• Journal of the Korea Society for Simulation
• /
• v.13 no.3
• /
• pp.21-29
• /
• 2004

The major objective of this paper is to analyze network vulnerabilities using the SIMVA (SIMualtion-based Vulnerability Analyzer). SIMVA is capable of monitor network status and analyze vulnerabilities automatically. To do this, we have employed the advanced modeling and simulation concepts such as SES/MB (System Entity Structure / Model Base) framework, DEVS (Discrete Event System Specification) formalism, and experimental frame for developing network security models and simulation-based analysis of vulnerability. SIMVA can analyze static vulnerability as well as dynamic vulnerability consistently and quantitatively. In this paper, we verified and tested the capability of application of SIMVA by slammer worm attack scenario.

• Proceedings of the Korean Information Science Society Conference
• /
• 2005.07a
• /
• pp.133-135
• /
• 2005

인터넷에서 일어나는 침해사고 중에서 웜에 의한 피해가 가장 심각하다. 2001 년 Code Red 웜의 출현과 2003 년 SQL Slammer 웜의 출현 이후로 웜에 감염된 이후에 행동 양상을 탐지하여 대응하는 것은 웜의 피해를 최소화 하기에는 역부족이다. 웜에 의해서 감염이 되기 이전에 웜을 탐지하여 조기에 대처하는 것이 무엇보다 중요하다. 또한 이미 알려져 있는 웜에 대한 행동양상을 이용한 웜의 탐지는 신종 웜의 출현 주기가 급격히 짧아지는 현실에 능동적으로 대처할 수 없다. 현재까지 발생한 인터넷 웜은 감염시킬 대상을 선택함에 있어서 랜덤 생성기를 사용하였으며 향후 나타날 웜도 빠른 확산과 자신의 위치를 드러내지 않기 위해 랜덤 스케닝 방식을 사용할 것이다. 본 연구는 네트워크의 연결들을 행렬로 표현하고, 이 행렬의 랭크(rank)값을 구하여 랜덤성 체크를 하는 방식으로, 웜으로 인한 트래픽에서 발생하는 랜덤성을 탐지할 수 있도록 하였다. 이 방법은 네트워크에서 알려지지 않은 신종 웜을 탐지하도록 하므로, 웜에의한 확산을 조기 탐지할 수 있게 하고, 더불어 웜의 피해를 최소화 하는 것을 목적으로 한다.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.37 no.3B
• /
• pp.212-218
• /
• 2012

An Internet worm is a self-replicating malware program which uses a computer network. As the network connectivity among computers increases, Internet worms have become widespread and are still big threats. There are many approaches to model the propagation of Internet worms such as Code Red, Nimda, and Slammer to get the insight of their behaviors and to devise possible defense methods to suppress worms' propagation activities. The influence of the network characteristics on the worm propagation has usually been modeled by medical epidemic model, named SI model, due to its simplicity and the similarity of propagation patterns. So far, SI model is still dominant and new variations of the SI model, called SI-style models, are being proposed for the modeling of new Internet worms. In this paper, we elaborate the problems of SI-style models and then propose a new accurate stochastic model using an occupancy problem.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.41 no.2
• /
• pp.277-284
• /
• 2016

Various network attacks such as DDoS(Distributed Denial of service) and orm are one of the biggest problems in the modern society. These attacks reduce the quality of internet service and caused the cyber crime. To solve the above problem, signature based IDS(Intrusion Detection System) has been developed by network vendors. It has a high detection rate by using database of previous attack signatures or known malicious traffic pattern. However, signature based IDS have the fatal weakness that the new types of attacks can not be detected. The reason is signature depend on previous attack signatures. In this paper, we propose a k-means clustering based malicious traffic detection method to complement the problem of signature IDS. In order to demonstrate efficiency of the proposed method, we apply the bayesian theorem.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.16 no.1
• /
• pp.55-63
• /
• 2006

Recently, there is much abnormal traffic driven by several worms, such as Nimda, Code Red, SQL Stammer, and so on, making badly severe damage to networks. Meanwhile, diverse prevention schemes for defeating abnormal traffic have been studied in the academic and commercial worlds. In this paper, we present the structure of a stepwise intrusion prevention system that is designed with the feature of putting limitation on the network bandwidth of each network traffic and dropping abnormal traffic, and then compare the proposed scheme with a pre-existing scheme, which is a True/False based an anomaly prevention scheme for several worm-patterns. There are two criteria for comparison of the schemes, which are Normal Traffic Rate (NTR) and False Positive Rate (FPR). Assuming that the abnormal traffic rate of a specific network is $\beta$ during a predefined time window, it is known that the average NTR of our stepwise intrusion prevention scheme increases by the factor of (1+$\beta$)/2 than that of True/False based anomaly prevention scheme and the average FPR of our scheme decrease by the factor of (1+$\beta$)/2.