• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.20 no.10
• /
• pp.1912-1918
• /
• 2016

MPTCP(Multipath Transmission Control Protocol) is able to compose many TCP paths when two hosts connect and the data is able to be transported through these paths simultaneously. When a new path is added, the authentication between both hosts is necessary to check the validity of host. So, MPTCP exchanges a key when initiating an connection and makes a token by using this key for authentication. However the original MPTCP is vulnerable to MITM(Man In The Middle) attacks because the key is transported in clear text. Therefore, we applied a ECDH(Elliptic Curve Diffie-Hellman) key exchange algorithm to original MPTCP and replaced the original key to the ECDH public key. And, by generating the secret key after the public key exchanges, only two hosts is able to make the token using the secret key to add new subflow. Also, we designed and implemented a method supporting encryption and decryption of data using a shared secret key to apply confidentiality to original MPTCP.

• Journal of KIISE:Information Networking
• /
• v.30 no.1
• /
• pp.9-16
• /
• 2003

In this paper, we propose a method for supporting VCR operations in a patching based multicast VOD system. Random access, pause and resume operations are supported in our system, and the channel and session scheduling algorithms for the VCR operations are proposed. When it is necessary to join a sharable multicast channel in the admission control for the VCR operations, the patching technique, which shares an on-going regular channel and allocates a new patching channel for the missing data, is used. Therefore, unlike the previous approach that allocates an excessive number of I-channels, service latency is minimized and channel usage is optimized in our system. Moreover buffered data. which is saved in disk during patching, is reused to prevent unnecessary patching channel allocation. For this. the patching management information is extended and a buffed data management scheme is proposed. In our system, the First-Come-First-Served scheduling is used to inform clients the service latency for the VCR operations immediately.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.21 no.2
• /
• pp.119-129
• /
• 2011

TCP-related Flooding attacks still dominate Distributed Denial of Service Attack. It is a great challenge to accurately detect the TCP flood attack in hish speed network. In this paper, we propose the NIC_Cookie logic implementation, which is a kind of security offload engine against TCP-related DDoS attacks, on network interface card. NIC_Cookie has robustness against DDoS attack itself and it is independent on server OS and external network configuration. It supports not IP-based response method but packet-level response, therefore it can handle attacks of NAT-based user group. We evaluate that the latency time of NIC_Cookie logics is $7{\times}10^{-6}$ seconds and we show 2Gbps wire-speed performance through a benchmark test.

• Journal of KIISE:Information Networking
• /
• v.31 no.6
• /
• pp.582-594
• /
• 2004

In school PC labs or other educational purpose PC labs with a few dozens of PCs, computers are configured in a distributed architecture so that they are set up, maintained and upgraded separately. As an alternative to the distributed architecture, we can consider a thin-client computing environment. In a thin-client computing environment, client side devices provide mainly I/O functions with user friendly GUI and multimedia processing support whereas remote servers called terminal server provide computing power. In order to support many clients in the environment, a cluster of terminal servers can be configured. In this architecture, it is difficult due to the characteristics of terminal session persistence and different pattern of computing usage of users so that the utilization of terminal server resources becomes low. To overcome this disadvantage, we propose an adaptive terminal cluster where terminal servers ,ire partitioned into groups and a terminal server in a light-loaded group can be dynamically reassigned to a heavy-loaded group at run time. The proposed adaptive scheme is compared with a generic terminal service cluster and a group based non-adaptive terminal server cluster. Experimental results show the effectiveness of the proposed scheme.

• KIPS Transactions on Computer and Communication Systems
• /
• v.4 no.4
• /
• pp.135-140
• /
• 2015

The WDSS improves defensive capacity against web application layer DDoS attack by using web cache server and L7 switch which are added on the DDoS shelter system. When web DDoS attack occurs, security agents divert traffic from backbone network to sub-network of the WDSS and then DDoS protection device and L7 switch block abnormal packets. In the meantime, web cache server responds only to requests of normal clients and maintains stable web service. In this way, the WDSS can counteract the web DDoS attack which generates small traffic and depletes server-client session resource. Furthermore, the WDSS does not require IP tunneling because it is not necessary to retransfer the normal requests to original web server. In this paper, we validate operation of the WDSS and verify defensive capability against web application layer DDoS attacks. In order to do this, we built the WDSS on backbone network of an ISP. And we performed web DDoS tests by using a testing system that consists of zombie PCs. The tests were performed by three types and various amounts of web DDoS attacks. Test results suggest that the WDSS can detect small traffic of the web DDoS attacks which do not have repeat flow whereas the formal DDoS shelter system cannot.