• Convergence Security Journal
• /
• v.9 no.4
• /
• pp.7-12
• /
• 2009

It is very difficult to completely block the DDoS attack, which paralyzes services by depleting resources or occupying the network bandwidth by transmitting a vast amount of traffic to the specific website or server from normal users' PCs that have been already infected by an outside attacker. In order to defense or endure the DDoS attack, we usually use various solutions such as IDS (Intrusion Detection System), IPS (Intrusion Prevention System), ITS (Intrusion Tolerance System), FW (Firewall), and the dedicated security equipment against DDoS attack. However, diverse types of security appliances cause the cost problem, besides, the full function of the equipments are not performed well owing to the unproper setting without considering connectivity among systems. In this paper, we present the effective connectivity of security equipments and countermeasure methodology against DDoS attack. In practice, it is approved by experimentation that this designed methdology is better than existing network structure in the efficiency of block and endurance. Therefore, we would like to propose the effective security control measures responding and enduring against discriminated DDoS attacks through this research.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.13 no.7
• /
• pp.3714-3732
• /
• 2019

With the rapid development of network, Intrusion Detection System(IDS) plays a more and more important role in network applications. Many data mining algorithms are used to build IDS. However, due to the advent of big data era, massive data are generated. When dealing with large-scale data sets, most data mining algorithms suffer from a high computational burden which makes IDS much less efficient. To build an efficient IDS over big data, we propose a classification algorithm based on data clustering and data reduction. In the training stage, the training data are divided into clusters with similar size by Mini Batch K-Means algorithm, meanwhile, the center of each cluster is used as its index. Then, we select representative instances for each cluster to perform the task of data reduction and use the clusters that consist of representative instances to build a K-Nearest Neighbor(KNN) detection model. In the detection stage, we sort clusters according to the distances between the test sample and cluster indexes, and obtain k nearest clusters where we find k nearest neighbors. Experimental results show that searching neighbors by cluster indexes reduces the computational complexity significantly, and classification with reduced data of representative instances not only improves the efficiency, but also maintains high accuracy.

• Journal of the Korean Institute of Intelligent Systems
• /
• v.26 no.3
• /
• pp.233-238
• /
• 2016

In this paper, we propose the algorithms of processing the uncertainty data using data fusion for the next generation intrusion detection. In the next generation intrusion detection, a lot of data are collected by many of network sensors to discover knowledge from generating information in cyber space. It is necessary the data fusion process to extract knowledge from collected sensors data. In this paper, we have proposed method to represent the uncertainty data, by classifying where is a confidence interval in interval of uncertainty data through feature analysis of different data using inference method with Dempster-Shafer Evidence Theory. In this paper, we have implemented a detection experiment that is classified by the confidence interval using IRIS plant Data Set for anomaly detection of uncertainty data. As a result, we found that it is possible to classify data by confidence interval.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.12 no.11
• /
• pp.5568-5587
• /
• 2018

This research uses artificial intelligence methods for computer network intrusion detection system modeling. Primary classification is done using self-organized maps (SOM) in two levels, while the secondary classification of ambiguous data is done using Sugeno type Fuzzy Inference System (FIS). FIS is created by using Adaptive Neuro-Fuzzy Inference System (ANFIS). The main challenge for this system was to successfully detect attacks that are either unknown or that are represented by very small percentage of samples in training dataset. Improved algorithm for SOMs in second layer and for the FIS creation is developed for this purpose. Number of clusters in the second SOM layer is optimized by using our improved algorithm to minimize amount of ambiguous data forwarded to FIS. FIS is created using ANFIS that was built on ambiguous training dataset clustered by another SOM (which size is determined dynamically). Proposed hybrid model is created and tested using NSL KDD dataset. For our research, NSL KDD is especially interesting in terms of class distribution (overlapping). Objectives of this research were: to successfully detect intrusions represented in data with small percentage of the total traffic during early detection stages, to successfully deal with overlapping data (separate ambiguous data), to maximize detection rate (DR) and minimize false alarm rate (FAR). Proposed hybrid model with test data achieved acceptable DR value 0.8883 and FAR value 0.2415. The objectives were successfully achieved as it is presented (compared with the similar researches on NSL KDD dataset). Proposed model can be used not only in further research related to this domain, but also in other research areas.

• KIPS Transactions on Computer and Communication Systems
• /
• v.2 no.5
• /
• pp.191-198
• /
• 2013

It is required to transmit data through shorter path between sensor and base node for real time intrusion detection in wireless sensor networks (WSN) with a mobile base node. Because minimum Wiener index spanning tree (MWST) based routing approach guarantees lower average hop count than that of minimum spanning tree (MST) based routing method in WSN, it is known that MWST based routing is appropriate for real time intrusion detection. However, the minimum Wiener index spanning tree problem which aims to find a spanning tree which has the minimum Wiener index from a given weighted graph was proved to be a NP-hard. And owing to its high dependency on certain nodes, minimum Wiener index tree based routing method has a shorter network lifetime than that of minimum spanning tree based routing method. In this paper, we propose a multi-objective ant colony optimization algorithm to tackle these problems, so that it can be used to detect intrusion in real time in wireless sensor networks with a mobile base node. And we compare the results of our proposed method with MST based routing and MWST based routing in respect to average hop count, network energy consumption and network lifetime by simulation.

• The KIPS Transactions:PartA
• /
• v.12A no.2 s.92
• /
• pp.87-94
• /
• 2005

Pattern matching is one of critical parts of Network Intrusion Prevention Systems (NIPS) and computationally intensive. To handle a large number of attack signature fattens increasing everyday, a network intrusion prevention system requires a multi pattern matching method that can meet the line speed of packet transfer. In this paper, we analyze Snort, a widely used open source network intrusion prevention/detection system, and its pattern matching characteristics. A multi pattern matching method for NIPS should efficiently handle a large number of patterns with a wide range of pattern lengths and case insensitive patterns matches. It should also be able to process multiple input characters in parallel. We propose a multi pattern matching hardware accelerator based on Shift-OR pattern matching algorithm. We evaluate the performance of the pattern matching accelerator under various assumptions. The performance evaluation shows that the pattern matching accelerator can be more than 80 times faster than the fastest software multi-pattern matching method used in Snort.

• Journal of Internet Computing and Services
• /
• v.19 no.1
• /
• pp.1-10
• /
• 2018

Network threats such as Internet worms and computer viruses have been significantly increasing. In particular, APTs(Advanced Persistent Threats) and ransomwares become clever and complex. IDSes(Intrusion Detection Systems) have performed a key role as information security solutions during last few decades. To use an IDS effectively, IDS rules must be written properly. An IDS rule includes a key signature and is incorporated into an IDS. If so, the network threat containing the signature can be detected by the IDS while it is passing through the IDS. However, it is challenging to find a key signature for a specific network threat. We first need to analyze a network threat rigorously, and write a proper IDS rule based on the analysis result. If we use a signature that is common to benign and/or normal network traffic, we will observe a lot of false alarms. In this paper, we propose a scheme that analyzes a network threat and extracts key signatures corresponding to the threat. Specifically, our proposed scheme quantifies the degree of correspondence between a network threat and a signature using the LDA(Latent Dirichlet Allocation) algorithm. Obviously, a signature that has significant correspondence to the network threat can be utilized as an IDS rule for detection of the threat.

• Journal of KIISE:Information Networking
• /
• v.31 no.5
• /
• pp.438-449
• /
• 2004

With the growing deployment of network and internet, the importance of security is also increased. But, recent intrusion detection systems which have an important position in security countermeasure can't provide proper analysis and effective defence mechanism. Instead, they have overwhelmed human operator by large volume of intrusion detection alerts. In this paper, we propose an efficient alert analysis system that can produce high level information by analyzing and processing the large volume of alerts and can detect large-scale attacks such as DDoS in early stage. And we have measured processing rate of each elementary module and carried out a scenario-based test in order to analyzing efficiency of our proposed system.

• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.12 no.11
• /
• pp.5238-5244
• /
• 2011

Recently, wireless sensor networks have become increasingly interesting areas over extensive application fields such as military, ecological, and health-related areas. Almost sensor networks have mission-critical tasks that requires very high security. Therefore, extensive work has been done for securing sensor networks from outside attackers, efficient cryptographic systems, secure key management and authorization, but little work has yet been done to protect these networks from inside threats. This paper proposed an method to select which nodes should activate their idle nodes as detectors to be able to watch all packets in the sensor network. Suggested method is modeled as optimization equation, and heuristic Greedy algorithm based simulation results are presented to verify my approach.

• Journal of the Korean Institute of Intelligent Systems
• /
• v.14 no.4
• /
• pp.451-456
• /
• 2004

Signature based intrusion detection system (IDS), having stored rules for detecting intrusions at the library, judges whether new inputs are intrusion or not by matching them with the new inputs. However their policy has two restrictions generally. First, when they couldn't make rules against new intrusions, false negative (FN) errors may are taken place. Second, when they made a lot of rules for maintaining diversification, the amount of resources grows larger proportional to their amount. In this paper, we propose the learning algorithm which can evolve the competent of anomaly detectors having the ability to detect anomalous attacks by genetic algorithm. The anomaly detectors are the population be composed of by following the negative selection procedure of the biological immune system. To show the effectiveness of proposed system, we apply the learning algorithm to the artificial network environment, which is a computer security system.