• Title/Summary/Keyword: Intrusion Prevention System

Search Result 109, Processing Time 0.023 seconds

Design and Implementation of Anomaly Traffic Control framework based on Linux Netfilter System and CBQ Routing Mechanisms (리눅스 Netfilter시스템과 CBQ 라우팅 기능을 이용한 비정상 트래픽 제어 프레임워크 설계 및 구현)

  • 조은경;고광선;이태근;강용혁;엄영익
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.13 no.6
    • /
    • pp.129-140
    • /
    • 2003
  • Recently viruses and various hacking tools that threat hosts on a network becomes more intelligent and cleverer, and so the various security mechanisms against them have ken developed during last decades. To detect these network attacks, many NIPSs(Network-based Intrusion Prevention Systems) that are more functional than traditional NIDSs are developed by several companies and organizations. But, many previous NIPSS are hewn to have some weakness in protecting important hosts from network attacks because of its incorrectness and post-management aspects. The aspect of incorrectness means that many NIPSs incorrectly discriminate between normal and attack network traffic in real time. The aspect of post-management means that they generally respond to attacks after the intrusions are already performed to a large extent. Therefore, to detect network attacks in realtime and to increase the capability of analyzing packets, faster and more active responding capabilities are required for NIPS frameworks. In this paper, we propose a framework for real-time intrusion prevention. This framework consists of packet filtering component that works on netfilter in Linux kernel and traffic control component that have a capability of step-by-step control over abnormal network traffic with the CBQ mechanism.

PR Focus-뜨는 침입방지시스템(IPS) 시장

  • Korea Venture Business Association
    • Venture DIGEST
    • /
    • s.54
    • /
    • pp.9-9
    • /
    • 2004
  • 네트워크 보안업계가 최근 IPS(Intrusion Prevention System) 제품 출시와 개발에 열을 올리고 있는 가운데 경쟁력을 좌우하는 관건으로 기가비트 데이터 처리 속도가 떠오르고 있다. IPS는 네트워크 초입에 설치돼 실시간으로 유해 트래픽을 분석 차단해주는 능동형 보안제품. IPS는 방화벽처럼 네트워크 처리속도가 확보되지 않으면 전체 네트워크가 마비되는 인라인(IN LINE) 방식으로 설치되기 때문에 기가비트 처리 속도가 필수적으로 요구된다. 기가비트 처리 속도가 적어도 2Gbps급은 되어야 한다는 것. 이에 따라 보안업계에 기가비트급 IPS 출시와 개발이 붐을 이루고 있다.

  • PDF

Sensor based Intrusion Detection and Prevention System using LKM (LKM을 이용한 센서기반 침입 탐지 및 보호 시스템)

  • 장철연;조성제;최종무
    • Proceedings of the Korean Information Science Society Conference
    • /
    • 2003.10a
    • /
    • pp.694-696
    • /
    • 2003
  • 우리 생활은 컴퓨터와 인터넷의 발달로 많이 편리해 졌고 향상되었다. 그러나 예전엔 중요하게 생각하지 않았던 보안이라는 문제가 발생되었다. 그 해결책으로 많은 침입 탐지 시스템이 개발되었다. 본 논문에서는 주요 디렉토리 및 파일의 접근을 감시하며 중요한 정보가 외부로 유출되는 것을 막고 시스템을 보호하는 SIDPS를 제안한다. 이 시스템은 특정 패턴을 이용한 기존의 방식과는 다른“센서 파일/데이터”를 이용한다. 또한 LKM방식을 이용해 실행하도록 함으로서 손쉬운 설치 및 성능향상이 가능하도록 하였다.

  • PDF

A Design and Implementation of the IPS for Embedded Linux (임베디드 리눅스에서 IPS의 설계 및 구현)

  • 채경철;김상욱
    • Proceedings of the Korean Information Science Society Conference
    • /
    • 2002.10c
    • /
    • pp.634-636
    • /
    • 2002
  • 인터넷과 내장형 시스템의 발전으로 인하여 가정내의 모든 정보가전들이 홈 네트워크를 통하여 인터넷과 연결되어 있고 원격에서 제어가 가능하다. 또한 휴대폰, PDA와 같은 무선단말기를 이용한 정보검색, 메일송수신, 증권거래, 은행거래와 같은 다양한 전자상거래가 활발히 진행되고 있다. 이와 반면에 이런 정보가 전이나 무선단말기에 대한 해킹 바이러스 사례가 갈수록 많아지고 있다. 본 논문에서는 내장형 시스템인 임베디드 리눅스에서 IPS(Intrusion Prevention System)를 설계하고 구현하여 이런 정보가전이나 무선단말기에 대한 보안 방안을 제시한다.

  • PDF

Design of Network-based Real-time Connection Traceback System with Connection Redirection Technology

  • Choi, Yang-Sec;Kim, Hwan-Guk;Seo, Dong-Il;Lee, Sang-Ho
    • 제어로봇시스템학회:학술대회논문집
    • /
    • 2003.10a
    • /
    • pp.2101-2105
    • /
    • 2003
  • Recently the number of Internet users has very sharply increased, and the number of intrusions has also increased very much. Consequently, security products are being developed and adapted to prevent systems and networks from being hacked and intruded. Even if security products are adapted, however, hackers can still attack a system and get a special authorization because the security products cannot prevent a system and network from every instance of hacking and intrusion. Therefore, the researchers have focused on an active hacking prevention method, and they have tried to develop a traceback system that can find the real location of an attacker. At present, however, because of the characteristics of Internet - diversity, anonymity - the real-time traceback is very difficult. To over-come this problem the Network-based Real-Time Connection Traceback System (NRCTS) was proposed. But there is a security problem that the victim system can be hacked during the traceback. So, in this paper, we propose modified NRCTS with connection redirection technique. We call this traceback system as Connection Redirected Network-based Real-Time Connection Traceback System (CR-NRCTS).

  • PDF

Implementation and Design of Policy Based Security System for Integration Management (통합 관리를 위한 정책 기반의 보안시스템 설계 및 구현)

  • Kim, Yong-Tak;Lee, Jong-Min;Kim, Tai-Suk;Kwon, Oh-Jun
    • Journal of Korea Multimedia Society
    • /
    • v.10 no.8
    • /
    • pp.1052-1059
    • /
    • 2007
  • Network security system used in the large scale network composes individual security system which protects only own domain. Problems of individual security system are not to protect the backbone network and to be hard to cope with in real-time. In this paper we proposed a security system which includes security function at the router, and the access point, which exist at the backbone network, to solve the problems. This security system sends the alert messages to an integrated security management system after detecting intrusions. The integrated security management system releases confrontation plan to each suity system. Thus the systematic and immediate confrontation is possible. We analyzed function verification and efficiency by using the security system and the integrated security management system suggested in this paper. We confirmed this integrated security management system has a possibility of a systematic and immediate confrontation.

  • PDF

The Design and Implementation of High Performance Intrusion Prevention Algorithm based on Signature Hashing (시그너처 해싱 기반 고성능 침입방지 알고리즘 설계 및 구현)

  • Wang, Jeong-Seok;Jung, Yun-Jae;Kwon, H-Uing;Chung, Kyu-Sik;Kwak, Hu-Keun
    • The KIPS Transactions:PartC
    • /
    • v.14C no.3 s.113
    • /
    • pp.209-220
    • /
    • 2007
  • IPS(Intrusion Prevention Systems), which is installed in inline mode in a network, protects network from outside attacks by inspecting the incoming/outgoing packets and sessions, and dropping the packet or closing the sessions if an attack is detected in the packet. In the signature based filtering, the payload of a packet passing through IPS is matched with some attack patterns called signatures and dropped if matched. As the number of signatures increases, the time required for the pattern matching for a packet increases accordingly so that it becomes difficult to develop a high performance US working without packet delay. In this paper, we propose a high performance IPS based on signature hashing to make the pattern matching time independent of the number of signatures. We implemented the proposed scheme in a Linux kernel module in a PC and tested it using worm generator, packet generator and network performance measure instrument called smart bit. Experimental results show that the performance of existing method is degraded as the number of signatures increases whereas the performance of the proposed scheme is not degraded.

An Architecture Design of Distributed Internet Worm Detection System for Fast Response

  • Lim, Jung-Muk;Han, Young-Ju;Chung, Tai-Myoung
    • Proceedings of the Korea Society of Information Technology Applications Conference
    • /
    • 2005.11a
    • /
    • pp.161-164
    • /
    • 2005
  • As the power of influence of the Internet grows steadily, attacks against the Internet can cause enormous monetary damages nowadays. A worm can not only replicate itself like a virus but also propagate itself across the Internet. So it infects vulnerable hosts in the Internet and then downgrades the overall performance of the Internet or makes the Internet not to work. To response this, worm detection and prevention technologies are developed. The worm detection technologies are classified into two categories, host based detection and network based detection. Host based detection methods are a method which checks the files that worms make, a method which checks the integrity of the file systems and so on. Network based detection methods are a misuse detection method which compares traffic payloads with worm signatures and anomaly detection methods which check inbound/outbound scan rates, ICMP host/port unreachable message rates, and TCP RST packet rates. However, single detection methods like the aforementioned can't response worms' attacks effectively because worms attack the Internet in the distributed fashion. In this paper, we propose a design of distributed worm detection system to overcome the inefficiency. Existing distributed network intrusion detection systems cooperate with each other only with their own information. Unlike this, in our proposed system, a worm detection system on a network in which worms select targets and a worm detection system on a network in which worms propagate themselves cooperate with each other with the direction-aware information in terms of worm's lifecycle. The direction-aware information includes the moving direction of worms and the service port attacked by worms. In this way, we can not only reduce false positive rate of the system but also prevent worms from propagating themselves across the Internet through dispersing the confirmed worm signature.

  • PDF

Modeling and Implementation of Firewall and IPS for Security Simulation on Large-scale Network Using SSFNet (SSFNet을 이용한 대규모 네트워크상에서의 보안 시뮬레이션을 위한 방화벽과 IPS모듈의 모델링 및 구현)

  • Kim, Yong-Tak;Kwon, Oh-Jun;Kim, Tai-Suk
    • Journal of Korea Multimedia Society
    • /
    • v.9 no.8
    • /
    • pp.1037-1044
    • /
    • 2006
  • It's difficult to check cyber attacks and the performance of a security system in a real large-scale network. Generally, a new security system or the effect of a new security attack are checked by simulation. We use SSFNet to simulate our security system and cyber attack. SSFNet is an event-driven simulation tools based on process, which has a strength to be capable of expressing a large-scale network. But it doesn't offer any API's which can manipulate not only the related function of security but also the packet. In this paper, we developed a firewall and IPS class, used for a security system, and added to them components of SSFNet. The firewall is modelled a security system based on packet filtering. We checked the function of the firewall and the IPS with network modelled as using our SSFNet. The firewall blocks packets through rules of an address and port of packets. The result of this simulation shows that we can check a status of packets through a log screen of IPS installed in a router and confirm abnormal packet to be dropped.

  • PDF

A Slow Portscan Attack Detection and Countermove Mechanism based on Fuzzy Logic (퍼지 로직을 이용한 느린 포트스캔 공격 탐지 및 대응 기법)

  • Kim, Jae-Kwang;Yoon, Kwang-Ho;Lee, Seung-Hoon;Jung, Je-Hee;Lee, Jee-Hyong
    • Journal of the Korean Institute of Intelligent Systems
    • /
    • v.18 no.5
    • /
    • pp.679-684
    • /
    • 2008
  • The slow port scan attack detection is the one of the important topics in the network security. We suggest an abnormal traffic control framework to detect slow port scan attacks using fuzzy rules. The abnormal traffic control framework acts as an intrusion prevention system to suspicious network traffic. It manages traffic with a stepwise policy: first decreasing network bandwidth and then discarding traffic. In this paper, we show that our abnormal traffic control framework effectively detects slow port scan attacks traffic using fuzzy rules and a stepwise policy.