Title/Summary/Keyword: anomaly-based detection


The Bayesian Framework based on Graphics for the Behavior Profiling (행위 프로파일링을 위한 그래픽 기반의 베이지안 프레임워크)

  • 차병래
    • Journal of the Korea Institute of Information Security & Cryptology / v.14 no.5 / pp.69-78 / 2004
  • The paradigm of attack techniques began to change with the rapid expansion of the Internet and the appearance of new attack forms. However, most intrusion detection systems detect only known attack types because they are based on misuse detection, and active response to new attacks is difficult. Therefore, to raise the detection rate for new attack patterns, experiments applying various anomaly detection techniques are appearing. In this paper, we propose a behavior profiling method using a graphics-based Bayesian framework over audit data, and visualize the behavior profile to detect/analyze anomalous behavior. We carry out a simulation that translates host/network audit data into BF-XML, a semi-structured behavior profile for anomaly detection, and visualizes the BF-XML as SVG.

Anomaly detection in particulate matter sensor using hypothesis pruning generative adversarial network

  • Park, YeongHyeon;Park, Won Seok;Kim, Yeong Beom
    • ETRI Journal / v.43 no.3 / pp.511-523 / 2021
  • The World Health Organization provides guidelines for managing the particulate matter (PM) level because a higher PM level represents a threat to human health. To manage the PM level, a procedure for measuring the PM value is first needed. We use a PM sensor that collects the PM level by the laser-based light scattering (LLS) method because it is more cost-effective than a beta attenuation monitor-based sensor or a tapered element oscillating microbalance-based sensor. However, an LLS-based sensor has a higher probability of malfunctioning than the higher-cost sensors. In this paper, we regard overall malfunctioning, including strange value collection or missing collection data, as anomalies, and we aim to detect anomalies for the maintenance of PM measuring sensors. We propose a novel architecture for solving the above aim that we call the hypothesis pruning generative adversarial network (HP-GAN). Through comparative experiments, we achieve AUROC and AUPRC values of 0.948 and 0.967, respectively, in the detection of anomalies in LLS-based PM measuring sensors. We conclude that our HP-GAN is a cutting-edge model for anomaly detection.

Anomaly Detection for IEC 61850 Substation Network (IEC 61850 변전소 네트워크에서의 이상 징후 탐지 연구)

  • Lim, Yong-Hun;Yoo, Hyunguk;Shon, Taeshik
    • Journal of the Korea Institute of Information Security & Cryptology / v.23 no.5 / pp.939-946 / 2013
  • This paper proposes normal behavior profiling methods for anomaly detection in IEC 61850-based substation networks. Signature-based security solutions, currently the primary ones in use, are inadequate against APT attacks using zero-day vulnerabilities. Recently, some research on anomaly detection in control networks has been ongoing. However, there are no published results for IEC 61850 substation networks. Our proposed methods include 3-phase preprocessing for MMS/GOOSE packets and normal behavior profiling using the one-class SVM algorithm. These approaches are beneficial for detecting APT attacks on IEC 61850 substation networks.

Anomaly Detection via Pattern Dictionary Method and Atypicality in Application (패턴사전과 비정형성을 통한 이상치 탐지방법 적용)

  • Sehong Oh;Jongsung Park;Youngsam Yoon
    • Journal of Sensor Science and Technology / v.32 no.6 / pp.481-486 / 2023
  • Anomaly detection holds paramount significance across diverse fields, encompassing fraud detection, risk mitigation, and sensor evaluation tests. Its pertinence extends notably to the military, particularly within the Warrior Platform, a comprehensive combat equipment system with wearable sensors. Hence, we propose a data-compression-based anomaly detection approach tailored to unlabeled time series and sequence data. This method entailed the construction of two distinctive features, typicality and atypicality, to discern anomalies effectively. The typicality of a test sequence was determined by evaluating the compression efficacy achieved through the pattern dictionary. This dictionary was established based on the frequency of all patterns identified in a training sequence generated for each sensor within Warrior Platform. The resulting typicality served as an anomaly score, facilitating the identification of anomalous data using a predetermined threshold. To improve the performance of the pattern dictionary method, we leveraged atypicality to discern sequences that could undergo compression independently without relying on the pattern dictionary. Consequently, our refined approach integrated both typicality and atypicality, augmenting the effectiveness of the pattern dictionary method. Our proposed method exhibited heightened capability in detecting a spectrum of unpredictable anomalies, fortifying the stability of wearable sensors prevalent in military equipment, including the Army TIGER 4.0 system.

Performance Comparison of Anomaly Detection Algorithms: in terms of Anomaly Type and Data Properties (이상탐지 알고리즘 성능 비교: 이상치 유형과 데이터 속성 관점에서)

  • Jaeung Kim;Seung Ryul Jeong;Namgyu Kim
    • Journal of Intelligence and Information Systems / v.29 no.3 / pp.229-247 / 2023
  • With the increasing emphasis on anomaly detection across various fields, diverse anomaly detection algorithms have been developed for various data types and anomaly patterns. However, the performance of anomaly detection algorithms is generally evaluated on publicly available datasets, and the specific performance of each algorithm on anomalies of particular types remains unexplored. Consequently, selecting an appropriate anomaly detection algorithm for specific analytical contexts poses challenges. Therefore, in this paper, we aim to investigate the types of anomalies and various attributes of data. Subsequently, we intend to propose approaches that can assist in the selection of appropriate anomaly detection algorithms based on this understanding. Specifically, this study compares the performance of anomaly detection algorithms for four types of anomalies: local, global, contextual, and clustered anomalies. Through further analysis, the impact of label availability, data quantity, and dimensionality on algorithm performance is examined. Experimental results demonstrate that the most effective algorithm varies depending on the type of anomaly, and certain algorithms exhibit stable performance even in the absence of anomaly-specific information. Furthermore, in some types of anomalies, the performance of unsupervised anomaly detection algorithms was observed to be lower than that of supervised and semi-supervised learning algorithms. Lastly, we found that the performance of most algorithms is more strongly influenced by the type of anomalies when the data quantity is relatively scarce or abundant. Additionally, in cases of higher dimensionality, it was noted that excellent performance was exhibited in detecting local and global anomalies, while lower performance was observed for clustered anomaly types.

A Flow-based Detection Method for VoIP Anomaly Traffic (VoIP 이상 트래픽의 플로우 기반 탐지 방법)

  • Son, Hyeon-Gu;Lee, Young-Seok
    • Journal of KIISE:Information Networking / v.37 no.4 / pp.263-271 / 2010
  • SIP/RTP-based VoIP services are becoming popular. Recently, however, VoIP anomaly traffic such as delay, interference and termination of call establishment, and degradation of voice quality has been reported. An attacker could intercept a packet and obtain user and header information so as to generate anomaly traffic, because most Korean VoIP applications do not use standard security protocols. In this paper, we propose three VoIP anomaly traffic generation methods for CANCEL/BYE DoS and RTP flooding, and a detection method through flow-based traffic measurement. From our experiments, we showed that 97% of anomaly traffic could be detected in real commercial VoIP networks in Korea.

UFKLDA: An unsupervised feature extraction algorithm for anomaly detection under cloud environment

  • Wang, GuiPing;Yang, JianXi;Li, Ren
    • ETRI Journal / v.41 no.5 / pp.684-695 / 2019
  • In a cloud environment, performance degradation, or even downtime, of virtual machines (VMs) usually appears gradually along with anomalous states of VMs. To better characterize the state of a VM, all possible performance metrics are collected. For such high-dimensional datasets, this article proposes a feature extraction algorithm based on unsupervised fuzzy linear discriminant analysis with kernel (UFKLDA). By introducing the kernel method, UFKLDA can not only effectively deal with non-Gaussian datasets but also implement nonlinear feature extraction. Two sets of experiments were undertaken. In discriminability experiments, this article introduces quantitative criteria to measure discriminability among all classes of samples. The results show that UFKLDA improves discriminability compared with other popular feature extraction algorithms. In detection accuracy experiments, this article computes accuracy measures of an anomaly detection algorithm (i.e., C-SVM) on the original performance metrics and extracted features. The results show that anomaly detection with features extracted by UFKLDA improves the accuracy of detection in terms of sensitivity and specificity.

Robust transformer-based anomaly detection for nuclear power data using maximum correntropy criterion

  • Shuang Yi;Sheng Zheng;Senquan Yang;Guangrong Zhou;Junjie He
    • Nuclear Engineering and Technology / v.56 no.4 / pp.1284-1295 / 2024
  • Due to increasing operational security demands, digital and intelligent condition monitoring of nuclear power plants is becoming more significant. However, establishing an accurate and effective anomaly detection model is still challenging. This is mainly because of the characteristics of nuclear power data, including the lack of clear class labels combined with frequent interference from outliers and anomalies. In this paper, we introduce a Transformer-based unsupervised model for anomaly detection of nuclear power data; a modified loss function based on the maximum correntropy criterion (MCC) is applied in model training to improve robustness. Experimental results on simulation datasets demonstrate that the proposed Trans-MCC model achieves detection performance equivalent or superior to the baseline models, and the use of the MCC loss function is shown to clearly alleviate the negative effect of outliers and anomalies in the training procedure; the F1 score is improved by up to 0.31 compared to Trans-MSE on a specific dataset. Further studies on genuine nuclear power data have verified the model's capability to detect anomalies at an earlier stage, which is significant for condition monitoring.

A Study on the Performance Improvement of Anomaly-Based IDS Through the Improvement of Training Data (학습 데이터 개선을 통한 Anomaly-based IDS의 성능 향상 방안)

  • Moon, Sang Tae;Lee, Soo Jin
    • Convergence Security Journal / v.19 no.4 / pp.181-188 / 2019
  • Recently, attempts to apply artificial intelligence technology to create the normal profile in anomaly-based intrusion detection systems have been made actively. But existing studies that proposed the application of artificial intelligence technology mostly focus on improving the structure of artificial neural networks and finding optimal hyper-parameter values, and fail to address the various problems that may arise from the misconfiguration of learning data. In this paper, we identify through experiment the main problems that may arise due to the misconfiguration of learning data. We also propose a novel approach that can address such problems and improve detection performance through reconstruction of the learning data.

Normal Behavior Profiling based on Bayesian Network for Anomaly Intrusion Detection (이상 침입 탐지를 위한 베이지안 네트워크 기반의 정상행위 프로파일링)

  • 차병래;박경우;서재현
    • Journal of the Korea Society of Computer and Information / v.8 no.1 / pp.103-113 / 2003
  • The program behavior intrusion detection technique analyzes the system calls made by daemon programs or by processes with root authority, constructs profiles, and detects anomalous intrusions effectively. Anomaly detection using system calls detects only anomalous processes. However, this has the problem that it does not detect the various parts affected by anomalous processes. To improve on this problem, the relations among the system calls of processes are represented by Bayesian probability values. Application behavior profiling by Bayesian network supplies anomalous intrusion information. This paper overcomes the problems of various intrusion detection models: we propose an effective intrusion detection technique using Bayesian networks. We have concisely profiled normal behaviors using behavior context, and this method is able to detect new intrusions or modified intrusions. We ran a simulation of the proposed normal behavior profiling technique using UNM data.
