• ETRI Journal
• /
• v.43 no.1
• /
• pp.152-162
• /
• 2021

In the last few years, detection has become a powerful methodology for network protection and security. This paper presents a new detection scheme for data recorded over a computer network. This approach is applicable to the broad scientific field of information security, including intrusion detection and prevention. The proposed method employs bidimensional (time-frequency) data representations of the forms of the short-time Fourier transform, as well as the Wigner distribution. Moreover, the method applies matrix factorization using singular value decomposition and principal component analysis of the two-dimensional data representation matrices to detect intrusions. The current scheme was evaluated using numerous tests on network activities, which were recorded and presented in the KDD-NSL and UNSW-NB15 datasets. The efficiency and robustness of the technique have been experimentally proved.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2010.10a
• /
• pp.434-437
• /
• 2010

NIPS(Network Intrusion Prevention System) is in line at the end of the external and internal networks which performed two kinds of action: Signature-based filtering and anomaly detection and prevention-based on self-learning. Among them, a signature-based filtering is well known to defend against attacks. By using signature-based filtering, intrusion prevention system passing a payload of packets is compared with attack patterns which are signature. If match, the packet is discard. However, when there is packet delay, it will increase the required pattern matching time as the number of signature is increasing whenever there is delay occur. Therefore, to ensure the performance of IPS, we needed more efficient pattern matching algorithm for high-performance ISP. To improve the performance of pattern matching the most important part is to reduce the number of comparisons signature rules and the packet whenever the packets arrive. In this paper, we propose an improve signature hashing-based pattern matching method. We use tuple pruning algorithm with Bloom filters, which effectively remove unnecessary tuples. Unlike other existing signature hashing-based IPS, our proposed method to improve the performance of IPS.

• The Journal of the Korea Contents Association
• /
• v.9 no.4
• /
• pp.131-141
• /
• 2009

An increasing variety of malware, such as worms, spyware and adware, threatens both personal and business computing. Remotely controlled bot networks of compromised systems are growing quickly. This paper proposes an intrusion detection system based outflow traffic analysis. Many research efforts and commercial products have focused on preventing intrusion by filtering known exploits or unknown ones exploiting known vulnerabilities. Complementary to these solutions, the proposed IDS can detect intrusion of unknown new mal ware before their signatures are widely distributed. The proposed IDS is consists of a outflow detector, user monitor, process monitor and network monitor. To infer user intent, the proposed IDS correlates outbound connections with user-driven input at the process level under the assumption that user intent is implied by user-driven input. As a complement to existing prevention system, proposed IDS decreases the danger of information leak and protects computers and networks from more severe damage.

• The KIPS Transactions:PartC
• /
• v.14C no.3 s.113
• /
• pp.209-220
• /
• 2007

IPS(Intrusion Prevention Systems), which is installed in inline mode in a network, protects network from outside attacks by inspecting the incoming/outgoing packets and sessions, and dropping the packet or closing the sessions if an attack is detected in the packet. In the signature based filtering, the payload of a packet passing through IPS is matched with some attack patterns called signatures and dropped if matched. As the number of signatures increases, the time required for the pattern matching for a packet increases accordingly so that it becomes difficult to develop a high performance US working without packet delay. In this paper, we propose a high performance IPS based on signature hashing to make the pattern matching time independent of the number of signatures. We implemented the proposed scheme in a Linux kernel module in a PC and tested it using worm generator, packet generator and network performance measure instrument called smart bit. Experimental results show that the performance of existing method is degraded as the number of signatures increases whereas the performance of the proposed scheme is not degraded.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.13 no.6
• /
• pp.129-140
• /
• 2003

Recently viruses and various hacking tools that threat hosts on a network becomes more intelligent and cleverer, and so the various security mechanisms against them have ken developed during last decades. To detect these network attacks, many NIPSs(Network-based Intrusion Prevention Systems) that are more functional than traditional NIDSs are developed by several companies and organizations. But, many previous NIPSS are hewn to have some weakness in protecting important hosts from network attacks because of its incorrectness and post-management aspects. The aspect of incorrectness means that many NIPSs incorrectly discriminate between normal and attack network traffic in real time. The aspect of post-management means that they generally respond to attacks after the intrusions are already performed to a large extent. Therefore, to detect network attacks in realtime and to increase the capability of analyzing packets, faster and more active responding capabilities are required for NIPS frameworks. In this paper, we propose a framework for real-time intrusion prevention. This framework consists of packet filtering component that works on netfilter in Linux kernel and traffic control component that have a capability of step-by-step control over abnormal network traffic with the CBQ mechanism.

• Venture DIGEST
• /
• s.54
• /
• pp.9-9
• /
• 2004

네트워크 보안업계가 최근 IPS(Intrusion Prevention System) 제품 출시와 개발에 열을 올리고 있는 가운데 경쟁력을 좌우하는 관건으로 기가비트 데이터 처리 속도가 떠오르고 있다. IPS는 네트워크 초입에 설치돼 실시간으로 유해 트래픽을 분석 차단해주는 능동형 보안제품. IPS는 방화벽처럼 네트워크 처리속도가 확보되지 않으면 전체 네트워크가 마비되는 인라인(IN LINE) 방식으로 설치되기 때문에 기가비트 처리 속도가 필수적으로 요구된다. 기가비트 처리 속도가 적어도 2Gbps급은 되어야 한다는 것. 이에 따라 보안업계에 기가비트급 IPS 출시와 개발이 붐을 이루고 있다.

• Proceedings of the Korean Information Science Society Conference
• /
• 2003.10a
• /
• pp.694-696
• /
• 2003

우리 생활은 컴퓨터와 인터넷의 발달로 많이 편리해 졌고 향상되었다. 그러나 예전엔 중요하게 생각하지 않았던 보안이라는 문제가 발생되었다. 그 해결책으로 많은 침입 탐지 시스템이 개발되었다. 본 논문에서는 주요 디렉토리 및 파일의 접근을 감시하며 중요한 정보가 외부로 유출되는 것을 막고 시스템을 보호하는 SIDPS를 제안한다. 이 시스템은 특정 패턴을 이용한 기존의 방식과는 다른“센서 파일/데이터”를 이용한다. 또한 LKM방식을 이용해 실행하도록 함으로서 손쉬운 설치 및 성능향상이 가능하도록 하였다.

• Proceedings of the Korean Information Science Society Conference
• /
• 2002.10c
• /
• pp.634-636
• /
• 2002

인터넷과 내장형 시스템의 발전으로 인하여 가정내의 모든 정보가전들이 홈 네트워크를 통하여 인터넷과 연결되어 있고 원격에서 제어가 가능하다. 또한 휴대폰, PDA와 같은 무선단말기를 이용한 정보검색, 메일송수신, 증권거래, 은행거래와 같은 다양한 전자상거래가 활발히 진행되고 있다. 이와 반면에 이런 정보가 전이나 무선단말기에 대한 해킹 바이러스 사례가 갈수록 많아지고 있다. 본 논문에서는 내장형 시스템인 임베디드 리눅스에서 IPS(Intrusion Prevention System)를 설계하고 구현하여 이런 정보가전이나 무선단말기에 대한 보안 방안을 제시한다.

• Journal of Internet Computing and Services
• /
• v.17 no.3
• /
• pp.11-18
• /
• 2016

Accessing unauthorized rogue APs in WiFi environments is a very dangerous behavior which may lead WiFi users to be exposed to the various cyber attacks such as sniffing, phishing, and pharming attacks. Therefore, prompt and precise detection of rogue APs and properly alarming to the corresponding users has become one of most essential requirements for the WiFi security. This paper proposes a new rogue AP detection method which is mainly using the installation information of authorized APs and the DHCP snooping information of the corresponding switches. The proposed method detects rogue APs promptly and precisely, and notify in realtime to the corresponding users. Since the proposed method is simple and does not require any special devices, it is very cost-effective comparing to the wireless intrusion prevention systems which are normally based on a number of detection sensors and servers. And it is highly precise and prompt in rogue AP detection and flexible in deployment comparing to the existing rogue AP detection methods based on the timing information, location information, and white list information.

• Journal of KIISE
• /
• v.42 no.8
• /
• pp.1049-1056
• /
• 2015

Runtime Intrusion Prevention Evaluator (RIPE), published in 2011, is a benchmark suite for evaluating mitigation techniques against 850 attack patterns using only buffer overflow. Since RIPE is built as a single process, defense and attack routines cannot help sharing process states and address space layouts when RIPE is tested. As a result, attack routines can access the memory space for defense routines without restriction. We separate RIPE into two independent processes of defense and attacks so that mitigations based on confidentiality such as address space layout randomization are properly evaluated. In addition, we add an execution mode to test robustness against brute force attacks. Finally, we extend RIPE by adding 38 attack forms to perform format string attacks and virtual table (vtable) hijacking attacks. The revised RIPE contributes to the diversification of attack patterns and precise evaluation of the effectiveness of mitigations.