• Title/Summary/Keyword: Outbound Traffic


Anomaly Detection Scheme of Web-based attacks by applying HMM to HTTP Outbound Traffic (HTTP Outbound Traffic에 HMM을 적용한 웹 공격의 비정상 행위 탐지 기법)

  • Choi, Byung-Ha; Choi, Sung-Kyo; Cho, Kyung-San
    • Journal of the Korea Society of Computer and Information / v.17 no.5 / pp.33-40 / 2012
  • In this paper we propose an anomaly detection scheme that detects new attack paths or new attack methods without false positives by monitoring HTTP Outbound Traffic after efficient training. Our proposed scheme detects web-based attacks by comparing the tags or JavaScript of HTTP Outbound Traffic against normal behavioral models built with an HMM (Hidden Markov Model). Through verification analysis in a real-attack environment, we show that our scheme has superior detection capability, with a 0.0001% false positive rate and a 96% detection rate.

A study on the outbound traffic controller for prevention of ICMP attacks (ICMP 공격 방지를 위한 outbound traffic controller에 관한 연구)

  • Yoo, Kwon-jeong; Kim, Eun-gi
    • Proceedings of the Korean Institute of Information and Communication Sciences Conference / 2016.10a / pp.759-761 / 2016
  • ICMP (Internet Control Message Protocol) supports error processing in TCP/IP-based communication networks. If a problem occurs during data transmission, the router or receiving host sends an ICMP message containing the error cause to the sending host. However, in this process an attacker can send a fake ICMP message to the host so that the communication between the hosts is abnormally terminated. In this paper, we performed a study to prevent several attacks related to ICMP. To this end, we have designed an outbound traffic controller so that attack packets are not transmitted to the network from the host's operating system.

An Improved Detecting Scheme of Malicious Codes using HTTP Outbound Traffic (HTTP Outbound Traffic을 이용한 개선된 악성코드 탐지 기법)

  • Choi, Byung-Ha; Cho, Kyung-San
    • Journal of the Korea Society of Computer and Information / v.14 no.9 / pp.47-54 / 2009
  • Malicious codes, which are spread through the WWW, have now evolved with various hacking technologies. However, detection technologies for them seemingly cannot keep up with the improvement of hacking and newly generated malicious codes. In this paper, we define the requirements of detection systems based on the analysis of malicious codes and their spreading characteristics, and propose an improved detection scheme which monitors HTTP Outbound traffic and detects spreading malicious codes in real time. Our proposed scheme sets up signatures in an IDS with confirmed HTML tags and JavaScript that spread malicious codes. Through verification analysis in a real-attack environment, we show that our scheme is superior to the existing schemes in satisfying the defined requirements and has a higher detection rate for malicious codes.

An Efficient Detecting Scheme of Web-based Attacks through Monitoring HTTP Outbound Traffics (HTTP Outbound Traffic 감시를 통한 웹 공격의 효율적 탐지 기법)

  • Choi, Byung-Ha; Choi, Sung-Kyo; Cho, Kyung-San
    • Journal of the Korea Society of Computer and Information / v.16 no.1 / pp.125-132 / 2011
  • A hierarchical Web Security System, which is a solution to various web-based attacks, seemingly cannot keep up with the improvement of detoured or compound attacks. In this paper, we suggest an efficient detection scheme for web-based attacks such as Malware, XSS, Creating Webshell, URL Spoofing, and Exposing Private Information by monitoring HTTP outbound traffic in real time. Our proposed scheme detects web-based attacks by comparing the outbound traffic with the signatures of HTML tags or JavaScript created by the attacks. Through verification analysis in a real-attack environment, we show that our scheme, installed in a hierarchical web security system, has superior detection capability for detoured web-based attacks.

Design and implementation of outbound traffic controller for the prevention of ICMP attacks (ICMP 공격 방지를 위한 outbound traffic controller의 설계 및 구현)

  • Yoo, Kwon-jeong; Kim, Eun-gi
    • Journal of the Korea Institute of Information and Communication Engineering / v.21 no.3 / pp.549-557 / 2017
  • ICMP (Internet Control Message Protocol) is a main protocol in the TCP/IP protocol stack. ICMP compensates for the disadvantage of IP, which does not support error reporting. If any transmission problem occurs, a router or the receiving host sends an ICMP message containing the error cause to the sending host. However, in this process, an attacker can send fake ICMP messages to the host so that the communication is terminated abnormally. An attacker host can paralyze the system of a victim host by sending a large number of messages to the victim host at a high rate. To solve this problem, we have designed and implemented an outbound traffic controller that prevents various ICMP attacks. By preventing the transmission of attack messages in different ways according to each case, various network attacks can be prevented. In addition, unnecessary network traffic can be filtered before it is transmitted.

Design of a Limited Two-Way Communications System (제한적 양방향 통신 시스템 설계)

  • Kim, Dongwook; Min, Byunggil
    • Journal of the Korea Institute of Information Security & Cryptology / v.27 no.5 / pp.1129-1140 / 2017
  • A unidirectional data transmission system, which allows physical one-way transmission, physically removes the backward link to prevent intrusion from the outside through the network. However, such a system is difficult to apply to environments requiring either backward transmissions or bi-directional communications. In this paper, we propose a Limited Two-way communications system, called LimTway, which only allows outbound TCP two-way communications. LimTway uses two one-way links (forward and backward). While the forward one-way link stays activated so that allowed outbound UDP traffic can always be transmitted one way, the backward one-way link is activated only while allowed outbound TCP sessions are established. In order to prevent intrusion from the outside during that period, the software of LimTway is designed to allow only the transmission of outbound TCP two-way communication traffic and outbound UDP traffic.

A Study of Internet Worm Detection & Response Method Using Outbound Traffic (OutBound 트래픽을 이용한 인터넷 웜 탐지 및 대응 방안 연구)

  • Lee, Sang-Hun
    • Convergence Security Journal / v.6 no.4 / pp.75-82 / 2006
  • Internet worms cause various damages, such as paralyzing the network and leaking information to the outside. In this paper, I suggest a method to prevent this. This method first detects the internet worm on the PC and then presents a way to respond automatically. It detects the network-scanning traffic that is characteristic of internet worms and carries out the response. It stops the process infected by the internet worm and prevents its traffic from flowing out to the outside. It also isolates the executable file infected by the internet worm and moves it to a specific location for post-mortem analysis, so that an investigation of the internet worm can be carried out. Such a method is useful for detecting and measuring the spread of unknown internet worms; therefore, stable network operation is possible through this method.

A Study on Maritime Traffic Characteristics according to Water Time(Multte) (물때에 따른 해상교통특성에 관한 연구)

  • Yoo, Sang-Lok; Jeong, Cho-Young; Jeong, Jae-Yong
    • Journal of the Korean Society of Marine Environment & Safety / v.21 no.5 / pp.501-506 / 2015
  • This study seeks to analyze ship traffic characteristics according to water time in order to provide the data necessary for developing efficient traffic management. To analyze maritime traffic volume according to water time, one year of solar-calendar data was converted to the lunar calendar, and the traditional water-time system of the West Sea was then applied, using AIS (Automatic Identification System) observation data gathered in Mokpo port for the year 2013. As a result, it was found that the number of outbound ships was larger on the 2nd-3rd water times than on the 7th water time by 23-24%, and the number of inbound ships was higher on the 12th-13th water times than on the 9th water time by 29-33%. In particular, the hourly variation index of inbound and outbound ships according to time was found to change in the form of a sine function model. This study is expected to serve as necessary basic material for the development of maritime traffic management according to water time.

Measurement and Analysis of P2P Traffic in Campus Networks Under Firewall (방화벽이 존재하는 캠퍼스 망에서의 P2P 트래픽 측정 및 분석)

  • Lee, Young-Seok
    • The Journal of Korean Institute of Communications and Information Sciences / v.30 no.11B / pp.750-757 / 2005
  • This paper reports on a study of P2P traffic behavior in a high-speed campus network under a simple firewall which drops packets with the default port numbers of well-known P2P applications. Among several ways of detecting P2P traffic, the easiest method is to filter out packets with the default port number of each P2P application. After deploying the port-based firewall against P2P traffic, it is expected that the amount of P2P traffic will decrease. However, during the eight-month measurement period, three new commercial P2P applications were identified, and their traffic usage had reached up to 30%/5.6% of the total outbound/inbound traffic volume by the end of the measurement period. In addition, the most popular P2P application, eDonkey, has adapted and has escaped detection through port hopping. The measurement result shows that the amount of eDonkey traffic is around 6.7%/4.0% of the total outbound/inbound traffic volume. From the measurement results, it is observed that the port-based firewall is not effective in limiting the usage of P2P applications, and that P2P traffic is steadily growing due not only to the evolution of existing P2P applications, such as port hopping, but also to the appearance of new P2P applications.

A Study on the Future Traffic Volume Estimation for Kwangyang Port Using The Consideration Factors of Marine Traffic Engineering (해상교통공학적 고려 요소를 이용한 광양항의 장래교통량 예측에 대한 연구)

  • Park, Young-Soo; Kim, Jong-Soo; Park, Jin-Soo
    • Journal of Navigation and Port Research / v.31 no.6 / pp.447-454 / 2007
  • To assess port development and the maritime traffic environment, the future traffic volume has been estimated using the number of inbound and outbound vessels for a specific port. The estimation of future traffic volume should be considered an important factor in establishing the degree of fairway congestion, the determination of fairway width, and the operational role. Until now, mainly only the number of inbound and outbound vessels for the port has been estimated, but the type and size of inbound and outbound ships differ depending on the port's characteristics, so it is difficult to estimate the future traffic volume from the change in only one item. This paper calculates the future traffic volume using marine traffic characteristic factors such as the number of coastal and ocean-going ships, ship size, and the change in cargo volume per ship. The result is then compared with that of an Artificial Neural Network (ANN) for accurate identification of the nonlinear system.