• KIPS Transactions on Software and Data Engineering
• /
• v.12 no.8
• /
• pp.355-364
• /
• 2023

As advanced cyber threats continue to increase in recent years, it is difficult to detect new types of cyber attacks with existing pattern or signature-based intrusion detection method. Therefore, research on anomaly detection methods using data learning-based artificial intelligence technology is increasing. In addition, supervised learning-based anomaly detection methods are difficult to use in real environments because they require sufficient labeled data for learning. Research on an unsupervised learning-based method that learns from normal data and detects an anomaly by finding a pattern in the data itself has been actively conducted. Therefore, this study aims to extract a latent vector that preserves useful sequence information from sequence log data and develop an anomaly detection learning model using the extracted latent vector. Word2Vec was used to create a dense vector representation corresponding to the characteristics of each sequence, and an unsupervised autoencoder was developed to extract latent vectors from sequence data expressed as dense vectors. The developed autoencoder model is a recurrent neural network GRU (Gated Recurrent Unit) based denoising autoencoder suitable for sequence data, a one-dimensional convolutional neural network-based autoencoder to solve the limited short-term memory problem that GRU can have, and an autoencoder combining GRU and one-dimensional convolution was used. The data used in the experiment is time-series-based NGIDS (Next Generation IDS Dataset) data, and as a result of the experiment, an autoencoder that combines GRU and one-dimensional convolution is better than a model using a GRU-based autoencoder or a one-dimensional convolution-based autoencoder. It was efficient in terms of learning time for extracting useful latent patterns from training data, and showed stable performance with smaller fluctuations in anomaly detection performance.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.36 no.2B
• /
• pp.131-140
• /
• 2011

As the number of Internet users and applications is increasing, the importance of application traffic classification is growing more and more for efficient network management. While a number of methods for traffic classification have been introduced, such as signature-based and machine learning-based methods, Skype application, which uses encrypted communication on its own P2P network, is known as one of the most difficult traffic to identify. In this paper we propose a novel method to identify Skype application traffic on the fly. The main idea is to setup a list of Skype host information {IP, port} by examining the packets generated in the Skype login process and utilizes the list to identify other Skype traffic. By implementing the identification system and deploying it on our campus network, we proved the performance and feasibility of the proposed method.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.13 no.3
• /
• pp.482-488
• /
• 2009

Mobile Ad-hoc Networks provide communication without a centralized infrastructure, which makes them suitable for communication in disaster areas or when quick deployment is needed. On the other hand, they are susceptible to malicious exploitation and have to face different challenges at different layers due to its open Ad-hoc network structure which lacks previous security measures. Denial of service (DoS) attack is one that interferes with the radio transmission channel causing a jamming attack. In this kind of attack, an attacker emits a signal that interrupts the energy of the packets causing many errors in the packet currently being transmitted. In harsh environments where there is constant traffic, a jamming attack causes serious problems; therefore measures to prevent these types of attacks are required. The objective of this paper is to carry out the simulation of the jamming attack on the nodes and determine the DoS attacks in OPNET so as to obtain better results. We have used effective anomaly detection system to detect the malicious behaviour of the jammer node and analyzed the results that deny channel access by jamming in the mobile Ad-hoc networks.

• Journal of the Korean Institute of Intelligent Systems
• /
• v.26 no.3
• /
• pp.233-238
• /
• 2016

In this paper, we propose the algorithms of processing the uncertainty data using data fusion for the next generation intrusion detection. In the next generation intrusion detection, a lot of data are collected by many of network sensors to discover knowledge from generating information in cyber space. It is necessary the data fusion process to extract knowledge from collected sensors data. In this paper, we have proposed method to represent the uncertainty data, by classifying where is a confidence interval in interval of uncertainty data through feature analysis of different data using inference method with Dempster-Shafer Evidence Theory. In this paper, we have implemented a detection experiment that is classified by the confidence interval using IRIS plant Data Set for anomaly detection of uncertainty data. As a result, we found that it is possible to classify data by confidence interval.

• Smart Media Journal
• /
• v.12 no.11
• /
• pp.36-47
• /
• 2023

Industrial Control System(ICS), which controls facilities at major industrial sites, is increasingly connected to other systems through networks. With this integration and the development of intelligent attacks that can lead to a single external intrusion as a whole system paralysis, the risk and impact of security on industrial control systems are increasing. As a result, research on how to protect and detect cyber attacks is actively underway, and deep learning models in the form of unsupervised learning have achieved a lot, and many abnormal detection technologies based on deep learning are being introduced. In this study, we emphasize the application of preprocessing methodologies to enhance the anomaly detection performance of deep learning models on time series data. The results demonstrate the effectiveness of a Wavelet Transform (WT)-based noise reduction methodology as a preprocessing technique for deep learning-based anomaly detection. Particularly, by incorporating sensor characteristics through clustering, the differential application of the Dual-Tree Complex Wavelet Transform proves to be the most effective approach in improving the detection performance of cyber attacks.

• Electronics and Telecommunications Trends
• /
• v.20 no.1 s.91
• /
• pp.9-16
• /
• 2005

최초의 인터넷 웜(worm)으로 불리는 Morris 웜이 1988년 11월에 발표된 이래로 현재까지 많은 웜 공격이 발생되고 또 발표되어 왔다. 초기의 웜은 작은 규모의 네트워크에서 퍼지는 정도였으며, 실질적인 피해를 주는 경우는 거의 없었다. 그러나 2001년 CodeRed 웜은 인터넷에 연결된 많은 컴퓨터들을 순식간에 감염시켜 많은 피해를 발생시켰으며 그 이후 2003년 1월에 발생한 Slammer 웜은 10분이라는 짧은시간안에 75,000여 대 이상의 호스트를 감염시키고 네트워크 자체를 마비시켰다. 특히 Slammer 웜은 국내에서 더욱 유명하다. 명절 구정과 맞물려 호황을 누리던 인터넷 쇼핑 몰, 은행 거래 등을 일시에 마비시켜 버리면서 경제적으로도 막대한 피해를 우리에게 주었다. 이런 웜을 막기 위해서 많은 보안 업체들이나서고 있으나, 아직은 사전에 웜의 피해를 막을만한 확실한 대답을 얻지 못하고 있다. 본 문서에서는 현재 웜의 발생 초기 단계를 탐지하고 이를 피해가 커지기 이전에 막기 위한 연구들을 설명할 것이다.

• Journal of KIISE:Information Networking
• /
• v.32 no.3
• /
• pp.279-290
• /
• 2005

Recently, as the serious damage caused by DDoS attacks increases, the rapid detection and the proper response mechanisms are urgent. However, existing security mechanisms do not effectively defend against these attacks, or the defense capability of some mechanisms is only limited to specific DDoS attacks. In this paper, we propose a detection architecture against DDoS attack using data mining technology that can classify the latest types of DDoS attack, and can detect the modification of existing attacks as well as the novel attacks. This architecture consists of a Misuse Detection Module modeling to classify the existing attacks, and an Anomaly Detection Module modeling to detect the novel attacks. And it utilizes the off-line generated models in order to detect the DDoS attack using the real-time traffic. We gathered the NetFlow data generated at an access router of our network in order to model the real network traffic and test it. The NetFlow provides the useful flow-based statistical information without tremendous preprocessing. Also, we mounted the well-known DDoS attack tools to gather the attack traffic. And then, our experimental results show that our approach can provide the outstanding performance against existing attacks, and provide the possibility of detection against the novel attack.

• Proceedings of the Korean Society of Computer Information Conference
• /
• 2021.07a
• /
• pp.145-146
• /
• 2021

본 연구에서는 카메라의 촬영 시점에 의해서 발생되는 원근감이 광학 흐름 생성에 어떠한 영향을 주는지 살펴보고 광학 흐름 기반 이상행동 탐지 솔루션의 성능을 고도화하기 위해 기존 광학 흐름 영상으로부터 소실점 기반 가중치 행렬을 계산하여 원근감에 따른 광학 흐름 정도를 평활하는 기법에 대해서 연구한다. 카메라의 뷰포인트에 따라 원근감의 발생 정도나 객체의 크기 및 움직임의 정도가 달라지게 되며, 이는 원본 영상 프레임을 광학 흐름의 크기와 방향성으로 표현하는 영상 변환 네트워크를 가진 생성적 적대 신경망을 학습할 때 정상적인 행동 패턴의 범위를 결정짓는 데 방해가 될 수 있다. 이러한 문제를 해결하기 위하여 데이터셋의 배경으로부터 소실점을 추출하고 원근감에 따라 결정되는 광학 흐름의 크기를 평활하는 기법을 개발하여 기존 모델의 성능과 비교하였으며, 프레임 단위의 정확도 성능이 5.75% 향상된 것으로 확인되었다.

• Proceedings of the Korean Information Science Society Conference
• /
• 2006.10d
• /
• pp.128-131
• /
• 2006

IPv6 프로토콜은 현재 인터넷 프로토콜로 사용되고 있는 IPv4 프로토콜이 가지고 있는 주소 부족 문제, 미흡한 QoS의 제공, 다양한 보안 문제 등을 해결하도록 설계된 차세대 인터넷 표준이다. IPv4에서 IPv6로의 전환이 이루어지고 있는 과정이지만, 아직까지 IPv6가 많이 사용되고 있지는 않고 있어 IPv6 트래픽 모니터링 도구 및 침입대응 장비도 많이 나와 있지 않다. 그러나, IPv6 네트워크가 점진적으로 등장하고 전환이 됨에 따라 IPv6에서 발생할 수 있는 각종 인터넷 침해사고에 대한 대비가 필요하다. 이미 IPv6 프로토콜의 허점을 이용한 서비스 거부공격, 디폴트 라우터 위장공격 등 IPv4에서 발생했던 이상트래픽, IPv6 확장헤더를 이용한 이상트래픽 및 IPv6-over-IPv4 터널링 등의 이상트래픽 발생이 보고되고 있다. 이에 본 논문은 IPv6 프로토콜에서 발생할 수 있는 이상트래픽에 대해 살펴보고, 이러한 이상트래픽의 탐지를 위해 IETF 표준인 IPFIX 템플릿을 이상 트래픽 탐지가 가능하게 제안한다. 제안된 IPFIX 플로우 메시지를 이용하여 간단하게 IPv6 이상 트래픽을 분류하는 방법도 제시하였다.

• KIPS Transactions on Software and Data Engineering
• /
• v.10 no.11
• /
• pp.449-456
• /
• 2021

An intrusion detection system is a technology that detects abnormal behaviors that violate security, and detects abnormal operations and prevents system attacks. Existing intrusion detection systems have been designed using statistical analysis or anomaly detection techniques for traffic patterns, but modern systems generate a variety of traffic different from existing systems due to rapidly growing technologies, so the existing methods have limitations. In order to overcome this limitation, study on intrusion detection methods applying various machine learning techniques is being actively conducted. In this study, a comparative study was conducted on data preprocessing techniques that can improve the accuracy of anomaly detection using NGIDS-DS (Next Generation IDS Database) generated by simulation equipment for traffic in various network environments. Padding and sliding window were used as data preprocessing, and an oversampling technique with Adversarial Auto-Encoder (AAE) was applied to solve the problem of imbalance between the normal data rate and the abnormal data rate. In addition, the performance improvement of detection accuracy was confirmed by using Skip-gram among the Word2Vec techniques that can extract feature vectors of preprocessed sequence data. PCA-SVM and GRU were used as models for comparative experiments, and the experimental results showed better performance when sliding window, skip-gram, AAE, and GRU were applied.