• Title/Abstract/Keywords: Denial of Service

Search results: 403 items (processing time 0.025 s)

Detection Method of Distributed Denial-of-Service Flooding Attacks Using Analysis of Flow Information

  • 전재현;김민준;조정현;안철웅;김승호 / 한국인터넷방송통신학회논문지 / Vol. 14, No. 1 / pp.203-209 / 2014
  • Today, DDoS attacks pose a very serious threat to the stability of the Internet. A DDoS attack exhausts resources by sending massive volumes of traffic into the network, makes normal service provision impossible, is hard to detect in advance, and is very difficult to defend against efficiently. Network attacks aimed at large-scale networks such as the Internet require effective detection methods, so intrusion detection systems in large-scale networks need efficient real-time detection. In this paper, to prevent the abnormal traffic flooding caused by DDoS attacks and to guarantee the transmission of legitimate traffic, we propose a DDoS countermeasure technique using flow information analysis. Implementation results obtained with OPNET confirm that smooth service can be provided during a DDoS attack.

Detecting LDoS Attacks based on Abnormal Network Traffic

  • Chen, Kai;Liu, Hui-Yu;Chen, Xiao-Su / KSII Transactions on Internet and Information Systems (TIIS) / Vol. 6, No. 7 / pp.1831-1853 / 2012
  • By periodically sending short bursts of traffic to reduce legitimate transmission control protocol (TCP) traffic, low-rate denial of service (LDoS) attacks are hard to detect and may covertly endanger a network for a long period. Traditionally, LDoS detection methods mainly concentrate on the attack stream with feature matching, and only a limited number of attack patterns can be detected off-line at high cost. Recent research diverts focus from the attack stream to the traffic anomalies induced by LDoS attacks, which can detect more kinds of attacks with higher efficiency. However, the limited number of abnormal characteristics and the inadequacy of judgment rules may cause wrong decisions in some particular situations. In this paper, we address the problem of detecting LDoS attacks and present a scheme based on the fluctuant features of legitimate TCP and acknowledgment (ACK) traffic. In the scheme, we define judgment criteria which are used to identify LDoS attacks in real time at an optimal detection cost. We evaluate the performance of our strategy in real-world network topologies. Simulation results clearly demonstrate the superiority of the proposed method in detecting LDoS attacks.

Hybrid Scaling Based Dynamic Time Warping for Detection of Low-rate TCP Attacks

  • 소원호;유경민;김영천 / 한국통신학회논문지 / Vol. 33, No. 7B / pp.592-600 / 2008
  • In this paper, a Hybrid Scaling based DTW (HS-DTW) mechanism is proposed for the detection of periodic shrew TCP attacks. A low-rate TCP attack, which is a type of shrew DoS (Denial of Service) attack, was reported recently, but it is difficult to detect the attack using previous flooding DoS detection mechanisms. A pattern matching method with DTW (Dynamic Time Warping), as a type of defense mechanism, was shown to be a reasonable method of detecting and defending against a periodic low-rate TCP attack in an input traffic link. This method, however, has the problem that a legitimate link may be misidentified as an attack link if the threshold of the DTW value is not reasonable. In order to effectively discriminate between attack traffic and legitimate traffic, the difference between their DTW values should be as large as possible. To increase the difference, we analyze a critical problem with a previous algorithm and introduce a scaling method that increases the difference between DTW values. Four kinds of scaling methods are considered and the standard deviation of the sampling data is adopted. We can select an appropriate scaling scheme according to the standard deviation of an input signal. This is why HS-DTW increases the difference between the DTW values of legitimate and attack traffic. The result is that the determination of the threshold value for discrimination is easier and the probability of mistaking legitimate traffic for an attack is dramatically reduced.

A Probe Prevention Model for Detection of Denial of Service Attack on TCP Protocol

  • 이세열;김용수 / 한국지능시스템학회논문지 / Vol. 13, No. 4 / pp.491-498 / 2003
  • Advanced computer network technology enables the connectivity of computers through an open network environment. There has been a growing number of security threats to networks; therefore, intrusion detection and prevention technologies are required. In this paper, we propose a network-based intrusion detection model using FCM (Fuzzy Cognitive Maps) that can detect intrusion by a DoS attack detection method adopting packet analysis. A DoS attack appears in the form of the Probe and Syn Flooding attack, which is a typical example. The SPuF (Syn flooding Preventer using Fuzzy cognitive maps) model captures and analyzes packet information to detect Syn flooding attacks. Using the result of the analysis of the decision module, which utilized FCM, the decision module measures the degree of danger of the DoS and trains the response module to deal with attacks. For the performance comparison, the "KDD′99 Competition Data Set" made by MIT Lincoln Labs was used. The result of simulating the "KDD′99 Competition Data Set" in the SPuF model shows that the probe detection rates were over 97 percent.

Evaluating the web-application resiliency to business-layer DoS attacks

  • Alidoosti, Mitra;Nowroozi, Alireza;Nickabadi, Ahmad / ETRI Journal / Vol. 42, No. 3 / pp.433-445 / 2020
  • A denial-of-service (DoS) attack is a serious attack that targets web applications. According to Imperva, DoS attacks in the application layer comprise 60% of all the DoS attacks. Nowadays, attacks have grown into application- and business-layer attacks, and vulnerability-analysis tools are unable to detect business-layer vulnerabilities (logic-related vulnerabilities). This paper presents the business-layer dynamic application security tester (BLDAST) as a dynamic, black-box vulnerability-analysis approach to identify the business-logic vulnerabilities of a web application against DoS attacks. BLDAST evaluates the resiliency of web applications by detecting vulnerable business processes. The evaluation of six widely used web applications shows that BLDAST can detect the vulnerabilities with 100% accuracy. BLDAST detected 30 vulnerabilities in the selected web applications; more than half of the detected vulnerabilities were new and unknown. Furthermore, the precision of BLDAST for detecting the business processes is shown to be 94%, while the generated user navigation graph is improved by 62.8% because of the detection of similar web pages.

A Study on the DDoS Defense Algorithm using CFC based on Attack Pattern Analysis of TCP/IP Layers

  • 서우석;박대우;전문석 / 디지털산업정보학회논문지 / Vol. 6, No. 4 / pp.117-130 / 2010
  • This paper is on defense against the so-called internet crisis, the DDoS (Distributed Denial of Service) attack that targeted the central government ministries, financial sector, and portal sites of chief countries including Korea, starting on June 7th, 2009. By conducting attacks with various DDoS attacking methods in the lab environment and dividing the networks targeted by the attack by layers, this paper records and analyzes the chief information for the attack, the destination information of packets, the defense policy settings, and the flow of the packet attack, with the separated networks as its subjects. This study suggests a CFC system using multiple firewalls that apply a defense policy corresponding to the target layer of the ultimate attack, and tests it according to the result of analyzing the attack packet information and its amount, log analysis, access recording ports, and MAC and IT information, etc., by layers. This article is meaningful in that it analyzes the attack by layers, establishes firewall policy for protecting each layer, and secures an accurate mechanism for detection and defense.

A Systems Engineering Approach to Implementing Hardware Cybersecurity Controls for Non-Safety Data Network

  • Ibrahim, Ahmad Salah;Jung, Jaecheon / 시스템엔지니어링학술지 / Vol. 12, No. 2 / pp.101-114 / 2016
  • A model-based systems engineering (MBSE) approach to implementing hardware-based network cybersecurity controls for the APR1400 non-safety data network is presented in this work. The proposed design was developed by implementing packet filtering and deep packet inspection functions to control unauthorized traffic and malicious contents. A Denial-of-Service (DoS) attack was considered as a potential cybersecurity issue that may threaten the data availability and integrity of DCS gateway servers. A logical design architecture was developed to simulate the behavior of the function flow. An HDL-based physical architecture was modelled and simulated using Xilinx ISE software to verify the design functionality. For an effective modelling process, enhanced function flow block diagrams (EFFBDs) and a schematic design based on FPGA technology were developed and simulated together to verify the performance and functional requirements of the network security controls. Both logical and physical design architectures verified that hardware-based cybersecurity controls are capable of maintaining data availability and integrity. Further work focuses on implementing the schematic design on an FPGA platform to accomplish the design verification and validation processes.

FuzzyGuard: A DDoS attack prevention extension in software-defined wireless sensor networks

  • Huang, Meigen;Yu, Bin / KSII Transactions on Internet and Information Systems (TIIS) / Vol. 13, No. 7 / pp.3671-3689 / 2019
  • Software-defined networking brings unique security risks such as the control plane saturation attack while enhancing the performance of wireless sensor networks. The attack is a new type of distributed denial of service (DDoS) attack, which is easy to launch. However, it is difficult to detect and hard to defend against. In response to this, the attack threat model is discussed first, and then a DDoS attack prevention extension, called FuzzyGuard, is proposed. In FuzzyGuard, a control network with both the protection of data flow and the convergence of attack flow is constructed in the data plane by using the idea of independent routing control flow. Then, attack detection is implemented by a fuzzy inference method to output the current security state of the network. Different probabilistic suppression modes are subsequently adopted to deal with the attack flow to cost-effectively reduce the impact of the attack on the network. The prototype is implemented on SDN-WISE and the simulation experiment is carried out. The evaluation results show that FuzzyGuard can effectively protect the normal forwarding of data flow in the attacked state and has a good defensive effect on the control plane saturation attack with lower resource requirements.

DDoS Attack Path Retracing Using Router IP Address

  • 원승영;구경옥;오창석 / 한국콘텐츠학회:학술대회논문집 / 한국콘텐츠학회 Proceedings of the 2003 Spring Conference / pp.223-226 / 2003
  • The best way to protect system resources from DDoS (Distributed Denial of Service) attacks is to trace back the path of the packets sent by the attacker and block the DDoS attack at its source. Existing packet marking techniques use the IP identification field as the marking field, which makes ICMP unusable, and router-based traceback techniques have the problem that the size of the marking field grows as the number of routers increases. The traceback technique proposed in this paper uses the option field of the IP header as the marking field, which keeps ICMP usable, and uses the value obtained by an XOR operation over router IP addresses as the mark information, so that the size of the mark information does not change as the number of routers increases.

Enhanced OLSR for Defense against DOS Attack in Ad Hoc Networks

  • Marimuthu, Mohanapriya;Krishnamurthi, Ilango / Journal of Communications and Networks / Vol. 15, No. 1 / pp.31-37 / 2013
  • Mobile ad hoc networks (MANETs) refer to networks designed for special applications for which it is difficult to use a backbone network. In MANETs, applications mostly involve sensitive and secret information. Since MANET assumes a trusted environment for routing, security is a major issue. In this paper we analyze the vulnerabilities of a proactive routing protocol called optimized link state routing (OLSR) against a specific type of denial-of-service (DOS) attack called the node isolation attack. Analyzing the attack, we propose a mechanism called the enhanced OLSR (EOLSR) protocol, which is a trust-based technique to secure the OLSR nodes against the attack. Our technique is capable of finding whether a node is advertising correct topology information or not by verifying its Hello packets, thus detecting node isolation attacks. The experimental results show that our protocol is able to achieve routing security with a 45% increase in packet delivery ratio and a 44% reduction in packet loss rate when compared to standard OLSR under node isolation attack. Our technique is lightweight because it does not involve high computational complexity for securing the network.