• Title/Summary/Keyword: Abnormal Traffic

Detecting LDoS Attacks based on Abnormal Network Traffic

  • Chen, Kai;Liu, Hui-Yu;Chen, Xiao-Su
    • KSII Transactions on Internet and Information Systems (TIIS) / v.6 no.7 / pp.1831-1853 / 2012
  • By periodically sending short bursts of traffic to reduce legitimate transmission control protocol (TCP) traffic, low-rate denial of service (LDoS) attacks are hard to detect and may covertly endanger a network for a long period. Traditionally, LDoS detection methods mainly concentrate on the attack stream with feature matching, and only a limited number of attack patterns can be detected off-line, at high cost. Recent research diverts focus from the attack stream to the traffic anomalies induced by LDoS attacks, which can detect more kinds of attacks with higher efficiency. However, the limited number of abnormal characteristics and the inadequacy of judgment rules may cause wrong decisions in some particular situations. In this paper, we address the problem of detecting LDoS attacks and present a scheme based on the fluctuant features of legitimate TCP and acknowledgment (ACK) traffic. In the scheme, we define judgment criteria used to identify LDoS attacks in real time at an optimal detection cost. We evaluate the performance of our strategy in real-world network topologies. Simulation results clearly demonstrate the superiority of the proposed method in detecting LDoS attacks.

FDANT-PCSV: Fast Detection of Abnormal Network Traffic Using Parallel Coordinates and Sankey Visualization (FDANT-PCSV: Parallel Coordinates 및 Sankey 시각화를 이용한 신속한 이상 트래픽 탐지)

  • Han, Ki hun;Kim, Huy Kang
    • Journal of the Korea Institute of Information Security & Cryptology / v.30 no.4 / pp.693-704 / 2020
  • As a company's network structure gets bigger and the number of security systems increases, it is not easy to quickly detect abnormal traffic from huge amounts of security system events. In this paper, we propose a traffic visualization analysis system (FDANT-PCSV) that can detect and analyze security events of information security systems such as firewalls in real time. FDANT-PCSV consists of Parallel Coordinates visualization using five factors (source IP, destination IP, destination port, packet length, processing status) and Sankey visualization using four factors (source IP, destination IP, number of events, data size) among security events. In addition, the use of a big-data-based SIEM enables real-time detection of network attacks and network failure traffic from the internet and intranet. FDANT-PCSV enables cyber security officers and network administrators to quickly and easily detect abnormal network traffic and respond quickly to network threats.

Design and Theoretical Analysis of a Stepwise Intrusion Prevention Scheme (단계적 비정상 트래픽 대응 기법 설계 및 이론적 분석)

  • Ko Kwangsun;Kang Yong-hyeog;Eom Young Ik
    • Journal of the Korea Institute of Information Security & Cryptology / v.16 no.1 / pp.55-63 / 2006
  • Recently, there has been much abnormal traffic driven by several worms, such as Nimda, Code Red, SQL Slammer, and so on, causing severe damage to networks. Meanwhile, diverse prevention schemes for defeating abnormal traffic have been studied in the academic and commercial worlds. In this paper, we present the structure of a stepwise intrusion prevention system that is designed to limit the network bandwidth of each network traffic flow and to drop abnormal traffic, and then compare the proposed scheme with a pre-existing scheme, which is a True/False-based anomaly prevention scheme for several worm patterns. There are two criteria for comparison of the schemes: Normal Traffic Rate (NTR) and False Positive Rate (FPR). Assuming that the abnormal traffic rate of a specific network is $\beta$ during a predefined time window, it is shown that the average NTR of our stepwise intrusion prevention scheme increases by a factor of $(1+\beta)/2$ over that of the True/False-based anomaly prevention scheme, and the average FPR of our scheme decreases by a factor of $(1+\beta)/2$.

Detecting Abnormal Patterns of Network Traffic by Analyzing Linear Patterns and Intensity Features (선형패턴과 명암 특징을 이용한 네트워크 트래픽의 이상현상 감지)

  • Jang, Seok-Woo;Kim, Gye-Young;Na, Hyeon-Suk
    • Journal of the Korea Society of Computer and Information / v.17 no.5 / pp.21-28 / 2012
  • Recently, the need for good techniques for detecting network traffic attacks has increased. In this paper, we suggest a new method of detecting abnormal patterns in network traffic data by visualizing their IP and port information as two-dimensional images. The proposed approach first generates four 2D images from the IP data of transmitters and receivers, and one 2D image from port data. Analyzing those images, it then extracts their major features, such as linear patterns or high intensity values, and determines whether the traffic data contain DDoS or DoS attacks. In a comparative evaluation of the proposed algorithm, we show that our abnormal pattern detection method outperforms the existing algorithm in terms of accuracy and speed.

A Study on Air Traffic Controllers' Cultural bias and Their Response on Abnormal Situations (항공교통관제사의 문화적 편향(Cultural Bias)에 따른 위기 대응 연구)

  • Kim, Geun-Su;Cho, Sung-Hwan
    • Journal of the Korean Society for Aviation and Aeronautics / v.26 no.4 / pp.64-75 / 2018
  • Air traffic controllers have the status of government officers, and air traffic controllers who work at airports are divided by duty rating and work experience. Abiding by law, rules and regulations, air traffic controllers work together based on mutual trust. This paper's theoretical background is based on cultural bias theory. The theory divides people into four groups according to cultural bias: fatalism, hierarchy, individualism and egalitarianism. A research model was designed to examine how these four cultural biases could affect air traffic controllers' risk response in case of an emergency or abnormal situation during their work. Based on empirical research, it was found that air traffic controllers perceived they had been more biased toward fatalism than hierarchy. The characteristics of the fatalism group are as follows: first of all, they follow rigid rules and regulations. However, they have less self-efficacy compared to other government officers. According to the structural equation model, air traffic controllers' fatalism had a significant negative effect on organizational loyalty. Their loyalty, however, had a very significant positive effect on planning response and immediate response.

Traffic Anomaly Detection for Campus Networks using Fisher Linear Discriminant (Fisher 선형 분류법을 이용한 비정상 트래픽 탐지)

  • Park, Hyun-Hee;Kim, Mee-Joung;Kang, Chul-Hee
    • Journal of IKEEE / v.13 no.2 / pp.140-149 / 2009
  • Traffic anomaly detection is one of the important technologies that should be considered in network security and administration. In this paper, we propose an abnormal traffic detection mechanism that includes traffic monitoring and traffic analysis. We develop an analytical passive monitoring system called WISE-Mon which can inspect traffic behavior. We establish a criterion by analyzing the characteristics of a traffic training set. To detect abnormal traffic, we derive a hyperplane by using Fisher linear discriminant and the chi-square distribution as well as the analyzed characteristics of the traffic. Our mechanism can provide reliable results for traffic anomaly detection and is compatible with real-time detection. In addition, since the trend of traffic can change as time passes, the hyperplane has to be updated periodically to reflect the changes. Accordingly, we consider a self-learning algorithm which reflects the trend of the traffic and so increases the pliability of the detection probability. Numerical results are presented to validate the accuracy of the proposed mechanism. They show that the proposed mechanism is reliable and relevant for traffic anomaly detection.
A Study on Traffic Anomaly Detection Scheme Based Time Series Model (시계열 모델 기반 트래픽 이상 징후 탐지 기법에 관한 연구)

  • Cho, Kang-Hong;Lee, Do-Hoon
    • The Journal of Korean Institute of Communications and Information Sciences / v.33 no.5B / pp.304-309 / 2008
  • This paper proposes a traffic anomaly detection scheme based on a time series model. We apply an ARIMA prediction model to this scheme and transform the value of the abnormal symptom into a probability value to maximize the detection of traffic anomaly symptoms. For this, we have evaluated the abnormal detection performance of the proposed model using total traffic and web traffic that included attack traffic. We expect this scheme to have a great effect if it is included in a network-based intrusion detection system.

A Policy-based Network Control Methodology for Large-scale IP Network (대규모 IP 네트워크에서 정책기반의 네트워크 제어방법 연구)

  • Oh, Jun-Suk;Son, Choon-Ho;Kim, Ki-Eung;Lee, Jae-Jin
    • Proceedings of the Korea Institute of Information and Communication Facilities Engineering Conference / 2008.08a / pp.364-367 / 2008
  • Many different types of network equipment are deployed in a large-scale IP network. In this operating environment, network service providers have difficulty controlling various equipment simultaneously when network faults happen in their overall or regional network due to physical link failure or abnormal traffic. This paper presents a policy-based methodology to control many different types of network equipment at the same time in abnormal cases. The key idea is that the NMS (Network Management System) keeps vendor-neutral control policies in normal times and that, when an abnormal case occurs in the network, the NMS transforms the selected policy into vendor-specific control commands and enforces them on various equipment simultaneously.
A Study for the Effect of Air Traffic Controller's Individual and Team Response against Emergency Situation on Organizational Effectiveness (비정상상황에 대한 항공교통관제사의 개인 및 팀 차원의 대응이 조직효과성에 미치는 영향 연구 : 인지전략 구성요인을 중심으로)

  • Jeon, Jong-Duk;Lee, Nam-Ryung;Lee, Jin-Sook;Park, Sung-Sik
    • Journal of the Korean Society for Aviation and Aeronautics / v.26 no.1 / pp.10-24 / 2018
  • This paper tried to analyze the response of air traffic controllers (ATC) to abnormal situations using a survey based on the cognitive strategies suggested by Malakis et al. (2010). The survey was designed to empirically analyze the effect of the cognitive strategy factors on organizational effectiveness. The main purposes of this research were as follows: first, to analyze both the individual-scale and team-scale factors which constitute the cognitive strategy against abnormal situations; secondly, to analyze how seriously the ATC's cognitive strategies impact their organizational effectiveness. Organizational effectiveness was divided into two latent variables: job absorption and job satisfaction. According to the analysis, it was proven that the premeditated acts of ATC had a significant positive effect on team-scale cognitive strategies such as teamwork, communication and error management. Moreover, it was found that the team-scale cognitive strategies also had a significant positive effect on job absorption. On the other hand, individual-scale cognitive strategies had no or a negative effect on job absorption. Job absorption was proven to have a significant effect on the job satisfaction of ATC.

Research on the E-Commerce Credit Scoring Model Using the Gaussian Density Function

  • Xiao, Qiang;He, Rui-chun;Zhang, Wei
    • Journal of Information Processing Systems / v.11 no.2 / pp.173-183 / 2015
  • At present, the electronic commerce credit scoring model is simple, and a "brush credit" phenomenon (fabricated transactions) has emerged in E-commerce. This phenomenon affects the judgment of consumers and hinders the rapid development of E-commerce. In this paper, an E-commerce credit evaluation model that uses a Gaussian density function is put forward, based on a density test and the analysis of anomalies in E-commerce credit ratings. It can find the abnormal points in credit scoring; these points are then calculated by a nonlinear credit scoring algorithm, which can thus effectively improve the current E-commerce credit score and enhance its accuracy.