• Title/Summary/Keyword: signature (시그너처)


A High Performance IPS Based on Signature Hashing (시그너처 해싱에 기반한 고성능 침입방지 시스템)

  • Wang, Jeong-Seok;Kwon, Hui-Ung;Jung, Yun-Jae;Kwak, Hu-Keun;Chung, Kyu-Sik
    • Proceedings of the Korean Information Science Society Conference / 2007.06d / pp.489-494 / 2007
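  • An intrusion prevention system (IPS) is installed in a network in in-line mode and inspects the packets or sessions passing through the network; if an attack is detected in a packet, it protects the network from outside intrusion by dropping that packet or terminating the session. An IPS performs two broad kinds of operation. One is signature-based filtering, which defends against already known attacks; the other is anomaly detection and prevention based on self-learning, which defends against unknown attacks and abnormal sessions. In signature-based filtering, the payload of each packet passing through the IPS is compared with attack patterns called signatures, and the packet is dropped if they match. As the number of signatures grows, the pattern-matching time required for each incoming packet increases, making it difficult to develop a high-performance intrusion detection system that operates without packet delay. Several efficient pattern-matching schemes have been proposed for SNORT, an open intrusion prevention software package; they try to reduce unnecessary matching operations by matching the parts common to several signatures only once, or by comparing multiple bytes at a time instead of one byte at a time. In this paper, we propose a high-performance IPS based on signature hashing to make the pattern-matching time independent of the number of signatures.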


A Signature Method for Efficient Preprocessing of XML Queries (XML 질의의 효율적인 전처리를 위한 시그너처 방법)

  • 정연돈;김종욱;김명호
    • Journal of KIISE:Databases / v.30 no.5 / pp.532-539 / 2003
  • The paper proposes a pre-processing method for efficient processing of XML queries in information retrieval systems with a large number of XML documents. For the pre-processing, we use a signature-based approach. In conventional (flat document-based) information retrieval systems, user queries consist of keywords and boolean operators, and thus signatures are structured in a flat manner. However, in XML-based information retrieval systems, user queries take the form of path queries. Therefore, the flat signature cannot be effective for XML documents. In the paper, we propose a structured signature for XML documents. Through experiments, we evaluate the performance of the proposed method.

An Outlier Cluster Detection Technique for Real-time Network Intrusion Detection Systems (실시간 네트워크 침입탐지 시스템을 위한 아웃라이어 클러스터 검출 기법)

  • Chang, Jae-Young;Park, Jong-Myoung;Kim, Han-Joon
    • Journal of Internet Computing and Services / v.8 no.6 / pp.43-53 / 2007
  • Intrusion detection systems (IDS) have recently evolved by combining the signature-based detection approach with the anomaly detection approach. Although signature-based IDS tools have been commonly used by utilizing machine learning algorithms, they only detect network intrusions with already known patterns. Ideal IDS tools should always keep the signature database of your detection system up-to-date. The system needs to generate the signatures to detect new possible attacks while monitoring and analyzing incoming network data. In this paper, we propose a new outlier cluster detection algorithm with a density (or influence) function. Our method assumes that an outlier is a kind of cluster with similar instances instead of a single object in the context of network intrusion. Through extensive experiments using the KDD 1999 Cup Intrusion Detection dataset, we show that the proposed method outperforms the conventional outlier detection method using the Euclidean distance function, especially when attacks occur frequently.


The Design and Implementation of High Performance Intrusion Prevention Algorithm based on Signature Hashing (시그너처 해싱 기반 고성능 침입방지 알고리즘 설계 및 구현)

  • Wang, Jeong-Seok;Jung, Yun-Jae;Kwon, H-Uing;Chung, Kyu-Sik;Kwak, Hu-Keun
    • The KIPS Transactions:PartC / v.14C no.3 s.113 / pp.209-220 / 2007
  • An IPS (Intrusion Prevention System), which is installed in inline mode in a network, protects the network from outside attacks by inspecting the incoming/outgoing packets and sessions, and dropping the packet or closing the session if an attack is detected in the packet. In signature-based filtering, the payload of a packet passing through the IPS is matched against attack patterns called signatures, and the packet is dropped if it matches. As the number of signatures increases, the time required for pattern matching on a packet increases accordingly, so that it becomes difficult to develop a high performance IPS working without packet delay. In this paper, we propose a high performance IPS based on signature hashing to make the pattern matching time independent of the number of signatures. We implemented the proposed scheme in a Linux kernel module on a PC and tested it using a worm generator, a packet generator and a network performance measurement instrument called smart bit. Experimental results show that the performance of the existing method is degraded as the number of signatures increases, whereas the performance of the proposed scheme is not degraded.

A Development of Malware Detection Tool based on Signature Patterns (시그너처 패턴기반의 악성코드 탐색도구의 개발)

  • Woo Chong-Woo;Ha Kyoung-Hui
    • Journal of the Korea Society of Computer and Information / v.10 no.6 s.38 / pp.127-136 / 2005
  • Recently, the damage caused by malware has been increasing rapidly, regardless of the continuous development of commercial vaccines. Generally, a vaccine detects well-known malware effectively, but it becomes helpless against unknown malware for which it has no information. Also, malware generates variations fast enough that the vaccine always lags behind in its updates. In this paper, we describe the design and development of a malware detection tool that can detect such malware effectively. We first analyze the general functionality of the malware, and then extract specific signatures. In this way, we can actively cope with malware, which may come as a previous type, a new type, or any of its mutations.


Comments Classification System using Topic Signature (Topic Signature를 이용한 댓글 분류 시스템)

  • Bae, Min-Young;Cha, Jeong-Won
    • Journal of KIISE:Software and Applications / v.35 no.12 / pp.774-779 / 2008
  • In this work, we describe a comment classification system using topic signatures. Topic signatures are widely used for feature selection in document classification and summarization. Comments are short and contain many word-spacing errors and special characters. We first convert comments into 7-grams and treat each 7-gram as a sentence. We then convert each 7-gram into 3-grams and treat each 3-gram as a word. We select key features using topic signatures and classify new inputs by the Naive Bayesian method. The experimental results show that the proposed method outperforms the previous methods.

Design and Implementation of 2D+Temporal Spatio-Temporal Operators (2D+Temporal 시공간 연산자의 설계 및 구현)

  • 이진관;김영삼;남광우;류근호
    • Proceedings of the Korean Information Science Society Conference / 2000.10a / pp.57-59 / 2000
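  • Real-world objects are associated not only with spatial information but also with temporal information, yet conventional spatial databases alone cannot efficiently manage information about spatial objects as it changes over time. To solve this problem, data models and spatio-temporal operators for spatio-temporal databases have been proposed. However, only the definitions and signatures of the spatio-temporal operators have been described; their design and implementation have not been presented. This paper presents a spatio-temporal data model and spatio-temporal operators, together with design and implementation algorithms for the spatio-temporal operators Trajectory and MPIntersection using the Plane-Sweep technique, a technique for implementing spatial operators.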


A Study on Distributed Cooperation Intrusion Detection Technique based on Region (영역 기반 분산협력 침입탐지 기법에 관한 연구)

  • Yang, Hwan Seok;Yoo, Seung Jae
    • Convergence Security Journal / v.14 no.7 / pp.53-58 / 2014
  • A MANET can be set up quickly because it consists only of mobile nodes, and it is very popular today because of its wide range of applications. However, a MANET must address the security weaknesses that come from its dynamic topology, the limited resources of each node, and wireless communication under frequent node movement. In this paper, we propose a domain-based distributed cooperative intrusion detection technique that can perform accurate intrusion detection while reducing overhead. In the proposed technique, local detection and global detection are performed after the network is divided into areas of a certain size. Local detection runs on all nodes to detect abnormal node behavior, and global detection performs signature-based attack detection on the gateway node. The signature DB managed by the gateway node is updated periodically through neighboring gateway nodes and a honeynet, and the reliability of nodes in the domain is maintained by the trust management module. The excellent intrusion detection performance of the proposed technique is confirmed through comparative experiments against a multi-layer cluster technique.

Profile based Malicious Loader Attack Detection and Filtering Method (프로파일 기반 악성 로더 공격탐지 및 필터링 기법)

  • Yoon, E-Joong;Kim, Yo-Sik
    • Convergence Security Journal / v.6 no.2 / pp.21-29 / 2006
  • Recently, threats of illegal manipulation and forgery of computer software have been increasing. In particular, attackers forge program code and disrupt normal operation by using a malicious loader program against Internet application clients. In this paper, we first analyze and generate signatures for malicious loader detection. We then propose a profiling-based method to secure the application client, which can detect and filter out abnormal malicious loader requests.


Comments Classification System using Topic Signature and n-gram (Topic Signature와 n-gram을 이용한 댓글 분류 시스템)

  • Bae, Min-Young;Cha, Jeong-Won
    • Annual Conference on Human and Language Technology / 2008.10a / pp.189-194 / 2008
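  • In this paper, we develop a comment classification system using topic signatures and n-grams. Topic signatures are widely used for feature selection in document summarization and document classification, and n-grams have the advantage of being applicable to any language. Malicious comments are generally short, contain buzzwords and altered word forms at a high frequency, and are unstructured. We therefore split comments into n-grams and select them as features. A Bayesian model is used for classification. Through classification experiments on Korean and English comments, we confirmed that the implemented system outperforms previously proposed methods that require complex preprocessing, and that it can be applied regardless of language.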
