• Journal of the Korea Society for Simulation
• /
• v.17 no.2
• /
• pp.83-90
• /
• 2008

We introduce the coordination among the intrusion detection agents by BBA(BlackBoard Architecture) that belongs to the field of distributed artificial intelligence. The system which uses BBA for the coordination can be easily expanded by adding new agents and increasing the number of BB(BlackBoard) levels. Several simulation tests performed on the targer network will illustrate our techniques. And this paper applies PBN(Policy-Based Network) to reduce the false positives that is one of the main problems of IDS. The performance obtained from the coordination of intrusion detection agent with PBN is compared against the corresponding non PBN type intrusion detection agent. The application of the research results lies in the experimentation of the various security policies according to the network types in selecting the best security policy that is most suitable for a given network.

• Convergence Security Journal
• /
• v.6 no.2
• /
• pp.91-99
• /
• 2006

As the speed of network has fastened and the Internet has became common, an ill-intentioned aggression, such as worm and E-mail virus rapidly increased. So that there too many defenses created the recent Intrusion detection system as well as the Intrusion Prevention Systems to defense the malicious aggression to the network. Also as the form of malicious aggression has changed, at the same time the method of defense has changed. There is "snort" the most representive method of defense and its Rules file increases due to the change of aggression form. This causes decline of capability for detection. This paper suggest, design, and realize the structure for the improvement of processing capability by separating the files of Snort Rule according to o/s. This system show more improvement of the processing capability than the existing composion.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.2
• /
• pp.385-395
• /
• 2018

With the development of Internet, cyber attack has become a major threat. To detect cyber attacks, intrusion detection system(IDS) has been widely deployed. But IDS has a critical weakness which is that it generates a large number of false alarms. One of the promising techniques that reduce the false alarms in real time is machine learning. However, there are problems that must be solved to use machine learning. So, many machine learning approaches have been applied to this field. But so far, researchers have not focused on features. Despite the features of IDS alerts are important for performance of model, the approach to feature is ignored. In this paper, we propose new feature set which can improve the performance of model and can be extracted from a single alarm. New features are motivated from security analyst's know-how. We trained and tested the proposed model applied new feature set with real IDS alerts. Experimental results indicate the proposed model can achieve better accuracy and false positive rate than SVM model with ordinary features.

• ETRI Journal
• /
• v.34 no.6
• /
• pp.847-857
• /
• 2012

Intrusion detection systems (IDSs) have an important effect on system defense and security. Recently, most IDS methods have used transformed features, selected features, or original features. Both feature transformation and feature selection have their advantages. Neighborhood component analysis feature transformation and genetic feature selection (NCAGAFS) is proposed in this research. NCAGAFS is based on soft computing and data mining and uses the advantages of both transformation and selection. This method transforms features via neighborhood component analysis and chooses the best features with a classifier based on a genetic feature selection method. This novel approach is verified using the KDD Cup99 dataset, demonstrating higher performances than other well-known methods under various classifiers have demonstrated.

• Proceedings of the Korea Multimedia Society Conference
• /
• 2003.11a
• /
• pp.154-157
• /
• 2003

네트워크 상에서 송수신되는 데이터를 외부의 침입으로부터 보호하는 것은 매우 중요하며, 그 중 데이터의 무결성을 검증하고 보장하기 위한 방법으로 SSL(Secure Socket Layer)을 사용한다. 본 논문에서는 웹 환경에서 클라이언트와 서버간에 송수신되는 데이터의 무결성이 위배되었을 경우, 그 정보를 검증 및 관리할 수 있는 무결성 위배 데이터 검증 및 관리 시스템을 OpenSSL을 이용하여 구성하고, 꾑 서버를 통해 기록된 무결성 위배 로그 데이터는 IDS(Intrusion Detection System)로 전송하여 침입 탐지 정보와 항께 데이터의 무결성 검증 정보를 통합적으로 관리할 수 있도록 IDS와 연계된 무결성 정보 통합관리 시스템을 제안 및 설계하고자 한다.

• The KIPS Transactions:PartC
• /
• v.14C no.1 s.111
• /
• pp.1-6
• /
• 2007

In order to operate a secure network, it is very important for the network to raise positive detection as well as lower negative detection for reducing the damage from network intrusion. By using SVM on the intrusion detection field, we expect to improve real-time detection of intrusion data. However, due to classification based on calculating values after having expressed input data in vector space by SVM, continuous data type can not be used as any input data. Therefore, we present the hybrid model between SVM and decision tree method to make up for the weak point. Accordingly, we see that intrusion detection rate, F-P error rate, F-N error rate are improved as 5.6%, 0.16%, 0.82%, respectively.

• Convergence Security Journal
• /
• v.13 no.3
• /
• pp.33-38
• /
• 2013

Security between mobile nodes and efficient communication is one of the most important parts of the MANET. In particular, the wireless network is significantly higher for the attack threats because of collaborative structure for open communication media and communication. However, application of existing security mechanisms and intrusion detection system is not easy due to the characteristics of MANET. It is because collection and integration of adult data by the dynamic topology due to the mobility of nodes and many network sensors is difficult. In this study, we propose cooperative security system technique that can improve the reliability based on authentication assessing confidence about the whole nodes which joins to network and detect effectively this when intrusion occurs. Cluster head which manages the cluster performs CA role for the certificate issue and the gateway node performs role of intrusion detection system. Intrusion detection is performed by cooperating with neighboring nodes when attack is not detected in one intrusion detection node. The performance of the proposed method was confirmed through experiments comparing with the SRP technique.

• Convergence Security Journal
• /
• v.9 no.4
• /
• pp.21-27
• /
• 2009

In the environment of development of network bandwidth and intrusion technology there is limit to the pattern analysis of all massed packets through the existing pattern matching method by the intrusion detection system. To detect the packets efficiently when they are received fragmented, it has been presented the matching method only the pattern of packets consisting with the operation system such as Esnort. Pattern matching performance is improved through the use of NMAP, the basic mechanism od Esnort, by scanning the operation system of the same network system and appling pattern match selectively scanned information and the same operation system as the received packets. However, it can be appeared the case of disregarding the receivied packets depending on the diversity of the kind of operation systems and recognition mistake of operation system of nmap. In this paper, we present and verify the improved intrusion detection system shortening the pattern matching time by the creation of hashy table through the pattern hash of intrusion detection system independently with the users system environment .in the state of flux.

• Journal of the Korea Society of Computer and Information
• /
• v.12 no.1 s.45
• /
• pp.127-135
• /
• 2007

As the Internet is used widely, criminal offense that use computer is increasing, and an information security technology to remove this crime is becoming competitive power of the country. In this paper, we suggest network-based intrusion detection system that use fuzzy expert system. This system can decide quick intrusion decision from attack pattern applying fuzzy rule through the packet classification method that is done similarity of protocol and fixed time interval. Proposed system uses fuzzy logic to detect attack from network traffic, and gets analysis result that is automated through fuzzy reasoning. In present network environment that must handle mass traffic, this system can reduce time and expense of security

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.29 no.7C
• /
• pp.985-996
• /
• 2004

In order to solve the increasing security problems, IDSs(Intrusion Detection System) have appeared. However, local IDSs have a limit to detect various intrusions in a large-scale network environment. So there are a lot of researches in progress which organize the elements of IDS in a distributed or hierarchical manner. In this paper, we design a integrated IDS which exchanges messages between them through the standardized message format (IDMEF) and communication protocol (IDXP). We also propose a policy profile for an effective control of IDSs, and employ the PKI mechanism for mutual authentication. We implement a prototype system for the proposed IDSs communicating with Snort and analyze its performance.