• Proceedings of the IEEK Conference
• /
• 2006.06a
• /
• pp.207-208
• /
• 2006

Intrusion detection technology is highlighted in order to establish a safe information-oriented environment. Intrusion detection system can be categorized into anomaly detection and misuse detection according to intrusion detection pattern. In this paper, we propose an architecture to make up for the defect of conventional anomaly intrusion detection. This architecture reduces additional resource consumption and cost by placing the agent in the strategic location in Internet.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.8 no.4
• /
• pp.1307-1323
• /
• 2014

With the exhaustion of global IPv4 addresses, IPv6 technologies have attracted increasing attentions, and have been deployed widely. Meanwhile, new applications running over IPv6 networks will change the traditional traffic characteristics obtained from IPv4 networks. Traditional models obtained from IPv4 cannot be used for IPv6 network monitoring directly and there is a need to investigate those changes. In this paper, we explore the flow features of IPv6 traffic and compare its difference with that of IPv4 traffic from flow level. Firstly, we analyze the differences of the general flow statistical characteristics and users' behavior between IPv4 and IPv6 networks. We find that there are more elephant flows in IPv6, which is critical for traffic engineering. Secondly, we find that there exist many one-way flows both in the IPv4 and IPv6 traffic, which are important information sources for abnormal behavior detection. Finally, in light of the challenges of analyzing massive data of large-scale network monitoring, we propose a group flow model which can greatly reduce the number of flows while capturing the primary traffic features, and perform a comparative measurement analysis of group users' behavior dynamic characteristics. We find there are less sharp changes caused by abnormity compared with IPv4, which shows there are less large-scale malicious activities in IPv6 currently. All the evaluation experiments are carried out based on the traffic traces collected from the Northwest Regional Center of CERNET (China Education and Research Network), and the results reveal the detailed flow characteristics of IPv6, which are useful for traffic management and anomaly detection in IPv6.

• Journal of Internet Computing and Services
• /
• v.8 no.2
• /
• pp.55-65
• /
• 2007

BcN is a high-quality broadband network for multimedia services integrating telecommunication, broadcasting, and Internet seamlessly at anywhere, anytime, and using any device. BcN is Particularly vulnerable to intrusion because it merges various traditional networks, wired, wireless and data networks. Because of this, one of the most important aspects in BcN is security in terms of reliability. So, in this paper, we suggest the sharing mechanism of security data among various service networks on the BcN. This distributed, hierarchical architecture enables BcN to be robust of attacks and failures, controls data traffic going in and out the backbone core through IP edge routers integrated with IDRS. Our proposed anomaly detection scheme on IDRS for BcN service also improves detection rate compared to the previous conventional approaches.

• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.10 no.4
• /
• pp.811-817
• /
• 2009

The rapid growth of network based IT systems has resulted in continuous research of security issues. Probe intrusion detection is an area of increasing concerns in the internet community. Recently, a number of probe intrusion detection schemes have been proposed based on various technologies. However, the techniques, which have been applied in many systems, are useful only for the existing patterns of probe intrusion. They can not detect new patterns of probe intrusion. Therefore, it is necessary to develop a new Probe Intrusion Detection technology that can find new patterns of probe intrusion. In this paper, we proposed a new network based probe intrusion detector(NePID) using anomaly traffic analysis and fuzzy cognitive maps that can detect intrusion by the denial of services attack detection method utilizing the packet analyses. The probe intrusion detection using fuzzy cognitive maps capture and analyze the packet information to detect syn flooding attack. Using the result of the analysis of decision module, which adopts the fuzzy cognitive maps, the decision module measures the degree of risk of denial of service attack and trains the response module to deal with attacks. For the performance evaluation, the "IDS Evaluation Data Set" created by MIT was used. From the simulation we obtained the max-average true positive rate of 97.094% and the max-average false negative rate of 2.936%. The true positive error rate of the NePID is similar to that of Bernhard's true positive error rate.

• The KIPS Transactions:PartC
• /
• v.14C no.3 s.113
• /
• pp.199-208
• /
• 2007

In a ubiquitous network environment, detecting the leakage of personal information is very important. The leakage of personal information might cause severe problem such as impersonation, cyber criminal and personal privacy violation. In this paper, we have proposed a detection method of personal information leakage based on network traffic characteristics. The experimental results indicate that the traffic character of a real campus network shows the self-similarity and Proposed method can detect the anomaly of leakage of personal information by malicious code.

• Journal of Chest Surgery
• /
• v.11 no.1
• /
• pp.112-116
• /
• 1978

A congenital agenesis of right diaphragm which is very rare diaphragmatic anomaly was experienced in a 7-year old male patient who was very well until receiving traffic accident on Nov. 1, 1977. Congenital agenesis of diaphragm have been reported only 3 cases in the world, and no one have been reported in Korea. The surgical result of this patient was successful and the review of the literature was made.

• Review of KIISC
• /
• v.17 no.2
• /
• pp.80-89
• /
• 2007

네트워크 트래픽에서 비정상(anomaly)을 탐지하는 것은 아주 중요하지만 아직 완전히 해결되지 않은 문제이다. 비정상 유형을 관찰하기 위하여 일반적으로 트래픽 플로(traffic flow)를 감시한다. 트래픽 플로는 여러 가지 네트워크 트래픽의 형태를 제시한다. 이런 트래픽 플로의 집합에 대한 분석은 매우 복잡한 문제이고, 또한 트래픽 플로 수집을 위해서는 많은 자원이 소요된다. 본 논문에서는 비정상 트래픽 유형을 공격 형태 및 트래픽 플로 두 가지의 다른 측면에서 제시하고 그 특성을 기술한다. 그리고 앞으로 나타날 새로운 웜 공격 유형에 대하여도 제시한다.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.2 no.3
• /
• pp.135-149
• /
• 2008

Traditional attack detection schemes based on packets or flows have very high computational complexity. And, network based anomaly detection schemes can reduce the complexity, but they have a limitation to figure out the pattern of the distributed global scale network attack. In this paper, we propose an efficient and fast method for detecting distributed global-scale network attack symptoms in high-speed backbone networks. The proposed method is implemented at the aggregate traffic level. So, our proposed scheme has much lower computational complexity, and is implemented in very high-speed backbone networks. In addition, the proposed method can detect attack patterns, such as attacks in which the target is a certain host or the backbone infrastructure itself, via collaboration of edge routers on the backbone network. The effectiveness of the proposed method are demonstrated via simulation.

• Journal of KIISE:Information Networking
• /
• v.33 no.3
• /
• pp.201-217
• /
• 2006

In this paper, we collected the physical traces from high speed Internet backbone traffic and analyze the various characteristics of the underlying packet traces. Particularly, our work is focused on analyzing the characteristics of an anomalous traffic. It is found that in our data, the anomalous traffic is caused by UDP session traffic and we determined that it was one of the Denial of Service attacks. In this work, we adopted the unsupervised machine learning algorithm to classify the network flows. We apply the k-means clustering algorithm to train the learner. Via the Cramer-Yon-Misses test, we confirmed that the proposed classification method which is able to detect anomalous traffic within 1 second can accurately predict the class of a flow and can be effectively used in determining the anomalous flows.

• The Journal of the Korea institute of electronic communication sciences
• /
• v.8 no.12
• /
• pp.1841-1848
• /
• 2013

In this paper, the plans for improvement of real-time security monitoring accuracy and expansion of control region were investigated through comprehensive and systematic collection and analysis of the anomalous activities that inflow and outflow in the network on a large scale in order to overcome the existing security monitoring system based on stylized detection patterns which could correspond to only very limited cyber attacks. This study established an anomaly observation system to collect, store and analyze a diverse infringement threat information flowing into the darknet network, and presented the information classification system of cyber threats, unknown anomalies and high-risk anomalous activities through the statistics based trend analysis of hacking. If this security monitoring system utilizing darknet traffic as presented in the study is applied, it was indicated that detection of all infringement threats was increased by 12.6 percent compared with conventional case and 120 kinds of new type and varietal attacks that could not be detected in the past were detected.