• Title/Summary/Keyword: 오탐지 (false detection)

Effect on self-enhancement of deep-learning inference by repeated training of false detection cases in tunnel accident image detection (터널 내 돌발상황 오탐지 영상의 반복 학습을 통한 딥러닝 추론 성능의 자가 성장 효과)

  • Lee, Kyu Beom;Shin, Hyu Soung
    • Journal of Korean Tunnelling and Underground Space Association / v.21 no.3 / pp.419-432 / 2019
  • Most of deep learning model training was proceeded by supervised learning, which is to train labeling data composed by inputs and corresponding outputs. Labeling data was directly generated manually, so labeling accuracy of data is relatively high. However, it requires heavy efforts in securing data because of cost and time. Additionally, the main goal of supervised learning is to improve detection performance for 'True Positive' data but not to reduce occurrence of 'False Positive' data. In this paper, the occurrence of unpredictable 'False Positive' appears by trained modes with labeling data and 'True Positive' data in monitoring of deep learning-based CCTV accident detection system, which is under operation at a tunnel monitoring center. Those types of 'False Positive' to 'fire' or 'person' objects were frequently taking place for lights of working vehicle, reflecting sunlight at tunnel entrance, long black feature which occurs to the part of lane or car, etc. To solve this problem, a deep learning model was developed by simultaneously training the 'False Positive' data generated in the field and the labeling data. As a result, in comparison with the model that was trained only by the existing labeling data, the re-inference performance with respect to the labeling data was improved. In addition, re-inference of the 'False Positive' data shows that the number of 'False Positive' for the persons were more reduced in case of training model including many 'False Positive' data. By training of the 'False Positive' data, the capability of field application of the deep learning model was improved automatically.

Performance Evaluation of Monitoring System for Sargassum horneri Using GOCI-II: Focusing on the Results of Removing False Detection in the Yellow Sea and East China Sea (GOCI-II 기반 괭생이모자반 모니터링 시스템 성능 평가: 황해 및 동중국해 해역 오탐지 제거 결과를 중심으로)

  • Han-bit Lee;Ju-Eun Kim;Moon-Seon Kim;Dong-Su Kim;Seung-Hwan Min;Tae-Ho Kim
    • Korean Journal of Remote Sensing / v.39 no.6_2 / pp.1615-1633 / 2023
  • Sargassum horneri is one of the floating algae in the sea, which breeds in large quantities in the Yellow Sea and East China Sea and then flows into the coast of Republic of Korea, causing various problems such as destroying the environment and damaging fish farms. In order to effectively prevent damage and preserve the coastal environment, the development of Sargassum horneri detection algorithms using satellite-based remote sensing technology has been actively developed. However, incorrect detection information causes an increase in the moving distance of ships collecting Sargassum horneri and confusion in the response of related local governments or institutions, so it is very important to minimize false detections when producing Sargassum horneri spatial information. This study applied technology to automatically remove false detection results using the GOCI-II-based Sargassum horneri detection algorithm of the National Ocean Satellite Center (NOSC) of the Korea Hydrographic and Oceanography Agency (KHOA). Based on the results of analyzing the causes of major false detection results, it includes a process of removing linear and sporadic false detections and green algae that occurs in large quantities along the coast of China in spring and summer by considering them as false detections. The technology to automatically remove false detection was applied to the dates when Sargassum horneri occurred from February 24 to June 25, 2022. Visual assessment results were generated using mid-resolution satellite images, qualitative and quantitative evaluations were performed. Linear false detection results were completely removed, and most of the sporadic and green algae false detection results that affected the distribution were removed.
Even after the automatic false detection removal process, it was possible to confirm the distribution area of Sargassum horneri compared to the visual assessment results, and the accuracy and precision calculated using the binary classification model averaged 97.73% and 95.4%, respectively. Recall value was very low at 29.03%, which is presumed to be due to the effect of Sargassum horneri movement due to the observation time discrepancy between GOCI-II and mid-resolution satellite images, differences in spatial resolution, location deviation by orthocorrection, and cloud masking. The results of this study's removal of false detections of Sargassum horneri can determine the spatial distribution status in near real-time, but there are limitations in accurately estimating biomass. Therefore, continuous research on upgrading the Sargassum horneri monitoring system must be conducted to use it as data for establishing future Sargassum horneri response plans.

Performance Analysis of DoS/DDoS Attack Detection Algorithms using Different False Alarm Rates (False Alarm Rate 변화에 따른 DoS/DDoS 탐지 알고리즘의 성능 분석)

  • Jang, Beom-Soo;Lee, Joo-Young;Jung, Jae-Il
    • Journal of the Korea Society for Simulation / v.19 no.4 / pp.139-149 / 2010
  • Internet was designed for network scalability and best-effort service which makes all hosts connected to Internet to be vulnerable against attack. Many papers have been proposed about attack detection algorithms against the attack using IP spoofing and DoS/DDoS attack. Purpose of DoS/DDoS attack is achieved in short period after the attack begins. Therefore, DoS/DDoS attack should be detected as soon as possible. Attack detection algorithms using false alarm rates consist of the false negative rate and the false positive rate. Moreover, they are important metrics to evaluate the attack detections. In this paper, we analyze the performance of the attack detection algorithms using the impact of false negative rate and false positive rate variation to the normal traffic and the attack traffic by simulations. As the result of this, we find that the number of passed attack packets is in the proportion to the false negative rate and the number of passed normal packets is in the inverse proportion to the false positive rate. We also analyze the limits of attack detection due to the relation between the false negative rate and the false positive rate. Finally, we propose a solution to minimize the limits of attack detection algorithms by defining the network state using the ratio between the number of packets classified as attack packets and the number of packets classified as normal packets. We find the performance of attack detection algorithm is improved by passing the packets classified as attacks.

A study on improving self-inference performance through iterative retraining of false positives of deep-learning object detection in tunnels (터널 내 딥러닝 객체인식 오탐지 데이터의 반복 재학습을 통한 자가 추론 성능 향상 방법에 관한 연구)

  • Kyu Beom Lee;Hyu-Soung Shin
    • Journal of Korean Tunnelling and Underground Space Association / v.26 no.2 / pp.129-152 / 2024
  • In the application of deep learning object detection via CCTV in tunnels, a large number of false positive detections occur due to the poor environmental conditions of tunnels, such as low illumination and severe perspective effect. This problem directly impacts the reliability of the tunnel CCTV-based accident detection system reliant on object detection performance. Hence, it is necessary to reduce the number of false positive detections while also enhancing the number of true positive detections. Based on a deep learning object detection model, this paper proposes a false positive data training method that not only reduces false positives but also improves true positive detection performance through retraining of false positive data. This paper's false positive data training method is based on the following steps: initial training of a training dataset - inference of a validation dataset - correction of false positive data and dataset composition - addition to the training dataset and retraining. In this paper, experiments were conducted to verify the performance of this method. First, the optimal hyperparameters of the deep learning object detection model to be applied in this experiment were determined through previous experiments. Then, in this experiment, training image format was determined, and experiments were conducted sequentially to check the long-term performance improvement through retraining of repeated false detection datasets. As a result, in the first experiment, it was found that the inclusion of the background in the inferred image was more advantageous for object detection performance than the removal of the background excluding the object. In the second experiment, it was found that retraining by accumulating false positives from each level of retraining was more advantageous than retraining independently for each level of retraining in terms of continuous improvement of object detection performance. 
After retraining the false positive data with the method determined in the two experiments, the car object class showed excellent inference performance with an AP value of 0.95 or higher after the first retraining, and by the fifth retraining, the inference performance was improved by about 1.06 times compared to the initial inference. And the person object class continued to improve its inference performance as retraining progressed, and by the 18th retraining, it showed that it could self-improve its inference performance by more than 2.3 times compared to the initial inference.

Design and implementation of port scan detection improvement and algorithm connected with attack detection in IDS (침입탐지시스템에서 포트 스캔 탐지 개선 및 공격 탐지와 연계한 알고리즘 설계 및 구현)

  • Park Seong-Chul;Ko Han-Seok
    • Journal of the Korea Institute of Information Security & Cryptology / v.16 no.3 / pp.65-76 / 2006
  • This paper deals with an effective algorithm aimed at improving the port scan detection in an intrusion detection system (IDS). In particular, a detection correlation algorithm is proposed to maximize the detection capability in the network-based IDS whereby the 'misuse' is flagged for analysis to establish intrusion profile in relation to the overall port scan detection process. In addition, we establish an appropriate system maintenance policy for port scan detection as preprocessor for improved port scan in IDS, thereby achieving minimum false positive in the misuse detection engine while enhancing the system performance.

A Design of false alarm analysis framework of intrusion detection system by using incremental mining method (점진적 마이닝 기법을 적용한 침입탐지 시스템의 오 경보 분석 프레임워크 설계)

  • Kim Eun-Hee;Ryu Keun-Ho
    • The KIPS Transactions:PartC / v.13C no.3 s.106 / pp.295-302 / 2006
  • An intrusion detection system writes a lot of alarms against attack behaviors in real time. These alarms contain not only actual attack alarms, but also false alarms that are mistakes made by the intrusion detection system. False alarms are the main reason that reduces the efficiency of the intrusion detection system, and we propose framework for false alarms analysis in the paper. Also, we apply an incremental data mining method for pattern analysis of false alarms increasing continuously. The framework consists of GUI, DB Manager, Alert Preprocessor, and False Alarm Analyzer. We analyze the false alarms increasingly through the experiment of the proposed framework and show that false alarms are reduced by applying the analyzed false alarm rules in the intrusion detection system.

A Real Time Scan Detection System against Attacks based on Port Scanning Techniques (포트 스캐닝 기법 기반의 공격을 탐지하기 위한 실시간 스캔 탐지 시스템 구현)

  • 송중석;권용진
    • Journal of KIISE:Information Networking / v.31 no.2 / pp.171-178 / 2004
  • Port scanning detection systems should rather satisfy a certain level of the requirement for system performance like a low rate of “False Positive” and “False Negative”, and requirement for convenience for users to be easy to manage the system security with detection systems. However, public domain Real Time Scan Detection Systems have high rate of false detection and have difficulty in detecting various scanning techniques. In addition, as current real time scan detection systems are based on command interface, the systems are poor at user interface and thus it is difficult to apply them to the system security management. Hence, we propose TkRTSD (Tcl/Tk Real Time Scan Detection System) that is able to detect various scan attacks based on port scanning techniques by applying a set of new filter rules, and minimize the rate of False Positive by applying proposed ABP-Rules derived from attacker's behavioral patterns. Also a GUI environment for TkRTSD is implemented by using Tcl/Tk for user's convenience of managing network security.

A Research of Anomaly Detection Method in MS Office Document (MS 오피스 문서 파일 내 비정상 요소 탐지 기법 연구)

  • Cho, Sung Hye;Lee, Sang Jin
    • KIPS Transactions on Computer and Communication Systems / v.6 no.2 / pp.87-94 / 2017
  • Microsoft Office is an office suite of applications developed by Microsoft. Recently, users with malicious intent customize Office files as a container of malware because MS Office is the most commonly used word processing program. To attack a target system, many malicious Office files use a variety of skills and techniques like macro functions, hiding shell code inside unused areas, etc. People usually use two techniques to detect these kinds of malware: signature-based detection and Sandbox. However, there are some limits to what they can afford because of the increasing complexity of malware. Therefore, this paper proposes methods to detect malicious MS Office files in a computer forensics way. We checked macros and potential problem areas with structural analysis of the MS Office file for this purpose.

A Detection Mechanism of Portscan Attacks based on Fuzzy Logic for an Abnormal Traffic Control Framework (비정상 트래픽 제어 프레임워크를 위한 퍼지로직 기반의 포트스캔 공격 탐지기법)

  • Kim, Jae-Kwang;Kim, Ka-Eul;Ko, Kwang-Sun;Kang, Yong-Hyeog;Eom, Young-Ik
    • Proceedings of the Korea Information Processing Society Conference / 2005.05a / pp.1185-1188 / 2005
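  • Attack detection and response methods that judge abnormal behavior in a true/false manner show a high false-positive rate, so new attack detection and response methods to replace them are being studied. A representative line of research is a staged response method using traffic control technology, which responds to abnormal traffic in stages so that traffic using normal services is not blocked because of a false detection of an attack. Among abnormal traffic, a port scan attack is an attack that finds the service ports of a target host in preparation for a network-based attack; to detect it, a true/false detection method has mainly been used that monitors the number of packets sent to a specific port of a specific host over a fixed period and compares it with a threshold. The Abnormal Traffic Control Framework uses a true/false attack detection method and, when an attack is detected, first responds with traffic control and then blocks when the same attack is detected again, thereby lowering the high false-positive rate of existing true/false attack detection and response methods. However, owing to the nature of port scan attacks, if the attack is not blocked immediately after it is detected, there is the problem that all the information the attacker wants has already been leaked. This paper proposes a method that adds the concept of fuzzy logic to the existing true/false port scan attack detection method to raise the accuracy of attack detection and to enable faster traffic control and blocking than with the existing detection method.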

An Enhanced Statistical Detection Mechanism against DDoS attacks (향상된 통계기반 분산 서비스 거부(DDoS) 공격 탐지 시스템)

  • Song Byung-Hak;Hong Choong-Seon
    • Proceedings of the Korea Information Processing Society Conference / 2006.05a / pp.1109-1112 / 2006
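  • DDoS (Distributed Denial-of-Service) attacks are among the most threatening forms of Internet intrusion, and research on detecting them in real time has been active. However, the high false-detection rate of existing detection mechanisms remains a problem still to be addressed. This paper therefore proposes a way to improve the false alarm rate of anomaly-detection intrusion detection systems that use traffic volume, entropy, and chi-square, the existing bases for DDoS attack detection. It also designs a system that, when an attack is detected, uses the protocol, TCP flags, and port number to give the network administrator more detailed attack information so that the attack can be handled efficiently.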