• Proceedings of the Korean Information Science Society Conference
• /
• 2007.06d
• /
• pp.489-494
• /
• 2007

침입방지 시스템(IPS, Intrusion Prevention System)은 인라인모드(in-line mode)로 네트워크에 설치되어, 네트워크를 지나는 패킷 또는 세션을 검사하여 만일 그 패킷에서 공격이 감지되면 해당 패킷을 폐기하거나 세션을 종료시킴으로서 외부의 침입으로부터 네트워크를 보호하는 시스템을 의미한다. 침입방지 시스템은 크게 두 가지 종류의 동작을 수행한다. 하나는 이미 알려진 공격으로부터 방어하는 시그너처 기반 필터링(signature based filtering)이고 다른 하나는 알려지지 않은 공격이나 비정상 세션으로부터 방어하는 자기 학습 기반의 변칙 탐지 및 방지(anomaly detection and prevention based on selflearning)이다. 시그너처 기반 필터링에서는 침입방지시스템을 통과하는 패킷의 페이로드와 시그너처라고 불리는 공격 패턴들과 비교하여 같으면 그 패킷을 폐기한다. 시그너처의 개수가 증가함에 따라 하나의 들어온 패킷에 대하여 요구되는 패턴 매칭 시간은 증가하게 되어 패킷지연 없이 동작하는 고성능 침입탐지시스템을 개발하는 것이 어렵게 되었다. 공개 침입방지 소프트웨어인 SNORT를 위한 여러 개의 효율적인 패턴 매칭 방식들이 제안되었는데 시그너처들의 공통된 부분에 대해 한번만 매칭을 수행하거나 한 바이트 단위 비교대신 여러 바이트 비교 동작을 수행함으로써 불필요한 매칭동작을 줄이려고 하였다. 본 논문에서는 패턴 매칭 시간을 시그너처의 개수와 무관하게 하기 위하여 시그너처 해싱 기반에 기반한 고성능 침입방지시스템을 제안한다.

• The KIPS Transactions:PartC
• /
• v.14C no.3 s.113
• /
• pp.209-220
• /
• 2007

IPS(Intrusion Prevention Systems), which is installed in inline mode in a network, protects network from outside attacks by inspecting the incoming/outgoing packets and sessions, and dropping the packet or closing the sessions if an attack is detected in the packet. In the signature based filtering, the payload of a packet passing through IPS is matched with some attack patterns called signatures and dropped if matched. As the number of signatures increases, the time required for the pattern matching for a packet increases accordingly so that it becomes difficult to develop a high performance US working without packet delay. In this paper, we propose a high performance IPS based on signature hashing to make the pattern matching time independent of the number of signatures. We implemented the proposed scheme in a Linux kernel module in a PC and tested it using worm generator, packet generator and network performance measure instrument called smart bit. Experimental results show that the performance of existing method is degraded as the number of signatures increases whereas the performance of the proposed scheme is not degraded.

• Journal of Internet Computing and Services
• /
• v.8 no.6
• /
• pp.43-53
• /
• 2007

Intrusion detection system(IDS) has recently evolved while combining signature-based detection approach with anomaly detection approach. Although signature-based IDS tools have been commonly used by utilizing machine learning algorithms, they only detect network intrusions with already known patterns, Ideal IDS tools should always keep the signature database of your detection system up-to-date. The system needs to generate the signatures to detect new possible attacks while monitoring and analyzing incoming network data. In this paper, we propose a new outlier cluster detection algorithm with density (or influence) function, Our method assumes that an outlier is a kind of cluster with similar instances instead of a single object in the context of network intrusion, Through extensive experiments using KDD 1999 Cup Intrusion Detection dataset. we show that the proposed method outperform the conventional outlier detection method using Euclidean distance function, specially when attacks occurs frequently.

• The Journal of the Korea institute of electronic communication sciences
• /
• v.8 no.9
• /
• pp.1313-1318
• /
• 2013

In order to actively respond to cyber attacks, not only the security systems such as IDS, IPS, and Firewalls, but also ESM, a system that detects cyber attacks by analyzing various log data, are preferably deployed. However, as the attacks be come more elaborate and advanced, existing signature-based detection methods start to face their limitations. In response to that, researches upon symptom detection technology based on attack modeling by employing big-data analysis technology are actively on-going. This symptom detection technology is effective when it can accurately extract features of attacks and manipulate them to successfully execute the attack modeling. We propose the ways to extract attack features which can play a role as the basis of the modeling and detect intelligent threats by carrying out scenario-based modeling.

• Convergence Security Journal
• /
• v.6 no.2
• /
• pp.21-29
• /
• 2006

Recently, illegal manipulation and forgery threats on computer softwares are increasing. Specially, forge the code of program and disrupt normal operation using a malicious loader program against the Internet application client. In this paper, we first analyze and generate signatures of malicious loader detection. And, we propose a method to secure the application client based on profiling which can detect and filter out abnormal malicious loader requests.

• Journal of the Korea Society of Computer and Information
• /
• v.16 no.1
• /
• pp.125-132
• /
• 2011

A hierarchical Web Security System, which is a solution to various web-based attacks, seemingly is not able to keep up with the improvement of detoured or compound attacks. In this paper, we suggest an efficient detecting scheme for web-based attacks like Malware, XSS, Creating Webshell, URL Spoofing, and Exposing Private Information through monitoring HTTP outbound traffics in real time. Our proposed scheme detects web-based attacks by comparing the outbound traffics with the signatures of HTML tag or Javascript created by the attacks. Through the verification analysis under the real-attacked environment, we show that our scheme installed in a hierarchical web security system has superior detection capability for detoured web-based attacks.

• Journal of the Korea Society of Computer and Information
• /
• v.14 no.5
• /
• pp.65-75
• /
• 2009

The development of IT technology, Internet popularity is increasing geometrically. However, as its side effect, the intrusion behaviors such as information leakage for key system and infringement of computation network etc are also increasing fast. The attack traffic detection method which is suggested in this study utilizes the Snort, traditional NIDS, filters the packet with false positive among the detected attack traffics using Nmap information. Then, it performs the secondary filtering using nessus vulnerability information and finally performs correlation analysis considering appropriateness of management system, severity of signature and security hole so that it could reduce false positive alarm message as well as minimize the errors from false positive and as a result, it raised the overall attack detection results.

• Convergence Security Journal
• /
• v.14 no.7
• /
• pp.53-58
• /
• 2014

MANET can quickly build a network because it is configured with only the mobile node and it is very popular today due to its various application range. However, MANET should solve vulnerable security problem that dynamic topology, limited resources of each nodes, and wireless communication by the frequent movement of nodes have. In this paper, we propose a domain-based distributed cooperative intrusion detection techniques that can perform accurate intrusion detection by reducing overhead. In the proposed intrusion detection techniques, the local detection and global detection is performed after network is divided into certain size. The local detection performs on all the nodes to detect abnormal behavior of the nodes and the global detection performs signature-based attack detection on gateway node. Signature DB managed by the gateway node accomplishes periodic update by configuring neighboring gateway node and honeynet and maintains the reliability of nodes in the domain by the trust management module. The excellent performance is confirmed through comparative experiments of a multi-layer cluster technique and proposed technique in order to confirm intrusion detection performance of the proposed technique.

• Journal of KIISE:Information Networking
• /
• v.31 no.4
• /
• pp.363-374
• /
• 2004

In this paper, we propose an in-line mode NIDS using network processors(NPs) that achieve performance comparable to ASIC and flexibility comparable to general-purpose processors. Even if many networking applications using NPs have been proposed, we cannot find any NP applications to NIDS in the literature. The proposed NIDS supports packet payload inspection detecting attacks, as well as packet filtering and traffic metering. In particular, we separate the filtering and metering functions from the complicated and time-consuming operations of the deep packet inspection function using two-level searching scheme, thus we can improve the performance, stability, and scalability of In-line mode system. We also implement a proto-type based on a PC platform and the Agere PayloadPlus (APP) 2.5G NP solution, and present a payload inspection algorithm to apply APP NP.

• Journal of KIISE:Computing Practices and Letters
• /
• v.12 no.6
• /
• pp.339-348
• /
• 2006

Recently, many researches on detecting and responding worms due to the fatal infrastructural damages explosively damaged by automated attack tools, particularly worms. Network service vulnerability exploiting worms have high propagation velocity, exhaust network bandwidth and even disrupt the Internet. Previous worm researches focused on signature-based approaches however these days, approaches based on behavioral features of worms are more highlighted because of their low false positive rate and the attainability of early detection. In this paper, we propose a Distributed Worm Detection Model based on packet marking. The proposed model detects Worm Cycle and Infection Chain among which the behavior features of worms. Moreover, it supports high scalability and feasibility because of its distributed reacting mechanism and low processing overhead. We virtually implement worm propagation environment and evaluate the effectiveness of detecting and responding worm propagation.