• 한국지능시스템학회:학술대회논문집
• /
• 한국퍼지및지능시스템학회 2003년도 ISIS 2003
• /
• pp.660-663
• /
• 2003

The advanced computer network technology enables connectivity of computers through an open network environment. There has been growing numbers of security threat to the networks. Therefore, it requires intrusion detection and prevention technologies. In this paper, we propose a network based intrusion detection model using Fuzzy Cognitive Maps(FCM) that can detect intrusion by the Denial of Service(DoS) attack detection method adopting the packet analyses. A DoS attack appears in the form of the Probe and Syn Flooding attack which is a typical example. The Sp flooding Preventer using Fuzzy cognitive maps(SPuF) model captures and analyzes the packet information to detect Syn flooding attack. Using the result of analysis of decision module, which utilized FCM, the decision module measures the degree of danger of the DoS and trains the response module to deal with attacks. The result of simulating the "KDD ′99 Competition Data Set" in the SPuF model shows that the Probe detection rates were over 97 percentages.

• 한국지능시스템학회논문지
• /
• 제13권2호
• /
• pp.148-153
• /
• 2003

서비스 거부 공격은 침입을 위한 침입시도 형태로 나타나며 대표적인 공격으로 Syn Flooding 공격이 있다. Syn Flooding 공격은 신뢰성 및 연결 지향적 전송서비스인 TCP의 종단간에 3-way handshake의 취약점을 이용한 공격이다. 본 논문에서는 네트워크 기반의 지능적 침입 방지 모델을 제안한다. 제안하는 모델은 Syn Flooding 공격을 탐지하기 위하여 패킷 정보를 수집하고 분석한다. 이 모델은 퍼지인식도(Fuzzy Cognitive Maps)를 적용한 결정모듈의 분석 결과를 활용하여 서비스 거부 공격의 위험도를 측정하고 공격에 대응하도록 대응모듈을 학습시킨다. 제안하는 모델은 Syn Flooding 공격의 위험을 격감 또는 방지하는 네트워크 기반의 지능적 침입 방지 모델이다.

• 한국멀티미디어학회논문지
• /
• 제17권8호
• /
• pp.988-994
• /
• 2014

Software Defined Network (SDN) is a new technology in computer network area which enables user to centralize control plane. The security issue is important in computer network to protect system from attackers. SYN flooding attack is one of Distributed Denial of Service attack methods which are popular to degrade availability of targeted service on Internet. There are many methods to protect system from attackers, i.e. firewall and IDS. Even though firewall is designed to protect network system, but it cannot mitigate DDoS attack well because it is not designed to do so. To improve performance of DDOS mitigation we utilize another mechanism by using SDN technology such as OpenFlow and sFlow. The methodology of sFlow to detect attacker is by capturing and sum cumulative traffic from each agent to send to sFlow collector to analyze. When sFlow collector detect some traffics as attacker, OpenFlow controller will modify the rule in OpenFlow table to mitigate attacks by blocking attack traffic. Hence, by combining sum cumulative traffic use sFlow and blocking traffic use OpenFlow we can detect and mitigate SYN flooding attack quickly and cheaply.

• ETRI Journal
• /
• 제44권2호
• /
• pp.346-354
• /
• 2022

The SYN flooding attack is widely used in cyber attacks because it paralyzes the network by causing the system and bandwidth resources to be exhausted. This paper proposed a self-information approach for detecting the SYN flooding attack and provided a detection algorithm with a hierarchical policy on a detection time domain. Compared with other detection methods of entropy measurement, the proposed approach is more efficient in detecting the SYN flooding attack, providing low misjudgment, hierarchical detection policy, and low time complexity. Furthermore, we proposed a detection algorithm with limiting system resources. Thus, the time complexity of our approach is only (log n) with lower time complexity and misjudgment rate than other approaches. Therefore, the approach can detect the denial-of-service/distributed denial-of-service attacks and prevent SYN flooding attacks.

• Journal of information and communication convergence engineering
• /
• 제7권1호
• /
• pp.7-12
• /
• 2009

The advanced computer network and Internet technology enables connectivity of computers through an open network environment. Despite the growing numbers of security threats to networks, most intrusion detection identifies security attacks mainly by detecting misuse using a set of rules based on past hacking patterns. This pattern matching has a high rate of false positives and can not detect new hacking patterns, making it vulnerable to previously unidentified attack patterns and variations in attack and increasing false negatives. Intrusion detection and prevention technologies are thus required. We proposed a network based hybrid Probe Intrusion Detection model using Fuzzy cognitive maps (PIDuF) that detects intrusion by DoS (DDoS and PDoS) attack detection using packet analysis. A DoS attack typically appears as a probe and SYN flooding attack. SYN flooding using FCM model captures and analyzes packet information to detect SYN flooding attacks. Using the result of decision module analysis, which used FCM, the decision module measures the degree of danger of the DoS and trains the response module to deal with attacks. For the performance evaluation, the "IDS Evaluation Data Set" created by MIT was used. From the simulation we obtained the max-average true positive rate of 97.064% and the max-average false negative rate of 2.936%. The true positive error rate of the PIDuF is similar to that of Bernhard's true positive error rate.

• 제어로봇시스템학회:학술대회논문집
• /
• 제어로봇시스템학회 2005년도 ICCAS
• /
• pp.1568-1570
• /
• 2005

The internet is already a part of life. It is very convenient and people can do almost everything with internet that should be done in real life. Along with the increase of the number of internet user, various network attacks through the internet have been increased as well. Also, Large-scale network attacks are a cause great concern for the computer security communication. These network attack becomes biggest threat could be down utility of network availability. Most of the techniques to detect and analyze abnormal traffic are statistic technique using mathematical modeling. It is difficult accurately to analyze abnormal traffic attack using mathematical modeling, but network simulation technique is possible to analyze and simulate under various network simulation environment with attack scenarios. This paper performs modeling and simulation under virtual network environment including $NGSS^{1}$ system to analyze abnormal traffic-flooding attack.

• 한국지능시스템학회논문지
• /
• 제13권4호
• /
• pp.491-498
• /
• 2003

The advanced computer network technology enables connectivity of computers through an open network environment. There has been growing numbers of security threat to the networks. Therefore, it requires intrusion detection and prevention technologies. In this paper, we propose a network based intrusion detection model using FCM(Fuzzy Cognitive Maps) that can detect intrusion by the DoS attack detection method adopting the packet analyses. A DoS attack appears in the form of the Probe and Syn Flooding attack which is a typical example. The SPuF(Syn flooding Preventer using Fussy cognitive maps) model captures and analyzes the packet informations to detect Syn flooding attack. Using the result of analysis of decision module, which utilized FCM, the decision module measures the degree of danger of the DoS and trains the response module to deal with attacks. For the performance comparison, the "KDD′99 Competition Data Set" made by MIT Lincoln Labs was used. The result of simulating the "KDD′99 Competition Data Set" in the SPuF model shows that the probe detection rates were over 97 percentages.

• 스마트미디어저널
• /
• 제4권4호
• /
• pp.24-32
• /
• 2015

최근 SDN은 데이터센터 네트워크로 활발히 사용되고 있으며, 그 사용범위를 점진적으로 늘려나가고 있다. 이러한 새로운 네트워크 환경 변화와 함께, 네트워크 보안시스템을 SDN 환경 상에서 구축하는 연구들이 진행되고 있다. 특히 OpenFlow Switch의 포트를 통과하는 패킷들을 지속적으로 관찰함으로써 네트워크 플러딩 공격 등을 탐지하기 위한 시스템들이 제안되었다. 하지만 다수의 스위치를 중앙집중형 컨트롤러에서 관리하는 SDN의 특성상 지속적인 네트워크 트래픽 관찰은 상당한 오버헤드로 작용할 수 있다. 이 논문에서는 이러한 지속적인 네트워크 트래픽 관찰에 따른 오버헤드를 줄이면서도 네트워크 플러딩 공격을 효과적으로 탐지 및 방어 할 수 있는, 샘플링 기반 네트워크 플러딩 공격 탐지 및 방어 시스템을 제안한다. 제안된 시스템은 네트워크 트래픽을 주어진 샘플링 조건에 맞추어 주기적으로 관찰하고, 샘플링 패킷들을 분석하여 네트워크 플러딩 공격을 탐지하며, 탐지된 공격을 OpenFlow Switch의 플로우 엔트리관리를 통해 능동적으로 차단하다. 네트워크 트래픽 샘플링을 위해 sFlow agent를 활용하고, 샘플링된 패킷 정보를 소프트웨어적으로 분석하여 공격을 탐지하기 위해 오픈소스 기반 IDS인 snort을 사용하였다. 탐지된 공격의 자동화된 방어 기작의 구현을 위해 OpenDaylight SDN 컨트롤러용 어플리케이션을 개발하여 적용하였다. 제안된 시스템은 OVS (Open Virtual Switch)를 활용한 로컬 테스트베드 상에서 그 동작을 검증하였고, 다양한 샘플링 조건에 따른 제안된 시스템의 성능 및 오버헤드를 분석하였다.

• Journal of Communications and Networks
• /
• 제12권4호
• /
• pp.375-381
• /
• 2010

A flooding attack, such as DoS or Worm, can be easily created or even downloaded from the Internet, thus, it is one of the main threats to servers on the Internet. This paper presents an online real-time network response system, which can determine whether a LAN is suffering from a flooding attack within a very short time unit. The detection engine of the system is based on the incremental mining of fuzzy association rules from network packets, in which membership functions of fuzzy variables are optimized by a genetic algorithm. The incremental mining approach makes the system suitable for detecting, and thus, responding to an attack in real-time. This system is evaluated by 47 flooding attacks, only one of which is missed, with no false positives occurring. The proposed online system belongs to anomaly detection, not misuse detection. Moreover, a mechanism for dynamic firewall updating is embedded in the proposed system for the function of eliminating suspicious connections when necessary.

• 한국멀티미디어학회논문지
• /
• 제18권1호
• /
• pp.35-41
• /
• 2015

SDN(Software Defined Networking) has been considered as a new future computer network architecture and DDoS(Distributed Denial of Service) is the biggest threat in the network security. In SDN architecture, we present the technique to defend the DDoS SYN Flooding attack that is one of the DDoS attack method. First, we monitor the Backlog queue in order to reduce the unnecessary monitoring resources. If the Backlog queue of the certain server is occupied over 70%, the sFlow performs packet sampling with the server address as the destination address. To distinguish between the attacker and the normal user, we use the source address. We decide the SYN packet threshold using the remaining Backlog queue that possible to allow the number of connections. If certain sources address send the SYN packet over the threshold, we judge that this address is attacker. The controller will modify the flow table entry to block attack traffics. By using this method, we reduce the resource consumption about the unnecessary monitoring and the protection range is expanded to all switches. The result achieved from our experiment show that we can prevent the SYN Flooding attack before the Backlog queue is fully occupied.