• The KIPS Transactions:PartC
• /
• v.14C no.3 s.113
• /
• pp.199-208
• /
• 2007

In a ubiquitous network environment, detecting the leakage of personal information is very important. The leakage of personal information might cause severe problem such as impersonation, cyber criminal and personal privacy violation. In this paper, we have proposed a detection method of personal information leakage based on network traffic characteristics. The experimental results indicate that the traffic character of a real campus network shows the self-similarity and Proposed method can detect the anomaly of leakage of personal information by malicious code.

• Proceedings of the Korean Information Science Society Conference
• /
• 2012.06a
• /
• pp.57-59
• /
• 2012

본 논문은 유해 트래픽을 탐지하는 보안 장비와 그에 따른 탐지 또는 차단 기법들을 분석한다. 즉 서버측의 방화벽, 침입 탐지 시스템과 웹 방화벽의 순서로 보안 장비의 배치와 클라이언트 측의 보안 시스템을 보여주고 이들의 탐지 기법들을 소개한다. 이후 이 장비들의 유해트래픽의 방향에 따른 탐지 기법들을 분석하고 유해트래픽 방향에 따라 침입을 탐지할 수 있는 탐지 기법들을 분석한다. 또한 유해 트래픽의 방향에 따라 탐지기법이 부족한 방향을 제시한다.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.11 no.6
• /
• pp.3230-3253
• /
• 2017

Android malware steals users' private information, and embedded unsafe advertisement (ad) libraries, which execute unsafe code causing damage to users. The majority of such traffic is HTTP and is mixed with other normal traffic, which makes the detection of malware and unsafe ad libraries a challenging problem. To address this problem, this work describes a novel HTTP traffic flow mining approach to detect and categorize Android malware and unsafe ad library. This work designed AndroCollector, which can automatically execute the Android application (app) and collect the network traffic traces. From these traces, this work extracts HTTP traffic features along three important dimensions: quantitative, timing, and semantic and use these features for characterizing malware and unsafe ad libraries. Based on these HTTP traffic features, this work describes a supervised classification scheme for detecting malware and unsafe ad libraries. In addition, to help network operators, this work describes a fine-grained categorization method by generating fingerprints from HTTP request methods for each malware family and unsafe ad libraries. This work evaluated the scheme using HTTP traffic traces collected from 10778 Android apps. The experimental results show that the scheme can detect malware with 97% accuracy and unsafe ad libraries with 95% accuracy when tested on the popular third-party Android markets.

• Journal of Communications and Networks
• /
• v.10 no.1
• /
• pp.89-97
• /
• 2008

Anomaly detection systems playa significant role in protection mechanism against attacks launched on a network. The greatest challenge in designing systems detecting anomalous exploits is defining what to measure. Effective yet simple, Shannon entropy metrics have been successfully used to detect specific types of malicious traffic in a number of commercially available IDS's. We believe that Renyi entropy measures can also adequately describe the characteristics of a network as a whole as well as detect abnormal traces in the observed traffic. In addition, Renyi entropy metrics might boost sensitivity of the methods when disambiguating certain anomalous patterns. In this paper we describe our efforts to understand how Renyi mutual information can be applied to anomaly detection as an offline computation. An initial analysis has been performed to determine how well fast spreading worms (Slammer, Code Red, and Welchia) can be detected using our technique. We use both synthetic and real data audits to illustrate the potentials of our method and provide a tentative explanation of the results.

• Journal of the Korea Society of Computer and Information
• /
• v.26 no.12
• /
• pp.123-132
• /
• 2021

Malicious activities of Botnets are responsible for huge financial losses to Internet Service Providers, companies, governments and even home users. In this paper, we try to confirm the possibility of detecting botnet traffic by applying the deep learning model Convolutional Neural Network (CNN) using the CTU-13 botnet traffic dataset. In particular, we classify three classes, such as the C&C traffic between bots and C&C servers to detect C&C servers, traffic generated by bots other than C&C communication to detect bots, and normal traffic. Performance metrics were presented by accuracy, precision, recall, and F1 score on classifying both known and unknown botnet traffic. Moreover, we propose a stackable botnet detection system that can load modules for each botnet type considering scalability and operability on the real field.

• The Journal of the Korea Contents Association
• /
• v.6 no.12
• /
• pp.29-39
• /
• 2006

With the increasing popularity of the wireless network, the vulnerability issue on IEEE 802.1x Wireless Local Area Network (WLAN) are more serious than we expected. Security issues range from mis-configured wireless Access Point(AP) such as session hijacking to Denial of Service(DoS) attack. We propose a new system based on intrusion detection or prevention mechanism to protect the wireless network against these attacks. The proposed system has a security solution on AP that includes an intrusion detection and protection system(IDS/IPS) as an embedded module. In this paper, we suggest integrated wireless IDS/IPS module on AP with wireless traffic monitoring, analysis and packet filtering module against malicious wireless attacks. We also present that the system provides both enhanced security and performance such as on the university wireless campus network.

• Convergence Security Journal
• /
• v.5 no.4
• /
• pp.67-72
• /
• 2005

The exponential increase of malicious and criminal activities in cyber space is posing serious threat which could destabilize the foundation of modern information society. In particular, unexpected network paralysis or break-down created by the spread of malicious traffic could cause confusion and disorder in a nationwide scale, and unless effective countermeasures against such unexpected attacks are formulated in time, this could develop into a catastrophic condition. In order to solve a same problem, this paper researched early detection techniques for only early warning of cyber threats with separate way the detection due to and existing security equipment from the large network. It researched the cyber example alert system which applies the module of based honeynet from the actual large network and this technique against the malignant traffic how many probably it will be able to dispose effectively from large network.

• ETRI Journal
• /
• v.43 no.1
• /
• pp.40-52
• /
• 2021

DNS (Domain Name System) tunnels almost obscure the true network activities of users, which makes it challenging for the gateway or censorship equipment to identify malicious or unpermitted network behaviors. An efficient way to address this problem is to conduct a temporal-spatial analysis on the tunnel traffic. Nevertheless, current studies on this topic limit the DNS tunnel to those with a single protocol, whereas more than one protocol may be used simultaneously. In this paper, we concentrate on the refined identification of two protocols mixed in a DNS tunnel. A feature set is first derived from DNS query and response flows, which is incorporated with deep neural networks to construct a regression model. We benchmark the proposed method with captured DNS tunnel traffic, the experimental results show that the proposed scheme can achieve identification accuracy of more than 90%. To the best of our knowledge, the proposed scheme is the first to estimate the ratios of two mixed protocols in DNS tunnels.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.25 no.1
• /
• pp.69-74
• /
• 2021

Internet access is also increasing as online activities increase due to the influence of Corona 19. However, network attacks are also diversifying by malicious users, and DDoS among the attacks are increasing year by year. These attacks are detected by intrusion detection systems and can be prevented at an early stage. Various data sets are used to verify intrusion detection algorithms, but in this paper, CICIDS2017, the latest traffic, is used. DDoS attack traffic was analyzed using the decision tree. In this paper, we analyzed the traffic by using the decision tree. Through the analysis, a decisive feature was found, and the accuracy of the decisive feature was confirmed by proceeding the decision tree to prove the accuracy of detection. And the contents of false positive and false negative traffic were analyzed. As a result, learning the feature and the two features showed that the accuracy was 98% and 99.8% respectively.

• Journal of Korea Society of Digital Industry and Information Management
• /
• v.13 no.1
• /
• pp.49-57
• /
• 2017

IoT can be connected through a single network not only objects which can be connected to existing internet but also objects which has communication capability. This IoT environment will be a huge change to the existing communication paradigm. However, the big security problem must be solved in order to develop further IoT. Security mechanisms reflecting these characteristics should be applied because devices participating in the IoT have low processing ability and low power. In addition, devices which perform abnormal behaviors between objects should be also detected. Therefore, in this paper, we proposed D-IDS technique for efficient detection of malicious attack nodes between devices participating in the IoT. The proposed technique performs the central detection and distribution detection to improve the performance of attack detection. The central detection monitors the entire network traffic at the boundary router using SVM technique and detects abnormal behavior. And the distribution detection combines RSSI value and reliability of node and detects Sybil attack node. The performance of attack detection against malicious nodes is improved through the attack detection process. The superiority of the proposed technique can be verified by experiments.