• Title/Summary/Keyword: Malicious Network Traffic

Search Result 86, Processing Time 0.027 seconds

A Study on the Analysis and Detection Method for Protecting Malware Spreading via E-mail (전자우편을 이용한 악성코드 유포방법 분석 및 탐지에 관한 연구)

  • Yang, Kyeong-Cheol;Lee, Su-Yeon;Park, Won-Hyung;Park, Kwang-Cheol;Lim, Jong-In
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.19 no.1
    • /
    • pp.93-101
    • /
    • 2009
  • This paper proposes the detection method of spreading mails which hacker injects malicious codes to steal the information. And I developed the 'Analysis model' which is decoding traffics when hacker's encoding them to steal the information. I researched 'Methodology of intrusion detection techniques' in the computer network monitoring. As a result of this simulation, I developed more efficient rules to detect the PCs which are infected malicious codes in the hacking mail. By proposing this security policy which can be applicable in the computer network environment including every government or company, I want to be helpful to minimize the damage by hacking mail with malicious codes.

Study on Outbound Traffic Monitoring with Bloom Filter (블룸필터를 이용한 아웃바운드 트래픽 모니터링 방안 연구)

  • Kang, Seong-Jung;Kim, Hyoung-Joong
    • Journal of Digital Contents Society
    • /
    • v.19 no.2
    • /
    • pp.327-334
    • /
    • 2018
  • When a PC is infected with a malicious code, it communicates with the control and command (C&C) server and, by the attacker's instructions, spreads to the internal network and acquires information. The company focuses on preventing attacks from the outside in advance, but malicious codes aiming at APT attacks are infiltrated into the inside somehow. In order to prevent the spread of the damage, it is necessary to perform internal monitoring to detect a PC that is infected with malicious code and attempts to communicate with the C&C server. In this paper, a destination IP monitoring method is proposed in this paper using Bloom filter to quickly and effectively check whether the destination IP of many packets is in the blacklist.

Refined identification of hybrid traffic in DNS tunnels based on regression analysis

  • Bai, Huiwen;Liu, Guangjie;Zhai, Jiangtao;Liu, Weiwei;Ji, Xiaopeng;Yang, Luhui;Dai, Yuewei
    • ETRI Journal
    • /
    • v.43 no.1
    • /
    • pp.40-52
    • /
    • 2021
  • DNS (Domain Name System) tunnels almost obscure the true network activities of users, which makes it challenging for the gateway or censorship equipment to identify malicious or unpermitted network behaviors. An efficient way to address this problem is to conduct a temporal-spatial analysis on the tunnel traffic. Nevertheless, current studies on this topic limit the DNS tunnel to those with a single protocol, whereas more than one protocol may be used simultaneously. In this paper, we concentrate on the refined identification of two protocols mixed in a DNS tunnel. A feature set is first derived from DNS query and response flows, which is incorporated with deep neural networks to construct a regression model. We benchmark the proposed method with captured DNS tunnel traffic, the experimental results show that the proposed scheme can achieve identification accuracy of more than 90%. To the best of our knowledge, the proposed scheme is the first to estimate the ratios of two mixed protocols in DNS tunnels.

The development of a ship's network monitoring system using SNMP based on standard IEC 61162-460

  • Wu, Zu-Xin;Rind, Sobia;Yu, Yung-Ho;Cho, Seok-Je
    • Journal of Advanced Marine Engineering and Technology
    • /
    • v.40 no.10
    • /
    • pp.906-915
    • /
    • 2016
  • In this study, a network monitoring system, including a secure 460-Network and a 460-Gateway, is designed and developed according with the requirements of the IEC (International Electro-Technical Commission) 61162-460 network standard for the safety and security of networks on board ships. At present, internal or external unauthorized access to or malicious attack on a ship's on board systems are possible threats to the safe operation of a ship's network. To secure the ship's network, a 460-Network was designed and implemented by using a 460-Switch, 460-Nodes, and a 460-Gateway that contains firewalls and a DMZ (Demilitarized Zone) with various application servers. In addition, a 460-firewall was used to block all traffic from unauthorized networks. 460-NMS (Network Monitoring System) is a network-monitoring software application that was developed by using an simple network management protocol (SNMP) SharpNet library with the .Net 4.5 framework and a backhand SQLite database management system, which is used to manage network information. 460-NMS receives network information from a 460-Switch by utilizing SNMP, SNMP Trap, and Syslog. 460-NMS monitors the 460-Network load, traffic flow, current network status, network failure, and unknown devices connected to the network. It notifies the network administrator via alarms, notifications, or warnings in case any network problem occurs. Once developed, 460-NMS was tested both in a laboratory environment and for a real ship network that had been installed by the manufacturer and was confirmed to comply with the IEC 61162-460 requirements. Network safety and security issues onboard ships could be solved by designing a secure 460-Network along with a 460-Gateway and by constantly monitoring the 460-Network according to the requirements of the IEC 61162-460 network standard.

A Study on Dual-IDS Technique for Improving Safety and Reliability in Internet of Things (사물인터넷 환경에서 안전성과 신뢰성 향상을 위한 Dual-IDS 기법에 관한 연구)

  • Yang, Hwanseok
    • Journal of Korea Society of Digital Industry and Information Management
    • /
    • v.13 no.1
    • /
    • pp.49-57
    • /
    • 2017
  • IoT can be connected through a single network not only objects which can be connected to existing internet but also objects which has communication capability. This IoT environment will be a huge change to the existing communication paradigm. However, the big security problem must be solved in order to develop further IoT. Security mechanisms reflecting these characteristics should be applied because devices participating in the IoT have low processing ability and low power. In addition, devices which perform abnormal behaviors between objects should be also detected. Therefore, in this paper, we proposed D-IDS technique for efficient detection of malicious attack nodes between devices participating in the IoT. The proposed technique performs the central detection and distribution detection to improve the performance of attack detection. The central detection monitors the entire network traffic at the boundary router using SVM technique and detects abnormal behavior. And the distribution detection combines RSSI value and reliability of node and detects Sybil attack node. The performance of attack detection against malicious nodes is improved through the attack detection process. The superiority of the proposed technique can be verified by experiments.

A Study on Improved Intrusion Detection Technique Using Distributed Monitoring in Mobile Ad Hoc Network (Mobile Ad Hoc Network에서 분산 모니터링을 이용한 향상된 침입탐지 기법 연구)

  • Yang, Hwanseok
    • Journal of Korea Society of Digital Industry and Information Management
    • /
    • v.14 no.1
    • /
    • pp.35-43
    • /
    • 2018
  • MANET composed of only wireless nodes is increasingly utilized in various fields. However, it is exposed to many security vulnerabilities because it doesn't have any infrastructure and transmits data by using multi-hop method. Therefore, MANET should be applied the intrusion detection technique that can detect efficiently malicious nodes and decrease impacts of various attacks. In this paper, we propose a distributed intrusion detection technique that can detect the various attacks while improving the efficiency of attack detection and reducing the false positive rate. The proposed technique uses the cluster structure to manage the information in the center and monitor the traffic of their neighbor nodes directly in all nodes. We use three parameters for attack detection. We also applied an efficient authentication technique using only key exchange without the help of CA in order to provide integrity when exchanging information between cluster heads. This makes it possible to free the forgery of information about trust information of the nodes and attack nodes. The superiority of the proposed technique can be confirmed through comparative experiments with existing intrusion detection techniques.

Measures for Adware and Spyware (애드웨어 및 스파이웨어 대응기법)

  • Kim, Bae-Hyun;Kwon, Moon-Taek
    • Convergence Security Journal
    • /
    • v.6 no.4
    • /
    • pp.41-47
    • /
    • 2006
  • Spyware is any technology that aids in gathering information about a person or organization with-out their knowledge. Software designed to serve advertising, known as adware, can usually be thought of as spyware as well because it almost invariably includes components for tracking and reporting user information. A piece of spyware and adware affect computers which can rapidly become infected with large numbers of spyware and adware components. Users frequently notice from un-wanted behavior and degradation of system performance, such as significant unwanted CPU activity, disk usage, and network traffic which thereby slows down legitimate uses of these resources. The presence of situation will continue because of rapid expansion of Internet usages. Therefore, security solutions, such as anti-adware and anti-spyware, for recovering these malfunction due to the malicious programs must be developed. However, studies on the malicious programs are still not sufficient. Accordingly, this paper has studied the malicious program techniques, based on the results of analysis of present adware and spyware techniques by employing collected samples, and presents efficient measures for blocking and remedying the malicious programs.

  • PDF

A Novel Technique to Detect Malicious Packet Dropping Attacks in Wireless Sensor Networks

  • Terence, J. Sebastian;Purushothaman, Geethanjali
    • Journal of Information Processing Systems
    • /
    • v.15 no.1
    • /
    • pp.203-216
    • /
    • 2019
  • The nature of wireless transmission has made wireless sensor networks defenseless against various attacks. This paper presents warning message counter method (WMC) to detect blackhole attack, grayhole attack and sinkhole attack in wireless sensor networks. The objective of these attackers are, to draw the nearby network traffic by false routing information and disrupt the network operation through dropping all the received packets (blackhole attack), selectively dropping the received packets (grayhole and sinkhole attack) and modifying the content of the packet (sinkhole attack). We have also attempted light weighted symmetric key cryptography to find data modification by the sinkhole node. Simulation results shows that, WMC detects sinkhole attack, blackhole attack and grayhole attack with less false positive 8% and less false negative 6%.

A Study on Response Technique of Routing Attack under Wireless Ad Hoc Network. Environment (Wireless Ad Hoc Network환경에서의 라우팅 공격 대응 기법에 관한 연구)

  • Yang, Hwan Seok
    • Journal of Korea Society of Digital Industry and Information Management
    • /
    • v.10 no.1
    • /
    • pp.105-112
    • /
    • 2014
  • The utilization of Wireless Ad Hoc Network which can build easily network using wireless device in difficult situation to build network is very good. However, it has security threat element because it transfers data by only forwarding of wireless devices. The measures against this should be prepared because damage by especially routing attack can affect the entire network. It is hard to distinguish malicious node and normal node among nodes composing network and it is not easy also to detect routing attack and respond to this. In this paper, we propose new method which detect routing attack and can respond to this. The amount of traffic in all nodes is measured periodically to judge the presence or absence of attack node on the path set. The technique that hides inspection packet to suspected node and transmits is used in order to detect accurately attack node in the path occurred attack. The experiment is performed by comparing SRAODA and SEAODV technique to evaluate performance of the proposed technique and the excellent performance can be confirmed.

A Building Method of Security Architecture Framework on the Medical Information Network Environment (의료정보시스템상에서의 네트워크 보안기능 프레임워크와 보안 아키텍쳐 설계방법)

  • Lee, Dae-Sung;Noh, Si-Choon
    • Convergence Security Journal
    • /
    • v.11 no.4
    • /
    • pp.3-9
    • /
    • 2011
  • On health information network architecture, traffic along the path of traffic and security, blocking malicious code penetration is performed. The medical information system network security infrastructure study, which was whether to be designed based on the structure and methodology is designed to develop the security features. Health informati on system's functionality and capabilities framework for infrastructure is the backbone and structure. The design fea tures a framework for the overall network structure formation of the skeleton and forms the basic structure of the security methodology. Infrastructure capabilities to build the framework and the application functionality is being implemented. Differentiated in accordance with security zones to perform security functions and security mechanisms that operate through this study is to present. u-Healthcare future advent of cloud computing and a new health information environment, the medical information on the preparation of this study is expected to be utilized for security.