• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.13 no.11
• /
• pp.5354-5369
• /
• 2019

Sensor networks are deployed in unheeded environment to monitor the situation. In view of the unheeded environment and by the nature of their communication channel sensor nodes are vulnerable to various attacks most commonly malicious packet dropping attacks namely blackhole, grayhole attack and sinkhole attack. In each of these attacks, the attackers capture the sensor nodes to inject fake details, to deceive other sensor nodes and to interrupt the network traffic by packet dropping. In all such attacks, the compromised node advertises itself with fake routing facts to draw its neighbor traffic and to plunge the data packets. False routing advertisement play vital role in deceiving genuine node in network. In this paper, behavior based routing misbehavior detection (BRMD) is designed in wireless sensor networks to detect false advertiser node in the network. Herein the sensor nodes are monitored by its neighbor. The node which attracts more neighbor traffic by fake routing advertisement and involves the malicious activities such as packet dropping, selective packet dropping and tampering data are detected by its various behaviors and isolated from the network. To estimate the effectiveness of the proposed technique, Network Simulator 2.34 is used. In addition packet delivery ratio, throughput and end-to-end delay of BRMD are compared with other existing routing protocols and as a consequence it is shown that BRMD performs better. The outcome also demonstrates that BRMD yields lesser false positive (less than 6%) and false negative (less than 4%) encountered in various attack detection.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.37B no.11
• /
• pp.1082-1089
• /
• 2012

Recent malicious attempts in Cyber space are intended to emerge national threats such as Suxnet as well as to get financial benefits through a large pool of comprised botnets. The evolved botnets use the Domain Name System(DNS) to communicate with the C&C server and zombies. DNS is one of the core and most important components of the Internet and DNS traffic are continually increased by the popular wireless Internet service. On the other hand, domain names are popular for malicious use. This paper studies on DNS-based cyber threats domain detection by data classification based on supervised learning. Furthermore, the developed cyber threats domain detection system using DNS traffic analysis provides collection, analysis, and normal/abnormal domain classification of huge amounts of DNS data.

• IEIE Transactions on Smart Processing and Computing
• /
• v.5 no.2
• /
• pp.94-99
• /
• 2016

Application layer attacks have for years posed an ever-serious threat to network security, since they always come after a technically legitimate connection has been established. In recent years, cyber criminals have turned to fully exploiting the web as a medium of communication to launch a variety of forbidden or illicit activities by spreading malicious automated software (auto-ware) such as adware, spyware, or bots. When this malicious auto-ware infects a network, it will act like a robot, mimic normal behavior of web access, and bypass the network firewall or intrusion detection system. Besides that, in a private and large network, with huge Hypertext Transfer Protocol (HTTP) traffic generated each day, communication behavior identification and classification of auto-ware is a challenge. In this paper, based on a previous study, analysis of auto-ware communication behavior, and with the addition of new features, a method for classification of HTTP auto-ware communication is proposed. For that, a Not Only Structured Query Language (NoSQL) database is applied to handle large volumes of unstructured HTTP requests captured every day. The method is tested with real HTTP traffic data collected through a proxy server of a private network, providing good results in the classification and detection of suspicious auto-ware web access.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.23 no.4
• /
• pp.721-728
• /
• 2013

Big data is one of the most spotlighted technological trends in these days, enabling new methods to handle huge volume of complicated data for a broad range of applications. Real-time network traffic analysis essentially deals with big data, which is comprised of different types of log data from various sensors. To tackle this problem, in this paper, we devise a big data based platform, RENTAP, to detect and analyse malicious network traffic. Focused on military network environment such as closed network for C4I systems, leading big data based solutions are evaluated to verify which combination of the solutions is the best design for network traffic analysis platform. Based on the selected solutions, we provide detailed functional design of the suggested platform.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.6
• /
• pp.1185-1195
• /
• 2014

Domestic and international CERTs are carrying out security monitoring and response services based on security devices for intrusion incident prevention and damage minimization of the organizations. However, the security monitoring and response service has a fatal limitation in that it is unable to detect unknown attacks that are not matched to the predefined signatures. In recent, many approaches have adopted the darknet technique in order to overcome the limitation. Since the darknet means a set of unused IP addresses, no real systems connected to the darknet. Thus, all the incoming traffic to the darknet can be regarded as attack activities. In this paper, we present a collection and analysis method of malicious URLs based on darkent traffic for advanced security monitoring and response service. The proposed method prepared 8,192 darknet space and extracted all of URLs from the darknet traffic, and carried out in-depth analysis for the extracted URLs. The analysis results can contribute to the emergence response of large-scale cyber threats and it is able to improve the performance of the security monitoring and response if we apply the malicious URLs into the security devices, DNS sinkhole service, etc.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.11 no.9
• /
• pp.4641-4657
• /
• 2017

Named Data Networking (NDN) has emerged and become one of the most promising architectures for future Internet. However, like traditional IP-based networking paradigm, NDN may not evade some typical network threats such as malicious data aggregates (MDA), which may lead to bandwidth exhaustion, traffic congestion and router overload. This paper firstly analyzes the damage effect of MDA using realistic simulations in large-scale network topology, showing that it is not just theoretical, and then designs a fine-grained MDA mitigation mechanism (MDAM) based on the cooperation between routers via alert messages. Simulations results show that MDAM can significantly reduce the Pending Interest Table overload in involved routers, and bring in normal data-returning rate and data-retrieval delay.

• Journal of Korea Society of Digital Industry and Information Management
• /
• v.9 no.4
• /
• pp.95-101
• /
• 2013

MANET has an advantage that can build a network quickly and easily in difficult environment to build network. In particular, routing protocol that uses in existing mobile environment cannot be applied literally because it consists of only mobile node. Thus, routing protocol considering this characteristic is necessary. Malicious nodes do extensive damage to the whole network because each mobile node has to act as a router. In this paper, we propose technique that can detect accurately the suspected node which causes severely damage to the performance of the network. The proposed technique divides the whole network to zone of constant size and is performed simultaneously detection technique based zone and detection technique by collaboration between nodes. Detection based zone translates the information when member node finishes packet reception or transmission to master node managing zone and detects using this. The collaborative detection technique uses the information of zone table managing in master node which manages each zone. The proposed technique can reduce errors by performing detection which is a reflection of whole traffic of network.

• Korean Journal of Artificial Intelligence
• /
• v.11 no.2
• /
• pp.19-27
• /
• 2023

In recent times, an exponential increase in Internet traffic has been observed as a result of advancing development of the Internet of Things, mobile networks with sensors, and communication functions within various devices. Further, the COVID-19 pandemic has inevitably led to an explosion of social network traffic. Within this context, considerable attention has been drawn to research on network traffic analysis based on machine learning. In this paper, we design and develop a new machine learning framework for network traffic analysis whereby normal and abnormal traffic is distinguished from one another. To achieve this, we combine together well-known machine learning algorithms and network traffic analysis techniques. Using one of the most widely used datasets KDD CUP'99 in the Weka and Apache Spark environments, we compare and investigate results obtained from time series type analysis of various aspects including malicious codes, feature extraction, data formalization, network traffic measurement tool implementation. Experimental analysis showed that while both the logistic regression and the support vector machine algorithm were excellent for performance evaluation, among these, the logistic regression algorithm performs better. The quantitative analysis results of our proposed machine learning framework show that this approach is reliable and practical, and the performance of the proposed system and another paper is compared and analyzed. In addition, we determined that the framework developed in the Apache Spark environment exhibits a much faster processing speed in the Spark environment than in Weka as there are more datasets used to create and classify machine learning models.

• The Journal of the Korea Contents Association
• /
• v.7 no.1
• /
• pp.103-115
• /
• 2007

The vulnerability issue on IEEE 802.1x wireless LAN has been permits the malicious attack such as Auth/Deauth flooding more serious rather than we expected. Attacker can generate huge volume of malicious traffic as the same methods on existing wired network. The objective of wireless IP Traceback is to determine the real attack sources, as well as the full path taken by the wireless attack packets. Existing IP Traceback methods can be categorized as proactive or reactive tracing. But, these existing schemes did not provide enhanced performance against DoS attack on wireless traffic. In this paper, we propose a 'TTL based advanced Packet Marking' mechanism for wireless IP Packet Traceback with wireless Classification function. Proposed mechanism can detect and control DoS traffic on AP and can generate marked packet for reconstructing on the real path from the non-spoofed wireless attack source, by which we can construct secure wireless network based on AP with enhance traceback performance.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.6 no.10
• /
• pp.2587-2600
• /
• 2012

It has been demonstrated that choosing an appropriate relay node can improve the transmission rate for the system. However, such system improvement brought by the relay selection may be degraded with the presence of the malicious relay nodes, which are selected but refuse to cooperate for transmissions deliberately. In this paper, we formulate the relay selection issue as a restless bandit problem with the objective to maximize the average rate, while considering the credibility of each relay node, which may be different at each time instant. Then the optimization problem is solved by using the priority-index heuristic method effectively. Furthermore, a low complexity algorithm is offered in order to facilitate the practical implementations. Simulation results are conducted to demonstrate the effectiveness of the proposed trust-based relay selection scheme.