusion Detection Systems using Mobile Agen (오용침입탐지시스템에서보바일에이전트를이용한보안규칙관리에관한연구)

  • Kim, Tae-Kyoung;Seo, Hee-Suk;Kim, Hee-Wan
    • Journal of the Korea Computer Industry Society
    • /
    • v.5 no.8
    • /
    • pp.781-790
    • /
    • 2004
  • This paper describes intrusion detection rule mangement using mobile agents. Intrusion detection can be divided into anomaly detection and misuse detection. Misuse detection is best suited for reliably detecting known use patterns. Misuse detection systems can detect many or all known attack patterns, but they are of little use for as yet unknown attack methods. Therefore, the introduction of mobile agents to provide computational security by constantly moving around the Internet and propagating rules is presented as a solution to misuse detection. This work presents a new approach for detecting intrusions, in which mobile agent mechanisms are used for security rules propagation. To evaluate the proposed appraoch, we compared the workload data between a rules propagation method using a mobile agent and a conventional method. Also, we simulated a rules management using NS-2(Network Simulator) with respect to time.

  • PDF

A Countermeasure against a Whitelist-based Access Control Bypass Attack Using Dynamic DLL Injection Scheme (동적 DLL 삽입 기술을 이용한 화이트리스트 기반 접근통제 우회공격 대응 방안 연구)

  • Kim, Dae-Youb
    • Journal of IKEEE
    • /
    • v.26 no.3
    • /
    • pp.380-388
    • /
    • 2022
  • The traditional malware detection technologies collect known malicious programs and analyze their characteristics. Then such a detection technology makes a blacklist based on the analyzed malicious characteristics and checks programs in the user's system based on the blacklist to determine whether each program is malware. However, such an approach can detect known malicious programs, but responding to unknown or variant malware is challenging. In addition, since such detection technologies generally monitor all programs in the system in real-time, there is a disadvantage that they can degrade the system performance. In order to solve such problems, various methods have been proposed to analyze major behaviors of malicious programs and to respond to them. The main characteristic of ransomware is to access and encrypt the user's file. So, a new approach is to produce the whitelist of programs installed in the user's system and allow the only programs listed on the whitelist to access the user's files. However, although it applies such an approach, attackers can still perform malicious behavior by performing a DLL(Dynamic-Link Library) injection attack on a regular program registered on the whitelist. This paper proposes a method to respond effectively to attacks using DLL injection.