• Title/Summary/Keyword: 행위 기반 공격 탐지

Search Result 148, Processing Time 0.027 seconds

Stateful Virtual Proxy Server for Attack Detection based on SIP Protocol State Monitoring Mechanism (SIP 프로토콜 상태정보 기반 공격 탐지 기능을 제공하는 가상 프록시 서버 설계 및 구현)

  • Lee, Hyung-Woo
    • Journal of Internet Computing and Services
    • /
    • v.9 no.6
    • /
    • pp.37-48
    • /
    • 2008
  • VoIP service is a transmission of voice data using SIP protocol on IP based network, The SIP protocol has many advantages such as providing IP based voice communication and multimedia service with cheap communication cost and so on. Therefore the SIP protocol spread out very quickly. But, SIP protocol exposes new forms of vulnerabilities on malicious attacks such as Message Flooding attack and protocol parsing attack. And it also suffers threats from many existing vulnerabilities like on IP based protocol. In this paper, we propose a new Virtual Proxy Server system in front of the existed Proxy Server for anomaly detection of SIP attack and stateful management of SIP session with enhanced security. Based on stateful virtual proxy server, out solution shows promising SIP Message Flooding attack verification and detection performance with minimized latency on SIP packet transmission.

  • PDF

Comparison of HMM and SVM schemes in detecting mobile Botnet (모바일 봇넷 탐지를 위한 HMM과 SVM 기법의 비교)

  • Choi, Byungha;Cho, Kyungsan
    • Journal of the Korea Society of Computer and Information
    • /
    • v.19 no.4
    • /
    • pp.81-90
    • /
    • 2014
  • As mobile devices have become widely used and developed, PC based malwares can be moving towards mobile-based units. In particular, mobile Botnet reuses powerful malicious behavior of PC-based Botnet or add new malicious techniques. Different from existing PC-based Botnet detection schemes, mobile Botnet detection schemes are generally host-based. It is because mobile Botnet has various attack vectors and it is difficult to inspect all the attack vector at the same time. In this paper, to overcome limitations of host-based scheme, we compare two network-based schemes which detect mobile Botnet by applying HMM and SVM techniques. Through the verification analysis under real Botnet attacks, we present detection rates and detection properties of two schemes.

Graph Database based Malware Behavior Detection Techniques (그래프 데이터베이스 기반 악성코드 행위 탐지 기법)

  • Choi, Do-Hyeon;Park, Jung-Oh
    • Journal of Convergence for Information Technology
    • /
    • v.11 no.4
    • /
    • pp.55-63
    • /
    • 2021
  • Recently, the incidence rate of malicious codes is over tens of thousands of cases, and it is known that it is almost impossible to detect/respond all of them. This study proposes a method for detecting multiple behavior patterns based on a graph database as a new method for dealing with malicious codes. Traditional dynamic analysis techniques and has applied a method to design and analyze graphs of representative associations malware pattern(process, PE, registry, etc.), another new graph model. As a result of the pattern verification, it was confirmed that the behavior of the basic malicious pattern was detected and the variant attack behavior(at least 5 steps), which was difficult to analyze in the past. In addition, as a result of the performance analysis, it was confirmed that the performance was improved by about 9.84 times or more compared to the relational database for complex patterns of 5 or more steps.

EDR platform construction using ELK Stack and Sysmon (ELK Stack과 Sysmon을 이용한 EDR 플랫폼 연구)

  • Shin, Hyun-chang;Kong, Seung-Jun;Oh, Myung-ho;Lee, Dong-hwi
    • Proceedings of the Korean Institute of Information and Commucation Sciences Conference
    • /
    • 2022.10a
    • /
    • pp.333-336
    • /
    • 2022
  • With the development of IT technology, cybercrime is becoming sophisticated and intelligent. In particular, in the case of BackDoor, which is used in the APT attack (intelligent continuous attack), it is very important to detect malicious behavior and respond to infringement because it is often unaware that it has been damaged by an attacker. This paper aims to build an EDR platform that can monitor, analyze, and respond to malicious behavior in real time by collecting, storing, analyzing, and visualizing logs in an endpoint environment in real time using open source-based analysis solutions ELK Stack and Sysmon.

  • PDF

A Study on the Hierarchical Integrated Security Management System for the Large Scale Organization (대규모 조직에 적합한 계층적 구조의 통합보안관리시스템에 관한 연구)

  • 박준홍;남길현
    • Proceedings of the Korea Institutes of Information Security and Cryptology Conference
    • /
    • 2001.11a
    • /
    • pp.348-352
    • /
    • 2001
  • 본 논문은 다양한 침입행위를 탐지하고 보안시스템의 효율적 관리를 보장하는 국방전산망과 같은 대규모 네트워크 환경에 적합한 계층적 구조의 통합보안관리시스템 모델에 대한 연구이다. 전산망 위협요소 및 공격유형에 따른 취약점을 분석하여 필요한 전산망 보호기술을 판단하고 침입차단/탐지시스템, 안티바이러스 시스템, 취약점분석 시스템 등의 보안시스템과 상호연동 모델을 분석하여, 도출된 요구사항을 기반으로 대규모 조직에 적합한 계층구조의 통합보안관리시스템의 구축 방안을 제시하였다.

  • PDF

Detecting Network Port Scanning Using Markov Chain Model (마르코프 체인 모델을 이용한 네트워크 포트 스캐닝의 탐지)

  • 한상준;조성배
    • Proceedings of the Korean Information Science Society Conference
    • /
    • 2003.04a
    • /
    • pp.305-307
    • /
    • 2003
  • 일반적으로 해킹이 이루어지기 위해서는 공격의 대상이 되는 시스템과 네트워크의 정보를 수집하는 사전단계가 필수적이다. 네트워크 포트 스캐닝은 이 시스템 정보 수집단계에서 중요한 역할을 하는 방법으로 주로 통신 프로토콜의 취약점을 이용하여 비정상적인 패킷을 보낸 후 시스템의 반응을 살피는 방법으로 수행된다. 본 논문에서는 마르코프 체인 모델을 이용한 비정상행위기법 기반의 포트 스캐닝을 탐지방법을 제안하고 여러 가지 은닉/비은닉 포트 스캐닝 방법에 대하여 좋은 성능을 나타냄을 보인다.

  • PDF

Clustering Network Traffic Data Based on FGM for Intrusion Detection (침입 탐지를 위한 FCM 기반의 네트웍 트래픽 데이터 클러스터링)

  • Kwak, Mi-Ra;Cho, Dong-Sub
    • Proceedings of the KIEE Conference
    • /
    • 2003.07d
    • /
    • pp.2528-2530
    • /
    • 2003
  • 여러 종류의 트래픽을 포함하는 네트웍 트래픽 데이터에서 각 종의 트래픽을 분류할 수 있는 능력은 네트웍 침입 탐지를 가능하게 하는 기본이다. 본 연구에서는 서비스 거부 공격과 사전 조사 행위 트래픽을 다른 트래픽으로부터 구분해 낼 수 있는 특징을 파악하고, 그것이 효과적인지 퍼지 c-means 기법으로 사용하여 실험 하였다.

  • PDF

The Scheme for Generate to Active Response Policy in Intrusion Detection System (침입 탐지 도구에서 능동 대응 정책 생성 방안)

  • Lee Jaw-Kwang;Paek Seung-Hyun;Oh Hyung-Geun;Park Eung-Ki;Kim Bong-Han
    • The Journal of the Korea Contents Association
    • /
    • v.6 no.1
    • /
    • pp.151-159
    • /
    • 2006
  • This paper studied active response policy generation scheme in intrusion detection system. We considered seven requirements of intrusion detection system for active response with components as the preceding study We presented the scheme which I can generate signature with a base with integrate one model with NIDS and ADS. We studied detection of the Unknown Attack which was active, and studied scheme for generated to be able to do signature automatically through Unknown Attack detection.

  • PDF

Botnet Traceback Based on Honeypot Using Memory Analysis (메모리 감시를 이용한 허니팟 기반의 봇넷 역추적)

  • Park, Chan-Ho;Kang, Kweon-Hak;Kwon, Young-Chan;Jang, Hee-Jin;Kim, Chul-Ho
    • Proceedings of the Korean Information Science Society Conference
    • /
    • 2007.06d
    • /
    • pp.25-28
    • /
    • 2007
  • 최근 인터넷에서는 붓넷을 기반으로 한 스팸 발송, 분산 서비스 거부 공격 등이 급증하고 있으며 이는 인터넷 기반 서비스에 큰 위협이 되고 있다. 간접 통신 메커니즘을 사용하는 봇넷 공격에 대한 근본적인 대응을 지원하는 역추적 기술의 개발이 필요하다. 본 논문에서는 메모리 감시 기반의 봇넷 역추적 기술을 제안한다. 이 기술은 메모리 감시 기술을 이용하여 봇 서버의 행위를 감시하며, 네트워크 감시를 통하여 봇 서버로 감염된 허니팟이 오용될 위험성을 낮춘다. 또한 봇 서버 정보에 대한 자동분석기능을 제공하여 공격탐지와 동시에 봇넷의 C&C 서버를 빠르게 추적한다.

  • PDF

Efficient Attack Traffic Detection Method for Reducing False Alarms (False Alarm 감축을 위한 효율적인 공격 트래픽 탐지 기법)

  • Choi, Il-Jun;Chu, Byoung-Gyun;Oh, Chang-Suk
    • Journal of the Korea Society of Computer and Information
    • /
    • v.14 no.5
    • /
    • pp.65-75
    • /
    • 2009
  • The development of IT technology, Internet popularity is increasing geometrically. However, as its side effect, the intrusion behaviors such as information leakage for key system and infringement of computation network etc are also increasing fast. The attack traffic detection method which is suggested in this study utilizes the Snort, traditional NIDS, filters the packet with false positive among the detected attack traffics using Nmap information. Then, it performs the secondary filtering using nessus vulnerability information and finally performs correlation analysis considering appropriateness of management system, severity of signature and security hole so that it could reduce false positive alarm message as well as minimize the errors from false positive and as a result, it raised the overall attack detection results.