• Title/Summary/Keyword: Payload Signature


Performance Improvement of the Statistic Signature based Traffic Identification System (통계 시그니쳐 기반 트래픽 분석 시스템의 성능 향상)

  • Park, Jin-Wan;Kim, Myung-Sup
    • The KIPS Transactions:PartC
    • /
    • v.18C no.4
    • /
    • pp.243-250
    • /
    • 2011
  • Nowadays, traffic types and behaviors are extremely diverse due to the appearance of various services on the Internet, which makes traffic identification important for the efficient operation and management of a network. In recent years, traffic identification methodology using statistical features of flows has been broadly studied. We also proposed a traffic identification methodology using the payload size distribution (PSD) in our previous work, which has the problem of low completeness. In this paper, we improve the completeness by resolving PSD conflicts using IP address and port, and we improve the accuracy by changing the distance measure between a flow and a statistic signature from a vector distance to a per-packet distance. The feasibility of our methodology was proved via experimental evaluation on our campus network.
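The difference between a vector distance and a per-packet distance, and the IP/port tie-break for PSD conflicts, can be shown on constructed flows. The following is an added example, not the authors' system: the signature form (per packet index, the set of payload sizes seen in training), the tolerance, the threshold and the use of the server port as the tie-break are all assumptions, since the page does not define them.

```python
"""Statistic (payload-size-distribution) signature matching: vector vs per-packet distance.

Added example; the signature form, both distance definitions and the port tie-break
are assumptions, the page only states that the distance changed from vector to
per-packet and that PSD conflicts are resolved with IP/port information.
"""
from math import sqrt
from statistics import mean

N_PACKETS = 5  # the signature covers the first N payload-carrying packets of a flow


def build_signature(training_flows):
    """Per packet index, the set of payload sizes observed in training flows (assumed form)."""
    sig = [set() for _ in range(N_PACKETS)]
    for sizes in training_flows:
        for i, size in enumerate(sizes[:N_PACKETS]):
            sig[i].add(size)
    return sig


def vector_distance(flow, sig):
    """Euclidean distance between the flow's size vector and the per-index mean of the signature.
    Averaging collapses a bimodal index (e.g. {200, 1400}) to 800, a size no real flow has."""
    centroid = [mean(sizes) for sizes in sig]
    return sqrt(sum((a - b) ** 2 for a, b in zip(flow[:N_PACKETS], centroid)))


def per_packet_distance(flow, sig, tolerance=8):
    """Fraction of the first N packets whose size is not within `tolerance` bytes of
    any size the signature recorded at that index; 0.0 is a perfect match."""
    misses = sum(
        1 for i, size in enumerate(flow[:N_PACKETS])
        if not any(abs(size - s) <= tolerance for s in sig[i])
    )
    return misses / N_PACKETS


def classify(flow, signatures, server_port=None, threshold=0.2):
    """signatures: app -> (signature, set of server ports seen in training).
    Picks the app with the smallest per-packet distance; an exact tie (PSD conflict)
    is broken by the server port, an assumed form of the page's IP/port rule."""
    scored = sorted(
        (per_packet_distance(flow, sig), app, ports)
        for app, (sig, ports) in signatures.items()
    )
    if not scored or scored[0][0] > threshold:
        return None
    tied = [c for c in scored if c[0] == scored[0][0]]
    if len(tied) > 1 and server_port is not None:
        tied = [c for c in tied if server_port in c[2]] or tied
    return tied[0][1]


# Constructed training data (not measurements from the paper).
TRAINING = {
    "appA": ([[100, 200, 300, 50, 50], [100, 1400, 300, 50, 50]], {80}),   # bimodal 2nd packet
    "appB": ([[100, 900, 300, 50, 50], [100, 900, 300, 50, 50]], {8080}),
    "appC": ([[100, 200, 300, 50, 50], [100, 1400, 300, 50, 50]], {443}),  # same PSD as appA
}
SIGNATURES = {app: (build_signature(flows), ports) for app, (flows, ports) in TRAINING.items()}

FLOW = [100, 1400, 300, 50, 50]  # constructed flow that really belongs to appA (or appC)

if __name__ == "__main__":
    for app, (sig, _) in SIGNATURES.items():
        print(app, round(vector_distance(FLOW, sig)), per_packet_distance(FLOW, sig))
    print(classify(FLOW, SIGNATURES, server_port=80), classify(FLOW, SIGNATURES, server_port=443))
```

On this data the vector distance prefers appB (500 vs 600), because averaging appA's bimodal second packet produces a centroid no appA flow ever matches, while the per-packet distance matches appA exactly; appA and appC have identical PSDs and are only separable by the server port.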

The Design and Implementation of High Performance Intrusion Prevention Algorithm based on Signature Hashing (시그너처 해싱 기반 고성능 침입방지 알고리즘 설계 및 구현)

  • Wang, Jeong-Seok;Jung, Yun-Jae;Kwon, H-Uing;Chung, Kyu-Sik;Kwak, Hu-Keun
    • The KIPS Transactions:PartC
    • /
    • v.14C no.3 s.113
    • /
    • pp.209-220
    • /
    • 2007
  • An IPS (Intrusion Prevention System), which is installed in inline mode in a network, protects the network from outside attacks by inspecting incoming/outgoing packets and sessions, and dropping the packet or closing the session if an attack is detected. In signature-based filtering, the payload of a packet passing through the IPS is matched against attack patterns called signatures and dropped if matched. As the number of signatures increases, the time required for pattern matching per packet increases accordingly, so that it becomes difficult to develop a high-performance IPS that works without packet delay. In this paper, we propose a high-performance IPS based on signature hashing to make the pattern-matching time independent of the number of signatures. We implemented the proposed scheme as a Linux kernel module on a PC and tested it using a worm generator, a packet generator, and a network performance measurement instrument (SmartBits). Experimental results show that the performance of the existing method degrades as the number of signatures increases, whereas the performance of the proposed scheme does not.
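The effect the abstract describes, matching cost that stops growing with the rule count, can be seen by counting full signature comparisons. The following is an added example, not the paper's kernel module: it keys a hash table on the first KEY_LEN bytes of each signature (an assumption; the paper does not give its hash function) and compares that against a linear scan over constructed signatures and a constructed payload.

```python
"""Signature hashing for an inline IPS: pattern-matching cost independent of rule count.

Added example, not the paper's kernel module. The table is keyed on the first
KEY_LEN bytes of each signature (an assumption; the paper does not give its hash
function), so key position and length are the tuning knobs, as in Wu-Manber.
"""
from collections import defaultdict

KEY_LEN = 4


class SignatureHashMatcher:
    def __init__(self, signatures, key_len=KEY_LEN):
        self.key_len = key_len
        self.table = defaultdict(list)   # first key_len bytes -> signatures with that prefix
        self.short = []                  # signatures shorter than the key: linear fallback
        for sig in signatures:
            (self.table[sig[:key_len]] if len(sig) >= key_len else self.short).append(sig)

    def match(self, payload):
        """Return (matched signatures, number of full signature comparisons).
        At each offset only the bucket selected by the payload window is verified,
        so the work per offset depends on bucket size, not on the total rule count."""
        hits, compares = set(), 0
        for i in range(len(payload)):
            candidates = self.table.get(payload[i:i + self.key_len], ())
            for sig in list(candidates) + self.short:
                compares += 1
                if payload.startswith(sig, i):
                    hits.add(sig)
        return hits, compares


def naive_match(payload, signatures):
    """Linear scan: every signature is tried at every offset (cost ~ offsets x rules)."""
    hits, compares = set(), 0
    for i in range(len(payload)):
        for sig in signatures:
            compares += 1
            if payload.startswith(sig, i):
                hits.add(sig)
    return hits, compares


# Constructed rule set and packet payload (not from the paper's test setup).
SIGNATURES = [f"{i:04d}-EXPLOIT".encode() for i in range(2000)] + [b"../../etc/passwd"]
PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n1234-EXPLOIT stage1"

if __name__ == "__main__":
    print("naive :", naive_match(PAYLOAD, SIGNATURES))
    print("hashed:", SignatureHashMatcher(SIGNATURES).match(PAYLOAD))
```

Two caveats a deployment has to handle: signatures that share the same leading bytes collapse into one bucket and degrade back to a linear scan within it (choose the key offset for good spread), and a signature split across two packets is invisible to per-packet matching without stream reassembly.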

Service Identification Method for Encrypted Traffic Based on SSL/TLS (SSL/TLS 기반 암호화 트래픽의 서비스 식별 방법)

  • Kim, Sung-Min;Park, Jun-Sang;Yoon, Sung-Ho;Kim, Jong-Hyun;Choi, Sun-Oh;Kim, Myung-Sup
    • The Journal of Korean Institute of Communications and Information Sciences
    • /
    • v.40 no.11
    • /
    • pp.2160-2168
    • /
    • 2015
  • SSL/TLS, one of the most popular encryption protocols, was developed as a solution to various network security problems as network traffic has become complex and diverse. But SSL/TLS traffic has been identified only by its protocol name, not by the service using it, which is required for effective network traffic management. This paper proposes a new method to generate service signatures automatically from SSL/TLS payload data and to classify network traffic according to its application service. We utilize the certificate publication information field in the certificate-exchange record of SSL/TLS traffic for the service signatures, which occurs when SSL/TLS performs its handshake before encrypted transmission. We proved the performance and feasibility of the proposed method by experimental results that classify about 95% of SSL/TLS traffic with 95% accuracy for every SSL/TLS service.
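The handshake field this method relies on is readable before encryption starts. The following is an added example, not the authors' system: it reassembles the handshake layer from the server's TLS records, locates the Certificate message and reads the leaf certificate's subject commonName as the service signature. The sample handshake is constructed with a small DER encoder; which certificate field the paper calls "certificate publication information" is not specified, so subject CN is an assumption here.

```python
"""Service signature from the server Certificate in a TLS handshake.

Added example, not the paper's system. Subject commonName as the signature field
is an assumption; the sample records below are constructed, not captured.
"""
from typing import Optional

OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3
HANDSHAKE, HS_SERVER_HELLO, HS_CERTIFICATE = 22, 2, 11


def der_children(buf: bytes, start: int, end: int):
    """Yield (tag, value_start, value_end) for each DER TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                      # long form: next n bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, pos, pos + length
        pos += length


def subject_cn(cert: bytes) -> Optional[str]:
    outer = next(der_children(cert, 0, len(cert)))          # Certificate SEQUENCE
    tbs = next(der_children(cert, outer[1], outer[2]))      # tbsCertificate
    fields = list(der_children(cert, tbs[1], tbs[2]))
    if fields[0][0] == 0xA0:                                 # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, subj_s, subj_e = fields[4]                            # skip the issuer, it has a CN too
    for _, rdn_s, rdn_e in der_children(cert, subj_s, subj_e):      # SET OF AttributeTypeAndValue
        for _, atv_s, atv_e in der_children(cert, rdn_s, rdn_e):
            oid, val = list(der_children(cert, atv_s, atv_e))[:2]
            if cert[oid[1]:oid[2]] == OID_COMMON_NAME:
                return cert[val[1]:val[2]].decode("utf-8", "replace")
    return None


def handshake_bytes(server_to_client: bytes) -> bytes:
    """Concatenate handshake record payloads: one message may span several records."""
    out, pos = bytearray(), 0
    while pos + 5 <= len(server_to_client):
        ctype = server_to_client[pos]
        rlen = int.from_bytes(server_to_client[pos + 3:pos + 5], "big")
        if ctype == HANDSHAKE:
            out += server_to_client[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
    return bytes(out)


def service_signature(server_to_client: bytes) -> Optional[str]:
    hs, pos = handshake_bytes(server_to_client), 0
    while pos + 4 <= len(hs):
        mtype, mlen = hs[pos], int.from_bytes(hs[pos + 1:pos + 4], "big")
        body = hs[pos + 4:pos + 4 + mlen]
        if mtype == HS_CERTIFICATE and len(body) >= 6:
            leaf_len = int.from_bytes(body[3:6], "big")      # first list entry is the server's cert
            return subject_cn(body[6:6 + leaf_len])
        pos += 4 + mlen
    return None   # no cleartext Certificate: resumed session, or TLS 1.3 where it is encrypted


# --- constructed sample: minimal DER encoder and a handshake split over two records ---
def der(tag: int, body: bytes) -> bytes:
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def der_name(cn: str) -> bytes:
    return der(0x30, der(0x31, der(0x30, der(0x06, OID_COMMON_NAME) + der(0x13, cn.encode()))))


def build_sample(cn: str = "svc.example.net") -> bytes:
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSAEncryption
              + der_name("Example Test CA")                                   # issuer
              + der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
              + der_name(cn)                                                  # subject
              + der(0x30, b""))                                               # SPKI placeholder
    cert = der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
    cert_body = (3 + len(cert)).to_bytes(3, "big") + len(cert).to_bytes(3, "big") + cert
    hs = (bytes([HS_SERVER_HELLO]) + (38).to_bytes(3, "big") + b"\x03\x03" + b"\x00" * 32 + b"\x00\xc0\x2f\x00"
          + bytes([HS_CERTIFICATE]) + len(cert_body).to_bytes(3, "big") + cert_body)
    record = lambda chunk: b"\x16\x03\x03" + len(chunk).to_bytes(2, "big") + chunk
    return record(hs[:50]) + record(hs[50:])     # cut inside the Certificate message on purpose
```

The reassembly step matters in practice because servers routinely split a large certificate chain across records; the `None` return is the case a classifier must expect for TLS 1.3 and for resumed sessions, where no cleartext certificate is ever sent and a different signature source (for instance the ClientHello server_name extension) is needed.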

Multi-Level based Application Traffic Classification Method (멀티 레벨 기반의 응용 트래픽 분석 방법)

  • Oh, Young-Suk;Park, Jun-Sang;Yoon, Sung-Ho;Park, Jin-Wan;Lee, Sang-Woo;Kim, Myung-Sup
    • The Journal of Korean Institute of Communications and Information Sciences
    • /
    • v.35 no.8B
    • /
    • pp.1170-1178
    • /
    • 2010
  • Recently, as the number of users and the amount of application traffic are increasing on high-speed networks, the importance of application traffic classification is growing for efficient network resource management. Although a number of methods and algorithms for traffic classification have been introduced, they have limitations in terms of accuracy and completeness. In this paper we propose a multi-level architecture for application traffic classification which integrates several signature-based methods and a behavior algorithm, and analyzes traffic using the correlation among traffic flows. By combining the strengths and compensating for the weaknesses of the individual methods, we could construct a flexible and robust multi-level classification system. Also, by experiments with our campus network traffic we proved the performance and validity of the proposed mechanism.

Discussion of Preliminary Design Review for MIRIS, the Main Payload of STSAT-3

  • Han, Won-Yong;Jin, Ho;Park, Jang-Hyun;Nam, Uk-Won;Yuk, In-Soo;Lee, Sung-Ho;Park, Young-Sik;Park, Sung-Jun;Lee, Dae-Hee;Ree, Chang-H.;Jeong, Woong-Seob;Moon, Bong-Kon;Cha, Sang-Mok;Cho, Seoung-Hyun;Rhee, Seung-Woo;Park, Jong-Oh;Lee, Seung-Heon;Lee, Hyung-Mok;Matsumoto, Toshio
    • Bulletin of the Korean Space Science Society
    • /
    • 2008.10a
    • /
    • pp.27.1-27.1
    • /
    • 2008
  • KASI (Korea Astronomy and Space Science Institute) is developing a compact wide-field survey space telescope system, MIRIS (The Multi-purpose IR Imaging System), to be launched in 2010 as the main payload of the Korea Science and Technology Satellite 3. Through the recent System Design Review (SDR) and Preliminary Design Review (PDR), most of the system design concept was reviewed and confirmed. The near-IR imaging system adopted short F/2 optics for wide-field low-resolution observation in the 0.9~2.0 μm wavelength band, minimizing the effect of the attitude control system. The mechanical system is composed of a cover, baffle, optics, and detector system using a 256×256 Teledyne PICNIC FPA providing a 3.67×3.67 degree field of view with a pixel scale of 51.6 arcsec. We designed a support system to minimize heat transfer with Multi-Layer Insulation. The electronics of the MIRIS system is composed of 7 boards including DSP, control, and SCIF. Particular attention is being paid to developing a mission operation scenario for space observation that minimizes IR background radiation from the Earth and Sun. The scientific purpose of MIRIS is to survey the Galactic plane in the emission line of Paα (1.88 μm) and to detect the cosmic infrared background (CIB) radiation. The CIB is suspected to originate from the first generation of stars in the Universe, and we will test this hypothesis by comparing the fluctuations in the I (0.9~1.2 μm) and H (1.2~2.0 μm) bands to search for the red-shifted Lyman cutoff signature.


Real-time Identification of Skype Application Traffic using Behavior Analysis (동작형태 분석을 통한 Skype 응용 트래픽의 실시간 탐지 방법)

  • Lee, Sang-Woo;Lee, Hyun-Shin;Choi, Mi-Jung;Kim, Myung-Sup
    • The Journal of Korean Institute of Communications and Information Sciences
    • /
    • v.36 no.2B
    • /
    • pp.131-140
    • /
    • 2011
  • As the number of Internet users and applications increases, the importance of application traffic classification is growing for efficient network management. While a number of methods for traffic classification have been introduced, such as signature-based and machine-learning-based methods, the Skype application, which uses encrypted communication on its own P2P network, is known as one of the most difficult kinds of traffic to identify. In this paper we propose a novel method to identify Skype application traffic on the fly. The main idea is to set up a list of Skype host information {IP, port} by examining the packets generated in the Skype login process and to utilize the list to identify other Skype traffic. By implementing the identification system and deploying it on our campus network, we proved the performance and feasibility of the proposed method.

Study on the Functional Classification of IM Application Traffic using Automata (오토마타를 이용한 메신저 트래픽의 기능별 분류에 관한 연구)

  • Lee, Sang-Woo;Park, Jun-Sang;Yoon, Sung-Ho;Kim, Myung-Sup
    • The Journal of Korean Institute of Communications and Information Sciences
    • /
    • v.36 no.8B
    • /
    • pp.921-928
    • /
    • 2011
  • The increase of Internet users and services has caused an upsurge of data traffic over the network. Nowadays, a variety of Internet applications has emerged which generate complicated and diverse data traffic. For the efficient management of Internet traffic, many traffic classification methods have been proposed, but most of them focus on application-level classification, not function-level classification or the state changes of applications. Functional classification of application traffic makes possible a detailed understanding of application behavior as well as fine-grained control of application traffic. In this paper we propose an automata-based functional classification method for IM application traffic. We verified the feasibility of the proposed method with a function-level control experiment on IM application traffic.

Design and Implementation of a Web Application Firewall with Multi-layered Web Filter (다중 계층 웹 필터를 사용하는 웹 애플리케이션 방화벽의 설계 및 구현)

  • Jang, Sung-Min;Won, Yoo-Hun
    • Journal of the Korea Society of Computer and Information
    • /
    • v.14 no.12
    • /
    • pp.157-167
    • /
    • 2009
  • Recently, the leakage of confidential information and personal information is taking place on the Internet more frequently than ever before. Most such online security incidents are caused by attacks on vulnerabilities in web applications developed carelessly. It is impossible to detect an attack on a web application with existing firewalls and intrusion detection systems. Besides, signature-based detection has a limited capability in detecting new threats. Therefore, much research on detecting attacks on web applications employs anomaly-based detection methods that use web traffic analysis. Most research on anomaly-based detection through normal web traffic analysis focuses on three problems: how to accurately analyze the given web traffic, the system performance needed to inspect the application payload of packets, which is required to detect attacks on the application layer, and the maintenance and cost of the many newly installed network security devices. The UTM (Unified Threat Management) system, a suggested solution to these problems, aimed to resolve all security problems at once, but is not widely used due to its low efficiency and high cost. Besides, the web filter that performs one of the functions of the UTM system cannot adequately detect the variety of recent sophisticated attacks on web applications. In order to resolve such problems, studies are being carried out on the web application firewall as a new kind of network security system. As such studies focus on speeding up packet processing by depending on high-priced hardware, the cost of deploying a web application firewall is rising. In addition, current anomaly-based detection technologies that do not take into account the characteristics of the web application cause many false positives and false negatives.
    In order to reduce false positives and false negatives, this study suggests a real-time anomaly detection method based on analysis of the length of the parameter values contained in the web client's request. In addition, it designs and suggests a WAF (Web Application Firewall) that can be applied to a low-priced or legacy system to process application data without the help of dedicated hardware. Furthermore, it suggests a method to resolve the sluggish performance attributed to copying packets into the application area for application data processing. Consequently, this study makes it possible to deploy an effective web application firewall at low cost at a time when deploying an additional security system is considered burdensome because of the many network security systems already in use.
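The parameter-value-length check at the core of this method is small enough to show end to end. The following is an added example, not the paper's WAF: it profiles value lengths per (path, parameter) from constructed normal requests and flags a request whose value length exceeds mean + k·stddev; the threshold rule, the k and minimum-sample settings, and the sample requests are assumptions.

```python
"""Parameter-value-length anomaly detection for a WAF.

Added example, not the paper's implementation: per (path, parameter) the model
learns value lengths from normal requests and flags a request whose value length
exceeds mean + k*stddev. Training and test requests are constructed.
"""
import statistics
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit


class ParamLengthModel:
    def __init__(self, k: float = 3.0, min_samples: int = 5):
        self.k, self.min_samples = k, min_samples
        self.lengths = defaultdict(list)           # (path, param) -> observed value lengths

    @staticmethod
    def _params(request_line: str):
        """Split 'GET /path?a=b HTTP/1.1' into (path, [(name, value), ...]), percent-decoded,
        so an attacker cannot hide length behind URL encoding."""
        target = request_line.split()[1]
        parts = urlsplit(target)
        return parts.path, parse_qsl(parts.query, keep_blank_values=True)

    def train(self, request_line: str) -> None:
        path, params = self._params(request_line)
        for name, value in params:
            self.lengths[(path, name)].append(len(value))

    def limit(self, path: str, name: str):
        """Allowed length, or None when the parameter has no usable profile."""
        seen = self.lengths.get((path, name), [])
        if len(seen) < self.min_samples:
            return None
        # floor the deviation at 1 byte so a constant-length field still tolerates tiny drift
        return statistics.mean(seen) + self.k * max(statistics.pstdev(seen), 1.0)

    def check(self, request_line: str):
        """Return [(name, observed_length, limit)] for parameters that exceed their profile.
        Caveat: parameters never seen in training are not judged (no profile); they need
        a separate unknown-parameter policy."""
        path, params = self._params(request_line)
        flagged = []
        for name, value in params:
            lim = self.limit(path, name)
            if lim is not None and len(value) > lim:
                flagged.append((name, len(value), round(lim, 1)))
        return flagged


# Constructed normal traffic for /login (not a real log)
NORMAL = [f"GET /login?user={u}&lang=en HTTP/1.1" for u in
          ["alice", "bob", "carol", "dave", "erin", "frank", "georgia", "heidi"]]


def trained_model() -> ParamLengthModel:
    model = ParamLengthModel()
    for line in NORMAL:
        model.train(line)
    return model


if __name__ == "__main__":
    m = trained_model()
    print(m.check("GET /login?user=ivan&lang=en HTTP/1.1"))
    print(m.check("GET /login?user=%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20users--&lang=en HTTP/1.1"))
```

The flooring of the deviation is what keeps a fixed-width field such as a two-letter language code from raising an alert on any one-byte change while still catching a clearly oversized value; the unknown-parameter gap is the false-negative source a deployment must close separately, since a length model only judges what it has seen.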