• The KIPS Transactions:PartC
• /
• v.10C no.6
• /
• pp.717-726
• /
• 2003

In this paper, we analyze the associated rule based deductive algorithm which creates the rules automatically for intrusion detection from the vast packet data. Based on the result, we also suggest the deductive algorithm which creates the rules of intrusion pattern fast in order to apply the intrusion detection systems. The deductive algorithm proposed is designed suitable to the concept of clustering which classifies and deletes the large data. This algorithm has direct relation with the method of pattern generation and analyzing module of the intrusion detection system. This can also extend the appication range and increase the detection speed of exiting intrusion detection system as the rule database is constructed for the pattern management of the intrusion detection system. The proposed pattern generation technique of the deductive algorithm is used to the algorithm is used to the algorithm which can be changed by the supporting rate of the data created from the intrusion detection system. Fanally, we analyze the possibility of the speed improvement of the rule generation with the algorithm simulation.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.11 no.12
• /
• pp.2287-2297
• /
• 2007

The proposed ANIDS(Advanced Network Intrusion Detection System) which is network-based IDS using Association Rule Mining, collects the packets on the network, analyze the associations of the packets, generates the pattern graph by using the highly associated packets using Association Rule Mining, and detects the intrusion by using the generated pattern graph. ANIDS consists of PMM(Packet Management Module) collecting and managing packets, PGGM(Pattern Graph Generate Module) generating pattern graphs, and IDM(Intrusion Detection Module) detecting intrusions. Specially, PGGM finds the candidate packets of Association Rule large than $Sup_{min}$ using Apriori algorithm, measures the Confidence of Association Rule, and generates pattern graph of association rules large than $Conf_{min}$. ANIDS reduces the false positive by using pattern graph even before finalizing the new pattern graph, the pattern graph which is being generated is compared with the existing one stored in DB. If they are the same, we can estimate it is an intrusion. Therefore, this paper can reduce the speed of intrusion detection and the false positive and increase the detection ratio of intrusion.

• Journal of the Korea Society for Simulation
• /
• v.12 no.4
• /
• pp.25-40
• /
• 2003

With the growing usage of the networks, the world-wide Internet has become the main means to exchange data and carry out transactions. It has also become the main means to attack hosts. To solve the security problems which occur in the network such as Internet, we import software products of network security elements like an IDS (Intrusion Detection System) and a firewall. In this paper, we have designed and constructed the general simulation environment of network security model composed of multiple IDSes and a firewall which coordinate by CNP (Contract Net Protocol) for the effective detection of the intrusion. The CNP, the methodology for efficient integration of computer systems on heterogeneous environment such as distributed systems, is essentially a collection of agents, which cooperate to resolve a problem. Command console in the CNP is a manager who controls the execution of agents or a contractee, who performs intrusion detection. In the network security model, each model of simulation environment is hierarchically designed by DEVS(Discrete Event system Specification) formalism. The purpose of this simulation is that the application of rete pattern-matching algorithm speeds up the inference cycle phases of the intrusion detection expert system and we evaluate the characteristics and performance of CNP architecture with rete pattern-matching algorithm.

• Proceedings of the KAIS Fall Conference
• /
• 2003.11a
• /
• pp.197-206
• /
• 2003

With the growing usage of the networks, the world-wide Internet has become the main means to exchange data and carry out transactions. It has also become the main means to attack hosts. To solve the security problems which occur in the network such as Internet, we import software products of network security elements like an IDS (Intrusion Detection System) and a firewall. In this paper, we have designed and constructed the General Simulation Environment of Network Security model composed of multiple IDSes and a firewall which coordinate by CNP (Contract Net Protocol) for the effective detection of the intrusion. The CNP, the methodology for efficient integration of computer systems on heterogeneous environment such as distributed systems, is essentially a collection of agents, which cooperate to resolve a problem. Command console in the CNP is a manager who controls tie execution of agents or a contractee, who performs intrusion detection. In the Network Security model, each model of simulation environment is hierarchically designed by DEVS (Discrete EVent system Specification) formalism. The purpose of this simulation is to evaluate the characteristics and performance of CNP architecture with rete pattern matching algorithm and the application of rete pattern matching algorithm for the speeding up the inference cycle phases of the intrusion detection expert system.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.5 no.2
• /
• pp.371-384
• /
• 2001

In these days, it is continuously increased to the intrusion of system in internet environment. The methods of intrusion detection can be largely classified into anomaly detection and misuse detection. The former uses statistical methods, features selection method in order to detect intrusion, the latter uses conditional probability, expert system, state transition analysis, pattern matching. The existing studies for IDS(intrusion detection system) use combined methods. In this paper, we propose a new intrusion detection algorithm combined both state transition analysis and association mining techniques. For the intrusion detection, the first step is generated state table for transmitted commands through the network. This method is similar to the existing state transition analysis. The next step is decided yes or no for intrusion using the association mining technique. According to this processing steps, we present the automated generation algorithm of the penetration scenarios.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.11 no.10
• /
• pp.5023-5038
• /
• 2017

Big data is an emerging technology which deals with wide range of data sets with sizes beyond the ability to work with software tools which is commonly used for processing of data. When we consider a huge network, we have to process a large amount of network information generated, which consists of both normal and abnormal activity logs in large volume of multi-dimensional data. Intrusion Detection System (IDS) is required to monitor the network and to detect the malicious nodes and activities in the network. Massive amount of data makes it difficult to detect threats and attacks. Sequential Pattern mining may be used to identify the patterns of malicious activities which have been an emerging popular trend due to the consideration of quantities, profits and time orders of item. Here we propose a sequential pattern mining algorithm with fuzzy logic feature selection and fuzzy weighted support for huge volumes of network logs to be implemented in Apache Hadoop YARN, which solves the problem of speed and time constraints. Fuzzy logic feature selection selects important features from the feature set. Fuzzy weighted supports provide weights to the inputs and avoid multiple scans. In our simulation we use the attack log from NS-2 MANET environment and compare the proposed algorithm with the state-of-the-art sequential Pattern Mining algorithm, SPADE and Support Vector Machine with Hadoop environment.

• Journal of Internet of Things and Convergence
• /
• v.9 no.1
• /
• pp.77-87
• /
• 2023

Applying various association rule mining algorithms to the network intrusion detection task involves two critical issues: too large size of generated rule set which is hard to be utilized for IoT systems and hardness of control of false negative/positive rates. In this research, we propose an association rule mining algorithm based on the newly defined measures called coverage and exclusion. Coverage shows how frequently a pattern is discovered among the transactions of a class and exclusion does how frequently a pattern is not discovered in the transactions of the other classes. We compare our algorithm experimentally with the Apriori algorithm which is the most famous algorithm using the public dataset called KDDcup99. Compared to Apriori, the proposed algorithm reduces the resulting rule set size by up to 93.2 percent while keeping accuracy completely. The proposed algorithm also controls perfectly the false negative/positive rates of the generated rules by parameters. Therefore, network analysts can effectively apply the proposed association rule mining to the network intrusion detection task by solving two issues.

• Journal of Internet Computing and Services
• /
• v.5 no.5
• /
• pp.93-103
• /
• 2004

The main function of the intrusion Detection System (IDS) usee to be more or less passive detection of the intrusion evidences, but recently it is developed with more diverse types and methodologies. Especially, it is required that the IDS should process large system audit data fast enough. Therefore the data mining or neural net algorithm is being focused on, since they could satisfy those situations. In this study, we first surveyed and analyzed the several recent intrusion trends and types. And then we designed and implemented an IDS using back-propagation algorithm of the neural net, which could provide more effective solution. The distinctive feature of our study could be stated as follows. First, we designed the system that allows both the Anomaly dection and the Misuse detection. Second, we carried out the intrusion analysis experiment by using the reliable KDD Cup ‘99 data, which would provide us similar results compared to the real data. Finally, we designed the system based on the object-oriented concept, which could adapt to the other algorithms easily.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.11 no.8
• /
• pp.4043-4060
• /
• 2017

Network Intrusion Detection (NID), an important topic in the field of information security, can be viewed as a pattern recognition problem. The existing pattern recognition methods can achieve a good performance when the number of training samples is large enough. However, modern network attacks are diverse and constantly updated, and the training samples have much smaller size. Furthermore, to improve the learning ability of SVM, the research of kernel functions mainly focus on the selection, construction and improvement of kernel functions. Nonetheless, in practice, there are no theories to solve the problem of the construction of kernel functions perfectly. In this paper, we effectively integrate the advantages of the radial basis function kernel and the polynomial kernel on the notion of the game theory and propose a novel kernel SVM algorithm with game theory for NID, called GTNID-SVM. The basic idea is to exploit the game theory in NID to get a SVM classifier with better learning ability and generalization performance. To the best of our knowledge, GTNID-SVM is the first algorithm that studies ensemble kernel function with game theory in NID. We conduct empirical studies on the DARPA dataset, and the results demonstrate that the proposed approach is feasible and more effective.

• The KIPS Transactions:PartC
• /
• v.11C no.6 s.95
• /
• pp.719-724
• /
• 2004

Recently, since the number of internet users is increasing rapidly and, by using the public hacking tools, general network users can intrude computer systems easily, the hacking problem is getting more serious. In order to prevent the intrusion, it is needed to detect the sign in advance of intrusion in a positive prevention by detecting the various foms of hackers' intrusion trials to know the vulnerability of systems. The existing network-based anomaly detection algorithms that cope with port- scanning and the network vulnerability scans have some weakness in intrusion detection. they can not detect slow scans and coordinated scans. therefore, the new concept of algorithm is needed to detect effectively the various forms of abnormal accesses for intrusion regardless of the intrusion methods. In this paper, SPAD(Session Pattern Anomaly Detector) is presented, which detects the abnormal service patterns by comparing them with the ordinary normal service patterns.