• Title/Summary/Keyword: traffic pattern

Search Result 209, Processing Time 0.023 seconds

Efficient Load Balancing Techniques Based on Packet Types and Real-Time QoS Evaluation in SDN (SDN 환경에서 실시간 패킷 유형과 QoS 평가 기반한 효율적인 Load Balancing 기법)

  • Yoon, Jung-Hyun;Kwon, Tae-Wook
    • The Journal of the Korea institute of electronic communication sciences / v.16 no.5 / pp.807-816 / 2021
  • With the technology of the 4th industrial revolution, network traffic is increasing due to an increase in supply, an increase in demand, and an increase in the complexity of traffic patterns. SDN, a concept in which H/W and S/W are separated in order to efficiently manage such massive traffic, is attracting attention as a next-generation network. A lot of research is being conducted on the merits of applying flexible policies by avoiding the problem of rigid vendor dependency by using the SDN controller implemented with S/W Opensource. Therefore, in this paper, we propose an efficient load balancing technique by grouping through the packet structure of the network layer using the control layer and infrastructure layer of SDN and analyzing the packet delay and reception rate.

Design and Implementation of Anomaly Traffic Control framework based on Linux Netfilter System and CBQ Routing Mechanisms (리눅스 Netfilter시스템과 CBQ 라우팅 기능을 이용한 비정상 트래픽 제어 프레임워크 설계 및 구현)

  • 조은경;고광선;이태근;강용혁;엄영익
    • Journal of the Korea Institute of Information Security & Cryptology / v.13 no.6 / pp.129-140 / 2003
  • Recently, viruses and various hacking tools that threaten hosts on a network have become more intelligent and cleverer, and so various security mechanisms against them have been developed during the last decades. To detect these network attacks, many NIPSs (Network-based Intrusion Prevention Systems) that are more functional than traditional NIDSs have been developed by several companies and organizations. However, many previous NIPSs are known to have some weakness in protecting important hosts from network attacks because of their incorrectness and post-management aspects. The aspect of incorrectness means that many NIPSs incorrectly discriminate between normal and attack network traffic in real time. The aspect of post-management means that they generally respond to attacks after the intrusions have already been performed to a large extent. Therefore, to detect network attacks in real time and to increase the capability of analyzing packets, faster and more active responding capabilities are required for NIPS frameworks. In this paper, we propose a framework for real-time intrusion prevention. This framework consists of a packet filtering component that works on netfilter in the Linux kernel and a traffic control component that has a capability of step-by-step control over abnormal network traffic with the CBQ mechanism.

The Study on matrix based high performance pattern matching by independence partial match (독립 부분 매칭에 의한 행렬 기반 고성능 패턴 매칭 방법에 관한 연구)

  • Jung, Woo-Sug;Kwon, Taeck-Geun
    • The Journal of Korean Institute of Communications and Information Sciences / v.34 no.9B / pp.914-922 / 2009
  • In this paper, we propose a matrix based real-time pattern matching method, called MDPI, for real-time intrusion detection on several Gbps network traffic. Particularly, in order to minimize the overhead caused by buffering, reordering, and reassembling under circumstances where the incoming packet sequence is disrupted, MDPI adopts independent partial matching when dealing with the pattern matching matrix. Consequently, we achieved a performance improvement of 61% and 50% with respect to TCAM method efficiency through several experiments where the average length of the Snort rule set was maintained as 9 bytes, and w=4 bytes and w=8 bytes were assigned, respectively. Moreover, we observed that the pattern scan speed of MDPI was 10.941Gbps and the consumption of hardware resource was 5.79LC/Char in the pattern classification of MDPI. This means that MDPI provides the optimal performance compared to hardware complexity. Therefore, by decreasing the hardware cost through the increased TCAM memory efficiency, MDPI is proven to be a cost-effective high performance intrusion detection technique.

A Study on Collection and Analysis Method of Malicious URLs Based on Darknet Traffic for Advanced Security Monitoring and Response (효율적인 보안관제 수행을 위한 다크넷 트래픽 기반 악성 URL 수집 및 분석방법 연구)

  • Kim, Kyu-Il;Choi, Sang-So;Park, Hark-Soo;Ko, Sang-Jun;Song, Jung-Suk
    • Journal of the Korea Institute of Information Security & Cryptology / v.24 no.6 / pp.1185-1195 / 2014
  • Domestic and international CERTs are carrying out security monitoring and response services based on security devices for intrusion incident prevention and damage minimization of the organizations. However, the security monitoring and response service has a fatal limitation in that it is unable to detect unknown attacks that are not matched to the predefined signatures. Recently, many approaches have adopted the darknet technique in order to overcome the limitation. Since the darknet means a set of unused IP addresses, no real systems are connected to the darknet. Thus, all the incoming traffic to the darknet can be regarded as attack activities. In this paper, we present a collection and analysis method of malicious URLs based on darknet traffic for advanced security monitoring and response service. The proposed method prepared 8,192 darknet space, extracted all of the URLs from the darknet traffic, and carried out in-depth analysis of the extracted URLs. The analysis results can contribute to the emergency response to large-scale cyber threats, and the performance of security monitoring and response can be improved if we apply the malicious URLs to the security devices, DNS sinkhole service, etc.

Multipath Routing Method for QoS Support in WMSNs (WMSN에서 QoS 지원을 위한 다중 경로 라우팅 기법)

  • Bae, Si-Yeong;Lee, Sung-Keun;Park, Kyoung-Wook
    • The Journal of the Korea institute of electronic communication sciences / v.8 no.3 / pp.453-458 / 2013
  • Aside from issues like energy saving and maximizing network lifetime, WMSN has another issue to deal with: support of quality of service (QoS), which is required especially for handling real-time data such as object tracking and data gathering. This paper proposes a multipath routing algorithm considering the distance to the sink node, energy level and link quality of neighbour nodes. The proposed algorithm supports multipath routing paths with high quality links. Hence it helps to reduce the concentration of power consumption that happens in a particular set of nodes along the frequently selected route. It also specifies a service quality pattern and a service quality level depending on the traffic pattern. By doing this, the proposed algorithm can realize a differentiated service with QoS guaranteed data transmission.

A Slot Concession Scheme for Fairness Control of DQDB in Web Environment (웹 환경에서 분산-큐 이중-버스의 공정성 제어를 위한 슬롯양보 방식)

  • 김재수;김정홍;황하응
    • Journal of the Korea Society of Computer and Information / v.7 no.4 / pp.133-140 / 2002
  • Distributed-Queue Dual-Bus (DQDB) shows unfair behavior in bandwidth allocation due to the nature of its unidirectional bus architecture. The study of fairness control methods for DQDB has been performed under specific load types such as equal probability load, symmetric load and asymmetric load. A client-server load type is a more practical traffic pattern than the specific load types in Web environments. In this paper, we propose an effective fairness control method to distribute DQDB network bandwidth fairly to all stations under Web environments. The proposed method directly calculates an access limit from the bandwidth demand pattern. Based on the access limit, it controls the allocation of bandwidth by yielding empty slots in clients to servers. And we were certain that it outperforms other mechanisms from simulation results.


Video Quality Control Scheme for Efficient Bandwidth Utilization of HTTP Adaptive Streaming in a Multiple-Clients Environment (다중 클라이언트 환경에서 HTTP 적응적 스트리밍의 효율적인 대역폭 활용을 위한 비디오 품질 조절 기법)

  • Kim, Minsu;Kim, Heekwang;Chung, Kwangsue
    • Journal of KIISE / v.45 no.1 / pp.86-93 / 2018
  • When multiple clients share bandwidth and receive a streaming service, HTTP Adaptive Streaming has a problem in that the bandwidth is measured inaccurately due to the ON-OFF pattern of the segment request. To solve the problem caused by the ON-OFF pattern, the proposed PANDA (Probe AND Adapt) determines the quality of the segment to be requested while increasing the target bandwidth. However, since the target bandwidth is increased by a fixed amount, there is a problem in low bandwidth utilization and a slow response to changes in bandwidth. In this paper, we propose a video quality control scheme that improves the low bandwidth utilization and slow responsiveness of PANDA. The proposed scheme adjusts the amount of increase in the target bandwidth according to the bandwidth utilization after judging the bandwidth utilization by comparing the segment download time and the request interval. Experimental results show that the proposed scheme can fully utilize the bandwidth and can quickly respond to changes in bandwidth.

A Method for Detection and Classification of Normal Server Activities and Attacks Composed of Similar Connection Patterns (종단간의 유사 연결 패턴을 갖는 정상 서버 활동과 공격의 구분 및 탐지 방법)

  • Chang, Beom-Hwan
    • Journal of the Korea Institute of Information Security & Cryptology / v.22 no.6 / pp.1315-1324 / 2012
  • Security visualization is a form of data visualization technique in the field of network security that uses security-related events so that it is quick and easy to understand network traffic flow and the security situation. In particular, security visualization that detects abnormal network situations by visualizing connections between two endpoints is a novel approach to detect unknown attack patterns and to reduce the monitoring overhead of packet monitoring techniques. However, session-based visualization doesn't notice a difference between normal traffic and attacks that are composed of similar connection patterns. Therefore, in this paper, we propose an efficient session-based visualization method for analyzing and distinguishing between normal server activities and attacks by using IP address splitting and port attribute analysis. The proposed method can actually be used to detect and analyze network security with the existing security tools because there is no dependence on other security monitoring methods. It is also helpful for network administrators to rapidly analyze the security status of the managed network.

Performance Analysis of TCAM-based Jumping Window Algorithm for Snort 2.9.0 (Snort 2.9.0 환경을 위한 TCAM 기반 점핑 윈도우 알고리즘의 성능 분석)

  • Lee, Sung-Yun;Ryu, Ki-Yeol
    • Journal of Internet Computing and Services / v.13 no.2 / pp.41-49 / 2012
  • Wireless network support and the extended mobile network environment, with the exponential growth of smart phone users, allow us to utilize the network anytime and anywhere. Malicious attacks through high-speed networks, such as distributed DoS, internet worms, e-mail viruses and so on, are increasing, and the number of patterns is dramatically increasing accordingly as network traffic grows due to this development of internet technology. To detect the patterns in intrusion detection systems, an existing study proposed an efficient algorithm called the jumping window algorithm and analyzed approximately 2,000 patterns in Snort 2.1.0, the most famous intrusion detection system, using the algorithm. However, in terms of the number of TCAM lookups and TCAM memory efficiency, it is inappropriate to use the result proposed in that study in the current environment (Snort 2.9.0), which has longer patterns and many more patterns, because the jumping window algorithm is affected by the number of patterns and the pattern length. In this paper, we simulate the number of TCAM lookups and the required TCAM size in the jumping window with approximately 8,100 patterns from Snort-2.9.0 rules, and then analyse the simulation result. While Snort 2.1.0 requires a 16-byte window and 9Mb TCAM size to show the most effective performance as proposed in the previous research, in this paper we suggest a 16-byte window and 4 cascaded 18Mb-TCAMs in the Snort 2.9.0 environment.

Internet worm classification depend on spreading specificity (전파특성에 따른 인터넷 웜의 분류 기법 연구)

  • Lee Swengkyu;Cho G. H;Lee M. S;Moon J. S;Kim D. S.;Seo J. T.;Park E. K.
    • Proceedings of the Korean Information Science Society Conference / 2005.11a / pp.10-12 / 2005
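  • As the Internet and networks develop rapidly, a great deal of damage is occurring, and among the causes of this damage, worms pose a threat to many devices and networks. To respond well to such threatening worms, the behavior of the worm itself must be understood, and worm classification must be carried out as preliminary research for this. We examine the classification schemes of UC Berkeley and Symantec among foreign worm classification studies and, taking the traffic and worm behavior patterns based on those schemes as criteria, propose a re-established classification technique based on propagation characteristics and the stages of worm behavior. This worm classification becomes the basis for future research on concrete worm modeling through the implementation of simulator modules and the combination of each module.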
