• The Journal of the Korea Contents Association
• /
• v.8 no.6
• /
• pp.54-65
• /
• 2008

When DDoS attack is achieved, malicious host discovering is more difficult on wireless network than existing wired network environment. Specially, because wireless network is weak on wireless user authentication attack and packet spoofing attack, advanced technology should be studied in reply. Integrated Access Device (IAD) that support VoIP communication facility etc with wireless routing function recently is developed and is distributed widely. IAD is alternating facility that is offered in existent AP. Therefore, advanced traffic classification function and real time attack detection function should be offered in IAD on wireless network environment. System that is presented in this research collects client information of wireless network that connect to IAD using AirSensor. And proposed mechanism also offers function that collects the wireless client's attack packet to monitoring its legality. Also the proposed mechanism classifies and detect the attack packet with W-TMS system that was received to IAD. As a result, it was possible for us to use IAD on wireless network service stably.

• The Journal of the Korea Contents Association
• /
• v.7 no.1
• /
• pp.103-115
• /
• 2007

The vulnerability issue on IEEE 802.1x wireless LAN has been permits the malicious attack such as Auth/Deauth flooding more serious rather than we expected. Attacker can generate huge volume of malicious traffic as the same methods on existing wired network. The objective of wireless IP Traceback is to determine the real attack sources, as well as the full path taken by the wireless attack packets. Existing IP Traceback methods can be categorized as proactive or reactive tracing. But, these existing schemes did not provide enhanced performance against DoS attack on wireless traffic. In this paper, we propose a 'TTL based advanced Packet Marking' mechanism for wireless IP Packet Traceback with wireless Classification function. Proposed mechanism can detect and control DoS traffic on AP and can generate marked packet for reconstructing on the real path from the non-spoofed wireless attack source, by which we can construct secure wireless network based on AP with enhance traceback performance.

• Journal of Information Processing Systems
• /
• v.1 no.1 s.1
• /
• pp.14-21
• /
• 2005

Even though mainly statistical methods have been used in anomaly network intrusion detection, to detect various attack types, machine learning based anomaly detection was introduced. Machine learning based anomaly detection started from research applying traditional learning algorithms of artificial intelligence to intrusion detection. However, detection rates of these methods are not satisfactory. Especially, high false positive and repeated alarms about the same attack are problems. The main reason for this is that one packet is used as a basic learning unit. Most attacks consist of more than one packet. In addition, an attack does not lead to a consecutive packet stream. Therefore, with grouping of related packets, a new approach of group-based learning and detection is needed. This type of approach is similar to that of multiple-instance problems in the artificial intelligence community, which cannot clearly classify one instance, but classification of a group is possible. We suggest group generation algorithm grouping related packets, and a learning algorithm based on a unit of such group. To verify the usefulness of the suggested algorithm, 1998 DARPA data was used and the results show that our approach is quite useful.

• Journal of KIISE:Databases
• /
• v.34 no.6
• /
• pp.473-482
• /
• 2007

Network-based IDS(Intrusion Detection System) gathers network packet data and analyzes them into attack or normal. They raise alarm when possible intrusion happens. But they often output a large amount of low-level of incomplete alert information. Consequently, a large amount of incomplete alert information that can be unmanageable and also be mixed with false alerts can prevent intrusion response systems and security administrator from adequately understanding and analyzing the state of network security, and initiating appropriate response in a timely fashion. So it is important for the security administrator to reduce the redundancy of alerts, integrate and correlate security alerts, construct attack scenarios and present high-level aggregated information. False alarm rate is the ratio between the number of normal connections that are incorrectly misclassified as attacks and the total number of normal connections. In this paper we propose a false alarm classification model to reduce the false alarm rate using classification analysis of data mining techniques. The proposed model can classify the alarms from the intrusion detection systems into false alert or true attack. Our approach is useful to reduce false alerts and to improve the detection rate of network-based intrusion detection systems.

• The KIPS Transactions:PartC
• /
• v.9C no.4
• /
• pp.473-480
• /
• 2002

Although many researches on IDS (Intrusion Detection System) have been performed, the most of them are limited to the algorithm of detection software. However, even an IDS with superior algorithm can not detect intrusion, if it loses packets which nay have a clue of intrusions. In this paper, we suggest an efficient wav to improve the performance of IDS by reducing packet losses occurred due to hardware limitation and abundant processing overhead introduced by massive detection software itself. The reduction in packet losses is achieved by dropping hacking-free packets. The result shows that this decrease of packet losses leads an IDS to improve the detection rate of real attack.

• Journal of Internet Computing and Services
• /
• v.7 no.5
• /
• pp.59-69
• /
• 2006

Generally, network attacks are based on a scenario composed of a series of single-attacks, scenario attacks are launched over a wide network environment and their targets are not apparent. it is required to analyze entire packets captured on the network. This method makes it difficult to detect accurate patterns of attacks because it unnecessarily analyzes even packets unrelated to attacks. In this paper, we design and implement a simulation system for attacks scenario, which helps packet classification connected with attacks. The proposed system constitutes a target network for analysis in a virtual simulation environment, and it simulates dumping TCPDUMP packets including scenario attacks under the constructed virtual environment, We believe that our proposed simulation system will be a useful tool when security administrators perform the analysis of patterns of attack scenarios.

• The Journal of the Korea Contents Association
• /
• v.7 no.3
• /
• pp.93-100
• /
• 2007

Internet had spread in all fields with the fast speed during the last 10 years. Lately, wireless network is also spreading rapidly. Also, number of times that succeed attack attempt and invasion for wireless network is increasing rapidly TMS system was developed to overcome these threat on wireless network. Existing TMS system supplies active confrontation mechanism on these threats. However, existent TMS has limitation that new form of attack do not filtered efficiently. Therefor this paper proposes a new method that it automatically compute the threat from the imput packets with vector space model and detect anomaly detection of wireless network. Proposed mechanism in this research analyzes similarity degree between packets, and detect something wrong symptom of wireless network and then classify these threats automatically.

• Journal of the Korea Society of Computer and Information
• /
• v.12 no.1 s.45
• /
• pp.127-135
• /
• 2007

As the Internet is used widely, criminal offense that use computer is increasing, and an information security technology to remove this crime is becoming competitive power of the country. In this paper, we suggest network-based intrusion detection system that use fuzzy expert system. This system can decide quick intrusion decision from attack pattern applying fuzzy rule through the packet classification method that is done similarity of protocol and fixed time interval. Proposed system uses fuzzy logic to detect attack from network traffic, and gets analysis result that is automated through fuzzy reasoning. In present network environment that must handle mass traffic, this system can reduce time and expense of security

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.2
• /
• pp.259-266
• /
• 2012

Malicious rogue AP has been used for variety attacks such as packet sniffing and Man-In-The-Middle Attack. It is used for the purpose of data leakage via 3G network within companies, and the unauthorized AP could be a reason of security incidents even though it is not intended. In this paper, we propose the method for detecting unauthorized access point over 3G networks throughout the RTT (Round Trip Time) value for classification. Through the experiments, we show that the method can classify the AP which is installed by normal way and the AP over 3G networks successfully.

• The KIPS Transactions:PartC
• /
• v.15C no.5
• /
• pp.351-358
• /
• 2008

Recently, as network flooding attacks such as DoS/DDoS and Internet Worm have posed devastating threats to network services, rapid detection and proper response mechanisms are the major concern for secure and reliable network services. However, most of the current Intrusion Detection Systems(IDSs) focus on detail analysis of packet data, which results in late detection and a high system burden to cope with high-speed network environment. In this paper we propose a lightweight and fast detection mechanism for traffic flooding attacks. Firstly, we use SNMP MIB statistical data gathered from SNMP agents, instead of raw packet data from network links. Secondly, we use a machine learning approach based on a Support Vector Machine(SVM) for attack classification. Using MIB and SVM, we achieved fast detection with high accuracy, the minimization of the system burden, and extendibility for system deployment. The proposed mechanism is constructed in a hierarchical structure, which first distinguishes attack traffic from normal traffic and then determines the type of attacks in detail. Using MIB data sets collected from real experiments involving a DDoS attack, we validate the possibility of our approaches. It is shown that network attacks are detected with high efficiency, and classified with low false alarms.