• Title/Summary/Keyword: Network traffic monitoring

Distributed QoS Monitoring and Edge-to-Edge QoS Aggregation to Manage End-to-End Traffic Flows in Differentiated Services Networks

  • Kim, Jae-Young;James Won-Ki Hong
    • Journal of Communications and Networks / v.3 no.4 / pp.324-333 / 2001
  • The Differentiated Services (Diffserv) framework has been proposed by the IETF as a simple service structure that can provide different Quality of Service (QoS) to different classes of packets in IP networks. IP packets are classified into one of a limited number of service classes, and are marked in the packet header for easy classification and differentiated treatment when transferred within a Diffserv domain. The Diffserv framework defines simple and efficient QoS differentiation mechanisms for the Internet. However, the original Diffserv concept does not provide a complete QoS management framework. Since traffic flows in IP networks are unidirectional from one network point to the other and routing paths and traffic demand get dynamically altered, it is important to monitor end-to-end traffic status, as well as traffic status in a single node. This paper suggests a distributed QoS monitoring method that collects the statistical data of each service class in every Diffserv router and calculates edge-to-edge QoS of the aggregated IP flows by combining routing topology and traffic status. A formal modeling of edge-to-edge Diffserv flows and algorithms for aggregating edge-to-edge QoS are presented. Also, an SNMP-based QoS management prototype system for Diffserv networks is presented, which validates our QoS management framework and demonstrates useful service management functionality.

Scalable Network Architecture for Flow-Based Traffic Control

  • Song, Jong-Tae;Lee, Soon-Seok;Kang, Kug-Chang;Park, No-Ik;Park, Heuk;Yoon, Sung-Hyun;Chun, Kyung-Gyu;Chang, Mi-Young;Joung, Jin-Oo;Kim, Young-Sun
    • ETRI Journal / v.30 no.2 / pp.205-215 / 2008
  • Many control schemes have been proposed for flow-level traffic control. However, flow-level traffic control is implemented only in limited areas such as traffic monitoring and traffic control at edge nodes. No clear solution for end-to-end architecture has been proposed. Scalability and the lack of a business model are major problems for deploying end-to-end flow-level control architecture. This paper introduces an end-to-end transport architecture and a scalable control mechanism to support the various flow-level QoS requests from applications.

Conceptual Design of Networking Node with Real-time Monitoring for QoS Coordination of Tactical-Mesh Traffic (전술메쉬 트래픽 QoS 조율을 위한 네트워킹 노드의 개념 설계 및 실시간 모니터링)

  • Shin, Jun-Sik;Kang, Moonjoong;Park, Juman;Kwon, Daehoon;Kim, JongWon
    • Smart Media Journal / v.8 no.2 / pp.29-38 / 2019
  • With the advancement of information and communication technology, tactical networks are continuously being converted to All-IP future tactical networks that integrate all application services based on Internet protocol. A futuristic tactical mesh network is built with tactical WAN (wide area network) nodes that are inter-connected by a mesh structure. In order to guarantee QoS (quality of service) of application services, a tactical service mesh (TSM) is suggested as an intermediate layer between the infrastructure and application layers for the futuristic tactical mesh network. The tactical service mesh requires dynamic QoS monitoring and control for intelligent QoS coordination. However, legacy networking nodes used in existing tactical networks have difficulty supporting this functionality due to inflexible monitoring support. To resolve this, we propose a tactical mesh WAN node as a hardware/software co-designed networking node in this paper. The tactical mesh WAN node is conceptually designed to have multi-access networking interfaces and virtualized networking switches by leveraging the DANOS whitebox server/switch. In addition, we explain how to apply eBPF-based traffic monitoring to the tactical mesh WAN node and verify the traffic monitoring feasibility for supporting QoS coordination of tactical-mesh traffic.

A Moving Window Principal Components Analysis Based Anomaly Detection and Mitigation Approach in SDN Network

  • Wang, Mingxin;Zhou, Huachun;Chen, Jia
    • KSII Transactions on Internet and Information Systems (TIIS) / v.12 no.8 / pp.3946-3965 / 2018
  • Network anomaly detection in Software Defined Networking, especially the detection of DDoS attacks, has received great attention in recent years. It is convenient to build the Traffic Matrix from a global view in SDN. However, the monitoring and management of high-volume feature-rich traffic in large networks brings significant challenges. In this paper, we propose a moving window Principal Components Analysis based anomaly detection and mitigation approach to map data onto a low-dimensional subspace and keep monitoring the network state in real time. Once the anomaly is detected, the controller will install the defense flow table rules onto the corresponding data plane switches to mitigate the attack. Furthermore, we evaluate our approach with experiments. The Receiver Operating Characteristic curves show that our approach performs well in both detection probability and false alarm probability compared with the entropy-based approach. In addition, the mitigation effect is impressive in that our approach can prevent most of the attacking traffic. Finally, we evaluate the overhead of the system, including the detection delay and utilization of CPU, which is not excessive. Our anomaly detection approach is lightweight and effective.

Visualization of network traffic attack using time series radial axis and cylindrical coordinate system (시계열 방사축과 원통좌표계를 이용한 네트워크 트래픽 공격 시각화)

  • Chang, Beom-Hwan;Choi, Younsung
    • Journal of the Korea Convergence Society / v.10 no.12 / pp.17-22 / 2019
  • Network attack analysis and visualization methods using network traffic session data detect network anomalies by visualizing the sender's and receiver's IP addresses and the relationship between them. The traffic flow is a critical feature in detecting anomalies, but simply visualizing the source and destination IP addresses symmetrically, top-to-bottom or left-to-right, can become a problem for the analysis. Also, there is a risk of losing timely awareness of the security situation when designing a visualization interface without considering the temporal characteristics of time-series traffic sessions. In this paper, we propose a visualization interface and analysis method that visualizes time-series traffic data using the radial axis and divides IP addresses into network and host portions, which are then projected onto the cylindrical coordinate system, so that network attacks can be monitored effectively. The proposed method has the advantage of intuitively recognizing network attacks and identifying attack activity over time.

Design of Internet Traffic Monitoring System Using TCP/IP (TCP/IP를 이용한 인터넷 교통량 모니터링 시스템설계)

  • Jin, Hyun-Soo
    • The Journal of the Institute of Internet, Broadcasting and Communication / v.10 no.4 / pp.99-104 / 2010
  • We introduce an Internet TCP/IP control system to monitor the traffic volume on the traffic network system. To check the traffic volume on a road, we use a traffic detector system in the shape of a circle, diamond or rectangle. Although we use a traffic detector, we will use Internet addressing in the TCP/IP system. If we use a TCP/IP control system, we gain many advantages: we achieve a high-security and low-cost traffic monitoring system coming difficulty and high level position. But the Internet system is very easy and a low-cost direction. A traffic control system depends heavily on advanced techniques and is very complex. Therefore we introduce a TCP/IP Internet addressing control system schematic.

Design of Traffic Metering System using Embedded Linux (임베디드 리눅스를 이용한 트래픽 미터링 시스템 설계)

  • Lee, Heung-Jae;Jeon, Hee-Jin;Choe, Jin-Kyu;Lee, Kyou-Ho
    • Journal of IKEEE / v.9 no.2 s.17 / pp.79-86 / 2005
  • Increasing network traffic and multimedia application services need real-time analysis of network traffic for improvement of QoS and effective management of network resources. Because software-based measurement is difficult, a study of meter architecture for an efficient capture function is necessary. Therefore we design and implement a hardware metering system for efficient packet capture using embedded Linux. We also analyze the required bandwidth of the system bus and memory for 10Gbps traffic through simulation.

Traffic Control Algorithm for Periodic Traffics in WSN (WSN에서 주기적 트래픽 처리를 위한 트래픽 제어 알고리즘)

  • Kim, Jeonghye;Lee, Sungkeun;Koh, Jingwang;Park, Jaesung
    • The Journal of the Korea institute of electronic communication sciences / v.5 no.1 / pp.44-50 / 2010
  • A wireless sensor network consists of multiple sensor nodes and performs shared tasks through the coordination of sensor nodes. Traffic in WSN is categorized as periodic monitoring traffic, event-driven traffic and query-based traffic. Periodic traffic takes a significant proportion of the whole traffic processing because multiple sensor nodes generate traffic at a steady interval, although the generation frequency of periodic traffic is low. In this paper, we propose a traffic control algorithm of network protocol for periodic traffic in terms of energy efficiency and conduct performance analysis of the algorithm.

Malicious Traffic Classification Using Mitre ATT&CK and Machine Learning Based on UNSW-NB15 Dataset (마이터 어택과 머신러닝을 이용한 UNSW-NB15 데이터셋 기반 유해 트래픽 분류)

  • Yoon, Dong Hyun;Koo, Ja Hwan;Won, Dong Ho
    • KIPS Transactions on Software and Data Engineering / v.12 no.2 / pp.99-110 / 2023
  • This study proposed a classification of malicious network traffic using the cyber threat framework (Mitre ATT&CK) and machine learning to solve the real-time traffic detection problems faced by current security monitoring systems. We applied a network traffic dataset called UNSW-NB15 to the Mitre ATT&CK framework to transform the label and generate the final dataset through rare class processing. After training several boosting-based ensemble models using the generated final dataset, we demonstrated how these ensemble models classify network traffic using various performance metrics. Based on the F-1 score, we showed that XGBoost with no rare class processing is the best in the multi-class traffic environment. We recognized that machine learning ensemble models through Mitre ATT&CK label conversion and oversampling processing have differences over existing studies, but have limitations due to (1) the inability to match perfectly when converting between existing datasets and Mitre ATT&CK labels and (2) the presence of excessive sparse classes. Nevertheless, CatBoost with B-SMOTE achieved the classification accuracy of 0.9526, which is expected to be able to automatically detect normal/abnormal network traffic.

A Method for Detection and Classification of Normal Server Activities and Attacks Composed of Similar Connection Patterns (종단간의 유사 연결 패턴을 갖는 정상 서버 활동과 공격의 구분 및 탐지 방법)

  • Chang, Beom-Hwan
    • Journal of the Korea Institute of Information Security & Cryptology / v.22 no.6 / pp.1315-1324 / 2012
  • Security visualization is a form of data visualization in the field of network security that uses security-related events so that network traffic flow and the security situation can be understood quickly and easily. In particular, security visualization that detects abnormal network situations by visualizing connections between two endpoints is a novel approach to detect unknown attack patterns and to reduce the monitoring overhead of packet monitoring techniques. However, session-based visualization does not distinguish between normal traffic and attacks that are composed of similar connection patterns. Therefore, in this paper, we propose an efficient session-based visualization method for analyzing and distinguishing between normal server activities and attacks by using IP address splitting and port attribute analysis. The proposed method can actually be used to detect and analyze network security alongside existing security tools because there is no dependence on other security monitoring methods. It also helps network administrators rapidly analyze the security status of the managed network.