• Title/Summary/Keyword: Anomaly Traffic


Design and Implementation of Anomaly Traffic Control framework based on Linux Netfilter System and CBQ Routing Mechanisms (리눅스 Netfilter시스템과 CBQ 라우팅 기능을 이용한 비정상 트래픽 제어 프레임워크 설계 및 구현)

  • 조은경;고광선;이태근;강용혁;엄영익
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.13 no.6
    • /
    • pp.129-140
    • /
    • 2003
  • Recently, viruses and various hacking tools that threaten hosts on a network have become more intelligent and cleverer, and so various security mechanisms against them have been developed during the last decades. To detect these network attacks, many NIPSs (Network-based Intrusion Prevention Systems) that are more functional than traditional NIDSs have been developed by several companies and organizations. But many previous NIPSs are known to have some weakness in protecting important hosts from network attacks because of their incorrectness and post-management aspects. The aspect of incorrectness means that many NIPSs incorrectly discriminate between normal and attack network traffic in real time. The aspect of post-management means that they generally respond to attacks after the intrusions have already been performed to a large extent. Therefore, to detect network attacks in real time and to increase the capability of analyzing packets, faster and more active responding capabilities are required for NIPS frameworks. In this paper, we propose a framework for real-time intrusion prevention. This framework consists of a packet filtering component that works on netfilter in the Linux kernel and a traffic control component that has the capability of step-by-step control over abnormal network traffic with the CBQ mechanism.
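The step-by-step control the abstract describes, shown as an added example that is not the paper's framework: a controller moves an abnormal source through successively tighter CBQ classes and finally to a netfilter DROP, and relaxes it again when the source goes quiet. The controller only decides; it renders the iptables/tc commands as strings rather than executing them. The interface name, bandwidth, class ids, rates, chain name and thresholds are all assumptions chosen for the example.

```python
"""Step-by-step control of abnormal traffic: escalate an offending source through
successively tighter CBQ classes, then to a netfilter DROP, and relax it again.

Added example, not the paper's framework. Packet counts must be taken before the
DROP rule (e.g. at the PREROUTING hook); if they are taken after it, a dropped
source looks quiet and is relaxed at once.
"""

DEV, BANDWIDTH = "eth0", "100Mbit"          # assumed interface and link rate
# level -> (fw mark / classid, CBQ rate); level 0 is unrestricted, the last is DROP
LEVELS = [(None, None), ("10", "512kbit"), ("20", "64kbit"), ("DROP", None)]
PKT_THRESHOLD = 1000   # packets per window above which a source counts as abnormal
ESCALATE_AFTER = 3     # consecutive abnormal windows before tightening one step
RELAX_AFTER = 3        # consecutive quiet windows before loosening one step


class StepController:
    """Per-source hysteresis: one step up after ESCALATE_AFTER hot windows, one step
    down after RELAX_AFTER quiet windows, so a single burst never reaches DROP."""

    def __init__(self):
        self.level, self.hot, self.quiet = {}, {}, {}

    def observe(self, src, pkts):
        """Feed one window's packet count for src and return its new level."""
        lvl = self.level.get(src, 0)
        if pkts > PKT_THRESHOLD:
            self.quiet[src] = 0
            self.hot[src] = self.hot.get(src, 0) + 1
            if self.hot[src] >= ESCALATE_AFTER and lvl < len(LEVELS) - 1:
                lvl, self.hot[src] = lvl + 1, 0
        else:
            self.hot[src] = 0
            self.quiet[src] = self.quiet.get(src, 0) + 1
            if self.quiet[src] >= RELAX_AFTER and lvl > 0:
                lvl, self.quiet[src] = lvl - 1, 0
        self.level[src] = lvl
        return lvl


def setup_commands():
    """One-time setup: root CBQ qdisc, one bounded (non-borrowing) class per
    restricted level, a fw filter mapping each netfilter mark to its class, and a
    mangle chain that holds the per-source rules."""
    cmds = [f"tc qdisc add dev {DEV} root handle 1: cbq bandwidth {BANDWIDTH} avpkt 1000",
            "iptables -t mangle -N ANOMALY",
            "iptables -t mangle -A FORWARD -j ANOMALY"]
    for mark, rate in LEVELS:
        if rate:
            cmds.append(f"tc class add dev {DEV} parent 1: classid 1:{mark} cbq "
                        f"bandwidth {BANDWIDTH} rate {rate} allot 1514 prio 5 avpkt 1000 bounded")
            cmds.append(f"tc filter add dev {DEV} parent 1: protocol ip prio 1 "
                        f"handle {mark} fw flowid 1:{mark}")
    return cmds


def transition_commands(src, old_level, new_level):
    """Rules that move src from old_level to new_level: delete the old rule (if any),
    then either mark the source for its new class or drop it outright."""
    def rule(level, action):
        mark, _ = LEVELS[level]
        target = "DROP" if mark == "DROP" else f"MARK --set-mark {mark}"
        return f"iptables -t mangle -{action} ANOMALY -s {src} -j {target}"

    cmds = [rule(old_level, "D")] if old_level else []
    if new_level:
        cmds.append(rule(new_level, "A"))
    return cmds


if __name__ == "__main__":
    ctl = StepController()
    prev = 0
    for window, pkts in enumerate([1500] * 9 + [10] * 3):
        cur = ctl.observe("10.0.0.5", pkts)
        if cur != prev:
            print(f"window {window}: level {prev} -> {cur}")
            for c in transition_commands("10.0.0.5", prev, cur):
                print("  " + c)
        prev = cur
```

Three consecutive windows over the threshold are needed for each step, so a nine-window flood ends in DROP while a one-window burst is never touched; three quiet windows then loosen one step at a time. Note that the CBQ qdisc used here has since been retired from the Linux kernel, and HTB is the usual replacement; the mark-to-class mapping via the fw filter is unchanged.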

IPFIX-based IPv6 Anomaly Traffic Monitoring (IPFIX 표준을 이용한 IPv6 이상트래픽 모니터링)

  • Kim, J.;Shin, S.;Choi, S.;Lee, Y.;Kim, K.
    • Proceedings of the Korean Information Science Society Conference
    • /
    • 2006.10d
    • /
    • pp.128-131
    • /
    • 2006
  • The IPv6 protocol is the next-generation Internet standard, designed to solve the address exhaustion, inadequate QoS provision and various security problems of the IPv4 protocol currently used as the Internet protocol. Although the transition from IPv4 to IPv6 is under way, IPv6 is not yet widely used, so few IPv6 traffic monitoring tools and intrusion response devices are available. However, as IPv6 networks gradually appear and the transition proceeds, preparation is needed for the various Internet security incidents that can occur over IPv6. Anomalous traffic has already been reported: denial-of-service attacks and default-router spoofing attacks exploiting weaknesses of the IPv6 protocol, the kinds of anomalous traffic seen in IPv4, anomalous traffic using IPv6 extension headers, and IPv6-over-IPv4 tunneling. This paper therefore examines the anomalous traffic that can occur in the IPv6 protocol and proposes an IPFIX template, based on the IETF standard, that makes detection of such anomalous traffic possible. A simple method of classifying IPv6 anomalous traffic using the proposed IPFIX flow messages is also presented.

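A flow-level classifier of the kind the abstract describes, shown as an added example that is not the paper's template or method. The records are plain dicts keyed by IANA IPFIX Information Element names (sourceIPv6Address, protocolIdentifier, icmpTypeCodeIPv6, ...), i.e. what an IPFIX collector would hand to a classifier after decoding the data sets; it is an assumption that the collector has already expanded the ipv6ExtensionHeaders bitmask into a list of header names. The rogue-router allow-list, the flood threshold and the export batch itself are constructed for the example.

```python
"""Classify anomalous IPv6 traffic from decoded IPFIX flow records.

Added example, not the paper's code. Covers the four traffic classes named in
the abstract: IPv6-over-IPv4 tunneling, extension-header abuse (Routing header),
default-router spoofing (Router Advertisements from an unexpected source) and a
denial-of-service flood (many sources, tiny flows, one destination).
"""
from collections import Counter, defaultdict

IPPROTO_IPV6 = 41                  # IPv6 encapsulated in IPv4 (6in4 / 6to4 tunnels)
IPPROTO_ICMPV6 = 58
ICMPV6_ROUTER_ADVERTISEMENT = 134  # RFC 4861

# Assumed site policy: link-local addresses of routers allowed to send RAs.
LEGIT_ROUTERS = {"fe80::1"}
# Assumed flood heuristic: a destination reached by at least this many distinct
# sources, each with a flow of <= TINY_FLOW packets, within one export batch.
FLOOD_MIN_SOURCES = 20
TINY_FLOW = 2


def icmp_type(record):
    """icmpTypeCodeIPv6 is encoded as type * 256 + code (RFC 5102)."""
    return record["icmpTypeCodeIPv6"] >> 8


def classify_flow(record):
    """Per-flow labels (empty list means the flow looks normal)."""
    labels = []
    proto = record.get("protocolIdentifier")
    if proto == IPPROTO_IPV6 and "sourceIPv4Address" in record:
        labels.append("ipv6-over-ipv4-tunnel")
    if "Routing" in record.get("ipv6ExtensionHeaders", []):
        labels.append("routing-header")   # RH0 was deprecated by RFC 5095
    if (proto == IPPROTO_ICMPV6 and icmp_type(record) == ICMPV6_ROUTER_ADVERTISEMENT
            and record["sourceIPv6Address"] not in LEGIT_ROUTERS):
        labels.append("rogue-router-advertisement")
    return labels


def classify_batch(records):
    """Per-flow labels plus a batch-level check on destination fan-in.
    Returns {record_index: [labels]}."""
    result = {i: classify_flow(r) for i, r in enumerate(records)}
    fan_in = defaultdict(set)
    for r in records:
        if "destinationIPv6Address" in r and r.get("packetDeltaCount", 0) <= TINY_FLOW:
            fan_in[r["destinationIPv6Address"]].add(r["sourceIPv6Address"])
    flooded = {dst for dst, srcs in fan_in.items() if len(srcs) >= FLOOD_MIN_SOURCES}
    for i, r in enumerate(records):
        if r.get("destinationIPv6Address") in flooded and r.get("packetDeltaCount", 0) <= TINY_FLOW:
            result[i].append("flood-target")
    return result


def summarize(records):
    """Label -> number of flows carrying it, as a plain dict."""
    return dict(Counter(l for labels in classify_batch(records).values() for l in labels))


def sample_records():
    """Constructed export batch: a normal TCP flow, a 6in4 tunnel flow, a legitimate
    and a rogue Router Advertisement, a flow carrying a Routing header, and a
    25-source one-packet flood against one web server."""
    ra = ICMPV6_ROUTER_ADVERTISEMENT << 8   # code 0
    recs = [
        {"sourceIPv6Address": "2001:db8::5", "destinationIPv6Address": "2001:db8::10",
         "protocolIdentifier": 6, "destinationTransportPort": 443, "packetDeltaCount": 40},
        {"sourceIPv4Address": "192.0.2.7", "destinationIPv4Address": "198.51.100.9",
         "protocolIdentifier": IPPROTO_IPV6, "packetDeltaCount": 12},
        {"sourceIPv6Address": "fe80::1", "destinationIPv6Address": "ff02::1",
         "protocolIdentifier": IPPROTO_ICMPV6, "icmpTypeCodeIPv6": ra, "packetDeltaCount": 1},
        {"sourceIPv6Address": "fe80::bad", "destinationIPv6Address": "ff02::1",
         "protocolIdentifier": IPPROTO_ICMPV6, "icmpTypeCodeIPv6": ra, "packetDeltaCount": 1},
        {"sourceIPv6Address": "2001:db8::66", "destinationIPv6Address": "2001:db8::10",
         "protocolIdentifier": 6, "destinationTransportPort": 22, "packetDeltaCount": 3,
         "ipv6ExtensionHeaders": ["Routing"]},
    ]
    recs += [{"sourceIPv6Address": "2001:db8:1::%x" % i, "destinationIPv6Address": "2001:db8::80",
              "protocolIdentifier": 6, "destinationTransportPort": 80, "packetDeltaCount": 1}
             for i in range(1, 26)]
    return recs


if __name__ == "__main__":
    print(summarize(sample_records()))
```

The RA check is what turns the paper's "default router spoofing" into a flow rule: the template must export icmpTypeCodeIPv6 and the source address, and the site must know which link-local addresses are allowed to advertise. The fan-in check is the one rule that cannot be evaluated per record, which is why it runs over the whole batch.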

Distributed and Scalable Intrusion Detection System Based on Agents and Intelligent Techniques

  • El-Semary, Aly M.;Mostafa, Mostafa Gadal-Haqq M.
    • Journal of Information Processing Systems
    • /
    • v.6 no.4
    • /
    • pp.481-500
    • /
    • 2010
  • The Internet explosion and the increase in crucial web applications such as e-banking and e-commerce make network security tools essential. One such tool is an intrusion detection system, which can be classified by detection approach as signature-based or anomaly-based. Even though intrusion detection systems are well defined, their cooperation with each other to detect attacks needs to be addressed. Consequently, a new architecture that allows them to cooperate in detecting attacks is proposed. The architecture uses software agents to provide scalability and distributability. It works in two modes: learning and detection. During learning mode, it generates a profile for each individual system using a fuzzy data mining algorithm. During detection mode, each system uses FuzzyJess to match network traffic against its profile. The architecture was tested against a standard data set produced by MIT's Lincoln Laboratory, and the primary results show its efficiency and capability to detect attacks. Finally, two new methods, the memory-window and the memoryless-window, were developed for extracting useful parameters from raw packets. The parameters are used as detection metrics.

Data Mining Approaches for DDoS Attack Detection (분산 서비스거부 공격 탐지를 위한 데이터 마이닝 기법)

  • Kim, Mi-Hui;Na, Hyun-Jung;Chae, Ki-Joon;Bang, Hyo-Chan;Na, Jung-Chan
    • Journal of KIISE:Information Networking
    • /
    • v.32 no.3
    • /
    • pp.279-290
    • /
    • 2005
  • Recently, as the serious damage caused by DDoS attacks increases, rapid detection and proper response mechanisms are urgently needed. However, existing security mechanisms do not effectively defend against these attacks, or the defense capability of some mechanisms is limited to specific DDoS attacks. In this paper, we propose a detection architecture against DDoS attacks using data mining technology that can classify the latest types of DDoS attack and can detect modifications of existing attacks as well as novel attacks. This architecture consists of a Misuse Detection Module, modeled to classify the existing attacks, and an Anomaly Detection Module, modeled to detect novel attacks. It utilizes the off-line generated models in order to detect DDoS attacks in real-time traffic. We gathered the NetFlow data generated at an access router of our network in order to model real network traffic and test it. NetFlow provides useful flow-based statistical information without tremendous preprocessing. Also, we mounted well-known DDoS attack tools to gather attack traffic. Our experimental results show that our approach provides outstanding performance against existing attacks and the possibility of detection against novel attacks.

A Case of Tension Viscerothorax : A Rare Complication of Diaphragmatic Rupture after Blunt Abdominal Trauma (복부둔상 후 발생한 긴장성 내장흉 1례)

  • Park, Maeng Real;Lee, Jae Ho;Ahn, Ji Yoon;Oh, Bum Jin;Kim, Won;Lim, Kyoung Soo
    • Journal of Trauma and Injury
    • /
    • v.19 no.2
    • /
    • pp.201-205
    • /
    • 2006
  • Tension viscerothorax (gastrothorax) is a rare, life-threatening condition caused by air trapped in the viscera. A distended viscus in the hemithorax shifts the mediastinal structures and causes extra-cardiac obstructive shock. The diaphragmatic defect is caused by abdominal trauma or a congenital anomaly. Traumatic diaphragmatic injury can be missed until herniation develops several years after blunt trauma. In our case, a 10-year-old boy developed hemodynamic compromise in the emergency department. Three years earlier, he had suffered blunt abdominal trauma in a pedestrian traffic accident, but there was no evidence of diaphragmatic injury at that time. He was successfully resuscitated by gastric decompression and an emergent thoracic operation. The operative findings revealed a traumatic diaphragmatic injury. Tension viscerothorax is a rare but catastrophic condition, so we suggest that adding tension viscerothorax to the Advanced Trauma Life Support (ATLS) guidelines may be helpful.

An Architecture Design of Distributed Internet Worm Detection System for Fast Response

  • Lim, Jung-Muk;Han, Young-Ju;Chung, Tai-Myoung
    • Proceedings of the Korea Society of Information Technology Applications Conference
    • /
    • 2005.11a
    • /
    • pp.161-164
    • /
    • 2005
  • As the influence of the Internet grows steadily, attacks against the Internet can nowadays cause enormous monetary damage. A worm can not only replicate itself like a virus but also propagate itself across the Internet. It infects vulnerable hosts on the Internet and then degrades the overall performance of the Internet or stops it from working. In response, worm detection and prevention technologies have been developed. Worm detection technologies are classified into two categories, host-based detection and network-based detection. Host-based detection methods include checking the files that worms create, checking the integrity of the file systems, and so on. Network-based detection methods are a misuse detection method, which compares traffic payloads with worm signatures, and anomaly detection methods, which check inbound/outbound scan rates, ICMP host/port unreachable message rates, and TCP RST packet rates. However, single detection methods like the aforementioned cannot respond to worm attacks effectively, because worms attack the Internet in a distributed fashion. In this paper, we propose a design for a distributed worm detection system to overcome this inefficiency. Existing distributed network intrusion detection systems cooperate with each other using only their own information. Unlike these, in our proposed system, a worm detection system on a network in which worms select targets and a worm detection system on a network from which worms propagate themselves cooperate with each other using direction-aware information in terms of the worm's lifecycle. The direction-aware information includes the moving direction of worms and the service port attacked by worms. In this way, we can not only reduce the false positive rate of the system but also prevent worms from propagating themselves across the Internet by dispersing the confirmed worm signature.

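The network-based anomaly features named in the abstract (outbound scan rate, ICMP unreachable rate, TCP RST rate) and the direction-aware correlation between the two sensors, shown as an added example that is not the paper's system. Events are constructed per-packet records as a segment sensor might export them; the two sensors here read the same list for convenience, and every threshold, prefix and address is an assumption.

```python
"""Worm detection from per-host scan, ICMP-unreachable and TCP-RST rates, with
direction-aware correlation between a source-side and a target-side sensor.

Added example, not the paper's system. A source-side sensor (on the network the
worm propagates from) flags a local host that contacts many destinations on one
port and receives many failure replies; a target-side sensor (on the network
whose hosts are being selected as targets) flags an external source that probes
many local hosts on one port. A worm is confirmed only when both agree on the
(window, host, port), which is the signature to disperse.
"""
from collections import Counter, defaultdict

WINDOW = 60.0        # seconds per detection window
MIN_TARGETS = 30     # distinct hosts probed from one source within a window
MIN_FAILURES = 10    # ICMP unreachables + TCP RSTs returned to that source


def outbound_scanners(events, local_prefix, window=WINDOW):
    """Source-side sensor. Returns {(window, local_host): port} for local hosts
    whose SYNs reach >= MIN_TARGETS destinations and that get >= MIN_FAILURES
    ICMP destination-unreachable (type 3) or TCP RST replies."""
    dsts, ports, failures = defaultdict(set), defaultdict(Counter), Counter()
    for e in events:
        w = int(e["t"] // window)
        if e["proto"] == "tcp" and e["flags"] == "S" and e["src"].startswith(local_prefix):
            dsts[(w, e["src"])].add(e["dst"])
            ports[(w, e["src"])][e["dport"]] += 1
        elif e["dst"].startswith(local_prefix) and (
                (e["proto"] == "icmp" and e["type"] == 3)
                or (e["proto"] == "tcp" and e["flags"] == "R")):
            failures[(w, e["dst"])] += 1
    return {key: ports[key].most_common(1)[0][0]
            for key, d in dsts.items()
            if len(d) >= MIN_TARGETS and failures[key] >= MIN_FAILURES}


def inbound_scans(events, local_prefix, window=WINDOW):
    """Target-side sensor. Returns {(window, external_source): port} for sources
    that probe >= MIN_TARGETS distinct local hosts on the same port."""
    hits = defaultdict(lambda: defaultdict(set))
    for e in events:
        if (e["proto"] == "tcp" and e["flags"] == "S"
                and e["dst"].startswith(local_prefix) and not e["src"].startswith(local_prefix)):
            hits[(int(e["t"] // window), e["src"])][e["dport"]].add(e["dst"])
    out = {}
    for key, by_port in hits.items():
        port, targets = max(by_port.items(), key=lambda kv: len(kv[1]))
        if len(targets) >= MIN_TARGETS:
            out[key] = port
    return out


def correlate(source_side, target_side):
    """Direction-aware correlation: confirmed (host, port) pairs reported by both
    the network the scans leave and the network they arrive at, same window."""
    return {(host, port) for (w, host), port in source_side.items()
            if target_side.get((w, host)) == port}


def constructed_events():
    """Constructed trace: 10.1.0.5 probes 40 hosts in 192.0.2.0/24 on port 445; 12
    answer with RST and 10 probes draw ICMP unreachables. 10.1.0.9 makes five
    ordinary HTTPS connections."""
    ev = [{"t": 5 + i, "src": "10.1.0.5", "dst": "192.0.2.%d" % (i + 1),
           "proto": "tcp", "dport": 445, "flags": "S"} for i in range(40)]
    ev += [{"t": 6 + i, "src": "192.0.2.%d" % (i + 1), "dst": "10.1.0.5",
            "proto": "tcp", "dport": 0, "flags": "R"} for i in range(12)]
    ev += [{"t": 20 + i, "src": "192.0.2.254", "dst": "10.1.0.5",
            "proto": "icmp", "type": 3} for i in range(10)]
    ev += [{"t": 10 + i, "src": "10.1.0.9", "dst": "198.51.100.%d" % (i + 1),
            "proto": "tcp", "dport": 443, "flags": "S"} for i in range(5)]
    return ev


if __name__ == "__main__":
    ev = constructed_events()
    src_side = outbound_scanners(ev, "10.1.")      # sensor on the propagating network
    dst_side = inbound_scans(ev, "192.0.2.")       # sensor on the targeted network
    print("confirmed worm signatures:", correlate(src_side, dst_side))
```

Either sensor alone would also fire on a legitimate scanner or a misconfigured client; requiring the two directions to agree on the attacked port is what lets the confirmed (host, port) pair be pushed to other networks as a blocking rule with a lower false-positive rate than a single sensor's alarm.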

Selecting and Assessing Vulnerable Zones of Snow Damage in Urban Areas - the case of City of Busan (도심의 설해취약지역 선정 및 위험도 평가에 관한 연구 - 부산광역시 지형적 특성을 중심으로 -)

  • Koo, Yoo Seung;Lee, Sung Ho;Jung, Juchul
    • KSCE Journal of Civil and Environmental Engineering Research
    • /
    • v.33 no.3
    • /
    • pp.1077-1086
    • /
    • 2013
  • Recently, huge losses of both life and property have been caused by unexpected natural disasters. We studied snow damage, an important natural disaster issue because it has happened more frequently in recent years. This study tries to select areas vulnerable to snowfall in advance and then establish a climate change adaptation policy for minimizing unexpected snowfall damage. Busan, our study area, has a hilly downtown, so topographic characteristics of the roads such as slope, elevation and aspect make them vulnerable to snowfall. Sudden snowfall in Busan causes traffic jams and forces some schools in hilly areas to close. An adaptation policy therefore has to be established for infrastructure (such as roads) in advance, because prediction of anomalous climate due to global warming is very difficult and the damage from natural disasters is huge. The purpose of this study is to contribute to selecting and assessing vulnerable zones of snow damage, focusing on topographic characteristics of the roads, and then to evaluate the degree of risk of the vulnerable zones.

Clinical Experiences of Open Heart Surgery - A Report of 126 Case - (개심술 126례의 임상적 고찰)

  • 이종국
    • Journal of Chest Surgery
    • /
    • v.22 no.6
    • /
    • pp.1025-1035
    • /
    • 1989
  • Since we first performed open heart surgery on December 30, 1986, 126 cases were operated on up to August 31, 1989. Among the 126 cases, 65 were congenital heart disease, of which 63 were acyanotic disease, and 61 were acquired heart disease, most of which were valvular heart disease. The age distribution of congenital heart disease was from 1 year 2 months to 48 years, and males had a slightly higher incidence. The age of acquired heart disease was from a minimum of 15 years to a maximum of 68 years, and the male to female ratio was 1:1.5. Midsternotomy was performed in all cases; the aortic cannula was inserted through the ascending aorta and the venous cannulae were inserted into the SVC and IVC through the right atrium. A vent was inserted through the right superior pulmonary vein. Cardioplegia solution was used in all cases; it was composed of sodium bicarbonate 3.5 ampules, KCl 14 mEq, 2% lidocaine 2.5 ml, 20% albumin 50 ml and heparin 1000 units mixed to 950 ml with Hartmann's solution, cooled to 4°C and infused at 10 ml per kg every 20 minutes. The congenital heart disease cases comprised VSD in 32 cases, ASD 23 cases, PS 6 cases, PDA 2 cases, and one case each of Ebstein's anomaly and tricuspid atresia. The operations performed for acquired heart disease were 4 cases of OMC, 33 cases of MVR, 5 cases of AVR, and 1 case of AVR with CABG. DVR was performed in 13 cases, and triple valve replacement was done in 1 case. Other than these, excision of LA myxoma was performed in 2 cases, and repair of traumatic VSD and removal of a pulmonary embolism in one case each. The surgical mortality was 5 cases (4%), all of which occurred in valve replacement cases. Follow-up study revealed 2 late deaths. One died after a traffic accident and one died of sepsis after a gastrectomy for ulcer bleeding. The remaining patients were in good condition.


Detecting Jamming Attacks in MANET (MANET에서의 전파방해 공격 탐지)

  • Shrestha, Rakesh;Lee, Sang-Duk;Choi, Dong-You;Han, Seung-Jo
    • Journal of the Korea Institute of Information and Communication Engineering
    • /
    • v.13 no.3
    • /
    • pp.482-488
    • /
    • 2009
  • Mobile Ad-hoc Networks provide communication without a centralized infrastructure, which makes them suitable for communication in disaster areas or when quick deployment is needed. On the other hand, they are susceptible to malicious exploitation and have to face different challenges at different layers due to their open ad-hoc network structure, which lacks conventional security measures. A denial of service (DoS) attack is one that interferes with the radio transmission channel, causing a jamming attack. In this kind of attack, an attacker emits a signal that disrupts the energy of the packets, causing many errors in the packet currently being transmitted. In harsh environments where there is constant traffic, a jamming attack causes serious problems; therefore measures to prevent these types of attacks are required. The objective of this paper is to simulate the jamming attack on the nodes and determine the DoS attacks in OPNET so as to obtain better results. We have used an effective anomaly detection system to detect the malicious behaviour of the jammer node and analyzed the results of channel access being denied by jamming in mobile ad-hoc networks.

An Anomalous Event Detection System based on Information Theory (엔트로피 기반의 이상징후 탐지 시스템)

  • Han, Chan-Kyu;Choi, Hyoung-Kee
    • Journal of KIISE:Information Networking
    • /
    • v.36 no.3
    • /
    • pp.173-183
    • /
    • 2009
  • We present a real-time monitoring system for detecting anomalous network events using entropy. Entropy accounts for the degree of disorder in the system. When an abnormal factor arises to agitate the current system, the entropy must show an abrupt change. In this paper we deliberately model the Internet to measure the entropy. Packets flowing between these two networks tend to sustain the current value. In the proposed system we keep track of the value of entropy over time to pinpoint sudden changes in the value. The time-series data of entropy are transformed into two-dimensional domains to help visually inspect the activities on the network. We examine the system using network traffic traces containing notorious worms and DoS attacks on the testbed. Furthermore, we compare our proposed system with time-series forecasting methods such as EWMA, Holt-Winters, and PCA in terms of sensitivity. The results suggest that our approach is able to detect anomalies with fairly high accuracy. Our contributions are twofold: (1) highly sensitive detection of anomalies and (2) visualization of network activities to alert on anomalies.
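The entropy time series and abrupt-change detection described in the abstract, shown as an added example that is not the paper's system. It computes the Shannon entropy of the destination-address distribution per fixed window and tracks the series with an EWMA control chart (one of the forecasting baselines the abstract names), flagging windows whose entropy departs from the smoothed level by more than k smoothed deviations. The traffic, the window width, the smoothing and threshold parameters and the deviation floor are all constructed or assumed for the example.

```python
"""Entropy time series over traffic windows with an EWMA change detector.

Added example, not the paper's system. Destination-address entropy per window:
a scanning worm spreads traffic over many destinations and pushes entropy up; a
DoS flood concentrates it on one target and pushes it down. Both directions are
anomalies, so the detector tests the absolute residual.
"""
import math
from collections import Counter


def shannon_entropy(counts):
    """Entropy in bits of the empirical distribution given by a symbol -> count map."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counts.values() if c)


def window_entropy(packets, width, key):
    """Bucket (timestamp, src, dst) packets into windows of `width` seconds and return
    [(window_index, entropy)] of the field selected by key(src, dst)."""
    buckets = {}
    for ts, src, dst in packets:
        buckets.setdefault(int(ts // width), Counter())[key(src, dst)] += 1
    return [(w, shannon_entropy(buckets[w])) for w in sorted(buckets)]


class EwmaDetector:
    """EWMA control chart: alert when |x - level| > k * deviation.
    Assumed parameters: alpha smoothing, k threshold, warmup windows before any
    alert, and a floor on the deviation so a very quiet baseline cannot turn every
    ripple into an alert. The level is not updated on alerting windows, so a long
    flood does not drag the baseline towards itself."""

    def __init__(self, alpha=0.3, k=3.0, warmup=5, min_dev=0.15):
        self.alpha, self.k, self.warmup, self.min_dev = alpha, k, warmup, min_dev
        self.level, self.dev, self.seen = None, 0.0, 0

    def update(self, x):
        """Feed one observation; return True if it is anomalous."""
        self.seen += 1
        if self.level is None:
            self.level = x
            return False
        resid = x - self.level
        alert = self.seen > self.warmup and abs(resid) > self.k * max(self.dev, self.min_dev)
        if not alert:
            self.level += self.alpha * resid
            self.dev += self.alpha * (abs(resid) - self.dev)
        return alert


def detect(packets, width=10.0):
    """Window indices whose destination-address entropy is anomalous."""
    det = EwmaDetector()
    return [w for w, h in window_entropy(packets, width, lambda s, d: d) if det.update(h)]


def constructed_trace():
    """30 windows of 10 s. Background: 100 packets per window to ten servers with a
    fixed skew plus a small rotating bump. Windows 20-22 add a 300-packet flood
    against one server (entropy drops); windows 25-27 add a 200-address scan from
    one host (entropy rises)."""
    weights = [20, 15, 12, 10, 10, 8, 8, 7, 5, 5]
    pkts = []
    for w in range(30):
        t = w * 10.0
        for j, n in enumerate(weights):
            bump = 3 if j == w % 10 else 0
            pkts += [(t, "10.0.0.%d" % (j + 1), "192.0.2.%d" % (j + 1))] * (n + bump)
        if 20 <= w <= 22:
            pkts += [(t, "198.51.100.%d" % (i % 50), "192.0.2.1") for i in range(300)]
        if 25 <= w <= 27:
            pkts += [(t, "10.0.0.7", "203.0.113.%d" % i) for i in range(200)]
    return pkts


if __name__ == "__main__":
    trace = constructed_trace()
    for w, h in window_entropy(trace, 10.0, lambda s, d: d):
        print(f"window {w:2d}: H(dst) = {h:.2f} bits")
    print("anomalous windows:", detect(trace))
```

Because the level is frozen during alerts, every window of a sustained flood or scan is reported and the following normal window is not. The same `window_entropy` call with `lambda s, d: s` gives the source-address series, which moves the opposite way for a distributed flood (many sources, entropy up) and is the natural second axis for the two-dimensional view the abstract mentions.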