• Journal of Internet Computing and Services
• /
• v.4 no.2
• /
• pp.69-80
• /
• 2003

Program Behavior Intrusion Detection Technique analyses system calls that called by daemon program or root authority, constructs profiles, and detectes modificated anomaly intrusions effectively. In this paper, the relation among system calls of processes is represented by bayesian network and Multiple Sequence Alignment. Program behavior profiling by Bayesian Network classifies modified anomaly intrusion behaviors, and detects anomaly behaviors. we had simulation by proposed normal behavior profiling technique using UNM data.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.19 no.1
• /
• pp.71-79
• /
• 2009

Currently much research is being done on host based intrusion detection using system calls which is a portion of kernel based data. Sequence based and frequency based preprocessing methods are mostly used in research for intrusion detection using system calls. Due to the large amount of data and system call types, it requires a significant amount of preprocessing time. Therefore, it is difficult to implement real-time intrusion detection systems. Despite this disadvantage, the frequency based method which requires a relatively small amount of preprocessing time is usually used. This paper proposes an effective method for detecting denial of service attacks using the frequency based method. Principal Component Analysis(PCA) will be used to select the principle system calls and a bayesian network will be composed and the bayesian classifier will be used for the classification.

• KIPS Transactions on Software and Data Engineering
• /
• v.10 no.11
• /
• pp.449-456
• /
• 2021

An intrusion detection system is a technology that detects abnormal behaviors that violate security, and detects abnormal operations and prevents system attacks. Existing intrusion detection systems have been designed using statistical analysis or anomaly detection techniques for traffic patterns, but modern systems generate a variety of traffic different from existing systems due to rapidly growing technologies, so the existing methods have limitations. In order to overcome this limitation, study on intrusion detection methods applying various machine learning techniques is being actively conducted. In this study, a comparative study was conducted on data preprocessing techniques that can improve the accuracy of anomaly detection using NGIDS-DS (Next Generation IDS Database) generated by simulation equipment for traffic in various network environments. Padding and sliding window were used as data preprocessing, and an oversampling technique with Adversarial Auto-Encoder (AAE) was applied to solve the problem of imbalance between the normal data rate and the abnormal data rate. In addition, the performance improvement of detection accuracy was confirmed by using Skip-gram among the Word2Vec techniques that can extract feature vectors of preprocessed sequence data. PCA-SVM and GRU were used as models for comparative experiments, and the experimental results showed better performance when sliding window, skip-gram, AAE, and GRU were applied.

• Proceedings of the Korea Institutes of Information Security and Cryptology Conference
• /
• 1995.11a
• /
• pp.115-125
• /
• 1995

본 논문에서는 컴퓨터 시스템에서 침입 감지 시스템을 설계함에 있어서 사용될 수 있는 새로운 방법인 Event Sequence Tracking 방법을 제안하였다. Event Sequence Tracking 방법에서는 컴퓨터 시스템의 공격방법을 크게 두가지로 분류한다. 첫번째는 일련의 시스템 명령어를 이용한 공격방법이고 두번째는 침입자 자신이 만들었거나 다른 사람으로부터 얻은 프로그램을 이용하는 방법이다. 첫번째 공격방법에 대한 감지방법은 시스템을 공격할 때 사용한 일련의 시스템 명령어들을 감사 데이타를 분석하여 찾아내고 이 결과를 기존에 알려진 공격 시나리오들과 비교하여 침입자를 찾아내는 방식이다. 두번째 공격방법에 대한 감지 방법은 보안 관리자가 정해놓은, 시스템에서 일반 사용자가 할 수 없는 행위에 관한 보안 정책에 따라 Key-Event 데이타 베이스를 만들고 여기에 해당하는 event의 집합을 감사 데이타에서 찾아내는 방법이다. Event Sequence Tracking 방법은 Rule-based Penetration Identification 방법의 일종으로서 시스템의 공격방법을 분류하여 컴퓨터 시스템에의 침입을 효과적으로 감지할 수 있다는 것과 rule-base의 생성과 갱신을 함에 있어서 보다 간단하게 할 수 있다는 장점을 갖는다.

• Proceedings of the IEEK Conference
• /
• 2003.11a
• /
• pp.425-428
• /
• 2003

Recently, the IDS(Intrusion Detection System) using a video camera is an important part of the home security systems which start gaining popularity. However, the video intruder detection has not been widely used in the home surveillance systems due to its unreliable performance in the environment with abrupt illumination change. In this paper, we propose an effective moving edge extraction algorithm from a sequence image. The proposed algorithm extracts edge segments from current image and eliminates the background edge segments by matching them with reference edge list, which is updated at every frame, to find the moving edge segments. The test results show that it can detect the contour of moving object in the noisy environment with abrupt illumination change.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2002.04b
• /
• pp.927-930
• /
• 2002

본 논문에서는 중요 프로세스(privileged process)의 시스템 호출 순서(system call sequence)를 이용한 침입탐지 시스템을 제안한다. 기존 연구의 정상행위 기반 침입탐지 시스템은 정상행위를 모델링하여 시스템을 구성하고, 이와 비교를 통해 프로세스의 이상(anomaly) 여부를 결정한다. 이러한 방법은 모델링되지 않은 미지의 행위에 대한 적절한 판단을 행할 수 없으므로, 높은 오류율(false-positive/negative)을 보인다. 본 논문에서는 현재까지 알려진 공격에서 공통적으로 나타나는 윈도우들을 수집하여 침입예상윈도우를 구축하고, 이를 기존의 침입탐지 시스템에 부가적으로 사용하여 효과적으로 오류율(false-positive/negative)을 낮출 수 있음을 보인다. 실험 결과 제안된 방법을 통한 침입탐지는 기존의 방법에 비해 공격 탐지율은 증가하고 정상행위에 대한 오류율은 감소하였다.

• The KIPS Transactions:PartC
• /
• v.11C no.3
• /
• pp.301-308
• /
• 2004

Misuse IDS is known to have an acceptable accuracy but suffers from high rates of false alarms. We show a behavior based alarm reduction with a memory-based machine learning technique. Our extended form of IBL, (XIBL) examines SNORT alarm signals if that signal is worthy sending signals to security manager. An experiment shows that there exists an apparent difference between true alarms and false alarms with respect to XIBL behavior This gives clear evidence that although an attack in the network consists of a sequence of packets, decisions over Individual packet can be used in conjunction with misuse IDS for better performance.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.34 no.9B
• /
• pp.914-922
• /
• 2009

In this paper, we propose a matrix based real-time pattern matching method, called MDPI, for real-time intrusion detection on several Gbps network traffic. Particularly, in order to minimize a kind of overhead caused by buffering, reordering, and reassembling under the circumstance where the incoming packet sequence is disrupted, MDPI adopts independent partial matching in the case dealing with pattern matching matrix. Consequently, we achieved the performance improvement of the amount of 61% and 50% with respect to TCAM method efficiency through several experiments where the average length of the Snort rule set was maintained as 9 bytes, and w=4 bytes and w=8bytes were assigned, respectively, Moreover, we observed the pattern scan speed of MDPI was 10.941Gbps and the consumption of hardware resource was 5.79LC/Char in the pattern classification of MDPI. This means that MDPI provides the optimal performance compared to hardware complexity. Therefore, by decreasing the hardware cost came from the increased TCAM memory efficiency, MDPI is proven the cost effective high performance intrusion detection technique.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.15 no.5
• /
• pp.1066-1072
• /
• 2011

In the method to analyze the relationship in the system call orders, the normal system call orders are divided into a certain size of system call orders to generates gene and use them as the detectors. In the method to consider the system call parameters, the mean and standard deviation of the parameter lengths are used as the detectors. The attack of which system call order is normal but the parameter values are changed, such as the format string attack, cannot be detected by the method that considers only the system call orders, whereas the model that considers only the system call parameters has the drawback of high positive defect rate because of the information obtained from the interval where the attack has not been initiated, since the parameters are considered individually. To solve these problems, it is necessary to develop a more efficient learning and detecting method that groups the continuous system call orders and parameters as the approach that considers various characteristics of system call related to attacking simultaneously. In this article, we detected the anomaly of the system call orders and parameters by applying the temporal concept to the system call orders and parameters in order to improve the rate of positive defect, that is, the misjudgment of anomaly as normality. The result of the experiment where the DARPA data set was employed showed that the proposed method improved the positive defect rate by 13% in the system call order model where time was considered in comparison with that of the model where time was not considered.