• Journal of IKEEE
• /
• v.26 no.4
• /
• pp.614-621
• /
• 2022

This paper proposes RIDS (Random Forest-Based Intrusion Detection), which is an intrusion detection system to detect hacking attack based on random forest. RIDS detects three typical attacks i.e. DoS (Denial of service) attack, fuzzing attack, and spoofing attack. It detects hacking attack based on four parameters, i.e. time interval between data frames, its deviation, Hamming distance between payloads, and its diviation. RIDS was designed in memory-centric architecture and node information is stored in memories. It was designed in scalable architecture where DoS attack, fuzzing attack, and spoofing attack can be all detected by adjusting number and depth of trees. Simulation results show that RIDS has 0.9835 accuracy and 0.9545 F1 score and it can detect three attack types effectively.

• Journal of information and communication convergence engineering
• /
• v.7 no.1
• /
• pp.7-12
• /
• 2009

The advanced computer network and Internet technology enables connectivity of computers through an open network environment. Despite the growing numbers of security threats to networks, most intrusion detection identifies security attacks mainly by detecting misuse using a set of rules based on past hacking patterns. This pattern matching has a high rate of false positives and can not detect new hacking patterns, making it vulnerable to previously unidentified attack patterns and variations in attack and increasing false negatives. Intrusion detection and prevention technologies are thus required. We proposed a network based hybrid Probe Intrusion Detection model using Fuzzy cognitive maps (PIDuF) that detects intrusion by DoS (DDoS and PDoS) attack detection using packet analysis. A DoS attack typically appears as a probe and SYN flooding attack. SYN flooding using FCM model captures and analyzes packet information to detect SYN flooding attacks. Using the result of decision module analysis, which used FCM, the decision module measures the degree of danger of the DoS and trains the response module to deal with attacks. For the performance evaluation, the "IDS Evaluation Data Set" created by MIT was used. From the simulation we obtained the max-average true positive rate of 97.064% and the max-average false negative rate of 2.936%. The true positive error rate of the PIDuF is similar to that of Bernhard's true positive error rate.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.14 no.5
• /
• pp.69-78
• /
• 2004

The change of attack techniques paradigm was begun by fast extension of the latest Internet and new attack form appearing. But, Most intrusion detection systems detect only known attack type as IDS is doing based on misuse detection, and active correspondence is difficult in new attack. Therefore, to heighten detection rate for new attack pattern, the experiments to apply various techniques of anomaly detection are appearing. In this paper, we propose an behavior profiling method using Bayesian framework based on graphics from audit data and visualize behavior profile to detect/analyze anomaly behavior. We achieve simulation to translate host/network audit data into BF-XML which is behavior profile of semi-structured data type for anomaly detection and to visualize BF-XML as SVG.

• Journal of information and communication convergence engineering
• /
• v.9 no.6
• /
• pp.676-682
• /
• 2011

Sybil attack can disrupt proper operations of wireless sensor network by forging its sensor node to multiple identities. To protect the sensor network from such an attack, a number of countermeasure methods based on RSSI (Received Signal Strength Indicator) and LQI (Link Quality Indicator) have been proposed. However, previous works on the Sybil attack detection do not consider the fact that Sybil nodes can change their RSSI and LQI strength for their malicious purposes. In this paper, we present a Sybil attack detection method based on a transmission power range. Our proposed method initially measures range of RSSI and LQI from sensor nodes, and then set the minimum, maximum and average RSSI and LQI strength value. After initialization, monitoring nodes request that each sensor node transmits data with different transmission power strengths. If the value measured by monitoring node is out of the range in transmission power strengths, the node is considered as a malicious node.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.3 no.3
• /
• pp.251-265
• /
• 2009

VoIP service is the transmission of voice data using SIP protocol on an IP-based network. The SIP protocol has many advantages, such as providing IP-based voice communication and multimedia service with low communication cost. Therefore, the SIP protocol disseminated quickly. However, SIP protocol exposes new forms of vulnerabilities to malicious attacks, such as message flooding attack. It also incurs threats from many existing vulnerabilities as occurs for IP-based protocol. In this paper, we propose a new virtual proxy to cooperate with the existing Proxy Server to provide state monitoring and detect SIP message flooding attack with IP/MAC authentication. Based on a proposed virtual proxy, the proposed system enhances SIP attack detection performance with minimal latency of SIP packet transmission.

• ETRI Journal
• /
• v.41 no.5
• /
• pp.560-573
• /
• 2019

Two supervised learning algorithms, a basic neural network and a long short-term memory recurrent neural network, are applied to traffic including DDoS attacks. The joint effects of preprocessing methods and hyperparameters for machine learning on performance are investigated. Values representing attack characteristics are extracted from datasets and preprocessed by two methods. Binary classification and two optimizers are used. Some hyperparameters are obtained exhaustively for fast and accurate detection, while others are fixed with constants to account for performance and data characteristics. An experiment is performed via TensorFlow on three traffic datasets. Three scenarios are considered to investigate the effects of learning former traffic on sequential traffic analysis and the effects of learning one dataset on application to another dataset, and determine whether the algorithms can be used for recent attack traffic. Experimental results show that the used preprocessing methods, neural network architectures and hyperparameters, and the optimizers are appropriate for DDoS attack detection. The obtained results provide a criterion for the detection accuracy of attacks.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.31 no.1
• /
• pp.83-97
• /
• 2021

Wireless sensors that make up the Wireless Sensor Network generally have extremely limited power and resources. The wireless sensor enters the sleep state at a certain interval to conserve power. The Sleep deflation attack is a deadly attack that consumes power by preventing wireless sensors from entering the sleep state, but there is no clear countermeasure. Thus, in this paper, using clustering-based binary search tree structure, the Sleep deprivation attack detection model is proposed. The model proposed in this paper utilizes one of the characteristics of both attack sensor nodes and normal sensor nodes which were classified using machine learning. The characteristics used for detection were determined using Long Short-Term Memory, Decision Tree, Support Vector Machine, and K-Nearest Neighbor. Thresholds for judging attack sensor nodes were then learned by applying the SVM. The determined features were used in the proposed algorithm to calculate the values for attack detection, and the threshold for determining the calculated values was derived by applying SVM.Through experiments, the detection model proposed showed a detection rate of 94% when 35% of the total sensor nodes were attack sensor nodes and improvement of up to 26% in power retention.

• Journal of Korea Multimedia Society
• /
• v.13 no.4
• /
• pp.594-600
• /
• 2010

Many studies are DDoS in Internet network, but the study is the fact that is not enough in a voice network. Therefore, we designed the extended TRW algorithm that was a DDoS attack traffic detection algorithm for the voice network which used an IP data network to solve upper problems in this article and evaluated it. The algorithm that is proposed in this paper analyzes TRW algorithm to detect existing DDoS attack in Internet network and, design connection and end connection to apply to a voice network, define probability function to count this. For inspect the algorithm, Set a threshold and using NS-2 Simulator. We measured detection rate by an attack traffic type and detection time by attack speed. At the result of evaluation 4.3 seconds for detection when transmitted INVITE attack packets per 0.1 seconds and 89.6% performance because detected 13,453 packet with attack at 15,000 time when transmitted attack packet.

• Journal of the Korea Society for Simulation
• /
• v.21 no.4
• /
• pp.91-102
• /
• 2012

Network port scan attack is the method for finding ports opening in a local network. Most existing IDSs(intrusion detection system) record the number of packets sent to a system per unit time. If port scan count from a source IP address is higher than certain threshold, it is regarded as a port scan attack. The degree of risk about source IP address performing network port scan attack depends on attack count recorded by IDS. However, the measurement of risk based on the attack count may reduce port scan detection rates due to the increased false negative for slow port scan. This paper proposes a method of summarizing 4 types of information to differentiate network port scan attack more precisely and comprehensively. To integrate the riskiness, we present a risk index that quantifies the risk of port scan attack by using PCA. The proposed detection method using risk index shows superior performance than Snort for the detection of network port scan.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.16 no.1
• /
• pp.71-77
• /
• 2006

Several network attacks, such as distributed denial of service (DDoS) attack, present a very serious threat to the stability of the internet. The threat posed by network attacks on large networks, such as the internet, demands effective detection method. Therefore, a simple intrusion detection system on large-scale backbone network is needed for the sake of real-time detection, preemption and detection efficiency. In this paper, in order to discriminate attack traffic from legitimate traffic on backbone links, we suggest a relatively simple statistical measure, entropy, which can track value frequency. Den is conspicuous distinction of entropy values between attack traffic and legitimate traffic. Therefore, we can identify what kind of attack it is as well as detecting the attack traffic using entropy value.