• Proceedings of the Korea Information Processing Society Conference
• /
• 2015.04a
• /
• pp.380-383
• /
• 2015

오용 탐지모델 기반의 침입탐지시스템은 새로운 사이버 공격을 탐지하기 위해 지속적으로 탐지규칙을 생성해야 한다. 공격에 대한 특징을 정확히 식별하지 못하고 탐지규칙을 생성할 경우 많은 false positive를 발생시키며, 이로 인해 침해사고 대응시간이 늦어진다. 본 논문에서는 침입탐지시스템에서 탐지된 이벤트의 true positive와 false positive 데이터를 Keyword Tree의 node에 경로를 지나가는 횟수를 누적하는 값을 포함시킨 자료구조를 기반으로 비교분석하여 false positive를 감소시킬 수 있는 탐지규칙 패턴 생성 기법을 제안한다.

• The KIPS Transactions:PartC
• /
• v.12C no.1 s.97
• /
• pp.45-52
• /
• 2005

A damage scale of information property has been increasing rapidly by various illegal actions of information systems, which result from dysfunction of a knowledge society. Reinforcement in criminal investigation requests of network security has accelerated research and development of Intrusion Detection Systems(IDSs), which report intrusion-detection about these illegal actions. Due to limited designs of early IDSs, it is hard for the IDSs to cope with tricks to go around IDS as well as false-positive and false-negative trials in various network environments. In this paper, we showed that this kind of problems can be solved by using a Virtual Protocol Stack(VPS) that possesses automatic learning ability through an optimum-adaptive mobile code. Therefore, the enhanced IDS adapts dynamically to various network environments in consideration of monitored and self-learned network status. Moreover, it is shown that Insertion/Evasion attacks can be actively detected. Finally, we discussed that this method can be expanded to an intrusion detection technique that possesses adaptability in the various mixed network environments.

• The KIPS Transactions:PartC
• /
• v.11C no.5
• /
• pp.595-604
• /
• 2004

By the help of expansion of computer network and rapid growth of Internet, the information infrastructure is now able to provide a wide range of services. Especially open architecture - the inherent nature of Internet - has not only got in the way of offering QoS service, managing networks, but also made the users vulnerable to both the threat of backing and the issue of information leak. Thus, people recognized the importance of both taking active, prompt and real-time action against intrusion threat, and at the same time, analyzing the similar patterns of in-trusion already known. There are now many researches underway on Intrusion Detection System(IDS). The paper carries research on the in-trusion detection system which hired supervised learning algorithm and Fuzzy membership function especially with Neuro-Fuzzy model in order to improve its performance. It modifies tansigmoid transfer function of Neural Networks into fuzzy membership function, so that it can reduce the uncertainty of anomaly intrusion detection. Finally, the fuzzy logic suggested here has been applied to a network-based anomaly intrusion detection system, tested against intrusion data offered by DARPA 2000 Intrusion Data Sets, and proven that it overcomes the shortcomings that Anomaly Intrusion Detection usually has.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.16 no.6
• /
• pp.111-121
• /
• 2006

As Internet lastly grows, network attack techniques are transformed and new attack types are appearing. The existing network-based intrusion detection systems detect well known attack, but the false-positive or false-negative against unknown attack is appearing high. In addition, The existing network-based intrusion detection systems is difficult to real time detection against a large network pack data in the network and to response and recognition against new attack type. Therefore, it requires method to heighten the detection rate about a various large dataset and to reduce the false-positive. In this paper, we propose method to reduce the false-positive using multi-level detection algorithm, that is combine the multidimensional Apriori algorithm and the modified Negative Selection algorithm. And we apply this algorithm in intrusion detection and, to be sure, it has a good performance.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.37 no.2B
• /
• pp.138-147
• /
• 2012

With the improvement of wireless communication and embedded technology, WSN is used at various fields. Meanwhile, because WSN is resource constrained, it is more vulnerable than other networks. To solve the security problem of WSN, we can use the traditional secure mechanism like as cryptography and authentication. But the traditional secure mechanism is not enough for all security issues that may be happened in WSN, especially attacks caused by the compromised node. So, we need the IDS as the second secure mechanism for WSN. In this paper, we propose the Specification-based Intrusion Detection Mechanism that makes LEACH, which is one of the clustering routing protocol for WSN, more reliable and safety.

• Proceedings of the Korea Institutes of Information Security and Cryptology Conference
• /
• 2002.11a
• /
• pp.31-34
• /
• 2002

인터넷 상에서 사이버 공격은 특정 서버에 대해 서비스 요청 패킷을 플러딩 시킴으로써 상용 서비스의 제공을 방해하는 패킷 형태의 공격과 특정 호스트에 연결 설정을 통해 침입함으로써 특정 정보의 획득이나 변경을 목적으로 하는 세션 설정 형태의 공격이 있다. 본 논문에서는 로컬 도메인 보호에 치우쳐 있는 현재의 네트워크 보안 메카니즘에 비해 공격자에 대해서 강력한 대응을 가능하게 하는 공격자의 공격 세션 추적 및 차단에 대한 액티브 네트워크 기반의 네트워크 보안 메카니즘에 대해 기술한다.

• Proceedings of the Korean Institute of Intelligent Systems Conference
• /
• 2007.11a
• /
• pp.357-361
• /
• 2007

비정상 트래픽 제어 프레임워크에 적용된 비정상 트래픽 제어 기술은 침입, 분산서비스거부 공격, 포트스캔 공격과 같은 비정상 행위의 트래픽을 제어하는 공격 대응 방법이다. 이 대응 방법은 비정상 행위에 대한 true-false 방식의 공격 대응 방법이 가지는 높은 오탐율(false-positive rate)을 낮출 수 있다는 장점이 있지만, 공격 지속시간에만 의존하여 비정상 트래픽을 판단하기 때문에, 공격에 대한 신속한 대응을 하지 못한다는 한계를 가지고 있다. 이에 본 논문에서는 비정상 트래픽 제어 프레임워크에 퍼지 로직을 적용하여 신속한 공격 대응이 가능한 포트스캔 공격 탐지 기법을 제안한다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.6
• /
• pp.1489-1497
• /
• 2018

Web application services have diversified. At the same time, research on intrusion detection is continuing due to the surge of cyber threats. Also, As a single-defense system evolves into multi-level security, we are responding to specific intrusions by correlating security events that have become vast. However, it is difficult to check the OS, service, web application type and version of the target system in real time, and intrusion detection events occurring in network-based security devices can not confirm vulnerability of the target system and success of the attack A blind spot can occur for threats that are not analyzed for problems and associativity. In this paper, we propose the validation of effectiveness for intrusion detection events using TF-IDF. The proposed scheme extracts the response traffics by mapping the response of the target system corresponding to the attack. Then, Response traffics are divided into lines and weights each line with an TF-IDF weight. we checked the valid intrusion detection events by sequentially examining the lines with high weights.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.9 no.1
• /
• pp.57-70
• /
• 1999

Since a hybrid firewall filters packets at a network layer along with providing gateway functionalities at an application layer, it has a better performance than an If filtering firewall. In addition, it provides both the various kinds of access control mechanisms and transparent services to users. However, the security policies of a network layer are different from those of an application layer. Thus, the user interfaces for managing a hybrid firewalls in a consistent manner are needed. In this paper, we implement a graphical user interface to provide access control mechanisms and management facilities for a hybrid firewall such as log analysis, a real-time monitor for network traffics, and the statisics on traffics. And we also propose a new rule script language for specifying access control rules. By using the script language, users can generate the various forma of access control rules which are adapted by the existing firewalls.

• KIPS Transactions on Computer and Communication Systems
• /
• v.5 no.12
• /
• pp.471-480
• /
• 2016

Recently, the damage of cyber attack toward infra-system, national defence and security system is gradually increasing. In this situation, military recognizes the importance of cyber warfare, and they establish a cyber system in preparation, regardless of the existence of threaten. Thus, the study of Intrusion Detection System(IDS) that plays an important role in network defence system is required. IDS is divided into misuse and anomaly detection methods. Recent studies attempt to combine those two methods to maximize advantagesand to minimize disadvantages both of misuse and anomaly. The combination is called Hybrid IDS. Previous studies would not be inappropriate for near real-time network environments because they have computational complexity problems. It leads to the need of the study considering the structure of IDS that have high detection rate and low computational cost. In this paper, we proposed a Hybrid IDS which combines C4.5 decision tree(misuse detection method) and Weighted K-means algorithm (anomaly detection method) hierarchically. It can detect malicious network packets effectively with low complexity by applying mutual information and genetic algorithm based efficient feature selection technique. Also we construct upgraded the the hierarchical structure of IDS reusing feature weights in anomaly detection section. It is validated that proposed Hybrid IDS ensures high detection accuracy (98.68%) and performance at experiment section.