• Journal of the Korea Convergence Society
• /
• v.8 no.8
• /
• pp.51-57
• /
• 2017

A wireless sensor network is composed of many resource constrained sensor nodes. These networks are attacked by malicious attacks like DDoS and routing attacks. In this paper, we propose the intrusion detection and prevention system using convergence of software-defined networking and security technology in wireless sensor networks. Our proposed scheme detects various intrusions in a central server by accumulating log messages of OpenFlow switch through SDN controller and prevents the intrusions by configuring OpenFlow switch. In order to validate our proposed scheme, we show it can detect and prevent some malicious attacks in wireless sensor networks.

• Convergence Security Journal
• /
• v.16 no.7
• /
• pp.21-29
• /
• 2016

Our society is currently exposed to environment of various information that is exchanged real time through networks. Especially regarding medical policy, the government rushes to practice remote medical treatment to improve the quality of medical services for citizens. The remote medical practice requires establishment of medical information based on big data for customized treatment regardless of where patients are. This study suggests establishment of regional medical cluster along with defense and protection cooperation models that in case service availability is harmed, and attacks occur, the attacks can be detected, and proper measures can be taken. For this, the study suggested forming networks with nationwide local government hospitals as regional virtual medical cluster bases by the same medical information system. The study also designed a mutual cooperation security model that can real time cope with IP Spoofing attack that can occur in the medical cluster and DDoS attacks accordingly, so that the limit that sole system and sole security policy have can be overcome.

• Journal of Korea Multimedia Society
• /
• v.16 no.8
• /
• pp.954-961
• /
• 2013

To enhance the efficiency of network, content-centric networking (CCN), one of future Internet architectures, allows network nodes to temporally cache transmitted contents and then to directly respond to request messages which are relevant to previously cached contents. Also, since CCN uses a hierarchical content-name, not a host identity like source/destination IP address, for request/response packet routing and CCN request message does not include requester's information for privacy protection, contents-providers/ network nodes can not identify practical requesters sending request messages. So to send back relevant contents, network nodes in CCN records both a request message and its incoming interfaces on Pending Interest Table (PIT). Then the devices refer PIT to return back a response message. If PIT is exhausted, the device can not normally handle request/response messages anymore. Hence, it is needed to detect/react attack to exhaust PIT. Hence, in this paper, we propose improved detection/reaction schemes against attacks to exhaust PIT. In practice, for fine-grained control, this proposal is applied to each incoming interface. Also, we propose the message framework to control attack traffic and evaluate the performance of our proposal.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.19 no.4
• /
• pp.51-61
• /
• 2009

Recently, the cyber-attacks using botnets are being increased, Because these attacks pursue the money, the criminal aspect is also being increased, There are spreading of spam mail, DDoS(Distributed Denial of Service) attacks, propagations of malicious codes and malwares, phishings. leaks of sensitive informations as cyber-attacks that used botnets. There are many studies about detection and mitigation techniques against centralized botnets, namely IRC and HITP botnets. However, P2P botnets are still in an early stage of their studies. In this paper, we analyzed the traffics of the Peacomm bot that is one of P2P-based storm bot by using honeynet which is utilized in active analysis of network attacks. As a result, we could see that the Peacomm bot sends a large number of UDP packets to the zombies in wide network through P2P. Furthermore, we could know that the Peacomm bot makes the scale of botnet maintained and extended through these results. We expect that these results are used as a basis of detection and mitigation techniques against P2P botnets.

• Journal of Internet Computing and Services
• /
• v.20 no.6
• /
• pp.11-20
• /
• 2019

Numerous enterprises, organizations and individual users are exposed to large DDoS (Distributed Denial of Service) attacks. DDoS attacks are performed through a BotNet, which is composed of a number of computers infected with a malware, e.g., zombie PCs and a special computer that controls the zombie PCs within a hierarchical chain of a command system. In order to detect a malware, a malware detection software or a vaccine program must identify the malware signature through an in-depth analysis, and these signatures need to be updated in priori. This is time consuming and costly. In this paper, we propose a botnet detection scheme that does not require a periodic signature update using an artificial neural network model. The proposed scheme exploits Word2Vec and accelerated hierarchical density-based clustering. Botnet detection performance of the proposed method was evaluated using the CTU-13 dataset. The experimental result shows that the detection rate is 99.9%, which outperforms the conventional method.

• Journal of KIISE:Information Networking
• /
• v.37 no.5
• /
• pp.339-350
• /
• 2010

Despite lots of efforts to obtain an accurate picture of structure at the level of individual ASes, there is a few application works using the AS-level Internet topology. In this paper, we show that the power-law fits the number of down-stream customer ASes very well and also present the distributions of AS links with the "public view" from UCLA IRL laboratory. Moreover, we obtain the distributions of source-destination pairs of routing hops for two sites in Korea and the United States, and then we propose a new method to decide the randomness of Internet traffic using the obtained distributions and the BGP valley-free routing policy. The randomness of traffic must be a portent of outbreak of the distributed denial-of-service attacks.

• Proceedings of the Korean Society of Computer Information Conference
• /
• 2019.01a
• /
• pp.119-122
• /
• 2019

최근 웹 변조 공격은 대형 포탈, 은행, 학교 등 접속자가 많은 홈페이지에 악성 URL을 불법 삽입하여 해당 URL을 통해 접속자 PC에 자동으로 악성코드 유포하고 대규모 봇넷(botnet)을 형성한 후 DDoS 공격을 수행하거나 감염 PC들의 정보를 지속적으로 유출하는 형태로 수행된다. 이때, 홈페이지에 삽입되는 악성 URL은 탐지가 어렵도록 Javascript 난독화 기법(obfuscation technique) 등으로 은밀히 삽입된다. 본 논문에서는 웹 소스코드에 은닉된 악성 Javascript URL들에 대한 일괄 점검체계를 제안하며, 구현된 점검체계의 prototype을 활용하여 점검성능에 대한 시험결과를 제시한다.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2004.05b
• /
• pp.412-415
• /
• 2004

As computers and networks become popular, corporation or country organization composes security network including various kinds information protection system to protect informations and resources from internet and is operating system and network. But current firewall and IDS(Intrusion Detection System) of the network level suffers from many vulnerabilities in internal computing informations and resources. In this paper, we design of ICMP-based Traceback System using a ICMP Traceback Message for efficiently traceback without change structure of routers. ICMP-based Traceback System. Create of ICMP message is managed by “Traceback Agent” mirroring port for router. Victim's systems that are received the message store it and “Traceback Manager” is detect a attack(like a DDoS). Using a information of this message starting a traceback and detecting a source of attacker, so response a attack.

• Journal of the Korea Society of Computer and Information
• /
• v.11 no.2 s.40
• /
• pp.351-360
• /
• 2006

Proposed security system attacks it, and detect it, and a filter generation, a business to be prompt of interception filtering dates at attack information public information. inner IPS to attack detour setting and a traffic band security, different connection security system, and be attack packet interceptions and service and port interception setting. Exchange new security rule and packet filtering for switch type implementation through dynamic reset memory by real time, and deal with a packet. The attack detection about DDoS, SQL Stammer, Bug bear, Opeserv worm etc. of the 2.5 Gbs which was an attack of a hacker consisted in network performance experiment by real time. Packet by attacks of a hacker was cut off, and ensured the normal inside and external network resources besides the packets which were normal by the results of active renewal.

• Proceedings of the Korea Institutes of Information Security and Cryptology Conference
• /
• 2002.11a
• /
• pp.161-165
• /
• 2002

최근 증가하고 있는 인터넷 및 기타 네트워크 시스템에 대한 위협은 그 공격의 목적과 기법, 피해의 종류가 늘어남에 따라 효과적인 대응책으로 단순한 기술적 접근 이외에 법률 및 심리, 사회 공학적 접근의 결합적인 대처방안이 강구되어야 할 것이다. 이를 효과적으로 보조할 수 있는 시스템이 Honeypot이다. 하지만 Honeypot 자체는 공격의 위협을 그 즉시 막는데는 별다른 능력이 없기 때문에 Honeypot 시스템의 의도대로 공격자가 속지 않거나 Honeypot의 정보가 다른 보안 도구와 보안 정책 갱신에 이용되기 이전의 공격에 대해서는 취약점을 가지고 있다. 이에 따라 본 논문에서는 기존의 Honeypot이 설치된 시스템의 효과적 활용을 위해 신경망 이론에 기반한 침입 탐지 모듈을 연동하며 이를 통해 초기 공격에 대한 Honeypot 시스템 보호, Honeypot 시스템이 활성화 된 다음의 상호 연동 효과 및 향후 과제 등을 기술한다. 또한 이에 대한 보다 확실한 접근을 위해 Honeypot 시스템을 통해 DDoS를 방어하도록 제안되었던 시스템의 취약점과 이를 효과적으로 해결할 수 있는 방법을 제안한다.