• Title/Summary/Keyword: Packet classification

Search Result 152, Processing Time 0.027 seconds

Intrusion Detection System using Pattern Classification with Hashing Technique (패턴분류와 해싱기법을 이용한 침입탐지 시스템)

  • 윤은준;김현성;부기동
    • Journal of Korea Society of Industrial Information Systems / v.8 no.1 / pp.75-82 / 2003
  • Computer and network security has recently become a popular subject due to the explosive growth of the Internet. Especially, attacks based on malformed packets are difficult to detect because these attacks use the skill of bypassing the intrusion detection system and firewall. This paper designs and implements a network-based intrusion detection system (NIDS) which detects intrusions with malformed packets in real time. First, signatures, which are rules in the NIDS like Snort's rule files, are classified using similar properties between signatures. The NIDS creates a rule tree applying a hashing technique based on the classification. As a result, the system can efficiently perform intrusion detection.


Design and Implementation of high speed Network Intrusion Detection System using Network Processor (네트워크 프로세서를 이용한 초고속 침입 탐지 시스템 설계 및 구현)

  • 조혜영;김주홍;장종수;김대영
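    • Proceedings of the Korean Information Science Society Conference / 2002.10e / pp.571-573 / 2002
  • To improve the performance of network intrusion detection systems, which lag behind the pace of network development as network technologies rapidly advance to the terabit class, we redesigned and implemented an intrusion detection system, previously implemented in software, using a network processor that offers excellent performance for high-speed packet processing. The functions of classifying network packets and detecting abnormal packets, which account for most of the execution time in a network intrusion detection system, are handled at high speed by the microengines of Intel's IXP1200 network processor, thereby improving the performance of the network intrusion detection system.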


Policy of packet dropping for enhancing IDS performance (IDS의 성능 향상을 위한 패킷 폐기 방안)

  • Moon, Jong-Wook;Kim, Jong-Su;Jung, Gi-Hyun;Yim, Kang-Bin;Joo, Min-Kyu;Choi, Kyung-Hee
    • The KIPS Transactions:PartC / v.9C no.4 / pp.473-480 / 2002
  • Although much research on IDS (Intrusion Detection System) has been performed, most of it is limited to the algorithm of detection software. However, even an IDS with a superior algorithm cannot detect an intrusion if it loses packets which may have a clue of intrusions. In this paper, we suggest an efficient way to improve the performance of IDS by reducing packet losses that occur due to hardware limitations and the abundant processing overhead introduced by the massive detection software itself. The reduction in packet losses is achieved by dropping hacking-free packets. The result shows that this decrease in packet losses leads an IDS to improve the detection rate of real attacks.

Research on Skype Traffic Classification (Skype 트래픽 분류에 관한 연구)

  • Lee, Sang-Woo;Jung, Ah-Joo;Lee, Hyun-Shin;Kim, Myung-Sup
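    • Proceedings of the Korea Information Processing Society Conference / 2009.04a / pp.1112-1115 / 2009
  • From a network administrator's point of view, classifying traffic by application is becoming increasingly important for efficient network management. Signature-based and machine learning methods have been proposed for per-application traffic classification, but it is true that their results are less reliable when applied to the P2P-based Skype application. In this paper, to classify Skype traffic, we propose a Skype traffic classification method that uses a way of finding the port that changes dynamically for each client when the Skype application is installed, a specific signature at a specific position in UDP packets, and the payload size of packets at specific positions in the TCP signal flow. The proposed methodology was applied to a campus network and its validity was verified through TMA.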

An Improved Signature Hashing-based Pattern Matching for High Performance IPS (고성능 침입방지 시스템을 위해 개선한 시그니처 해싱 기반 패턴 매칭 기법)

  • Lee, Young-Sil;Kim, Nack-Hyun;Lee, Hoon-Jae
    • Proceedings of the Korean Institute of Information and Communication Sciences Conference / 2010.10a / pp.434-437 / 2010
  • A NIPS (Network Intrusion Prevention System) sits in line at the end of the external and internal networks and performs two kinds of action: signature-based filtering, and anomaly detection and prevention based on self-learning. Among them, signature-based filtering is well known to defend against attacks. With signature-based filtering, the payload of packets passing through the intrusion prevention system is compared with attack patterns, which are the signatures. If there is a match, the packet is discarded. However, when there is packet delay, the required pattern matching time increases as the number of signatures increases. Therefore, to ensure the performance of the IPS, we need a more efficient pattern matching algorithm for a high-performance IPS. To improve the performance of pattern matching, the most important part is to reduce the number of comparisons between signature rules and the packet whenever packets arrive. In this paper, we propose an improved signature hashing-based pattern matching method. We use a tuple pruning algorithm with Bloom filters, which effectively removes unnecessary tuples. Unlike other existing signature hashing-based IPSs, our proposed method improves the performance of the IPS.


Wireless DDoS Attack Detection and Prevention Mechanism using Packet Marking and Traffic Classification on Integrated Access Device (IAD 기반 패킷 마킹과 유무선 트래픽 분류를 통한 무선 DDoS 공격 탐지 및 차단 기법)

  • Jo, Je-Gyeong;Lee, Hyung-Woo;Park, Yeoung-Joon
    • The Journal of the Korea Contents Association / v.8 no.6 / pp.54-65 / 2008
  • When a DDoS attack is carried out, discovering the malicious host is more difficult on a wireless network than in the existing wired network environment. In particular, because wireless networks are weak against wireless user authentication attacks and packet spoofing attacks, advanced technology should be studied in response. The Integrated Access Device (IAD), which supports VoIP communication facilities and the like together with a wireless routing function, has recently been developed and widely distributed. The IAD is an alternative to the facility offered by the existing AP. Therefore, an advanced traffic classification function and a real-time attack detection function should be offered in the IAD in the wireless network environment. The system presented in this research collects client information of the wireless network connected to the IAD using AirSensor. The proposed mechanism also offers a function that collects the wireless client's attack packets to monitor their legality. The proposed mechanism also classifies and detects attack packets received at the IAD with the W-TMS system. As a result, it was possible for us to use the IAD for wireless network service stably.

A Method to Resolve TCP Packet Out-of-order and Retransmission Problem at the Traffic Collection Point (트래픽 수집지점에서 발생하는 TCP패킷중복 및 역전문제 해결 방법)

  • Lee, Su-Kang;An, Hyun-Min;Kim, Myung-Sup
    • The Journal of Korean Institute of Communications and Information Sciences / v.39B no.6 / pp.350-359 / 2014
  • With the rapid growth of the Internet, the importance of application traffic analysis is increasing for efficient network management. The statistical information in traffic flows can be efficiently utilized for application traffic identification. However, the packet out-of-order and retransmission that occur at the traffic collection point reduce the performance of statistics-based traffic analysis. In this paper, we propose a novel method to detect and resolve the packet out-of-order and retransmission problem in order to improve the completeness and accuracy of traffic identification. To prove the feasibility of the proposed method, we applied our method to a real traffic analysis system using statistical flow information, and compared the performance of the system with the selected 9 popular applications. The experiment showed a maximum 4% completeness growth in traffic bytes, which shows that the proposed method contributes to the analysis of heavy flows.

A Packet Classification Algorithm Using Bloom Filter Pre-Searching on Area-based Quad-Trie (영역 분할 사분 트라이에 블룸 필터 선 검색을 사용한 패킷 분류 알고리즘)

  • Byun, Hayoung;Lim, Hyesook
    • Journal of KIISE / v.42 no.8 / pp.961-971 / 2015
  • As a representative area-decomposed algorithm, an area-based quad-trie (AQT) has an issue of search performance. The search procedure must continue to follow the path to its end, due to the possibility of a higher-priority matching rule, even though a matching rule is encountered in a node. A leaf-pushing AQT improves the search performance of the AQT by making a single rule node exist in each search path. This paper proposes a new algorithm to further improve the search performance of the leaf-pushing AQT. The proposed algorithm implements a leaf-pushing AQT using a hash table and an on-chip Bloom filter. In the proposed algorithm, by sequentially querying the Bloom filter, the level of the rule node in the leaf-pushing AQT is identified first. After this procedure, the rule database, which is usually stored in an off-chip memory, is accessed. Simulation results show that packet classification can be performed through a single hash table access using a reasonably sized Bloom filter. The proposed algorithm is compared with existing algorithms in terms of the memory requirement and the search performance.

Development of the QoS Switch Chip with Packet Processors for the Home Gateway (패킷프로세서 기반의 홈게이트웨이용 스위치칩 개발)

  • Ahn Jeong-Gyun;Kim Sung-Soo;Kim Dae-Whan;Lee Chun-Young
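    • 한국정보통신설비학회:학술대회논문집 / 2006.08a / pp.134-140 / 2006
  • We analyzed the functional requirements for a home gateway and, from the perspective of a telecommunications operator, specified the detailed functions and performance of the switching chip with a focus on the QoS and IP address translation functions. The switching chip was designed on the basis of packet processors so that the chip's functions and performance can be modified or extended to flexibly accommodate rapidly changing network requirements such as QoS functions, packet filtering functions, and the introduction of the IPv6 addressing scheme, and the chip's packet memory and lookup memory were embedded on-chip to simplify the structure of the home gateway. To verify the chip design, it was implemented as a 6-port switching chip using an FPGA, and functional and performance tests were carried out. The functions and performance of the designed chip were confirmed through tests of NAT, flow-based packet classification and packet modification, and scheduling such as SPQ and DWRR.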


The Java-based MPEG-2 Packet Analyzing System for the Digital Broadcast (자바 언어 기반 디지털 방송용 MPEG-2 패킷 분석 시스템)

  • Kim, In-Hee;Hwang, Jun
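    • Proceedings of the Korean Information Science Society Conference / 2004.04a / pp.658-660 / 2004
  • The Java-based MPEG-2 TS (Transport Stream) packet analysis system for digital broadcasting analyzes the contents of TS packets and makes it possible to collect and analyze PSI table and SI table data. The implemented packet analysis system hierarchically classifies the information of PSI tables such as PAT, PMT, NIT and CAT and SI tables such as BAT, NIT, EIT and SDT. It also analyzes the information of the various kinds of descriptors they contain, which carry content with a variety of meanings. The packet analysis system is composed of several classes for multi-threading and convenient data management. Because the GUI of the packet analysis system is implemented with the Swing library, the system runs stably on various platforms such as Windows and Linux without changes to the GUI. The system in this study will be further developed in future work through the implementation of the DSM-CC mechanism and semantic analysis, and integration with database systems.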
