• Title/Summary/Keyword: Malicious Traffic Detection

Search Result 66, Processing Time 0.021 seconds

Experiments on An Network Processor-based Intrusion Detection (네트워크 프로세서 기반의 침입탐지 시스템 구현)

  • Kim, Hyeong-Ju;Kim, Ik-Kyun;Park, Dae-Chul
    • The KIPS Transactions:PartC
    • /
    • v.11C no.3
    • /
    • pp.319-326
    • /
    • 2004
  • To help network intrusion detection systems(NIDSs) keep up with the demands of today's networks, that we the increasing network throughput and amount of attacks, a radical new approach in hardware and software system architecture is required. In this paper, we propose a Network Processor(NP) based In-Line mode NIDS that supports the packet payload inspection detecting the malicious behaviors, as well as the packet filtering and the traffic metering. In particular, we separate the filtering and metering functions from the deep packet inspection function using two-level searching scheme, thus the complicated and time-consuming operation of the deep packet inspection function does not hinder or flop the basic operations of the In-line mode system. From a proto-type NP-based NIDS implemented at a PC platform with an x86 processor running Linux, two Gigabit Ethernet ports, and 2.5Gbps Agere PayloadPlus(APP) NP solution, the experiment results show that our proposed scheme can reliably filter and meter the full traffic of two gigabit ports at the first level even though it can inspect the packet payload up to 320 Mbps in real-time at the second level, which can be compared to the performance of general-purpose processor based Inspection. However, the simulation results show that the deep packet searching is also possible up to 2Gbps in wire speed when we adopt 10Gbps APP solution.

Efficient Buffer Management Scheme for Mitigating Possibility of DDoS Attack (DDoS 공격 가능성 완화를 위한 효율적인 버퍼 관리 기술)

  • Noh, Hee-Kyeong;Kang, Nam-Hi
    • The Journal of the Institute of Internet, Broadcasting and Communication
    • /
    • v.12 no.2
    • /
    • pp.1-7
    • /
    • 2012
  • DDoS attack is a malicious attempt to exhaust resources of target system and network capacities using lots of distributed zombi systems. DDoS attack introduced in early 2000 has being evolved over time and presented in a various form of attacks. This paper proposes a scheme to detect DDoS attacks and to reduce possibility of such attacks that are especially based on vulnerabilities presented by using control packets of existing network protocols. To cope with DDoS attacks, the proposed scheme utilizes a buffer management techniques commonly used for congestion control in Internet. Our scheme is not intended to detect DDoS attacks perfectly but to minimize possibility of overloading of internal system and to mitigate possibility of attacks by discarding control packets at the time of detecting DDoS attacks. In addition, the detection module of our scheme can adapt dynamically to instantly increasing traffic unlike previously proposed schemes.

A comparative study of the performance of machine learning algorithms to detect malicious traffic in IoT networks (IoT 네트워크에서 악성 트래픽을 탐지하기 위한 머신러닝 알고리즘의 성능 비교연구)

  • Hyun, Mi-Jin
    • Journal of Digital Convergence
    • /
    • v.19 no.9
    • /
    • pp.463-468
    • /
    • 2021
  • Although the IoT is showing explosive growth due to the development of technology and the spread of IoT devices and activation of services, serious security risks and financial damage are occurring due to the activities of various botnets. Therefore, it is important to accurately and quickly detect the activities of these botnets. As security in the IoT environment has characteristics that require operation with minimum processing performance and memory, in this paper, the minimum characteristics for detection are selected, and KNN (K-Nearest Neighbor), Naïve Bayes, Decision Tree, Random A comparative study was conducted on the performance of machine learning algorithms such as Forest to detect botnet activity. Experimental results using the Bot-IoT dataset showed that KNN can detect DDoS, DoS, and Reconnaissance attacks most effectively and efficiently among the applied machine learning algorithms.

Performance Analysis of TCAM-based Jumping Window Algorithm for Snort 2.9.0 (Snort 2.9.0 환경을 위한 TCAM 기반 점핑 윈도우 알고리즘의 성능 분석)

  • Lee, Sung-Yun;Ryu, Ki-Yeol
    • Journal of Internet Computing and Services
    • /
    • v.13 no.2
    • /
    • pp.41-49
    • /
    • 2012
  • Wireless network support and extended mobile network environment with exponential growth of smart phone users allow us to utilize the network anytime or anywhere. Malicious attacks such as distributed DOS, internet worm, e-mail virus and so on through high-speed networks increase and the number of patterns is dramatically increasing accordingly by increasing network traffic due to this internet technology development. To detect the patterns in intrusion detection systems, an existing research proposed an efficient algorithm called the jumping window algorithm and analyzed approximately 2,000 patterns in Snort 2.1.0, the most famous intrusion detection system. using the algorithm. However, it is inappropriate from the number of TCAM lookups and TCAM memory efficiency to use the result proposed in the research in current environment (Snort 2.9.0) that has longer patterns and a lot of patterns because the jumping window algorithm is affected by the number of patterns and pattern length. In this paper, we simulate the number of TCAM lookups and the required TCAM size in the jumping window with approximately 8,100 patterns from Snort-2.9.0 rules, and then analyse the simulation result. While Snort 2.1.0 requires 16-byte window and 9Mb TCAM size to show the most effective performance as proposed in the previous research, in this paper we suggest 16-byte window and 4 18Mb-TCAMs which are cascaded in Snort 2.9.0 environment.

Performance Evaluation of Scaling based Dynamic Time Warping Algorithms for the Detection of Low-rate TCP Attacks (Low-rate TCP 공격 탐지를 위한 스케일링 기반 DTW 알고리즘의 성능 분석)

  • So, Won-Ho;Shim, Sang-Heon;Yoo, Kyoung-Min;Kim, Young-Chon
    • Journal of the Institute of Electronics Engineers of Korea TC
    • /
    • v.44 no.3 s.357
    • /
    • pp.33-40
    • /
    • 2007
  • In this paper, low-rate TCP attack as one of shrew attacks is considered and the scaling based dynamic time warping (S-DTW) algorithm is introduced. The low-rate TCP attack can not be detected by the detection method for the previous flooding DoS/DDoS (Denial of Service/Distirbuted Denial of Service) attacks due to its low average traffic rate. It, however, is a periodic short burst that exploits the homogeneity of the minimum retransmission timeout (RTO) of TCP flows and then some pattern matching mechanisms have been proposed to detect it among legitimate input flows. A DTW mechanism as one of detection approaches has proposed to detect attack input stream consisting of many legitimate or attack flows, and shown a depending method as well. This approach, however, has a problem that legitimate input stream may be caught as an attack one. In addition, it is difficult to decide a threshold for separation between the legitimate and the malicious. Thus, the causes of this problem are analyzed through simulation and the scaling by maximum auto-correlation value is executed before computing the DTW. We also discuss the results on applying various scaling approaches and using standard deviation of input streams monitored.

Behavioural Analysis of Password Authentication and Countermeasure to Phishing Attacks - from User Experience and HCI Perspectives (사용자의 패스워드 인증 행위 분석 및 피싱 공격시 대응방안 - 사용자 경험 및 HCI의 관점에서)

  • Ryu, Hong Ryeol;Hong, Moses;Kwon, Taekyoung
    • Journal of Internet Computing and Services
    • /
    • v.15 no.3
    • /
    • pp.79-90
    • /
    • 2014
  • User authentication based on ID and PW has been widely used. As the Internet has become a growing part of people' lives, input times of ID/PW have been increased for a variety of services. People have already learned enough to perform the authentication procedure and have entered ID/PW while ones are unconscious. This is referred to as the adaptive unconscious, a set of mental processes incoming information and producing judgements and behaviors without our conscious awareness and within a second. Most people have joined up for various websites with a small number of IDs/PWs, because they relied on their memory for managing IDs/PWs. Human memory decays with the passing of time and knowledges in human memory tend to interfere with each other. For that reason, there is the potential for people to enter an invalid ID/PW. Therefore, these characteristics above mentioned regarding of user authentication with ID/PW can lead to human vulnerabilities: people use a few PWs for various websites, manage IDs/PWs depending on their memory, and enter ID/PW unconsciously. Based on the vulnerability of human factors, a variety of information leakage attacks such as phishing and pharming attacks have been increasing exponentially. In the past, information leakage attacks exploited vulnerabilities of hardware, operating system, software and so on. However, most of current attacks tend to exploit the vulnerabilities of the human factors. These attacks based on the vulnerability of the human factor are called social-engineering attacks. Recently, malicious social-engineering technique such as phishing and pharming attacks is one of the biggest security problems. Phishing is an attack of attempting to obtain valuable information such as ID/PW and pharming is an attack intended to steal personal data by redirecting a website's traffic to a fraudulent copy of a legitimate website. Screens of fraudulent copies used for both phishing and pharming attacks are almost identical to those of legitimate websites, and even the pharming can include the deceptive URL address. Therefore, without the supports of prevention and detection techniques such as vaccines and reputation system, it is difficult for users to determine intuitively whether the site is the phishing and pharming sites or legitimate site. The previous researches in terms of phishing and pharming attacks have mainly studied on technical solutions. In this paper, we focus on human behaviour when users are confronted by phishing and pharming attacks without knowing them. We conducted an attack experiment in order to find out how many IDs/PWs are leaked from pharming and phishing attack. We firstly configured the experimental settings in the same condition of phishing and pharming attacks and build a phishing site for the experiment. We then recruited 64 voluntary participants and asked them to log in our experimental site. For each participant, we conducted a questionnaire survey with regard to the experiment. Through the attack experiment and survey, we observed whether their password are leaked out when logging in the experimental phishing site, and how many different passwords are leaked among the total number of passwords of each participant. Consequently, we found out that most participants unconsciously logged in the site and the ID/PW management dependent on human memory caused the leakage of multiple passwords. The user should actively utilize repudiation systems and the service provider with online site should support prevention techniques that the user can intuitively determined whether the site is phishing.