• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.23 no.6
• /
• pp.1181-1190
• /
• 2013

The GOOSE(Generic Object Oriented Substation Event) is used as a network protocol to communicate between IEDs(Intelligent Electronic Devices) in international standard IEC 61850 of substation automation system. Nevertheless, the GOOSE protocol is facing many similar threats used in TCP/IP protocol due to ethernet-based operation. In this paper, we develop a IDS(Intrusion Detection System) for secure GOOSE Protocol using open software-based IDS Snort. In this IDS, two security functions for keyword search and DoS attack detection are implemented through improvement of decoding and preprocessing component modules. And we also implement the GOOSE IDS and verify its accuracy using GOOSE packet generation and communication experiment.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2004.05a
• /
• pp.88-92
• /
• 2004

Most studies in the past in testing and benchmarking on Intrusion Detection System (IDS) were conducted as comparisons, rather than evaluation, on different IDSs. This paper presents the evaluation of the performance of one of the open source IDS, snort, in an inexpensive high availability system configuration. Redundancy and fault tolerance technology are used in deploying such IDS, because of the possible attacks that can make snort exhaust resources, degrade in performance and even crash. Several test data are used in such environment and yielded different results. CPU speed, Disk usage, memory utilization and other resources of the IDS host are also monitored. Test results with the proposed system configuration environment show much better system availability and reliability, especially on security systems.

• Proceedings of the Korea Society of Information Technology Applications Conference
• /
• 2005.11a
• /
• pp.259-262
• /
• 2005

This paper addresses the problem of protecting security policies in security mechanisms, such as the detection policy of an Intrusion Detection System. Unauthorized disclosure of such information might reveal the fundamental principles and methods for the protection of the whole network. In order to avoid this risk, we suggest two schemes for protecting security policies in Snort using the symmetric cryptosystem, Triple-DES.

• Proceedings of the Korean Information Science Society Conference
• /
• 2004.04a
• /
• pp.292-294
• /
• 2004

본 논문에서는 룰 기반의 침입탐지 시스템을 위한 새로운 룰 보호기법을 제안한다. 오랫동안, 룰 기반의 침입탐지 시스템에서는 침입탐지 시스템의 룰 자체에 대한 보호기법은 고려하지 않았다. 최근에 손등 ［1］은 Snort를 기반으로 하는 룰 보호기법을 제시하였다. 이 기법에서는 룰의 헤더정보에 대한 보호기법은 제시하지만 패킷의 내용(Contents) 부분에 대한 보호기법은 제시하지 못했다. 이러한 문제를 해결하기 위해서 본 논문에서는 Snort 뿐만 아니라 모든 룰 기반의 침입탐지 시스템에서 룰을 보호할 수 있는 새로운 룰 보호기법을 제시한다.

• The KIPS Transactions:PartA
• /
• v.12A no.2 s.92
• /
• pp.87-94
• /
• 2005

Pattern matching is one of critical parts of Network Intrusion Prevention Systems (NIPS) and computationally intensive. To handle a large number of attack signature fattens increasing everyday, a network intrusion prevention system requires a multi pattern matching method that can meet the line speed of packet transfer. In this paper, we analyze Snort, a widely used open source network intrusion prevention/detection system, and its pattern matching characteristics. A multi pattern matching method for NIPS should efficiently handle a large number of patterns with a wide range of pattern lengths and case insensitive patterns matches. It should also be able to process multiple input characters in parallel. We propose a multi pattern matching hardware accelerator based on Shift-OR pattern matching algorithm. We evaluate the performance of the pattern matching accelerator under various assumptions. The performance evaluation shows that the pattern matching accelerator can be more than 80 times faster than the fastest software multi-pattern matching method used in Snort.

• Journal of the Speleological Society of Korea
• /
• no.73
• /
• pp.15-19
• /
• 2006

• Proceedings of the Korea Information Processing Society Conference
• /
• 2006.05a
• /
• pp.901-904
• /
• 2006

인터넷 사용자들의 무선 네트워크의 활용빈도가 점차 높아지고 무선 네트워크의 보안시스템도 요구되면서 무선 네트워크의 안정적이고 원활한 활용과 사용자의 정보 노출의 위험을 줄이고자 유무선 통합형 IDS/IPS도 개발되고 있는 단계다. 본 논문에서는 무선랜 환경을 지원하는 유무선 IPS시스템을 구현하고, 비정상적인 트래픽 탐지의 효율성을 높여 IPS 시스템의 성능향상에 기여정도를 파악 및 분석하였다. 본 논문에서 구축한 IPS시스템은 하이브리드 형태로 구현하였으며 Snort-inline[11]과 Snort-wireless[12] 모듈을 사용하여 무선 랜 이상탐지 기능을 구현하였다. 네트워크 모니터링 시스템으로 네트워크의 트래픽 상황을 파악하여 비정상적인 트래픽이 증가되었을 경우, 제안한 IPS시스템에서 비정상 트래픽의 탐지 및 차단 기능을 기존 IPS와 성능을 비교/분석하였다.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.4 no.5
• /
• pp.956-967
• /
• 2010

Rapid growth of internet applications has increased the importance of intrusion detection system (IDS) performance. String matching is the most computation-consuming task in IDS. In this paper, a new algorithm for multiple string matching is proposed. This proposed algorithm is based on the canonical Aho-Corasick algorithm and it utilizes a bidirectional and parallel processing structure to accelerate the matching speed. The proposed string matching algorithm was implemented and patched into Snort for experimental evaluation. Comparing with the canonical Aho-Corasick algorithm, the proposed algorithm has gained much improvement on the matching speed, especially in detecting multiple keywords within a long input text string.

• The Journal of the Korea Contents Association
• /
• v.7 no.11
• /
• pp.94-101
• /
• 2007

We introduce the way to detect the mutation worm. We implemented the program that can generate signature using LCSeq(Longest Common Subsequence) technique in Suffix Tree studied as pattern recognition algorithm. We also showed the process to detect the mutation of CodeRed worm and Nimda worm and evaluated signatures generated by snort and LCSeq.

• The KIPS Transactions:PartC
• /
• v.12C no.4 s.100
• /
• pp.503-510
• /
• 2005

With the increasing importance of network protection from cyber threats, it is requested to develop a multi-gigabit rate pattern matching method for protecting against malicious attacks in high-speed network. This paper devises a high-speed pattern matching algorithm with TCAM by using an m-byte jumping window pattern matching scheme. The proposed algorithm significantly reduces the number of TCAM lookups per payload by m times with the marginally enlarged TCAM size which can be implemented by cascading multiple TCAMs. Due to the reduced number of TCAM lookups, we can easily achieve multi-gigabit rate for scanning the packet payload. It is shown by simulation that for the Snort nile with 2,247 patterns, our proposed algorithm supports more than 10 Gbps rate with a 9Mbit TCAM.