• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.8 no.4
• /
• pp.1307-1323
• /
• 2014

With the exhaustion of global IPv4 addresses, IPv6 technologies have attracted increasing attentions, and have been deployed widely. Meanwhile, new applications running over IPv6 networks will change the traditional traffic characteristics obtained from IPv4 networks. Traditional models obtained from IPv4 cannot be used for IPv6 network monitoring directly and there is a need to investigate those changes. In this paper, we explore the flow features of IPv6 traffic and compare its difference with that of IPv4 traffic from flow level. Firstly, we analyze the differences of the general flow statistical characteristics and users' behavior between IPv4 and IPv6 networks. We find that there are more elephant flows in IPv6, which is critical for traffic engineering. Secondly, we find that there exist many one-way flows both in the IPv4 and IPv6 traffic, which are important information sources for abnormal behavior detection. Finally, in light of the challenges of analyzing massive data of large-scale network monitoring, we propose a group flow model which can greatly reduce the number of flows while capturing the primary traffic features, and perform a comparative measurement analysis of group users' behavior dynamic characteristics. We find there are less sharp changes caused by abnormity compared with IPv4, which shows there are less large-scale malicious activities in IPv6 currently. All the evaluation experiments are carried out based on the traffic traces collected from the Northwest Regional Center of CERNET (China Education and Research Network), and the results reveal the detailed flow characteristics of IPv6, which are useful for traffic management and anomaly detection in IPv6.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.29 no.5B
• /
• pp.491-497
• /
• 2004

In this Paper, we W a Hovel global traffic control architecture to isolate malicious network attacks and protect network infrastructure in Internet backbone networks. Unlike existing methods based on individual packets or flows, since the proposed detection and control methods are operated on the aggregate traffic level, the computational complexity can k significantly reduced, and they are applicable to develop a global defense architecture against network attack. Experimental results show that the proposed scheme can detect the network attack symptoms very exactly and quickly and protect the network resources as well as the normal traffic flows very efficiently.

• Proceedings of the Korean Information Science Society Conference
• /
• 2012.06a
• /
• pp.57-59
• /
• 2012

본 논문은 유해 트래픽을 탐지하는 보안 장비와 그에 따른 탐지 또는 차단 기법들을 분석한다. 즉 서버측의 방화벽, 침입 탐지 시스템과 웹 방화벽의 순서로 보안 장비의 배치와 클라이언트 측의 보안 시스템을 보여주고 이들의 탐지 기법들을 소개한다. 이후 이 장비들의 유해트래픽의 방향에 따른 탐지 기법들을 분석하고 유해트래픽 방향에 따라 침입을 탐지할 수 있는 탐지 기법들을 분석한다. 또한 유해 트래픽의 방향에 따라 탐지기법이 부족한 방향을 제시한다.

• Journal of the Korea Society of Computer and Information
• /
• v.26 no.12
• /
• pp.123-132
• /
• 2021

Malicious activities of Botnets are responsible for huge financial losses to Internet Service Providers, companies, governments and even home users. In this paper, we try to confirm the possibility of detecting botnet traffic by applying the deep learning model Convolutional Neural Network (CNN) using the CTU-13 botnet traffic dataset. In particular, we classify three classes, such as the C&C traffic between bots and C&C servers to detect C&C servers, traffic generated by bots other than C&C communication to detect bots, and normal traffic. Performance metrics were presented by accuracy, precision, recall, and F1 score on classifying both known and unknown botnet traffic. Moreover, we propose a stackable botnet detection system that can load modules for each botnet type considering scalability and operability on the real field.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.3
• /
• pp.545-552
• /
• 2012

The rapid development of information technology is making large changes in our lives today. Also the infrastructure and services are combinding with information technology which predicts another huge change in our environment. However, the development of information technology brings various types of side effects and these side effects not only cause financial loss but also can develop into a nationwide crisis. Therefore, the detection and quick reaction towards these side effects is critical and much research is being done. Intrusion detection systems can be an example of such research. However, intrusion detection systems mostly tend to focus on judging whether particular traffic or files are malicious or not. Also it is difficult for intrusion detection systems to detect newly developed malicious codes. Therefore, this paper proposes a method which determines whether the present network model is normal or abnormal by comparing it with past network situations.

• Journal of KIISE
• /
• v.44 no.1
• /
• pp.1-12
• /
• 2017

The continuously growing internet service requirements has resulted in a multitier system structure consisting of web server and database (DB) server. In this multitier structure, the existing intrusion detection system (IDS) detects known attacks by matching misused traffic patterns or signatures. However, malicious change to the contents at DB server through hypertext transfer protocol (HTTP) requests at the DB server cannot be detected by the IDS at the DB server's end, since the DB server processes structured query language (SQL) without knowing the associated HTTP, while the web server cannot identify the response associated with the attacker's SQL query. To detect these types of attacks, the malicious user is tracked using knowledge on interaction between HTTP request and SQL query. However, this is a practical challenge because system's source code analysis and its application logic needs to be understood completely. In this study, we proposed a scheme to find the HTTP request associated with a given SQL query using only system log files. We first generated an HTTP request-SQL query map from system log files alone. Subsequently, the HTTP request associated with a given SQL query was identified among a set of HTTP requests using this map. Computer simulations indicated that the proposed scheme finds the HTTP request associated with a given SQL query with 94% accuracy.

• International Journal of Computer Science & Network Security
• /
• v.24 no.5
• /
• pp.111-118
• /
• 2024

In general network-based intrusion detection system is designed to detect malicious behavior directed at a network or its resources. The key goal of this paper is to look at network data and identify whether it is normal traffic data or anomaly traffic data specifically for accounting information systems. In today's world, there are a variety of principles for detecting various forms of network-based intrusion. In this paper, we are using supervised machine learning techniques. Classification models are used to train and validate data. Using these algorithms we are training the system using a training dataset then we use this trained system to detect intrusion from the testing dataset. In our proposed method, we will detect whether the network data is normal or an anomaly. Using this method we can avoid unauthorized activity on the network and systems under that network. The Decision Tree and K-Nearest Neighbor are applied to the proposed model to classify abnormal to normal behaviors of network traffic data. In addition to that, Logistic Regression Classifier and Support Vector Classification algorithms are used in our model to support proposed concepts. Furthermore, a feature selection method is used to collect valuable information from the dataset to enhance the efficiency of the proposed approach. Random Forest machine learning algorithm is used, which assists the system to identify crucial aspects and focus on them rather than all the features them. The experimental findings revealed that the suggested method for network intrusion detection has a neglected false alarm rate, with the accuracy of the result expected to be between 95% and 100%. As a result of the high precision rate, this concept can be used to detect network data intrusion and prevent vulnerabilities on the network.

• Journal of Internet Computing and Services
• /
• v.20 no.2
• /
• pp.9-19
• /
• 2019

Service and users over the Internet are increasing rapidly. Cyber attacks are also increasing. As a result, information leakage and financial damage are occurring. Government, public agencies, and companies are using security systems that use signature-based detection rules to respond to known malicious codes. However, it takes a long time to generate and validate signature-based detection rules. In this paper, we propose and develop signature based detection rule generation and verification systems using the signature extraction scheme developed based on the LDA(latent Dirichlet allocation) algorithm and the traffic analysis technique. Experimental results show that detection rules are generated and verified much more quickly than before.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.8 no.7
• /
• pp.2512-2531
• /
• 2014

We propose a new Distributed Denial of Service (DDoS) defense mechanism that protects http web servers from application-level DDoS attacks based on the two methodologies: whitelist-based admission control and busy period-based attack flow detection. The attack flow detection mechanism detects attach flows based on the symptom or stress at the server, since it is getting more difficult to identify bad flows only based on the incoming traffic patterns. The stress is measured by the time interval during which a given client makes the server busy, referred to as a client-induced server busy period (CSBP). We also need to protect the servers from a sudden surge of attack flows even before the malicious flows are identified by the attack flow detection mechanism. Thus, we use whitelist-based admission control mechanism additionally to control the load on the servers. We evaluate the performance of the proposed scheme via simulation and experiment. The simulation results show that our defense system can mitigate DDoS attacks effectively even under a large number of attack flows, on the order of thousands, and the experiment results show that our defense system deployed on a linux machine is sufficiently lightweight to handle packets arriving at a rate close to the link rate.

• KIPS Transactions on Software and Data Engineering
• /
• v.12 no.2
• /
• pp.99-110
• /
• 2023

This study proposed a classification of malicious network traffic using the cyber threat framework(Mitre ATT&CK) and machine learning to solve the real-time traffic detection problems faced by current security monitoring systems. We applied a network traffic dataset called UNSW-NB15 to the Mitre ATT&CK framework to transform the label and generate the final dataset through rare class processing. After learning several boosting-based ensemble models using the generated final dataset, we demonstrated how these ensemble models classify network traffic using various performance metrics. Based on the F-1 score, we showed that XGBoost with no rare class processing is the best in the multi-class traffic environment. We recognized that machine learning ensemble models through Mitre ATT&CK label conversion and oversampling processing have differences over existing studies, but have limitations due to (1) the inability to match perfectly when converting between existing datasets and Mitre ATT&CK labels and (2) the presence of excessive sparse classes. Nevertheless, Catboost with B-SMOTE achieved the classification accuracy of 0.9526, which is expected to be able to automatically detect normal/abnormal network traffic.