Title/Summary/Keyword: Real-time Attack Detection

Efficient Feature Selection Based Near Real-Time Hybrid Intrusion Detection System (근 실시간 조건을 달성하기 위한 효과적 속성 선택 기법 기반의 고성능 하이브리드 침입 탐지 시스템)

  • Lee, Woosol; Oh, Sangyoon
    • KIPS Transactions on Computer and Communication Systems, v.5 no.12, pp.471-480, 2016
  • Recently, the damage of cyber attacks toward infra-systems, national defence and security systems is gradually increasing. In this situation, the military recognizes the importance of cyber warfare, and it establishes a cyber system in preparation, regardless of the existence of threats. Thus, the study of Intrusion Detection Systems (IDS), which play an important role in network defence systems, is required. IDS is divided into misuse and anomaly detection methods. Recent studies attempt to combine those two methods to maximize the advantages and to minimize the disadvantages of both misuse and anomaly detection. The combination is called Hybrid IDS. Previous studies would be inappropriate for near real-time network environments because they have computational complexity problems. This leads to the need for a study considering the structure of an IDS that has a high detection rate and low computational cost. In this paper, we propose a Hybrid IDS which combines a C4.5 decision tree (misuse detection method) and a Weighted K-means algorithm (anomaly detection method) hierarchically. It can detect malicious network packets effectively with low complexity by applying a mutual information and genetic algorithm based efficient feature selection technique. Also, we construct an upgraded hierarchical structure of the IDS by reusing feature weights in the anomaly detection section. It is validated in the experiment section that the proposed Hybrid IDS ensures high detection accuracy (98.68%) and performance.

A Study on Similarity Comparison for File DNA-Based Metamorphic Malware Detection (파일 DNA 기반의 변종 악성코드 탐지를 위한 유사도 비교에 관한 연구)

  • Jang, Eun-Gyeom; Lee, Sang Jun; Lee, Joong In
    • Journal of the Korea Society of Computer and Information, v.19 no.1, pp.85-94, 2014
  • This paper studied a detection technique using file DNA-based behavior pattern analysis in order to minimize damage to user systems by malicious programs before a signature or security patch is released. The file DNA-based detection technique was applied to defend against zero-day attacks and to minimize false detection, by remedying weaknesses of the conventional network-based packet detection technique and process-based detection technique. For the file DNA-based detection technique, abnormal behaviors of malware were split into network-related behaviors and process-related behaviors. This technique was employed to check and block crucial process and network behaviors operating in the user system, according to fixed conditions, to analyze the similarity of behavior patterns of malware based on the file DNA in which process behaviors and network behaviors are mixed, and to deal with it rapidly through hazard warning and cut-off.

Real-Time Web Attack Detection Visualization Tool Design and Implementation using HTTP Header Information (HTTP Header를 이용한 실시간 웹 공격 탐지 시각화 도구의 설계 및 구현)

  • Koo Bon-Hyun; Cho Kyu-Hyung; Cho Sang-Hyun; Moon Jong-Sub
    • Proceedings of the Korea Institutes of Information Security and Cryptology Conference, 2006.06a, pp.637-640, 2006
  • In this paper, we propose a visualization tool that detects web attacks in real time through analysis of HTTP request and response header information. The attack detection technique integrates anomaly and misuse detection. Anomaly detection uses probability values obtained from a Bayesian distribution over the Refer and Uri fields of the header information, and misuse detection uses the web attack portion of Snort's attack signatures. For efficient delivery of attack detection information, the visualization is implemented as a GUI. This paper proposes a technique that visualizes and presents in real time the monitoring of abnormal user-agent behavior, frequency analysis, and attack agent location tracking.

Anomalous Traffic Measurement using Entropy: An Empirical Study (엔트로피를 이용한 이상 트래픽 측정: 실제 사례를 통한 접근)

  • Kim, Jung-Hyun; Won, You-Jip
    • Proceedings of the IEEK Conference, 2007.07a, pp.59-60, 2007
  • Entropy, one of the leading metrics on anomalous traffic, attracts researchers' attention since packet sampling and traffic volume have little impact on the entropy value. In this paper, we apply the entropy metric to a domestic network traffic trace which contains real anomalous traffic. We used source IP address/port and destination IP address/port, which are important attributes of a packet, as entropy variables. We found that the entropy value of a multiple-port DoS attack shows something related to a staircase fashion. Also, we show the possibility of detecting anomalous traffic on a small time scale.

Design and Implementation of a Real Time Access Log for TCP/IP Protocol Weakness Attack Detection (TCP/IP 프로토콜 취약성 공격 탐지를 위한 실시간 접근 로그 설계 및 구현)

  • 국경완; 이상훈
    • Proceedings of the Korean Information Science Society Conference, 2001.10a, pp.733-735, 2001
  • As networks have become widespread, terror using cyberspace is occurring all over the world. The TCP/IP protocol is one of the most widely used network technologies today, used not only on the Internet but also in many small private computer networks. However, because of the security weaknesses of TCP itself, various hacking techniques such as SYN attacks, TCP Sequence Number attacks, IP Spoofing, TCP Connection hijacking, and Sniffing have appeared. In this paper, to prepare for cases in which an attack exploiting TCP/IP protocol weaknesses cannot be detected or blocked, we implement a system that generates a real-time access log file so that the system administrator can make decisions and, at the same time, the system itself can respond; we verify its validity and present the expected effects.

Framework on Cache Side-channel Attack Detection Using Real-time Monitoring (실시간 모니터링을 이용한 캐시 부채널 공격 탐지 프레임워크)

  • Im, Miok; Kim, Soojin; Shin, Youngjoo
    • Proceedings of the Korea Information Processing Society Conference, 2020.05a, pp.142-145, 2020
  • A cache side-channel attack is a cache-based attack technique and a security vulnerability with a high risk of personal information leakage. To counter this vulnerability, research on real-time attack detection techniques is being conducted, but there is a need to show event values and detection results to the user quickly and conveniently. In this paper, for efficient cache side-channel attack detection, we built a framework that improves Intel PCM and an existing detection program to monitor the data needed for detection in real time and to send alerts. The framework detects cache side-channel attacks in real time and shows the related data on a dashboard.

A Traceback-Based Authentication Model for Active Phishing Site Detection for Service Users (서비스 사용자의 능동적 피싱 사이트 탐지를 위한 트레이스 백 기반 인증 모델)

  • Baek Yong Jin; Kim Hyun Ju
    • Convergence Security Journal, v.23 no.1, pp.19-25, 2023
  • The current network environment provides a real-time interactive service, having evolved from an initial one-way information provision service. Depending on the form of web-based information sharing, it is possible to provide various knowledge and services between users. However, in this web-based real-time information sharing environment, cases of damage by illegal attackers who exploit network vulnerabilities are increasing rapidly. In particular, attackers who attempt a phishing attack actively generate a forged web page and then induce a user who needs a specific web page service to follow a link to it. In this paper, we analyze whether users can directly and actively detect a forged specific site, rather than relying on a passive server-based detection method. For this purpose, it is possible to prevent leakage of important personal information of general users by detecting the disguised webpage of an attacker who induces illegal webpage access, using traceback information.

Adaptive Intrusion Detection Algorithm based on Artificial Immune System (인공 면역계를 기반으로 하는 적응형 침입탐지 알고리즘)

  • Sim, Kwee-Bo; Yang, Jae-Won
    • Journal of the Korean Institute of Intelligent Systems, v.13 no.2, pp.169-174, 2003
  • The attempts and successes of malicious cyber attacks have increased rapidly with the spread of the Internet, the activation of Internet shopping malls and the supply of online and offline Internet services, so the problem is expected to grow more and more. The goal of intrusion detection is to identify unauthorized use, misuse, and abuse of computer systems by both system insiders and external penetrators in real time. In fact, the general Internet-based security system could not cope with the attack properly, if at all. Other regular systems have depended on common vaccine software to cope with the attack. But in this paper, we will use the positive selection and negative selection mechanisms of T-cells, which form a biologically distributed autonomous system, to develop the self/nonself recognition algorithm and an AIS (Artificial Immune System) that is easy to make concrete on an artificial system. To realize this, we will apply the AIS to the network environment as a computer security system.

A Tag Response Loss Detection Scheme for RFID Group Proof (RFID 그룹증명을 위한 응답손실 감지기법)

  • Ham, Hyoungmin
    • The Journal of the Korea Contents Association, v.19 no.9, pp.637-645, 2019
  • The RFID group proof is an extension of the yoking proof, proving that multiple tags are scanned by a reader simultaneously. Existing group proof schemes provide only delayed tag loss detection, which detects the loss of a tag response in the verification phase. However, delayed tag loss detection is not suitable for real-time applications where tag loss must be detected immediately. In this study, I propose a tag response loss detection scheme which quickly detects the loss of a tag response during the proof generation process. In the proposed scheme, the tag responds with the sequence number assigned to the tag group, and the reader detects the loss of the tag response through the sequence number. Through an experiment on indistinguishability, I show that the sequence number is secure against a message-analysis attack that tries to distinguish between specific tags and tag groups. In terms of efficiency, the proposed scheme requires fewer transmissions and database operations than existing techniques to determine which tag's response is lost.

A Calculation Method of Source Level of Underwater Transient Noise by Frequency Band (주파수 대역별 수중 순간소음 음원준위 산출 기법)

  • Choi, Jae-Yong; Oh, Jun-Seok; Lee, Phil-Ho
    • Journal of the Korea Institute of Military Science and Technology, v.13 no.4, pp.528-533, 2010
  • This paper describes a calculation method for the source level of ship transient noise, which is one of the important elements for ship detection. The aim of transient noise measurements is to evaluate the acoustic energy due to a singular occurrence, which is therefore defined as non-periodic, short-term events like an attack periscope, a rudder or a torpedo door. In general, in the case of randomly spaced impulses, the spectrum becomes broadband random noise with no distinctive pattern. Therefore, frequency analysis is not particularly revealing for this type of signal. In this paper, the analysis of transient noise is performed in the time domain. However, the source level of transient noise requires investigation over multiple frequency bands. So, in order to calculate the source level of transient noise, the design of an exponential weighting function, convolution, band-pass filtering, peak detection, root mean square, and parameter compensation are applied. The effectiveness of this calculation scheme is studied through computer simulations and a sea test. Furthermore, the method is applied to a real case.