• Journal of the Korea Society for Simulation
• /
• v.21 no.4
• /
• pp.91-102
• /
• 2012

Network port scan attack is the method for finding ports opening in a local network. Most existing IDSs(intrusion detection system) record the number of packets sent to a system per unit time. If port scan count from a source IP address is higher than certain threshold, it is regarded as a port scan attack. The degree of risk about source IP address performing network port scan attack depends on attack count recorded by IDS. However, the measurement of risk based on the attack count may reduce port scan detection rates due to the increased false negative for slow port scan. This paper proposes a method of summarizing 4 types of information to differentiate network port scan attack more precisely and comprehensively. To integrate the riskiness, we present a risk index that quantifies the risk of port scan attack by using PCA. The proposed detection method using risk index shows superior performance than Snort for the detection of network port scan.

• The Transactions of The Korean Institute of Electrical Engineers
• /
• v.56 no.5
• /
• pp.980-986
• /
• 2007

Boundary scan test structure(JTAG IEEE 1149.1 standard) that supports an internal scan chain is generally being used to test CUT(circuit under test). Since the internal scan chain can only have a single scan-in port and a single scan-out port; however, existing boundary test methods can not be used when multiple scan chains are present in CUT. Those chains must be stitched to form a single scan chain as shown in this paper. We propose an efficient boundary scan test structure that adds a circuit called Clock Group Register(CGR) for multiple clocks testing within the design of multiple scan chains. The proposed CGR has the function of grouping clocks. By adding CGR to a previously existing boundary scan design, the design is modified. This revised scan design overcomes the limitation of supporting a single scan-in port and out port, and it bolsters multiple scan-in ports and out ports. Through our experiments, the effectiveness of CGR is proved. With this, it is possible to test more complicated designs that have high density with a little effort. Furthermore, it will also benefit in designing those complicated circuits.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.16 no.3
• /
• pp.65-76
• /
• 2006

This paper deals with an effective algerian aimed at improving the port scan detection in an intrusion detection system (IDS). In particular, a detection correlation algerian is proposed to maximize the detection capability in the network-based IDS whereby the 'misuse' is flagged for analysis to establish intrusion profile in relation to the overall port scan detection process. In addition, we establish an appropriate system maintenance policy for port scan detection as preprocessor for improved port scan in IDS, thereby achieving minimum false positive in the misuse detection engine while enhancing the system performance.

• Journal of Advanced Information Technology and Convergence
• /
• v.9 no.1
• /
• pp.1-10
• /
• 2019

In recent years, information collection of attacks through stealth port scanning technology has become more sophisticated. The most commonly used Nmap port scanner supports a variety of stealth scanning technologies along with the existing scanning techniques. Nmap also supports Idle scan that is different from conventional stealth scans. This is a more sophisticated stealth scan technique by applying the SYN scan and ACK scan techniques. In previous studies, the detection of Idle scanning was on zombie system, but was not on victim system. In this paper, we propose an effective detection method of Idle scan on victim system. The Idle scanning is composed of two stages; they are probing the zombie and victim system and scanning the victim system. We analyzed the characteristics of the two stages. The characteristics, we captured, are that SYN and RST packets are different from normal packet. We applied them to detection method, then Idle scanning is detected effectively.

• Proceedings of the KIEE Conference
• /
• 2007.07a
• /
• pp.1850-1851
• /
• 2007

To the Boundary Scan, this architecture in Scan testing of design under the control of boundary scan is used in boundary scan design to support the internal scan chain. The internal scan chain has single scan-in port and single scan-out port that multiple scan chain cannot be used. Internal scan design has multiple scan chains, those chains must be stitched to form a scan chain as this paper. We propose an efficient Boundary Scan test structure for multiple clock testing in design.

• Proceedings of the KIEE Conference
• /
• 2007.07a
• /
• pp.1840-1841
• /
• 2007

To the Boundary Scan, this architecture in Scan testing of design under the control of boundary scan is used in boundary scan design to support the internal scan chain. The internal scan chain has single scan-in port and single scan-out port that multiple scan chain cannot be used. Internal scan design has multiple scan chains, those chains must be stitched to form a scan chain as this paper. We propose an efficient Boundary Scan test structure for multiple clock testing in design.

• Journal of the Korean Institute of Intelligent Systems
• /
• v.18 no.5
• /
• pp.679-684
• /
• 2008

The slow port scan attack detection is the one of the important topics in the network security. We suggest an abnormal traffic control framework to detect slow port scan attacks using fuzzy rules. The abnormal traffic control framework acts as an intrusion prevention system to suspicious network traffic. It manages traffic with a stepwise policy: first decreasing network bandwidth and then discarding traffic. In this paper, we show that our abnormal traffic control framework effectively detects slow port scan attacks traffic using fuzzy rules and a stepwise policy.

• Convergence Security Journal
• /
• v.7 no.1
• /
• pp.63-75
• /
• 2007

Most of computer systems to be connected to network have been exposed to some network attacks and became to targets of system attack. System managers have established the IDS to prevent the system attacks over network. The previous IDS have decided intrusions detecting the requested connection packets more than critical values in order to detect attacks. This techniques have False Positive possibilities and have difficulties to detect the slow scan increasing the time between sending scan probes and the coordinated scan originating from multiple hosts. We propose the port scan detection rules detecting the RST/ACK flag packets to request some abnormal connections and design the data structures capturing some of packets. This proposed system is decreased a False Positive possibility and can detect the slow scan, because a few data can be maintained for long times. This system can also detect the coordinated scan effectively detecting the RST/ACK flag packets to be occurred the target system.

• Journal of KIISE:Information Networking
• /
• v.31 no.2
• /
• pp.171-178
• /
• 2004

Port scanning detection systems should rather satisfy a certain level of the requirement for system performance like a low rate of “False Positive” and “False Negative”, and requirement for convenience for users to be easy to manage the system security with detection systems. However, public domain Real Time Scan Detection Systems have high rate of false detection and have difficulty in detecting various scanning techniques. In addition, as current real time scan detection systems are based on command interface, the systems are poor at user interface and thus it is difficult to apply them to the system security management. Hence, we propose TkRTSD(Tcl/Tk Real Time Scan Detection System) that is able to detect various scan attacks based on port scanning techniques by applying a set of new filter rules, and minimize the rate of False Positive by applying proposed ABP-Rules derived from attacker's behavioral patterns. Also a GUI environment for TkRTSD is implemented by using Tcl/Tk for user's convenience of managing network security.

• Journal of Korea Multimedia Society
• /
• v.4 no.6
• /
• pp.570-578
• /
• 2001

Boundary scan architecture test methodology was introduced to facilitate the testing of complex printed circuit board. The boundary scan architecture has a tremendous potential for real time monitoring of the operational status of a system without interference of normal system operation. In this paper, a new type of embedded controller for real time monitoring of the operational status of a system is proposed and designed by using boundary scan architecture. The proposed real time monitoring embedded controller consists of test access port controller and an embedded controller proposed real time monitoring embedded controller using boundary scan architecture can save the hard-wire resource and can easily interface with boundary scan architecture chip. Experimental results show that the real time monitoring using proposed embedded controller is more effective then the real time monitoring using host computer.