• Title/Summary/Keyword: Anomaly


Effective Dimensionality Reduction of Payload-Based Anomaly Detection in TMAD Model for HTTP Payload

  • Kakavand, Mohsen;Mustapha, Norwati;Mustapha, Aida;Abdullah, Mohd Taufik
    • KSII Transactions on Internet and Information Systems (TIIS) / Vol. 10, No. 8 / pp.3884-3910 / 2016
  • Intrusion Detection System (IDS) in general considers a big amount of data that are highly redundant and irrelevant. This trait causes slow instruction, assessment procedures, high resource consumption and poor detection rate. Due to their expensive computational requirements during both training and detection, IDSs are mostly ineffective for real-time anomaly detection. This paper proposes a dimensionality reduction technique that is able to enhance the performance of IDSs up to constant time O(1) based on Principal Component Analysis (PCA). Furthermore, the present study offers a feature selection approach for identifying major components in real time. The PCA algorithm transforms high-dimensional feature vectors into a low-dimensional feature space, which is used to determine the optimum volume of factors. The proposed approach was assessed using HTTP packet payload of the ISCX 2012 IDS and DARPA 1999 datasets. The experimental outcome demonstrated that our proposed anomaly detection achieved promising results with a 97% detection rate and 1.2% false positive rate for the ISCX 2012 dataset and a 100% detection rate with 0.06% false positive rate for the DARPA 1999 dataset. Our proposed anomaly detection also achieved comparable performance in terms of computational complexity when compared to three state-of-the-art anomaly detection systems.

An Anomaly Detection Framework Based on ICA and Bayesian Classification for IaaS Platforms

  • Wang, GuiPing;Yang, JianXi;Li, Ren
    • KSII Transactions on Internet and Information Systems (TIIS) / Vol. 10, No. 8 / pp.3865-3883 / 2016
  • Infrastructure as a Service (IaaS) encapsulates computer hardware into a large amount of virtual and manageable instances mainly in the form of virtual machines (VMs), and provides rental service for users. Currently, VM anomaly incidents occasionally occur, which leads to performance issues and even downtime. This paper aims at detecting anomalous VMs based on performance metrics data of VMs. Due to the dynamic nature and increasing scale of IaaS, detecting anomalous VMs from voluminous correlated and non-Gaussian monitored performance data is a challenging task. This paper designs an anomaly detection framework to solve this challenge. First, it collects 53 performance metrics to reflect the running state of each VM. The collected performance metrics are testified not to follow the Gaussian distribution. Then, it employs independent component analysis (ICA) instead of principal component analysis (PCA) to extract independent components from the collected non-Gaussian performance metric data. For anomaly detection, it employs multi-class Bayesian classification to determine the current state of each VM. To evaluate the performance of the designed detection framework, four types of anomalies are separately or jointly injected into randomly selected VMs in a campus-wide testbed. The experimental results show that the ICA-based detection mechanism outperforms PCA-based and LDA-based detection mechanisms in terms of sensitivity and specificity.

The Decision Method of a Threshold in Sequence-based Anomaly Detection Sensor

  • 김용민;김민수;김홍근;노봉남
    • 정보처리학회논문지C / Vol. 8C, No. 5 / pp.507-516 / 2001
  • This paper implements a sequence-based anomaly detection sensor at the system-call level using SOM and HMM. It also analyzes which information in system calls is important and how the threshold value should be set. The new SOM filtering rules and reduction rules used in this paper were able to reduce the input size of the HMM. This reduction guarantees the real-time processing capability of HMM-based anomaly detection. In addition, by introducing the concept of an anomaly count, the sensitivity of the HMM detection results is dampened, which makes the detection results easier for users to understand and reduces false positives. Finally, the threshold value is adjusted actively so that the detection sensor can adapt to the state of the system.


A Probabilistic Sampling Method for Efficient Flow-based Analysis

  • Jadidi, Zahra;Muthukkumarasamy, Vallipuram;Sithirasenan, Elankayer;Singh, Kalvinder
    • Journal of Communications and Networks / Vol. 18, No. 5 / pp.818-825 / 2016
  • Network management and anomaly detection are challenges in high-speed networks due to the high volume of packets that have to be analysed. Flow-based analysis is a scalable method which reduces the high volume of network traffic by dividing it into flows. As sampling methods are extensively used in flow generators such as NetFlow, the impact of sampling on the performance of flow-based analysis needs to be investigated. Monitoring using sampled traffic is a well-studied research area; however, the impact of sampling on flow-based anomaly detection is a poorly researched area. This paper investigates flow sampling methods and shows that these methods have a negative impact on flow-based anomaly detection. Therefore, we propose an efficient probabilistic flow sampling method that can preserve the flow traffic distribution. The proposed sampling method takes into account two flow features: destination IP address and octet. The destination IP addresses are sampled based on the number of received bytes. Our method provides efficient sampled traffic which has the required traffic features for both flow-based anomaly detection and monitoring. The proposed sampling method is evaluated using a number of generated flow-based datasets. The results show improvement in preserved malicious flows.

A Study on the Performance Improvement of Anomaly-Based IDS Through the Improvement of Training Data

  • 문상태;이수진
    • 융합보안논문지 / Vol. 19, No. 4 / pp.181-188 / 2019
  • Recently, there have been active attempts to apply artificial intelligence techniques to generate the detection baseline in anomaly-based intrusion detection systems. However, most existing studies that propose applying AI techniques focus on improving the structure of artificial neural networks and finding optimal hyperparameter values, and do not address the various problems that can arise from poorly composed training data. This paper therefore identifies, through experiments, the main problems that can arise from poorly composed training data, and proposes a way to improve intrusion detection performance by reconstructing the training data to remedy those problems.

Detection of API (Anomaly Process Instance) Based on Distance for Process Mining

  • 전대욱;배혜림
    • 대한산업공학회지 / Vol. 41, No. 6 / pp.540-550 / 2015
  • There have been many attempts to find knowledge from data using conventional statistics, data mining, artificial intelligence, machine learning and pattern recognition. In those research areas, knowledge is approached in two ways. Firstly, researchers discover knowledge represented in general features for universal recognition, and secondly, they discover exceptional and distinctive features. In process mining, an instance is sequential information bounded by a case ID, known as a process instance. Here, an exceptional process instance can cause a problem in the analysis and discovery algorithm. Hence, in this paper we develop a method to detect the knowledge of exceptional and distinctive features when performing process mining. We propose a method for anomaly detection named Distance-based Anomaly Process Instance Detection (DAPID) which utilizes the distance between process instances. DAPID contributes to the discovery of distinctive characteristics of process instances. For verifying the suggested methodology, we discovered characteristics of exceptional situations from log data. Additionally, we experimented on real data from a domestic port terminal to demonstrate our proposed methodology.

Anomaly Detection for IEC 61850 Substation Network

  • 임용훈;유형욱;손태식
    • 정보보호학회논문지 / Vol. 23, No. 5 / pp.939-946 / 2013
  • This paper proposes a method for profiling the normal behavior of MMS/GOOSE packets for anomaly detection in IEC 61850-based automated substation networks. The signature-based security solutions in common use today are inevitably vulnerable to APT attacks that exploit zero-day vulnerabilities. Research on anomaly detection in control system environments has been conducted recently, but research on anomaly detection in the IEC 61850 substation environment is still not well known. The proposed technique includes a 3-phase preprocessing method for MMS/GOOSE packets and a normal-behavior modeling method using the one-class SVM algorithm. We expect the method presented in this paper to be used as a solution for countering APT attacks on IEC 61850 substation networks.

Nominal Price Anomaly in Emerging Markets: Risk or Mispricing?

  • HOANG, Lai Trung;PHAN, Trang Thu;TA, Linh Nhat
    • The Journal of Asian Finance, Economics and Business / Vol. 7, No. 9 / pp.125-134 / 2020
  • This study examines the nominal price anomaly in the Vietnamese stock market, that is, whether stocks with a low nominal price outperform stocks with a high nominal price. Using a sample of all 351 companies listed on the Ho Chi Minh Stock Exchange (HOSE) from June 2009 to March 2018, we confirm our hypothesis and document that cheaper stocks yield higher subsequent abnormal returns. The results are robust after controlling for various stock characteristics that have been documented to be value-relevant in prior literature, including firm size, book-to-market ratio, intermediate-term momentum, short-term reversal, skewness, market risk, idiosyncratic risk, illiquidity and extreme daily returns, using both the portfolio analysis and the Fama-MacBeth cross-sectional regression. The negative effect persists in the long term (i.e., after up to 12 months), implying a slow adjustment of stock prices to their intrinsic value. Further analysis shows that the observed nominal price anomaly is mainly driven by mispricing and not by a latent risk factor proxied by stock price; thus the observed anomaly reflects a mispricing and not a fundamental risk. The study highlights the irrational behaviour of investors and market inefficiency in the Vietnamese stock market and provides important implications for investors in the market.

Two Atypical Cases of First Branchial Cleft Anomalies

  • 김수종;김태훈;방승환;우정수
    • 대한두경부종양학회지 / Vol. 33, No. 1 / pp.31-34 / 2017
  • First branchial cleft anomaly is a very rare disease and exhibits various clinical presentations. Therefore, the diagnosis of first branchial cleft anomaly may be difficult; the condition is often misdiagnosed and mismanaged. Accurate diagnosis is very important, because if not diagnosed correctly, patients with first branchial cleft anomaly would be treated with local incision and drainage repeatedly. We report two cases of first branchial cleft anomaly. The first patient visited for recurrent swelling and discharge in the infra-auricular area with a history of previous incision and drainage. The other patient showed a cystic mass in the infra-auricular area, and both were misdiagnosed initially by their treating specialists elsewhere. The objective of this study is to share our experiences of first branchial cleft anomaly, and to emphasize its various clinical patterns and the significance of accurate diagnosis.

Threat Management System for Anomaly Intrusion Detection in Internet Environment

  • 김효남
    • 한국컴퓨터정보학회논문지 / Vol. 11, No. 5 / pp.157-164 / 2006
  • Recently, most Internet attacks have taken the form of little-known zero-day attacks carried out by malware, and misuse detection techniques, which detect already known attack types, have difficulty responding to such attacks. Moreover, because diverse attack patterns are appearing on the Internet, existing information security technologies have reached their limits, and as web-based services have become widespread, web services exposed on the Internet have become the main targets of attack. This paper proposes a Threat Management System that includes Anomaly Intrusion Detection Technologies capable of classifying the types of traffic on the Internet and detecting and analyzing anomalies according to each type.
