• Title/Summary/Keyword: Malicious Traffic Detection

Search Result 66, Processing Time 0.025 seconds

Wireless DDoS Attack Detection and Prevention Mechanism using Packet Marking and Traffic Classification on Integrated Access Device (IAD 기반 패킷 마킹과 유무선 트래픽 분류를 통한 무선 DDoS 공격 탐지 및 차단 기법)

  • Jo, Je-Gyeong;Lee, Hyung-Woo;Park, Yeoung-Joon
    • The Journal of the Korea Contents Association
    • /
    • v.8 no.6
    • /
    • pp.54-65
    • /
    • 2008
  • When DDoS attack is achieved, malicious host discovering is more difficult on wireless network than existing wired network environment. Specially, because wireless network is weak on wireless user authentication attack and packet spoofing attack, advanced technology should be studied in reply. Integrated Access Device (IAD) that support VoIP communication facility etc with wireless routing function recently is developed and is distributed widely. IAD is alternating facility that is offered in existent AP. Therefore, advanced traffic classification function and real time attack detection function should be offered in IAD on wireless network environment. System that is presented in this research collects client information of wireless network that connect to IAD using AirSensor. And proposed mechanism also offers function that collects the wireless client's attack packet to monitoring its legality. Also the proposed mechanism classifies and detect the attack packet with W-TMS system that was received to IAD. As a result, it was possible for us to use IAD on wireless network service stably.

The Traffic Analysis of P2P-based Storm Botnet using Honeynet (허니넷을 이용한 P2P 기반 Storm 봇넷의 트래픽 분석)

  • Han, Kyoung-Soo;Lim, Kwang-Hyuk;Im, Eul-Gyu
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.19 no.4
    • /
    • pp.51-61
    • /
    • 2009
  • Recently, the cyber-attacks using botnets are being increased, Because these attacks pursue the money, the criminal aspect is also being increased, There are spreading of spam mail, DDoS(Distributed Denial of Service) attacks, propagations of malicious codes and malwares, phishings. leaks of sensitive informations as cyber-attacks that used botnets. There are many studies about detection and mitigation techniques against centralized botnets, namely IRC and HITP botnets. However, P2P botnets are still in an early stage of their studies. In this paper, we analyzed the traffics of the Peacomm bot that is one of P2P-based storm bot by using honeynet which is utilized in active analysis of network attacks. As a result, we could see that the Peacomm bot sends a large number of UDP packets to the zombies in wide network through P2P. Furthermore, we could know that the Peacomm bot makes the scale of botnet maintained and extended through these results. We expect that these results are used as a basis of detection and mitigation techniques against P2P botnets.

A Preemptive Detection Method for Unknown IoT Botnet Based on Darknet Traffic (다크넷 트래픽 기반의 알려지지 않은 IoT 봇넷 선제탐지 방안)

  • Gunyang Park;Jungsuk Song;Heejun Roh
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.33 no.2
    • /
    • pp.267-280
    • /
    • 2023
  • With development of computing and communications technologies, IoT environments based on high-speed networks have been extending rapidly. Especially, from home to an office or a factory, applications of IoT devices with sensing environment and performing computations are increasing. Unfortunately, IoT devices which have limited hardware resources can be vulnerable to cyber attacks. Hence, there is a concern that an IoT botnet can give rise to information leakage as a national cyber security crisis arising from abuse as a malicious waypoint or propagation through connected networks. In order to response in advance from unknown cyber threats in IoT networks, in this paper, We firstly define four types of We firstly define four types of characteristics by analyzing darknet traffic accessed from an IoT botnet. Using the characteristic, a suspicious IP address is filtered quickly. Secondly, the filtered address is identified by Cyber Threat Intelligence (CTI) or Open Source INTelligence (OSINT) in terms of an unknown suspicious host. The identified IP address is finally fingerprinted to determine whether the IP is a malicious host or not. To verify a validation of the proposed method, we apply to a Darknet on real-world SOC. As a result, about 1,000 hosts who are detected and blocked preemptively by the proposed method are confirmed as real IoT botnets.

Filtering and Intrusion Detection Approach for Secured Reconfigurable Mobile Systems

  • Idriss, Rim;Loukil, Adlen;Khalgui, Mohamed;Li, Zhiwu;Al-Ahmari, Abdulrahman
    • Journal of Electrical Engineering and Technology
    • /
    • v.12 no.5
    • /
    • pp.2051-2066
    • /
    • 2017
  • This paper deals with reconfigurable secured mobile systems where the reconfigurability has the potential of providing a required adaptability to change the system requirements. The reconfiguration scenario is presented as a run-time automatic operation which allows security mechanisms and the addition-removal-update of software tasks. In particular, there is a definite requirement for filtering and intrusion detection mechanisms that will use fewer resources and also that will improve the security on the secured mobile devices. Filtering methods are used to control incoming traffic and messages, whereas, detection methods are used to detect malware events. Nevertheless, when different reconfiguration scenarios are applied at run-time, new security threats will be emerged against those systems which need to support multiple security objectives: Confidentiality, integrity and availability. We propose in this paper a new approach that efficiently detects threats after reconfigurable scenarios and which is based on filtering and intrusion detection methods. The paper's contribution is applied to Android where the evaluation results demonstrate the effectiveness of the proposed middleware in order to detect the malicious events on reconfigurable secured mobile systems and the feasibility of running and executing such a system with the proposed solutions.

Intrusion Detection Methodology for SCADA system environment based on traffic self-similarity property (트래픽 자기 유사성(Self-similarity)에 기반한 SCADA 시스템 환경에서의 침입탐지방법론)

  • Koh, Pauline;Choi, Hwa-Jae;Kim, Se-Ryoung;Kwon, Hyuk-Min;Kim, Huy-Kang
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.22 no.2
    • /
    • pp.267-281
    • /
    • 2012
  • SCADA system is a computer system that monitors and controls the national infrastructure or industrial process including transportation facilities, water treatment and distribution, electrical power transmission and distribution, and gas pipelines. The SCADA system has been operated in a closed network, but it changes to open network as information and communication technology is developed rapidly. As the way of connecting with outside user extends, the possibility of exploitation of vulnerability of SCADA system gets high. The methodology to protect the possible huge damage caused by malicious user should be developed. In this paper, we proposed anomaly detection based intrusion detection methodology by estimating self-similarity of SCADA system.

Traffic Analysis Architecture for Secure Industrial Control System (안전한 제어시스템 환경을 위한 트래픽 분석망 설계)

  • Lee, Eun-Ji;Kwak, Jin
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.26 no.5
    • /
    • pp.1223-1234
    • /
    • 2016
  • The Industrial control system is adopted by various industry field and national infrastructure, therefore if it received cyber attack, the serious security problems can be occured in the public sector. For this reason, security requirements of the industrial control system have been proposed, in accordance with the security guidelines of the electronic control system, and it is operated by separate from the external and the internal network. Nevertheless, cyber attack by malware (such as Stuxnet) targeting to control system have been occurred continuously, and also the real-time detection of untrusted traffic is very difficult because there are some difficulty of keeping up with quickly evolving the advent of new-variant malicious codes. In this paper, we propose the traffic analysis architecture for providing secure industrial control system based on the analyzed the security threats, the security requirements, and our proposed architecture.

Detecting Jamming Attacks in MANET (MANET에서의 전파방해 공격 탐지)

  • Shrestha, Rakesh;Lee, Sang-Duk;Choi, Dong-You;Han, Seung-Jo
    • Journal of the Korea Institute of Information and Communication Engineering
    • /
    • v.13 no.3
    • /
    • pp.482-488
    • /
    • 2009
  • Mobile Ad-hoc Networks provide communication without a centralized infrastructure, which makes them suitable for communication in disaster areas or when quick deployment is needed. On the other hand, they are susceptible to malicious exploitation and have to face different challenges at different layers due to its open Ad-hoc network structure which lacks previous security measures. Denial of service (DoS) attack is one that interferes with the radio transmission channel causing a jamming attack. In this kind of attack, an attacker emits a signal that interrupts the energy of the packets causing many errors in the packet currently being transmitted. In harsh environments where there is constant traffic, a jamming attack causes serious problems; therefore measures to prevent these types of attacks are required. The objective of this paper is to carry out the simulation of the jamming attack on the nodes and determine the DoS attacks in OPNET so as to obtain better results. We have used effective anomaly detection system to detect the malicious behaviour of the jammer node and analyzed the results that deny channel access by jamming in the mobile Ad-hoc networks.

A Network Packet Analysis Method to Discover Malicious Activities

  • Kwon, Taewoong;Myung, Joonwoo;Lee, Jun;Kim, Kyu-il;Song, Jungsuk
    • Journal of Information Science Theory and Practice
    • /
    • v.10 no.spc
    • /
    • pp.143-153
    • /
    • 2022
  • With the development of networks and the increase in the number of network devices, the number of cyber attacks targeting them is also increasing. Since these cyber-attacks aim to steal important information and destroy systems, it is necessary to minimize social and economic damage through early detection and rapid response. Many studies using machine learning (ML) and artificial intelligence (AI) have been conducted, among which payload learning is one of the most intuitive and effective methods to detect malicious behavior. In this study, we propose a preprocessing method to maximize the performance of the model when learning the payload in term units. The proposed method constructs a high-quality learning data set by eliminating unnecessary noise (stopwords) and preserving important features in consideration of the machine language and natural language characteristics of the packet payload. Our method consists of three steps: Preserving significant special characters, Generating a stopword list, and Class label refinement. By processing packets of various and complex structures based on these three processes, it is possible to make high-quality training data that can be helpful to build high-performance ML/AI models for security monitoring. We prove the effectiveness of the proposed method by comparing the performance of the AI model to which the proposed method is applied and not. Forthermore, by evaluating the performance of the AI model applied proposed method in the real-world Security Operating Center (SOC) environment with live network traffic, we demonstrate the applicability of the our method to the real environment.

A Study on Response Technique of Routing Attack under Wireless Ad Hoc Network. Environment (Wireless Ad Hoc Network환경에서의 라우팅 공격 대응 기법에 관한 연구)

  • Yang, Hwan Seok
    • Journal of Korea Society of Digital Industry and Information Management
    • /
    • v.10 no.1
    • /
    • pp.105-112
    • /
    • 2014
  • The utilization of Wireless Ad Hoc Network which can build easily network using wireless device in difficult situation to build network is very good. However, it has security threat element because it transfers data by only forwarding of wireless devices. The measures against this should be prepared because damage by especially routing attack can affect the entire network. It is hard to distinguish malicious node and normal node among nodes composing network and it is not easy also to detect routing attack and respond to this. In this paper, we propose new method which detect routing attack and can respond to this. The amount of traffic in all nodes is measured periodically to judge the presence or absence of attack node on the path set. The technique that hides inspection packet to suspected node and transmits is used in order to detect accurately attack node in the path occurred attack. The experiment is performed by comparing SRAODA and SEAODV technique to evaluate performance of the proposed technique and the excellent performance can be confirmed.

Advanced protocol against MITM attacks in Industrial Control System (산업제어시스템에서의 MITM 공격을 방어하기 위해 개선된 프로토콜)

  • Ko, Moo-seong;Oh, Sang-kyo;Lee, Kyung-ho
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.25 no.6
    • /
    • pp.1455-1463
    • /
    • 2015
  • If the industrial control system is infected by malicious worm such as Stuxnet, national disaster could be caused inevitably. Therefore, most of the industrial control system defence is focused on intrusion detection in network to protect against these threats. Conventional method is effective to monitor network traffic and detect anomalous patterns, but normal traffic pattern attacks using MITM technique are difficult to be detected. This study analyzes the PROFINET/DCP protocol and weaknesses with the data collected in real industrial control system. And add the authentication data field to secure the protocol, find out the applicability. Improved protocol may prevent the national disaster and defend against MITM attacks.