• Title/Summary/Keyword: Malicious Traffic Detection


Malicious Traffic Classification Using Mitre ATT&CK and Machine Learning Based on UNSW-NB15 Dataset (마이터 어택과 머신러닝을 이용한 UNSW-NB15 데이터셋 기반 유해 트래픽 분류)

  • Yoon, Dong Hyun; Koo, Ja Hwan; Won, Dong Ho
  • KIPS Transactions on Software and Data Engineering / v.12 no.2 / pp.99-110 / 2023
  • This study proposed a classification of malicious network traffic using the cyber threat framework (Mitre ATT&CK) and machine learning to solve the real-time traffic detection problems faced by current security monitoring systems. We applied a network traffic dataset called UNSW-NB15 to the Mitre ATT&CK framework to transform the labels and generated the final dataset through rare class processing. After training several boosting-based ensemble models on the generated final dataset, we demonstrated how these ensemble models classify network traffic using various performance metrics. Based on the F-1 score, we showed that XGBoost with no rare class processing is the best in the multi-class traffic environment. We recognized that machine learning ensemble models with Mitre ATT&CK label conversion and oversampling processing differ from existing studies, but have limitations due to (1) the inability to match perfectly when converting between existing datasets and Mitre ATT&CK labels and (2) the presence of excessive sparse classes. Nevertheless, Catboost with B-SMOTE achieved a classification accuracy of 0.9526, which is expected to be able to automatically detect normal/abnormal network traffic.

De-cloaking Malicious Activities in Smartphones Using HTTP Flow Mining

  • Su, Xin; Liu, Xuchong; Lin, Jiuchuang; He, Shiming; Fu, Zhangjie; Li, Wenjia
  • KSII Transactions on Internet and Information Systems (TIIS) / v.11 no.6 / pp.3230-3253 / 2017
  • Android malware steals users' private information, and embedded unsafe advertisement (ad) libraries execute unsafe code that causes damage to users. The majority of such traffic is HTTP and is mixed with other normal traffic, which makes the detection of malware and unsafe ad libraries a challenging problem. To address this problem, this work describes a novel HTTP traffic flow mining approach to detect and categorize Android malware and unsafe ad libraries. This work designed AndroCollector, which can automatically execute an Android application (app) and collect the network traffic traces. From these traces, this work extracts HTTP traffic features along three important dimensions: quantitative, timing, and semantic, and uses these features for characterizing malware and unsafe ad libraries. Based on these HTTP traffic features, this work describes a supervised classification scheme for detecting malware and unsafe ad libraries. In addition, to help network operators, this work describes a fine-grained categorization method that generates fingerprints from HTTP request methods for each malware family and unsafe ad library. This work evaluated the scheme using HTTP traffic traces collected from 10778 Android apps. The experimental results show that the scheme can detect malware with 97% accuracy and unsafe ad libraries with 95% accuracy when tested on the popular third-party Android markets.

A Conceptual Study on the Development of Intelligent Detection Model for the anonymous Communication bypassing the Cyber Defense System (사이버 방어체계를 우회하는 익명통신의 지능형 탐지모델개발을 위한 개념연구)

  • Jung, Ui Seob; Kim, Jae Hyun; Jeong, Chan Ki
  • Convergence Security Journal / v.19 no.4 / pp.77-85 / 2019
  • As the Internet continues to evolve, cyber attacks are becoming more precise and covert. Anonymous communication, which is used to protect personal privacy, is also being used for cyber attacks. Not only does it hide the attacker's IP address, but it also encrypts traffic, which allows users to bypass the information protection systems that most organizations and institutions use to defend against cyber attacks. For this reason, anonymous communication can be used as a means of attacking malicious code or for downloading additional malware. Therefore, this study aims to suggest a method to detect and block encrypted anonymous communication as quickly as possible through artificial intelligence. Furthermore, it will be applied to the defense to detect malicious communication and contribute to preventing the leakage of important data and cyber attacks.

A study on the managed security services(MSS) method for energy-based SCADA Systems (에너지 기반보호시설의 보안관제 방안에 관한 연구)

  • Jang, Jeong-Woo; Kim, Woo-Suk; Yoon, Ji-Won
  • Journal of the Korea Institute of Information Security & Cryptology / v.25 no.2 / pp.279-292 / 2015
  • In this study, we propose an effective network managed security services model that can detect the presence of potential malicious codes inside energy-based SCADA Systems. In particular, by analyzing data obtained in the same environment as the SCADA Systems, we develop detection factors applicable to the managed security services and propose the method for the network managed security services. Finally, the proposed network managed security services model, through simulation, proved the possibility of detecting malicious traffic in SCADA systems effectively.

The Design and Implementation of Network Intrusion Detection System Hardware on FPGA (FPGA 기반 네트워크 침입탐지 시스템 하드웨어 설계 및 구현)

  • Kim, Taek-Hun; Yun, Sang-Kyun
  • Journal of the Korea Society of Computer and Information / v.17 no.4 / pp.11-18 / 2012
  • Deep packet inspection, which performs pattern matching to search for malicious patterns in the packet, is the most computationally intensive task. Hardware-based pattern matching is required for real-time packet inspection in high-speed networks. In this paper, we have designed and implemented network intrusion detection hardware as a Microblaze-based SoC using a Virtex-6 FPGA, which captures the network input packet, performs hardware-based pattern matching for patterns in the Snort rules, and provides the matching result to the software. We verify the operation of the implemented system using a traffic generator and real network traffic. The implemented hardware can be used in a network intrusion detection system operating at wire speed.

Detection of Abnormal Traffic by Pre-Inflow Agent (사전유입 에이전트가 발생하는 이상트래픽 탐지 방안)

  • Cho, Young Min; Kwon, Hun Yeong
  • Journal of the Korea Institute of Information Security & Cryptology / v.28 no.5 / pp.1169-1177 / 2018
  • Modern society is a period of rapid digital transformation. This digital-centric business proliferation offers convenience and efficiency to businesses and individuals, but cyber threats are increasing. In particular, cyber attacks are becoming more and more intelligent and precise, and various attempts have been made to prevent these attacks from being discovered. Therefore, it is increasingly difficult to respond to such attacks. According to the cyber kill chain concept, the attacker penetrates to achieve the goal in several stages. We aim to detect one of these stages and neutralize the attack. In this paper, we propose a method to detect anomalous traffic caused by an agent attacking an external attacker, assuming that an agent executing a malicious action has been introduced in advance due to various reasons such as a system error or a user's mistake.

Modeling and Performance Analysis on the Response Capacity against Alert Information in an Intrusion Detection System (침입탐지시스템에서 경보정보에 대한 대응 능력 모델링 및 성능분석)

  • Jeon Yong-Hee; Jang Jung-Sook; Jang Jong-Soo
  • The KIPS Transactions: Part C / v.12C no.6 s.102 / pp.855-864 / 2005
  • In this paper, we propose an intrusion detection system (IDS) architecture which can detect and respond to the generation of abnormal traffic such as malicious code and Internet worms. We model the system, and design and implement a simulator using OPNET Modeller, for the performance analysis of the response capacity against alert information in the proposed system. At first, we model the arrival process of alert information resulting from abnormal traffic. In order to model the situation in which alert information is intensively produced, we apply the IBP (Interrupted Bernoulli Process), which may represent well the burstiness of traffic. Then we perform the simulation in order to gain some quantitative understanding of the system for our performance parameters. Based on the results of the performance analysis, we analyze factors which may hinder acceleration of the security node, and present some methods to enhance performance.

Research on Malware Classification with Network Activity for Classification and Attack Prediction of Attack Groups (공격그룹 분류 및 예측을 위한 네트워크 행위기반 악성코드 분류에 관한 연구)

  • Lim, Hyo-young; Kim, Wan-ju; Noh, Hong-jun; Lim, Jae-sung
  • The Journal of Korean Institute of Communications and Information Sciences / v.42 no.1 / pp.193-204 / 2017
  • The security of Internet systems critically depends on the capability to keep anti-virus (AV) software up-to-date and maintain high detection accuracy against new malware. However, malware variants evolve so quickly that they cannot be detected by conventional signature-based detection. In this paper, we propose a malware classification method based on sequence patterns generated from the network flow of malware samples. We evaluated our method with 766 malware samples and obtained a classification accuracy of approximately 40.4%. In this study, malicious codes were classified only by their network behavior, excluding code and other characteristics. Therefore, this study is expected to be further developed in the future. Also, we can predict the attack groups, and additional attacks can be prevented.

Detection of Anomaly VMS Messages Using Bi-Directional GPT Networks (양방향 GPT 네트워크를 이용한 VMS 메시지 이상 탐지)

  • Choi, Hyo Rim; Park, Seungyoung
  • The Journal of The Korea Institute of Intelligent Transport Systems / v.21 no.4 / pp.125-144 / 2022
  • When a variable message sign (VMS) system displays false information related to traffic safety as a result of malicious attacks, it could pose a serious risk to drivers. If the normal message patterns displayed on the VMS system are learned, it would be possible to detect and respond to anomalous messages quickly. This paper proposes a method for detecting anomalous messages by learning the normal patterns of messages using a bi-directional generative pre-trained transformer (GPT) network. In particular, the proposed method was trained using the normal messages and their system parameters to minimize the corresponding negative log-likelihood (NLL) values. After adequate training, the proposed method could detect an anomalous message when its NLL value was larger than a pre-specified threshold value. The experimental results showed that the proposed method could detect malicious messages and cases in which a system error occurs.

Study of Snort Intrusion Detection Rules for Recognition of Intelligent Threats and Response of Active Detection (지능형 위협인지 및 능동적 탐지대응을 위한 Snort 침입탐지규칙 연구)

  • Han, Dong-hee; Lee, Sang-jin
  • Journal of the Korea Institute of Information Security & Cryptology / v.25 no.5 / pp.1043-1057 / 2015
  • In order to recognize intelligent threats quickly and detect and respond to them actively, major public bodies and private institutions operate and administer an Intrusion Detection System (IDS), which plays a very important role in finding and detecting attacks. However, most IDS alerts have the problem of being false positives. In addition, in order to detect unknown malicious codes and recognize and respond to their threats in advance, APT response solutions or action-based systems are introduced and operated. These execute malicious codes directly using virtualization technology and detect abnormal activities in virtual environments or unknown attacks with other methods. However, these, too, have weaknesses such as evasion of the virtual environments, performance problems with total inspection of traffic, and errors in policy. Accordingly, for the effective detection of intrusions, it is consequently very important to enhance security monitoring. This study discusses a plan for the reduction of false positives as a plan for the enhancement of security monitoring. As a result of an experiment based on the empirical data of G, rules were drawn up in three types and 11 kinds. As a result of a test following these rules, it was verified that the overall detection rate decreased by 30% to 50%, and the performance was improved by over 30%.