• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.1
• /
• pp.155-163
• /
• 2014

To enhance network efficiency, content-centric networking (CCN) proposes that intermediated network nodes on a content-delivery path temporally cache transmitted contents. Then if an intermediated node receives a content request message (Interest) for previously cached content, the node directly transmits the cached content as a response message (Data) to requestors and finishes the transmission of the received Interest. Since Interest is performed by intermediated network nodes, it is possible to efficiently transmit contents and to effectively solve a network congestion problem caused around contents sources. For that, CCN utilizes both content store to temporarily cache content and pending Interest table (PIT) to record Interest incoming Face. However, it has mentioned the possibility of denial service attack using both the limitation of PIT resource and fake Interests. In this paper, we briefly describe the presented PIT flooding attack utilizing fake Interest. Then we introduce new attack possibility using fake Data and propose a countermeasure for the proposed attack. Also we evaluate the performance of our proposal.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.33 no.7B
• /
• pp.592-600
• /
• 2008

In this paper, a Hybrid Scaling based DTW (HS-DTW) mechanism is proposed for detection of periodic shrew TCP attacks. A low-rate TCP attack which is a type of shrew DoS (Denial of Service) attacks, was reported recently, but it is difficult to detect the attack using previous flooding DoS detection mechanisms. A pattern matching method with DTW (Dynamic Time Warping) as a type of defense mechanisms was shown to be reasonable method of detecting and defending against a periodic low-rate TCP attack in an input traffic link. This method, however, has the problem that a legitimate link may be misidentified as an attack link, if the threshold of the DTW value is not reasonable. In order to effectively discriminate between attack traffic and legitimate traffic, the difference between their DTW values should be large as possible. To increase the difference, we analyze a critical problem with a previous algorithm and introduce a scaling method that increases the difference between DTW values. Four kinds of scaling methods are considered and the standard deviation of the sampling data is adopted. We can select an appropriate scaling scheme according to the standard deviation of an input signal. This is why the HS-DTW increases the difference between DTW values of legitimate and attack traffic. The result is that the determination of the threshold value for discrimination is easier and the probability of mistaking legitimate traffic for an attack is dramatically reduced.

• Journal of Digital Convergence
• /
• v.13 no.10
• /
• pp.279-285
• /
• 2015

In this paper, we present the design and implementation of a realtime DNS Query Analysis System to detect and to protect from DNS attacks. The proposed system uses mirroring to collect data in DMZ, then analizes the collected data. As a result of the analysis, if the proposed system finds attack information, the information is used as a filtering information of firewall. statistic of the collected data is viewed as a realtime monitoring information on the web. To verify the effictiveness of the proposed system, we have built the proposed system and conducted some experiments. As the result, Our proposed system can be used effectively to defend DNS spoofing, DNS flooding attack, DNS amplification attack, can prevent interior network's attackers from attacking and provides realtime DNS query statistic information and geographic information for monitoring DNS query using GeoIP API and Google API. It can be useful information for ICT convergence and the future work.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2018.10a
• /
• pp.152-155
• /
• 2018

Over the past years, Link Flooding Attacks (LFAs) have been introduced as new network threats. LFAs are indirect DDoS attacks that selectively flood intermediate core links, while legacy DDoS attacks directly targets end points. Flooding bandwidth in the core links results in that a wide target area is affected by the attack. In the traditional network, mitigating LFAs is a challenge since an attacker can easily construct a link map that contains entire network topology via traceroute. Security researchers have proposed many solutions, however, they focused on reactive countermeasures that respond to LFAs when attacks occurred. We argue that this reactive approach is limited in that core links are already exposed to an attacker. In this paper, we present SDHoneyNet that prelocates vulnerable links by computing static and dynamic property on Software-defined Networks (SDN). SDHoneyNet deploys Honey Topology, which is obfuscated topology, on the nearby links. Using this approach, core links can be hidden from attacker's sight, which leads to effectively building proactive method for mitigating LFAs.

• Proceedings of the Korean Information Science Society Conference
• /
• 2011.06d
• /
• pp.215-218
• /
• 2011

VoIP(Voice over Internet Protocol) 서비스는 기존의 음성전화 서비스(Public Switched Telephone Network, PSTN)와 달리 IP 프로토콜을 이용한 저렴한 통신비용 등의 장점이 있는 음성통신 기술로써, 기존의 아날로그 음성전화 서비스를 대신하는 서비스이며, 새로운 인터넷 융합서비스로 많은 사용자가 이용하고 있다. 하지만 VoIP 서비스가 인터넷망을 이용함으로 IP Spoofing, DoS (Denial of Server) / DDoS(Distributed Denial of Service), 등의 여러 가지 보안의 문제점을 가지고 있다. VoIP 서비스에서 DDoS 공격은 Proxy 서버 등에 대량의 공격 메시지를 보냄으로써 서버의 자원을 고갈시켜 정상적인 서비스를 하지 못하게 한다. DoS, DDoS 공격 중 Invite Flooding 공격은 1분에 수천 개의 Invite 메시지를 보내 회선의 자원을 고갈시키는 공격이다. 특히 IP/Port 위조하여 공격 경우 공격 패킷 탐지하기 어려우므로 차단할 수 없다. 따라서 본 논문에서는 VoIP의 DoS/DDoS 중 하나인 Invite Flooding 공격 시 SIP Proxy Server에서 메시지 분산시키는 방법과 MAC Address와 사용자 번호 등 IP 이외의 고정적인 사용자 정보를 확인하여 공격을 탐지하고, 공격 Agent에 감염된 Phone을 공격차단서비스로 보내 복구시키는 방법을 제안한다.

• Proceedings of the Korea Contents Association Conference
• /
• 2005.05a
• /
• pp.83-86
• /
• 2005

Recently, demage of denial of service attack and worm attack has grown larger and larger every year. But Research of harmful traffic detection is not sufficient when the IPv4 environment is replaced with the IPv6 environment in near future. The purpose of this paper is attact detection which has been detected harmful traffic monitoring on the IPv6 using the Internet management protocol SNMP.

• Proceedings of the Korean Institute of Intelligent Systems Conference
• /
• 2002.12a
• /
• pp.258-261
• /
• 2002

최근 네트워크 취약점 검색 방법을 이용한 침입 공격이 증가하는 추세이며 이런 공격에 대하여 적절하게 실시간 탐지 및 대응 처리하는 침입방지시스템(IPS: Intrusion Prevention System)에 대한 연구가 지속적으로 이루어지고 있다. 본 논문에서는 시스템에 허락을 얻지 않은 서비스거부 공격(Denial of Service Attack) 기술 중 TCP의 신뢰성 및 연결 지향적 전송서비스로 종단간에 이루어지는 3-Way Handshake를 이용한 Syn Flooding Attack에 대하여 침입시도패킷 정보를 수집, 분석하고 퍼지인식도(FCM : Fuzzy Cognitive Maps)를 이용한 침입시도여부결정 및 대응 처리하는 네트워크 기반의 실시간 탐지 및 방지 모델(Network based Real Time Scan Detection & Prevention Model)을 제안한다.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.11 no.10
• /
• pp.5023-5038
• /
• 2017

Big data is an emerging technology which deals with wide range of data sets with sizes beyond the ability to work with software tools which is commonly used for processing of data. When we consider a huge network, we have to process a large amount of network information generated, which consists of both normal and abnormal activity logs in large volume of multi-dimensional data. Intrusion Detection System (IDS) is required to monitor the network and to detect the malicious nodes and activities in the network. Massive amount of data makes it difficult to detect threats and attacks. Sequential Pattern mining may be used to identify the patterns of malicious activities which have been an emerging popular trend due to the consideration of quantities, profits and time orders of item. Here we propose a sequential pattern mining algorithm with fuzzy logic feature selection and fuzzy weighted support for huge volumes of network logs to be implemented in Apache Hadoop YARN, which solves the problem of speed and time constraints. Fuzzy logic feature selection selects important features from the feature set. Fuzzy weighted supports provide weights to the inputs and avoid multiple scans. In our simulation we use the attack log from NS-2 MANET environment and compare the proposed algorithm with the state-of-the-art sequential Pattern Mining algorithm, SPADE and Support Vector Machine with Hadoop environment.

• Convergence Security Journal
• /
• v.13 no.1
• /
• pp.19-24
• /
• 2013

MANET has a highly dynamic topology because it consists of only mobile nodes. Various attacks using these characteristics exist. Among them, damage of the attacks based flooding such as DoS or DDos is large and traceback of the attack node is not easy. It is because route information by moving of intermediate nodes which pass the data changes frequently. In this paper, we propose table-based traceback technique to perform efficient traceback although route information by moving of nodes changes frequently. Cluster head manages route management table in order to form cluster status table and network topology snapshot for storing the location information of mobile nodes when cluster member nodes change. Also, bloom filter is used to reduce the amount of storing route information. The performance of the proposed technique is confirmed through experiment.

• Proceedings of the IEEK Conference
• /
• 2002.07b
• /
• pp.928-931
• /
• 2002

Network based intrusion detection system is a computer network security tool. In this paper, we present an intrusion detection system based on Self-Organizing Maps (SOM) and Resilient Propagation Neural Network (RPROP) for visualizing and classifying intrusion and normal patterns. We introduce a cluster matching equation for finding principal associated components in component planes. We apply data from The Third International Knowledge Discovery and Data Mining Tools Competition (KDD cup'99) for training and testing our prototype. From our experimental results with different network data, our scheme archives more than 90 percent detection rate, and less than 5 percent false alarm rate in one SYN flooding and two port scanning attack types.