• Title/Summary/Keyword: behavior-based distributed technique (행위기반 분산기법)

A Study on Distributed Cooperation Intrusion Detection Technique based on Region (영역 기반 분산협력 침입탐지 기법에 관한 연구)

  • Yang, Hwan Seok;Yoo, Seung Jae
    • Convergence Security Journal / v.14 no.7 / pp.53-58 / 2014
  • A MANET can be built quickly because it consists only of mobile nodes, and it is widely used today because of its broad range of applications. However, a MANET must address the security vulnerabilities caused by its dynamic topology, the limited resources of each node, and wireless communication under frequent node movement. In this paper, we propose a region (domain)-based distributed cooperative intrusion detection technique that performs accurate intrusion detection while reducing overhead. In the proposed technique, the network is divided into regions of a certain size, after which local detection and global detection are performed. Local detection runs on all nodes to detect abnormal node behavior, and global detection performs signature-based attack detection on the gateway node. The signature DB managed by the gateway node is updated periodically in cooperation with neighboring gateway nodes and a honeynet, and a trust management module maintains the reliability of the nodes in the region. The superior intrusion detection performance of the proposed technique is confirmed through comparative experiments against a multi-layer cluster technique.

DDoS Attack Detection Scheme based on the System Resource Consumption Rate in Linux Systems (리눅스시스템에서 서비스자원소비율을 이용한 분산서비스거부공격 탐지 기법)

  • Ko, Kwang-Sun;Kang, Yong-Hyeog;Eom, Young-Ik
    • Proceedings of the Korea Information Processing Society Conference / 2003.05c / pp.2041-2044 / 2003
  • Among the various intrusions that occur on a network, a denial-of-service (DoS) attack is one in which an attacker sends a large volume of packets to maliciously consume the system and network resources of the target system, so that legitimate users cannot use the services the system provides. Earlier work detected DoS attacks by analyzing the packets received by the system and network and generating network session information. However, when the attacker mounts a distributed denial-of-service (DDoS) attack, this technique is unsuitable for real-time detection because the session information it generates is scattered. In this paper, we propose a model that detects DDoS attacks in real time by monitoring the system resource that reacts most sensitively when the system is under DDoS attack. The proposed model is a network-based anomaly detection model that uses as its audit data the amount of kernel memory consumed while the system processes the packets it receives from the network.
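
The detection logic described in this abstract, as an added example that is not the paper's implementation: it walks a constructed sequence of /proc/meminfo snapshots (the field names are the real ones, the values are made up), computes the rate at which the audited counter grows between samples, learns a baseline from attack-free samples and flags departures. The paper does not name the counter it audits; SUnreclaim, the unreclaimable slab in which sk_buff and socket objects are allocated, is this example's assumed proxy for "kernel memory consumed while processing packets", and the threshold parameters are likewise assumptions.

```python
"""Detect a DDoS-like surge from the rate at which kernel memory is consumed.

Added example, not the paper's implementation. Field names below are the
real /proc/meminfo names; the values and the choice of SUnreclaim as the
audited counter are this example's assumptions.
"""
from statistics import mean, pstdev

FIELD = "SUnreclaim"          # assumed proxy counter (see docstring)
MIN_ALARM_RATE_KB_S = 1024.0  # absolute floor: a flat baseline must not alarm on jitter


def parse_meminfo(text: str) -> dict:
    """Parse /proc/meminfo-style 'Name:   12345 kB' lines into {Name: kB}."""
    out = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        parts = rest.split()
        if parts and parts[0].isdigit():
            out[name.strip()] = int(parts[0])
    return out


def consumption_rates(snapshots, interval_s: float = 1.0):
    """kB/s of FIELD consumed between consecutive snapshots."""
    values = [parse_meminfo(s)[FIELD] for s in snapshots]
    return [(b - a) / interval_s for a, b in zip(values, values[1:])]


def detect(rates, train_n: int = 5, k: float = 3.0,
           min_rate: float = MIN_ALARM_RATE_KB_S):
    """Return (flagged_indices, threshold).

    The first train_n rates are assumed attack-free and define the baseline
    mean and standard deviation; a later rate above mean + k*stdev (and above
    the absolute floor min_rate) is flagged as a possible DDoS.
    """
    base = rates[:train_n]
    threshold = max(mean(base) + k * pstdev(base), min_rate)
    flagged = [i for i, r in enumerate(rates) if i >= train_n and r > threshold]
    return flagged, threshold


def _snapshot(sunreclaim_kb: int) -> str:
    """Constructed /proc/meminfo excerpt for one sampling instant."""
    return (f"MemTotal:       16318676 kB\n"
            f"Slab:           {sunreclaim_kb + 120000} kB\n"
            f"SUnreclaim:     {sunreclaim_kb} kB\n")


# Constructed samples, 1 s apart: six quiet seconds, then a three-second
# flood that allocates roughly 8 MB/s of socket buffers, then quiet again.
SAMPLE_SNAPSHOTS = [_snapshot(v) for v in
                    (300000, 300020, 300050, 300060, 300090, 300110,
                     300130, 308200, 316500, 325000, 325030)]


def run_example():
    rates = consumption_rates(SAMPLE_SNAPSHOTS)
    flagged, threshold = detect(rates)
    return {"rates": rates, "threshold": threshold, "flagged": flagged}


if __name__ == "__main__":
    result = run_example()
    for i in result["flagged"]:
        print(f"t={i + 1}s: {FIELD} grew {result['rates'][i]:.0f} kB/s "
              f"(> {result['threshold']:.0f} kB/s): possible DDoS")
```

On a live host the constructed snapshots would be replaced by reading /proc/meminfo once per interval. Because the decision is made on the consumption rate rather than the absolute value, a slow leak does not trip it and a flood is flagged at the first sample after it begins, which is the real-time property the abstract claims over session-based detection.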

Decentralized LTL Specifications for Ensuring Quality of Interaction-centralized System (상호 작용 중심 시스템의 품질 확보를 위한 LTL 분산 명세)

  • Kwon, Ryoungkwo;Kwon, Gihwon
    • KIPS Transactions on Software and Data Engineering / v.3 no.5 / pp.169-178 / 2014
  • In this paper, we present research that uses decentralized LTL specifications to ensure the quality of an interaction-centralized system. To ensure quality in such a system, we must validate the interactions between the system's modules and then check whether the system achieves the expected requirements. This task remains difficult and labor-intensive and requires an expert. In this paper, we present a method to assist with it. First, the requirements of the system are written as multiple LTL specifications. Interaction between modules means that the behavior of one module is related to the behavior of another. We generate an automaton model that fully satisfies the specifications through GR(1) synthesis, and we simulate it using a software-agent-based simulator to check the behavior of the system. Finally, we validate whether the whole system achieves the given requirements.

Formal Method for Specification and Verification of Behavioral Equivalences of Real-time Navigation and Transportation Systems Based on Abstraction (추상화에 기반을 둔 실시간 항법 및 배송 시스템의 명세 및 행위적 동일성 검증을 위한 정형 기법)

  • Lee, Moon-Kun;Choi, Jung-Rhan
    • The Journal of the Korea Contents Association / v.6 no.11 / pp.202-216 / 2006
  • A number of process algebras are not well suited to real-time navigation/delivery systems for the following reasons: 1) they lack a representation of process distribution over a geographical space, and 2) they do not distinguish the representation of process mobility from that of process distribution over the space. To make process algebra suitable for these systems, it appears necessary to separate the representation of space from the representation of mobility. This paper presents a formal method for this purpose, namely the Calculus of Abstract Real-Time Distribution, Mobility, and Interaction (CARDMI). For the analysis and verification of behavioral properties, CARDMI defines a set of spatial, temporal and interactive deduction rules and a set of equivalence relations. The rules and equivalences can also be abstracted hierarchically through spatial abstraction. CARDMI can also be applied to virtual navigation/delivery systems for contents.

An Intrusion Alert Reduction Method for an Integrated Security Management System using Protected Domain Information (보호 도메인 정보를 이용한 통합 보안 관리 시스템의 침입경보 감소 기법)

  • Park, Yong-Cheol;Lee, Seong-Ho;Lee, Hyung-Hyo;Noh, Bong-Nam
    • Proceedings of the Korea Information Processing Society Conference / 2003.11c / pp.1835-1838 / 2003
  • Distributed and increasingly sophisticated intrusions and threats against critical information and communication infrastructure are growing rapidly. Hence there is a growing need for integrated security management that links multiple security products for detecting, blocking, responding to, and tracing back hacker intrusions. However, by its nature integrated security management receives a large volume of events and intrusion alerts from diverse security products, which makes analysis difficult and burdens the server. To address this problem, this study configures protected domain information on the agents at initialization and thereby reduces the generation of duplicate intrusion alerts. The alert reduction technique using domain information is used in the integrated security management system under development and in research on intrusion alert correlation.
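
One way to realize the reduction this abstract describes, as an added example that is not the paper's code. The abstract only says that protected domain information configured on the agent reduces duplicate alerts; the mechanism below is an assumption: each agent is told at start-up which address ranges it protects, drops alerts whose destination lies outside that domain (the agent owning that range reports them), and merges alerts that several sensors raise for the same (source, destination, signature) within a short window into one alert carrying a count and the set of reporting sensors. The domain, the sensors and the alerts are all constructed.

```python
"""Reduce duplicate intrusion alerts with a protected-domain configuration.

Added example, not the paper's code. The mechanism (drop out-of-domain
destinations, merge same-key alerts within a window) is an assumption
about what "protected domain information on the agent" buys.
"""
import ipaddress

# Constructed protected-domain configuration for one agent.
PROTECTED_DOMAIN = [ipaddress.ip_network("10.10.1.0/24"),
                    ipaddress.ip_network("10.10.2.0/24")]

# Constructed raw alerts from several sensors: (sensor, time_s, src, dst, signature)
RAW_ALERTS = [
    ("ids-edge",  100, "203.0.113.7",  "10.10.1.5",  "WEB-CGI probe"),
    ("ids-core",  101, "203.0.113.7",  "10.10.1.5",  "WEB-CGI probe"),
    ("ids-host5", 102, "203.0.113.7",  "10.10.1.5",  "WEB-CGI probe"),
    ("ids-edge",  103, "203.0.113.7",  "10.10.9.8",  "WEB-CGI probe"),    # not our domain
    ("ids-edge",  104, "198.51.100.3", "10.10.2.20", "SSH brute force"),
    ("ids-core",  190, "203.0.113.7",  "10.10.1.5",  "WEB-CGI probe"),    # window expired
]


def in_domain(addr: str, domain=PROTECTED_DOMAIN) -> bool:
    """True if addr falls in one of the agent's protected networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in domain)


def reduce_alerts(alerts, window_s: int = 60, domain=PROTECTED_DOMAIN):
    """Return reduced alerts (dicts) in first-seen order."""
    reduced = []
    open_entry = {}   # (src, dst, signature) -> index of the latest open alert
    for sensor, ts, src, dst, sig in sorted(alerts, key=lambda a: a[1]):
        if not in_domain(dst, domain):
            continue                       # another agent's responsibility
        key = (src, dst, sig)
        i = open_entry.get(key)
        if i is not None and ts - reduced[i]["first_seen"] <= window_s:
            reduced[i]["count"] += 1        # duplicate within the window
            reduced[i]["last_seen"] = ts
            reduced[i]["sensors"].add(sensor)
        else:
            reduced.append({"src": src, "dst": dst, "signature": sig,
                            "first_seen": ts, "last_seen": ts,
                            "count": 1, "sensors": {sensor}})
            open_entry[key] = len(reduced) - 1
    return reduced


def reduction_ratio(alerts, **kw) -> float:
    """Fraction of raw alerts the management server no longer has to examine."""
    return 1 - len(reduce_alerts(alerts, **kw)) / len(alerts)


if __name__ == "__main__":
    for a in reduce_alerts(RAW_ALERTS):
        print(f"{a['first_seen']:>4} {a['src']:>13} -> {a['dst']:<10} "
              f"{a['signature']:<16} x{a['count']} via {sorted(a['sensors'])}")
    print(f"reduction: {reduction_ratio(RAW_ALERTS):.0%}")
```

The merged record keeps the set of sensors that saw the event, so the correlation work the abstract mentions is not lost by the reduction: an alert confirmed by an edge, a core and a host sensor is more credible than one seen by a single sensor, and the count and time span are what a correlation engine would want next.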

Macroscopic Treatment to Unknown Malicious Mobile Codes (알려지지 않은 악성 이동 코드에 대한 거시적 대응)

  • Lee, Kang-San;Kim, Chol-Min;Lee, Seong-Uck;Hong, Man-Pyo
    • Journal of KIISE: Computing Practices and Letters / v.12 no.6 / pp.339-348 / 2006
  • Recently, much research has addressed detecting and responding to worms, because of the fatal infrastructural damage caused explosively by automated attack tools, particularly worms. Worms that exploit network service vulnerabilities propagate at high velocity, exhaust network bandwidth, and can even disrupt the Internet. Previous worm research focused on signature-based approaches; today, approaches based on the behavioral features of worms receive more attention because of their low false-positive rate and their ability to detect worms early. In this paper, we propose a Distributed Worm Detection Model based on packet marking. The proposed model detects the Worm Cycle and the Infection Chain, which are behavioral features of worms. Moreover, it offers high scalability and feasibility because of its distributed reaction mechanism and low processing overhead. We implement a virtual worm propagation environment and evaluate the effectiveness of detecting and responding to worm propagation.

A Customized Tourism System Using Log Data on Hadoop (로그 데이터를 이용한 하둡기반 맞춤형 관광시스템)

  • Ya, Ding;Kim, Kang-Chul
    • The Journal of the Korea institute of electronic communication sciences / v.13 no.2 / pp.397-404 / 2018
  • As internet usage increases, a great deal of user behavior is recorded in log files, and research and industrial use of log files has become active recently. This paper uses Hadoop, an open-source distributed computing platform, and proposes a customized tourism system that analyzes user behavior in log files. The proposed system uses Google Analytics to obtain users' log files from the websites they visit, and stores search terms extracted by MapReduce in HDFS. It also gathers features of the sightseeing places or cities that travelers want to tour from travel guide websites using the Octopus application. It suggests customized cities by matching the search terms with the city features. An NBP (next bit permutation) algorithm that rearranges the search terms and city features is used to increase the probability of a match. Customized cities suggested by analyzing the log files of 39 users show the performance of the proposed system.

Distributed Processing System Design and Implementation for Feature Extraction from Large-Scale Malicious Code (대용량 악성코드의 특징 추출 가속화를 위한 분산 처리 시스템 설계 및 구현)

  • Lee, Hyunjong;Euh, Seongyul;Hwang, Doosung
    • KIPS Transactions on Computer and Communication Systems / v.8 no.2 / pp.35-40 / 2019
  • Traditional malware detection struggles to detect malware that has been modified by polymorphism or obfuscation. By learning the patterns embedded in malware code, machine learning algorithms can detect similar behavior and replace current detection methods. Data must be collected continuously in order to learn malicious-code patterns that change over time. However, storing and processing a large number of malware files incurs high space and time complexity. In this paper, an HDFS-based distributed processing system is designed to reduce space complexity and accelerate feature extraction. Using the distributed processing system, we extract two API features selected on a filtering basis, the 2-gram feature and the APICFG feature, and compare the generalization performance of ensemble learning models. In experiments, feature extraction was about 3.75 times faster than on a single computer, and space usage was about 5 times more efficient. The 2-gram feature gave the best classification performance of the two, but its training time was long because of its high dimensionality.
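
The 2-gram API feature named in this abstract, extracted from API call traces as an added example that is not the paper's pipeline. The traces are constructed, and two details the abstract does not fix are assumptions here: the "filtering basis" is taken to be an allow-list of APIs of interest, with calls outside it removed before adjacent pairs are formed, and the hashed vector at the end goes beyond the abstract as one standard answer to the high dimensionality it reports for the 2-gram feature.

```python
"""API 2-gram feature extraction from API call traces.

Added example, not the paper's pipeline. API_FILTER as the "filtering
basis" and the feature-hashing variant are this example's assumptions;
the traces are constructed.
"""
import hashlib
from collections import Counter

API_FILTER = {
    "CreateFileW", "WriteFile", "CreateProcessW", "VirtualAlloc",
    "WriteProcessMemory", "CreateRemoteThread", "InternetOpenA",
    "InternetReadFile", "CryptEncrypt",
}

# Constructed API call traces, one per sample.
SAMPLES = {
    "dropper_a":  ["InternetOpenA", "GetTickCount", "InternetReadFile",
                   "CreateFileW", "WriteFile", "CreateProcessW"],
    "injector_b": ["OpenProcess", "VirtualAlloc", "WriteProcessMemory",
                   "CreateRemoteThread", "Sleep"],
    "ransom_c":   ["CreateFileW", "CryptEncrypt", "WriteFile",
                   "CreateFileW", "CryptEncrypt", "WriteFile"],
    "benign_d":   ["GetTickCount", "Sleep", "CreateFileW", "WriteFile"],
}


def filter_calls(trace, keep=API_FILTER):
    """Keep only the APIs on the filtering basis, preserving order."""
    return [api for api in trace if api in keep]


def two_grams(calls):
    """Counter of adjacent (api_i, api_i+1) pairs."""
    return Counter(zip(calls, calls[1:]))


def extract(samples):
    """{sample: Counter of 2-grams} after filtering."""
    return {name: two_grams(filter_calls(trace)) for name, trace in samples.items()}


def vocabulary(grams_by_sample):
    """Deterministic 2-gram -> column index map over the whole corpus."""
    grams = sorted({g for c in grams_by_sample.values() for g in c})
    return {g: i for i, g in enumerate(grams)}


def vectorize(grams, vocab):
    """Dense count vector in vocabulary order."""
    vec = [0] * len(vocab)
    for g, n in grams.items():
        vec[vocab[g]] = n
    return vec


def hashed_vector(grams, dim=16):
    """Fixed-width count vector via feature hashing (collisions are possible)."""
    vec = [0] * dim
    for (a, b), n in grams.items():
        col = int(hashlib.sha1(f"{a}->{b}".encode()).hexdigest(), 16) % dim
        vec[col] += n
    return vec


def feature_matrix(samples):
    """(names, vocab, rows): the matrix an ensemble learner would train on."""
    grams = extract(samples)
    vocab = vocabulary(grams)
    names = sorted(grams)
    return names, vocab, [vectorize(grams[n], vocab) for n in names]


if __name__ == "__main__":
    names, vocab, rows = feature_matrix(SAMPLES)
    print(f"{len(vocab)} distinct 2-grams over {len(names)} samples")
    for name, row in zip(names, rows):
        print(f"{name:<11} {row}")
```

Even four short traces yield nine distinct 2-grams, and the vocabulary grows with every new sample; that growth is the dimensionality problem the abstract reports, and it is also why extraction over a large corpus is worth distributing: each worker can count 2-grams for its own files independently and only the vocabulary merge is global.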

An Energy Efficient Clustering Method Based on ANTCLUST in Sensor Network (센서 네트워크 환경에서 ANTCLUST 기반의 에너지 효율적인 클러스터링 기법)

  • Shin, Bong-Hi;Jeon, Hye-Kyoung;Chung, Kyung-Yong
    • Journal of Digital Convergence / v.10 no.1 / pp.371-378 / 2012
  • Through sensor nodes, the behavior, condition and location of objects can be obtained. Generally speaking, sensor nodes are very limited because they run on battery power. Therefore, to collect sensor data, efficient energy management is necessary in order to prolong the survival of the entire network. In this paper, we propose a method that increases energy efficiency by letting distributed sensor nodes self-configure into clusters. The proposed method is based on ANTCLUST: after measuring the similarity between two objects, each node determines its own cluster, applying the colonial closure model of ants. Experimental results show that the number of surviving nodes increased by 27% compared with existing clustering methods.

A Scalable Distributed Worm Detection and Prevention Model using Lightweight Agent (경량화 에이전트를 이용한 확장성 있는 분산 웜 탐지 및 방지 모델)

  • Park, Yeon-Hee;Kim, Jong-Uk;Lee, Seong-Uck;Kim, Chol-Min;Tariq, Usman;Hong, Man-Pyo
    • Journal of KIISE: Computing Practices and Letters / v.14 no.5 / pp.517-521 / 2008
  • A worm is malware that propagates quickly from host to host without any human intervention. The need for early worm detection has shifted the research paradigm from signature-based worm detection to behavior-based detection. To increase the effectiveness of the proposed solution, in this paper we present a mechanism for detecting and preventing worms in a distributed fashion. Furthermore, to minimize worm damage, upon detecting a worm we propagate a possible-attack alert to neighboring nodes in a secure and organized manner. Considering worm behavior, our proposed mechanism detects worm cycles and infection chains in order to detect sudden changes in network performance. Our model neither needs to maintain a huge database of signatures nor needs much computing power, which is why it is very light and simple; the proposed scheme is therefore suitable for ubiquitous environments. Simulation results show better detection and prevention, which leads to a reduction in the infection rate.
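
The infection-chain detection that both worm papers above (the 2006 packet-marking model and this 2008 lightweight-agent model) rely on, as one added example that is not either paper's implementation: their packet-marking scheme and their exact definitions of "worm cycle" and "infection chain" are not given in the abstracts. The model assumed here: a host that is contacted on port p and then, within WINDOW_S seconds, opens connections on the same port p to at least FANOUT distinct hosts is "suspected infected"; linking infector to infected builds an infection chain, and a chain of CHAIN_ALERT or more hosts raises an alert listing the hosts to isolate. The constants, the host addresses and the connection records are all constructed.

```python
"""Behaviour-based worm detection over connection records: infection chains.

Added example, not the papers' implementation. The inbound-then-fan-out
rule, the three constants and the connection log are assumptions.
"""
from collections import defaultdict

WINDOW_S = 30     # seconds between being contacted and starting to scan
FANOUT = 3        # distinct targets on the same port that count as scanning
CHAIN_ALERT = 3   # chain length (hosts) that raises an alert

# Constructed connection log: (time_s, src, dst, dport). A port-445 worm
# enters at 10.0.0.1, which infects 10.0.0.2, which infects 10.0.0.3.
EVENTS = [
    (0,  "198.51.100.9", "10.0.0.1",  445),
    (5,  "10.0.0.1",     "10.0.0.2",  445),
    (6,  "10.0.0.1",     "10.0.0.7",  445),
    (7,  "10.0.0.1",     "10.0.0.8",  445),
    (8,  "10.0.0.1",     "10.0.0.9",  445),
    (12, "10.0.0.2",     "10.0.0.3",  445),
    (13, "10.0.0.2",     "10.0.0.11", 445),
    (14, "10.0.0.2",     "10.0.0.12", 445),
    (20, "10.0.0.3",     "10.0.0.21", 445),
    (21, "10.0.0.3",     "10.0.0.22", 445),
    (22, "10.0.0.3",     "10.0.0.23", 445),
    # ordinary traffic: a client talks to two web servers and one answers back
    (3,  "10.0.0.50",    "10.0.0.60", 80),
    (4,  "10.0.0.50",    "10.0.0.61", 80),
    (9,  "10.0.0.60",    "10.0.0.50", 80),
]


def suspected_infections(events, window_s=WINDOW_S, fanout=FANOUT):
    """{infected_host: (infector, port, t_contacted)} for hosts that were
    contacted on a port and then fanned out on that same port."""
    events = sorted(events)
    inbound = defaultdict(list)             # (host, port) -> [(t, src), ...]
    for t, src, dst, port in events:
        inbound[(dst, port)].append((t, src))
    infected = {}
    for (host, port), contacts in inbound.items():
        for t_in, infector in contacts:
            targets = {dst for t, src, dst, p in events
                       if src == host and p == port and t_in < t <= t_in + window_s}
            if len(targets) >= fanout:
                infected[host] = (infector, port, t_in)
                break
    return infected


def infection_chains(infected):
    """Maximal chains, root (first infector) first, one per leaf host."""
    infectors = {inf for inf, _, _ in infected.values()}
    chains = []
    for leaf in sorted(h for h in infected if h not in infectors):
        chain, cur, seen = [leaf], leaf, {leaf}
        while cur in infected and infected[cur][0] not in seen:
            cur = infected[cur][0]          # walk back to whoever infected cur
            chain.append(cur)
            seen.add(cur)
        chains.append(chain[::-1])
    return chains


def detect_worm(events, chain_alert=CHAIN_ALERT):
    """Alerts for chains long enough to indicate self-propagation."""
    infected = suspected_infections(events)
    alerts = []
    for chain in infection_chains(infected):
        if len(chain) >= chain_alert:
            alerts.append({"port": infected[chain[-1]][1],
                           "chain": chain,
                           "isolate": [h for h in chain if h in infected]})
    return alerts


if __name__ == "__main__":
    for a in detect_worm(EVENTS):
        print(f"worm on port {a['port']}: {' -> '.join(a['chain'])}; "
              f"isolate {a['isolate']}")
```

Nothing here consults a signature: the web client that contacts two servers and the server that answers it never satisfy the inbound-then-fan-out rule, while the three hosts that scan on the port they were just contacted on do, and chaining them exposes the self-propagation that a per-host view would miss. The `isolate` list is what a node would pass to its neighbours as the alert the 2008 abstract describes; the state kept per host is one list of inbound contacts, which is what keeps such an agent lightweight.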