• Annual Conference of KIPS
• /
• 2010.11a
• /
• pp.1285-1288
• /
• 2010

SIP 프로토콜은 멀티미디어 통신 세션을 생성, 삭제, 변경할 수 있는 프로토콜로 높은 간결성, 확장성 등 장점을 가지고 있다. 최근 인터넷전화의 대부분이 SIP 프로토콜을 사용하는 등 SIP 프로토콜의 사용이 많이 보편화 되었으나 그만큼 보안에 대한 위협 또한 중요한 문제가 되고있다. SIP는 응용계층 프로토콜로, 기존의 IP기반 보안 기술로는 공격 탐지/차단에 한계가 있을 수 있어 SIP 전용의 보안 기술 및 장비의 개발이 필요하다. 본 논문에서는 SIP 트래픽의 응용계층 정보 통계를 통하여 DDoS 공격트래픽 행위 특성을 분석하고 이를 정상 트래픽과 구분, 탐지하는 탐지 기법을 제안한다. 제안된 기법은 자체 테스트 망 구축과 SIP DDoS 공격 에뮬레이션을 통해 검증한다.

• Annual Conference of KIPS
• /
• 2020.11a
• /
• pp.354-357
• /
• 2020

DDoS(Distributed Denial of Service) 공격은 현재의 인터넷 환경뿐만 아니라 NDN에서도 정상적인 서비스를 저해시키는 주요 문제이며 이에 관련된 다양한 연구들이 진행되고 있다. 본 논문에서는 DDoS 공격이 가해질 때 NDN 라우터의 PIT(Pending Interest Table) 가용성 저해로 인해 발생하는 문제 해결에 중점을 둔다. 이를 위한 방안으로 RED(Random Early Detection) 알고리즘을 기반으로 하는 기법을 적용하고, 시뮬레이션을 통한 측정 결과를 보여준다.

• Journal of the Optical Society of Korea
• /
• v.20 no.5
• /
• pp.557-562
• /
• 2016

In this paper, for the first time, the transmission performances of long-haul 100-Gb/s direct detection optical OFDM (DDO-OFDM) and coherent optical OFDM (CO-OFDM) wavelength division multiplexing (WDM) systems are compared by simulation. It provides specific guides for system parameter selection to get a high-performance and cost-effective OFDM WDM system. Specifically, the comparison involves three aspects: launched power is investigated to achieve better system performance; laser linewidth is numerically investigated to choose cost-effective laser; system dispersion tolerances with different laser linewidths are analyzed to further reveal the advantages and disadvantages of these two detecting methods, direct detection and coherent detection, in long-haul OFDM WDM system.

• Journal of information and communication convergence engineering
• /
• v.7 no.1
• /
• pp.7-12
• /
• 2009

The advanced computer network and Internet technology enables connectivity of computers through an open network environment. Despite the growing numbers of security threats to networks, most intrusion detection identifies security attacks mainly by detecting misuse using a set of rules based on past hacking patterns. This pattern matching has a high rate of false positives and can not detect new hacking patterns, making it vulnerable to previously unidentified attack patterns and variations in attack and increasing false negatives. Intrusion detection and prevention technologies are thus required. We proposed a network based hybrid Probe Intrusion Detection model using Fuzzy cognitive maps (PIDuF) that detects intrusion by DoS (DDoS and PDoS) attack detection using packet analysis. A DoS attack typically appears as a probe and SYN flooding attack. SYN flooding using FCM model captures and analyzes packet information to detect SYN flooding attacks. Using the result of decision module analysis, which used FCM, the decision module measures the degree of danger of the DoS and trains the response module to deal with attacks. For the performance evaluation, the "IDS Evaluation Data Set" created by MIT was used. From the simulation we obtained the max-average true positive rate of 97.064% and the max-average false negative rate of 2.936%. The true positive error rate of the PIDuF is similar to that of Bernhard's true positive error rate.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.1
• /
• pp.147-153
• /
• 2015

Since the DoS(Denial of Service) attack is still an important vulnerable element in many web service sites, sites including public institution should try their best in constructing defensive systems. Recently, DDoS(Distributed Denial of Service) has been raised by prompting mass network traffic that uses NTP's monlist function or DoS attack has been made related to the DNS infrastructure which is impossible for direct defense. For instance, in June 2013, there has been an outbreak of an infringement accident where Computing and Information Agency was the target. There was a DNS application DoS attack which made the public institution's Information System impossible to run its normal services. Like this, since there is a high possibility in having an extensive damage due to the characteristics of DDoS in attacking unspecific information service and not being limited to a particular information system, efforts have to be made in order to minimize cyber threats. This thesis proposes a method for using TTL (Time To Live) value in IP header to detect DDoS attack with IP spoofing, which occurs when data is transmitted under the agreed regulation between the international and domestic information system.

• Journal of the Korea Society for Simulation
• /
• v.21 no.3
• /
• pp.17-24
• /
• 2012

This paper suggests Effectiveness Evaluation Methods of DDoS attacks countermeasures model by simulation. According to the security objectives that are suggested by NIST(National Institute of Standards and Technology), It represents a hierarchical Effectiveness Evaluation Model. we calculated the weights of factors that security objectives, security controls, performance indicator through AHP(Analytic Hierarchy Process) analysis. Subsequently, we implemented Arena Simulation Model for the calculation of function points at the performance indicator. The detection and protection algorithm involve methods of critical-level setting, signature and anomaly(statistic) based detection techniques for Network Layer 4, 7 attacks. Proposed Effectiveness Evaluation Model can be diversely used to evaluate effectiveness of countermeasures and techniques for new security threats each organization.

• Journal of the Korea Society for Simulation
• /
• v.19 no.4
• /
• pp.151-159
• /
• 2010

Currently, by using the Internet, We can do varius things such as Web surfing, email, on-line shopping, stock trading on your home or office. However, as being out of the concept of security from the beginning, it is the big social issues that malicious user intrudes into the system through the network, on purpose to steal personal information or to paralyze system. In addition, network intrusion by ordinary people using network attack tools is bringing about big worries, so that the need for effective and powerful intrusion detection system becomes very important issue in our Internet environment. However, it is very difficult to prevent this attack perfectly. In this paper we proposed the algorithm for the detection of DoS attacks, and developed attack detection tools. Through learning in a normal state on Step 1, we calculate thresholds, the number of packets that are coming to each port, the median and the average utilization of each port on Step 2. And we propose values to determine how to attack detection on Step 3. By programing proposed attack detection algorithm and by testing the results, we can see that the difference between the median of packet mounts for unit interval and the average utilization of each port number is effective in detecting attacks. Also, without the need to look into the network data, we can easily be implemented by only using the number of packets to detect attacks.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.16 no.1
• /
• pp.71-77
• /
• 2006

Several network attacks, such as distributed denial of service (DDoS) attack, present a very serious threat to the stability of the internet. The threat posed by network attacks on large networks, such as the internet, demands effective detection method. Therefore, a simple intrusion detection system on large-scale backbone network is needed for the sake of real-time detection, preemption and detection efficiency. In this paper, in order to discriminate attack traffic from legitimate traffic on backbone links, we suggest a relatively simple statistical measure, entropy, which can track value frequency. Den is conspicuous distinction of entropy values between attack traffic and legitimate traffic. Therefore, we can identify what kind of attack it is as well as detecting the attack traffic using entropy value.

• Proceedings of the Korean Information Science Society Conference
• /
• 2011.06d
• /
• pp.215-218
• /
• 2011

VoIP(Voice over Internet Protocol) 서비스는 기존의 음성전화 서비스(Public Switched Telephone Network, PSTN)와 달리 IP 프로토콜을 이용한 저렴한 통신비용 등의 장점이 있는 음성통신 기술로써, 기존의 아날로그 음성전화 서비스를 대신하는 서비스이며, 새로운 인터넷 융합서비스로 많은 사용자가 이용하고 있다. 하지만 VoIP 서비스가 인터넷망을 이용함으로 IP Spoofing, DoS (Denial of Server) / DDoS(Distributed Denial of Service), 등의 여러 가지 보안의 문제점을 가지고 있다. VoIP 서비스에서 DDoS 공격은 Proxy 서버 등에 대량의 공격 메시지를 보냄으로써 서버의 자원을 고갈시켜 정상적인 서비스를 하지 못하게 한다. DoS, DDoS 공격 중 Invite Flooding 공격은 1분에 수천 개의 Invite 메시지를 보내 회선의 자원을 고갈시키는 공격이다. 특히 IP/Port 위조하여 공격 경우 공격 패킷 탐지하기 어려우므로 차단할 수 없다. 따라서 본 논문에서는 VoIP의 DoS/DDoS 중 하나인 Invite Flooding 공격 시 SIP Proxy Server에서 메시지 분산시키는 방법과 MAC Address와 사용자 번호 등 IP 이외의 고정적인 사용자 정보를 확인하여 공격을 탐지하고, 공격 Agent에 감염된 Phone을 공격차단서비스로 보내 복구시키는 방법을 제안한다.

• Journal of the Korea Society of Computer and Information
• /
• v.11 no.6 s.44
• /
• pp.185-192
• /
• 2006

By mistaking normal packets for harmful traffic, it may not offer service according to the intention of attacker with harmful traffic, because it is not easy to classify network traffic for normal service and it for DUoS(Distributed DoS) attack like the Internet worm. And in the IPv6 environment these researches on harmful traffic are weak. In this dissertation, hosts in the IPv6 environment are attacked by NETWIB and their attack traffic is monitored, then the statistical information of the traffic is obtained from MIB(Management Information Base) objects used in the IPv6. By adapting the ESM(Exponential Smoothing Method) to this information, a normal traffic boundary, i.e., a threshold is determined. Input traffic over the threshold is thought of as attack traffic.