• Title/Summary/Keyword: Network anomaly


An Anomalous Host Detection Technique using Traffic Dispersion Graphs (트래픽 분산 그래프를 이용한 이상 호스트 탐지 기법)

  • Kim, Jung-Hyun; Won, You-Jip; Ahn, Soo-Han
    • Journal of KIISE: Information Networking, v.36 no.2, pp.69-79, 2009
  • Today's Internet is one of the necessities of our life. Anomalies of the Internet provoke social problems. For that reason, Internet Measurement, which studies characteristics of Internet traffic, attracts public attention. Recently, Traffic Dispersion Graph (TDG), a novel traffic analysis method, was proposed. The TDG is not a statistical analysis method but a graphical visualization method of interactions among network components. In this paper, we propose a new anomaly detection paradigm and its technique using TDG. The existing studies have focused on detecting anomalous packets or flows. On the other hand, we focus on detecting the sources of anomalous traffic. To realize our paradigm, we designed the TDG Clustering method. Through this method, we could classify anomalous hosts infected by various worm viruses. We obtained normal traffic by dropping the traffic of the anomalous hosts. In particular, we expect that the TDG clustering method can be applied to real-time anomaly detection because the calculations of the method are fast.

Data Fusion Algorithm based on Inference for Anomaly Detection in the Next-Generation Intrusion Detection (차세대 침입탐지에서 이상탐지를 위한 추론 기반 데이터 융합 알고리즘)

  • Kim, Dong-Wook; Han, Myung-Mook
    • Journal of the Korean Institute of Intelligent Systems, v.26 no.3, pp.233-238, 2016
  • In this paper, we propose algorithms for processing uncertainty data using data fusion for next generation intrusion detection. In next generation intrusion detection, a lot of data are collected by many network sensors to discover knowledge from the information generated in cyber space. A data fusion process is necessary to extract knowledge from the collected sensor data. In this paper, we have proposed a method to represent uncertainty data by classifying where the confidence interval lies within the interval of the uncertainty data, through feature analysis of different data using an inference method based on Dempster-Shafer Evidence Theory. We have implemented a detection experiment that classifies by confidence interval using the IRIS plant Data Set for anomaly detection of uncertainty data. As a result, we found that it is possible to classify data by confidence interval.

Efficient Anomaly Detection Through Confidence Interval Estimation Based on Time Series Analysis (시계열 분석 기반 신뢰구간 추정을 통한 효율적인 이상감지)

  • Kim, Yeong-Ju; Heo, You-Kyung; Park, Jin-Gwan; Jeong, Min-A
    • The Journal of Korean Institute of Communications and Information Sciences, v.39C no.8, pp.708-715, 2014
  • In this paper, we suggest a method of realtime confidence interval estimation to detect abnormal states of sensor data. For realtime confidence interval estimation, the mean square errors of the exponential smoothing method and the moving average method, two time series analysis methods, were compared, and the moving average method, which had fewer errors, was applied. When the sensor data pass the bounds of the estimated confidence interval, the administrator is notified through an alarm. As the suggested method is for realtime anomaly detection in a ship, an Android terminal was adopted for better communication between the wireless sensor network and users. For safe navigation, an administrator can make decisions promptly and accurately in an emergency situation in a ship by referring to the anomaly detection information obtained through realtime confidence interval estimation.

Adaptive Intrusion Detection Algorithm based on Learning Algorithm (학습 알고리즘 기반의 적응형 침입 탐지 알고리즘)

  • Sim, Kwee-Bo; Yang, Jae-Won; Lee, Dong-Wook; Seo, Dong-Il; Choi, Yang-Seo
    • Journal of the Korean Institute of Intelligent Systems, v.14 no.1, pp.75-81, 2004
  • A signature based intrusion detection system (IDS), having stored rules for detecting intrusions in its library, judges whether new inputs are intrusions or not by matching the stored rules against the new inputs. However, this policy generally has two restrictions. First, when rules against new intrusions cannot be made, false negative (FN) errors may take place. Second, when a lot of rules are made to maintain diversification, the amount of resources grows in proportion to their number. In this paper, we propose a learning algorithm which can evolve the competence of anomaly detectors, giving them the ability to detect anomalous attacks, by means of a genetic algorithm. The anomaly detectors are a population composed by following the negative selection procedure of the biological immune system. To show the effectiveness of the proposed system, we apply the learning algorithm to an artificial network environment, which is a computer security system.

On the Improvement of Precision in Gravity Surveying and Correction, and a Dense Bouguer Anomaly in and Around the Korean Peninsula (한반도 일원의 중력측정 및 보정의 정밀화와 고밀도 부우게이상)

  • Shin, Young-Hong; Yang, Chul-Soo; Ok, Soo-Suk; Choi, Kwang-Sun
    • Journal of the Korean earth science society, v.24 no.3, pp.205-215, 2003
  • A precise and dense Bouguer anomaly is one of the most important data sets for improving our knowledge of the environment in the aspects of geophysics and physical geodesy. Besides the precise absolute gravity station net, we should consider two parts: one is to improve the precision of gravity measurement and its correction, and the other is the density of measurement both in number and distribution. For precise positioning, we have tested how the GPS could be used properly in gravity measurement, and deduced that GPS measurement for 5 minutes would be effective when DGPS with two geodetic GPS receivers is used and the baseline is shorter than 40km. In this case we should use a precise geoid model such as PNU95. By applying this method, we are able to reduce the cost, time, and number of surveyors, and furthermore we gain the benefit of improved quality. Two kinds of computer programs were developed to correct crossover errors and to calculate terrain effects more precisely. The repeated measurements on the same stations in gravity surveying are helpful not only to correct the drift of the spring but also to approach the results statistically by applying network adjustment. So we can find out the blunders of various causes easily and are also able to estimate the quality of the measurements. The recent developments in computer technology, digital elevation data, and precise positioning also stimulate us to improve the Bouguer anomaly by more precise terrain correction. The gravity data of various sources, such as land gravity data (by Choi, NGI, etc.), marine gravity data (by NORI), the Bouguer anomaly map of North Korea, Japanese gravity data, altimetry satellite data, and the EGM96 geopotential model, were collected and processed to get a precise and dense Bouguer anomaly in and around the Korean Peninsula.

Secure Cooperative Sensing Scheme for Cognitive Radio Networks (인지 라디오 네트워크를 위한 안전한 협력 센싱 기법)

  • Kim, Taewoon; Choi, Wooyeol
    • The Journal of Korean Institute of Communications and Information Sciences, v.41 no.8, pp.877-889, 2016
  • In this paper, we introduce the basic components of Cognitive Radio Networks along with possible threats. Specifically, we investigate the SSDF (Spectrum Sensing Data Falsification) attack, which is one of the easiest attacks to carry out. Despite its simplicity, the SSDF attack needs careful attention in order to build a secure system that resists it. The proposed scheme utilizes the Anomaly Detection technique to identify malicious users as well as their sensing reports. The simulation results show that the proposed scheme can effectively detect erroneous sensing reports and thus results in correct detection of the active primary users.

A Study of Security Rule Management for Misuse Intrusion Detection Systems using Mobile Agent (오용 침입탐지 시스템에서 모바일 에이전트를 이용한 보안규칙 관리에 관한 연구)

  • Kim, Tae-Kyung; Lee, Dong-Young; Chung, Tai-M.
    • The KIPS Transactions: PartC, v.10C no.5, pp.525-532, 2003
  • This paper describes intrusion detection rule management using mobile agents. Intrusion detection can be divided into anomaly detection and misuse detection. Misuse detection is best suited for reliably detecting known use patterns. Misuse detection systems can detect many or all known attack patterns, but they are of little use for as yet unknown attack methods. Therefore, the introduction of mobile agents to provide computational security by constantly moving around the Internet and propagating rules is presented as a solution for misuse detection. This work presents a new approach for detecting intrusions, in which mobile agent mechanisms are used for security rule propagation. To evaluate the proposed approach, we compared the workload data between a rule propagation method using a mobile agent and a conventional method. Also, we simulated rule management using NS-2 (Network Simulator) with respect to time.

A Study on Constructing of Security Monitoring Schema based on Darknet Traffic (다크넷 트래픽을 활용한 보안관제 체계 구축에 관한 연구)

  • Park, Si-Jang; Kim, Chul-Won
    • The Journal of the Korea institute of electronic communication sciences, v.8 no.12, pp.1841-1848, 2013
  • In this paper, plans for improving real-time security monitoring accuracy and expanding the control region were investigated through comprehensive and systematic collection and analysis of the anomalous activities that flow into and out of the network on a large scale, in order to overcome the existing security monitoring system based on stylized detection patterns, which can respond to only very limited cyber attacks. This study established an anomaly observation system to collect, store and analyze the diverse infringement threat information flowing into the darknet, and presented an information classification system of cyber threats, unknown anomalies and high-risk anomalous activities through statistics based trend analysis of hacking. When the security monitoring system utilizing darknet traffic presented in this study was applied, detection of all infringement threats increased by 12.6 percent compared with the conventional case, and 120 kinds of new and variant attacks that could not be detected in the past were detected.

False Alarm Minimization Technology using SVM in Intrusion Prevention System (SVM을 이용한 침입방지시스템 오경보 최소화 기법)

  • Kim Gill-Han; Lee Hyung-Woo
    • Journal of Internet Computing and Services, v.7 no.3, pp.119-132, 2006
  • The network based security techniques well known until now have weak points in being passive against attacks and susceptible to roundabout attacks, so the misuse detection based intrusion prevention system, which enables active response to attacks in inline mode, is used widely. However, because the misuse detection based intrusion prevention system is proportional to the detection rules, it causes excessive false alarms and leads to wrong responses that block regular network flow, and it is insufficient to detect transformed attacks. This study suggests an intrusion prevention system which uses Support Vector Machines (hereinafter referred to as SVM) as a combination of rule based intrusion prevention system and anomaly system in order to supplement these problems. When compared with the existing intrusion prevention system, the performance results show an improvement of about 20%, and the proposed intrusion prevention system minimizes false positives and can effectively detect new variant attacks.

Traffic Anomaly Identification Using Multi-Class Support Vector Machine (다중 클래스 SVM을 이용한 트래픽의 이상패턴 검출)

  • Park, Young-Jae; Kim, Gye-Young; Jang, Seok-Woo
    • Journal of the Korea Academia-Industrial cooperation Society, v.14 no.4, pp.1942-1950, 2013
  • This paper suggests a new method of detecting attacks in network traffic by visualizing the original traffic data and applying multi-class SVM (support vector machine). The proposed method first generates 2D images from the IPs and ports of transmitters and receivers, and extracts linear patterns and high intensity values from the images, which represent traffic attacks. It then obtains the variance of the ports of transmitters and receivers and extracts the number of clusters and entropy features using the ISODATA algorithm. Finally, it determines through multi-class SVM whether the traffic data contain DDoS, DoS, Internet worm, or port scan attacks. Experimental results show that the suggested multi-class SVM-based algorithm can detect network traffic attacks more effectively.