• Title/Summary/Keyword: Telnet


A Brute-force Technique for the Stepping Stone Self-Diagnosis of Interactive Services on Linux Servers (리눅스 서버에서 인터렉티브 서비스 Stepping Stone 자가진단을 위한 brute-force 기법)

  • Kang, Koo-Hong
    • Journal of the Korea Society of Computer and Information / v.20 no.5 / pp.41-51 / 2015
  • In order to hide their identities, intruders on the Internet often attack targets indirectly by staging their attacks through intermediate hosts known as stepping stones. In this paper, we propose a brute-force technique to detect stepping stone behavior on a Linux server, where shell processes that were remotely logged into using interactive services try to connect to other hosts using the same interactive services, such as Telnet, Secure Shell, and rlogin. The proposed scheme can provide an absolute solution even for encrypted connections using SSH because it traces the system calls of all processes concerned with the interactive service daemon and their child processes. We also implement the proposed technique in a CentOS 6.5 x86_64 environment using the ptrace system call and a simple shell script using the strace utility. Finally, the experimental results show that the proposed scheme works perfectly under test scenarios.

Performance Evaluation of DiffServ Networks Considering Self-Similar Traffic Characteristics (자기유사 트래픽 특성을 고려한 차등서비스 망의 성능 평가)

  • Park, Jeong-Sook;Jeon, Yong-Hee
    • The Journal of Korean Institute of Communications and Information Sciences / v.33 no.5B / pp.344-355 / 2008
  • In this paper, we deal with the problems of performance evaluation of Differentiated Services (DiffServ) networks. For successful performance evaluation, the ability to accurately represent "real" traffic on the network by suitable traffic models is an essential ingredient. Many research results on the nature of real traffic measurements have demonstrated the LRD (long-range dependence) property for Internet traffic, including Web, TELNET, and P2P traffic. LRD can be effectively represented by self-similarity. In this paper, we design and implement a self-similar traffic generator using the aggregated On/Off source model, based on an analysis of the On-Off source model, the FFT-FGN (Fast Fourier Transform-Fractional Gaussian Noise) model, and the RMD (Random Midpoint Displacement) model. We confirmed the self-similarity of our generated traffic by checking the packet inter-arrival time of TCPdump data. Further, we applied the implemented traffic generator to the performance evaluation of DiffServ networks and observed the effect of the α value of the On/Off model on performance, and the performance of EF/BE class traffic under CBQ.

A Study on the Detection Model of Illegal Access to Large-scale Service Networks using Netflow (Netflow를 활용한 대규모 서비스망 불법 접속 추적 모델 연구)

  • Lee, Taek-Hyun;Park, WonHyung;Kook, Kwang-Ho
    • Convergence Security Journal / v.21 no.2 / pp.11-18 / 2021
  • To protect tangible and intangible assets, most companies conduct information protection monitoring by using various security equipment in the IT service network. As the equipment that needs to be protected increases in the process of upgrading and expanding the service network, it is difficult to monitor the possible exposure to attack for the entire service network. As a countermeasure, various studies have been conducted to detect external attacks and illegal communication of equipment, but studies on effective monitoring of open service ports and on the construction of an illegal communication monitoring system for large-scale service networks are insufficient. In this study, we propose a framework that can monitor information leakage and illegal communication attempts in a wide range of service networks without large-scale investment by analyzing the 'Netflow statistical information' of backbone network equipment, which is the gateway to the entire data flow of the IT service network. By applying machine learning algorithms to the Netflow data, we could obtain a high classification accuracy of 94% in identifying whether the Telnet service port of operating equipment is open or not, and we could track the illegal communication of the damaged equipment by using the illegal communication history of the damaged equipment.