• Journal of the Institute of Electronics Engineers of Korea CI
• /
• v.38 no.5
• /
• pp.37-43
• /
• 2001

Since Internet has been used anywhere, illegal intrusion to a certain host or network become the ciritical factor in security. Although many anomaly detection models have been proposed using the statistical analysis, data mining, genetic algorithm/programming to detect illegal intrusions, these models has defects to detect new types of intrusions. THRE-KBANN (theory-refinement knowledge-based artificial neural network) which can learn continuously based on KBANN, is proposed for the anomaly detection model in this paper. The performance of this model is compared with that of the model based on data mining using the experimental data. The ability of continual learning for the detection of new types of intrusions is also evaluated.

• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.18 no.5
• /
• pp.9-15
• /
• 2018

With the advent of the 5G communication era recently, advancement of the convergence technologies related to IoT has been progressed rapidly. IoT convergence technologies using various sensors are actively applied many fields in our lives, and it contributes to the popularization of these convergence technologies among many people successfully. The security problem of the IoT which connects many things on the network is critically vulnerable and is one of the most important challenge to be solved urgently. In this paper, we design an intrusion detection and self-treatment system for IoT, which can detect external attacks and anomalies in order to solve the security problems in IoT, perform self-treatment by operating the vaccine program according to the intrusion type whenever it detects certain intrusion. Furthermore, we consider the broadcasting of intrusion alarm message according to the frequency of similar circumstances in order to block intrusion contagious in IoT.

• Journal of KIISE:Information Networking
• /
• v.30 no.1
• /
• pp.97-116
• /
• 2003

Frequency of attacks on web services and the resulting damage continue to grow as web services become popular. Techniques used in web service attacks are usually different from traditional network intrusion techniques, and techniques to protect web services are badly needed. Unfortunately, conventional intrusion detection systems (IDS), especially those based on known attack signatures, are inadequate in providing reasonable degree of security to web services. An application-level IDS, tailored to web services, is needed to overcome such limitations. The first step in developing web application IDS is to analyze known attacks on web services and characterize them so that anomaly-based intrusion defection becomes possible. In this paper, we classified known attack techniques to web services by analyzing causes, locations where such attack can be easily detected, and the potential risks.

• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.11 no.3
• /
• pp.181-188
• /
• 2011

With the rapid proliferation of wireless networks and mobile computing applications, the landscape of the network security has greatly changed recently. Especially, Vehicular Ad Hoc Networks maintaining network topology with vehicle nodes of high mobility are self-organizing Peer-to-Peer networks that typically have short-lasting and unstable communication links. VANETs are formed with neither fixed infrastructure, centralized administration, nor dedicated routing equipment, and vehicle nodes are moving, joining and leaving the network with very high speed over time. So, VANET-security is very vulnerable for the intrusion of malicious and misbehaving nodes in the network, since VANETs are mostly open networks, allowing everyone connection without centralized control. In this paper, we propose a weighted intrusion detection method using rough set that can identify malicious behavior of vehicle node's activity and detect intrusions efficiently in VANETs. The performance of the proposed scheme is evaluated by a simulation study in terms of intrusion detection rate and false alarm rate for the threshold of deviation number ${\epsilon}$.

• Proceedings of the Korea Institutes of Information Security and Cryptology Conference
• /
• 2002.11a
• /
• pp.511-514
• /
• 2002

네트웍 환경에서의 침입이 중요한 보안상의 문제점이 된 이래로, 네트웍 기반의 침입탐지시스템중에서 비정상 침입탐지 (anomaly detection)의 방법 중 클러스터링을 이용한 시도들이 있었는데 기존의 방법이 네트웍 정보로부터 정상적인 클러스터들과 그렇지 않은 클러스터들 두 집단으로 크게 나누어 비교하는데 제안모델에서는 이를 좀 더 세분화하여 네트웍 서비스(network service)별로 정상적인 클러스터들과 그렇지 않은 클러스터들을 가지게 되는 방법으로 침입탐지율을 향상시켜 보고자 한다.

• The KIPS Transactions:PartC
• /
• v.13C no.3 s.106
• /
• pp.283-294
• /
• 2006

Hostile network traffic is often different from normal traffic in ways that can be distinguished without knowing the exact nature of the attack. In this paper, we propose a new anomaly detection method using inbound network traffic distributions. For this purpose, we first characterize the traffic of a real campus network by the distributions of IP protocols, packet length, destination IP/port addresses, TTL value, TCP SYN packet, and fragment packet. And then we introduce the concept of entropy to transform the obtained baseline traffic distributions into manageable values. Finally, we can detect the anomalies by the difference of entropies between the current and baseline distributions. In particular, we apply the well-known denial-of-service attacks to a real campus network and show the experimental results.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.10 no.4
• /
• pp.59-71
• /
• 2000

Due to the advance of computer and communication technology, intrusions or crimes using a computer have been increased rapidly while various information has been provided to users conveniently. As a results, many studies are necessary to detect the activities of intruders effectively. In this paper, a new association algorithm for the anomaly detection model is proposed in the process of generating user\`s normal patterns. It is that more recently observed behavior get more affection on the process of data mining. In addition, by clustering generated normal patterns for each use or a group of similar users, it is possible to identify the usual frequency of programs or command usage for each user or a group of uses. The performance of the proposed anomaly detection system has been tested on various system Parameters in order to identify their practical ranges for maximizing its detection rate.

• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.16 no.6
• /
• pp.287-294
• /
• 2016

APT attack aimed at the interruption of information and communication facilities and important information leakage of companies. it performs an attack using zero-day vulnerabilities, social engineering base on collected information, such as IT infra, business environment, information of employee, for a long period of time. Fragmentary response to cyber threats such as malware signature detection methods can not respond to sophisticated cyber-attacks, such as APT attacks. In this paper, we propose a cyber intrusion detection model for countermeasure of APT attack by utilizing heterogeneous system log into big-data. And it also utilizes that merging pattern-based detection methods and abnormality detection method.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2004.05a
• /
• pp.1063-1066
• /
• 2004

기존의 침입을 탐지하는 방법은 여러 가지가 있지만, 모든 침입을 다 탐지하지는 못하고 있다. 공격자는 알려지지 않은 취약점을 이용하거나 취득한 패스워드나 ID 계정을 이용하여 공격하고자 하는 시스템에 악의적인 행위를 한다. 이런 침입을 탐지하는 연구는 탐지엔진에 적용될 패턴구성 방법이 핵심이다. 본 논문에서는 기존의 사람이 패턴을 찾는 것을 자동화 시키고, 자동화된 패턴 구축 방법을 직접 시스템에 적용하여 침입을 탐지하는 방법을 제시하고자 한다. 그래서 알려지지 않은 침입을 탐지하기 위해 전문가 시스템을 이용하고 패턴을 지식 베이스화하는 작업과 그 지식을 추론할 수 있는 추론망을 추론망 자동 생성 기법으로 구성하여 비정상적인 침입을 탐지하는 방법을 본 논문에서 제시하고자 한다.

• Journal of Internet Computing and Services
• /
• v.23 no.5
• /
• pp.79-85
• /
• 2022

Anomaly detection is a method to detect and block abnormal data flows in general users' data sets. The previously known method is a method of detecting and defending an attack based on a signature using the signature of an already known attack. This has the advantage of a low false positive rate, but the problem is that it is very vulnerable to a zero-day vulnerability attack or a modified attack. However, in the case of anomaly detection, there is a disadvantage that the false positive rate is high, but it has the advantage of being able to identify, detect, and block zero-day vulnerability attacks or modified attacks, so related studies are being actively conducted. In this study, we want to deal with these anomaly detection mechanisms, and we propose a new mechanism that performs both anomaly detection and classification while supplementing the high false positive rate mentioned above. In this study, the experiment was conducted with five configurations considering the characteristics of various algorithms. As a result, the model showing the best accuracy was proposed as the result of this study. After detecting an attack by applying the Extra Tree and Three-layer ANN at the same time, the attack type is classified using the Extra Tree for the classified attack data. In this study, verification was performed on the NSL-KDD data set, and the accuracy was 99.8%, 99.1%, 98.9%, 98.7%, and 97.9% for Normal, Dos, Probe, U2R, and R2L, respectively. This configuration showed superior performance compared to other models.