• Journal of Korean Society of Industrial and Systems Engineering
• /
• v.44 no.4
• /
• pp.169-176
• /
• 2021

Maritime monitoring requirements have been beyond human operators capabilities due to the broadness of the coverage area and the variety of monitoring activities, e.g. illegal migration, or security threats by foreign warships. Abnormal vessel movement can be defined as an unreasonable movement deviation from the usual trajectory, speed, or other traffic parameters. Detection of the abnormal vessel movement requires the operators not only to pay short-term attention but also to have long-term trajectory trace ability. Recent advances in deep learning have shown the potential of deep learning techniques to discover hidden and more complex relations that often lie in low dimensional latent spaces. In this paper, we propose a deep autoencoder-based clustering model for automatic detection of vessel movement anomaly to assist monitoring operators to take actions on the vessel for more investigation. We first generate gridded trajectory images by mapping the raw vessel trajectories into two dimensional matrix. Based on the gridded image input, we test the proposed model along with the other deep autoencoder-based models for the abnormal trajectory data generated through rotation and speed variation from normal trajectories. We show that the proposed model improves detection accuracy for the generated abnormal trajectories compared to the other models.

• Proceedings of the Korean Institute of Navigation and Port Research Conference
• /
• 2015.07a
• /
• pp.310-311
• /
• 2015

Ships' tracking data are being monitored and collected by vessel traffic service center in real time. In this paper, we intend to contribute to vessel traffic service operators' decision making through extracting ships' tracking patterns and models based on these data. Support Vector Machine algorithm was used for vessel track modeling to handle and process the data sets and k-fold cross validation was used to select the proper parameters. Proposed data processing methods could support vessel traffic service operators' decision making on case of anomaly detection, calculation ships' dead reckoning positions and etc.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.31 no.2A
• /
• pp.79-85
• /
• 2006

Generally, it is essential that high-speed routers, switches, and network security appliances should have an efficient packet classification scheme in order to achieve the high-speed packet forwarding capability. For the multi-gigabit packet-processing network equipment the high-speed content search hardware such as TCAM and search engine is recently used to support the content-based packet inspection. During the packet classification process, hundreds and thousands of rules are applied to provide the network security policies regarding traffic screening, traffic monitoring, and traffic shaping. In addition, these rules could be dynamically changed during operations of systems if anomaly traffic patterns would vary. Particularly, in the high-speed network, an efficient algorithm that updates and reorganizes the packet classification rules is critical so as not to degrade the performance of the network device. In this paper, we have proposed an efficient update algorithm using a partial-ordering that can relocate the dynamically changing rules at the TCAM. Experimental results should that our algorithm does not need to relocate existing rules feature until 70$\%$ of TCAM utilization.

• KIPS Transactions on Computer and Communication Systems
• /
• v.1 no.1
• /
• pp.55-60
• /
• 2012

Recent botnets are widely using the DNS services at the connection of C&C server in order to evade botnet's detection. It is necessary to study on DNS analysis in order to counteract anomaly-based technique using the DNS. This paper studies collection of DNS traffic for experimental data and supervised learning for DNS traffic-based malicious domain classification such as query of domain name corresponding to C&C server from zombies. Especially, this paper would aim to determine significant features of DNS-based classification system for malicious domain extraction by the Principal Component Analysis(PCA).

• Journal of the Institute of Electronics Engineers of Korea TC
• /
• v.45 no.6
• /
• pp.34-51
• /
• 2008

Today, the Internet is a part of our life. For that reason, we regard revealing characteristics of Internet traffic as an important research theme. However, Internet traffic cannot be easily manipulated because it usually occupy huge capacity. This problem is a serious obstacle to analyze Internet traffic. Many researchers use various sampling techniques to reduce capacity of Internet traffic. In this paper, we compare several famous sampling techniques, and propose efficient sampling scheme. We chose some sampling techniques such as Systematic Sampling, Simple Random Sampling and Stratified Sampling with some sampling intensities such as 1/10, 1/100 and 1/1000. Our observation focused on Traffic Volume, Entropy Analysis and Packet Size Analysis. Both the simple random sampling and the count-based systematic sampling is proper to general case. On the other hand, time-based systematic sampling exhibits relatively bad results. The stratified sampling on Transport Layer Protocols, e.g.. TCP, UDP and so on, shows superior results. Our analysis results suggest that efficient sampling techniques satisfactorily maintain variation of traffic stream according to time change. The entropy analysis endures various sampling techniques well and fits detecting anomalous traffic. We found that a traffic volume diminishment caused by bottleneck could induce wrong results on the entropy analysis. We discovered that Packet Size Distribution perfectly tolerate any packet sampling techniques and intensities.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.4
• /
• pp.617-629
• /
• 2020

In order to overcome the limitations of the rule-based intrusion detection system due to changes in Internet computing environments, the emergence of new services, and creativity of attackers, network anomaly detection (NAD) using machine learning and deep learning technologies has received much attention. Most of these existing machine learning and deep learning technologies for NAD use supervised learning methods to learn a set of training data set labeled 'normal' and 'attack'. This paper presents the feasibility of the unsupervised learning AutoEncoder(AE) to NAD from data sets collecting of secured network traffic without labeled responses. To verify the performance of the proposed AE mode, we present the experimental results in terms of accuracy, precision, recall, f1-score, and ROC AUC value on the NSL-KDD training and test data sets. In particular, we model a reference AE through the deep analysis of diverse AEs varying hyper-parameters such as the number of layers as well as considering the regularization and denoising effects. The reference model shows the f1-scores 90.4% and 89% of binary classification on the KDDTest+ and KDDTest-21 test data sets based on the threshold of the 82-th percentile of the AE reconstruction error of the training data set.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.4
• /
• pp.809-817
• /
• 2012

One of the OSI 7 Layer DDoS Attack, HTTP POST DDoS can deny legitimate service by web server resource depletion. This Attack can be executed with less network traffic and legitimate TCP connections. Therefore, It is difficult to distinguish DDoS traffic from legitimate users. In this paper, I propose an anomaly HTTP POST traffic detection algorithm and http each page Content-Length field size limit with defense method for HTTP POST DDoS attack. Proposed method showed the result of detection and countermeasure without false negative and positive to use the r-u-dead-yet of HTTP POST DDoS attack tool and the self-developed attack tool.

• Journal of Information Technology Services
• /
• v.22 no.5
• /
• pp.99-108
• /
• 2023

As the computerization of hospitals becomes more advanced, security issues regarding data generated from various medical devices within hospitals are gradually increasing. For example, because hospital data contains a variety of personal information, attempts to attack it have been continuously made. In order to safely protect data from external attacks, each hospital has formed an internal team to continuously monitor whether the computer network is safely protected. However, there are limits to how humans can monitor attacks that occur on networks within hospitals in real time. Recently, artificial intelligence models have shown excellent performance in detecting outliers. In this paper, an experiment was conducted to verify how well an artificial intelligence model classifies normal and abnormal data in network traffic data generated from medical devices. There are several models used for outlier detection, but among them, Random Forest and Tabnet were used. Tabnet is a deep learning algorithm related to receive and classify structured data. Two algorithms were trained using open traffic network data, and the classification accuracy of the model was measured using test data. As a result, the random forest algorithm showed a classification accuracy of 93%, and Tapnet showed a classification accuracy of 99%. Therefore, it is expected that most outliers that may occur in a hospital network can be detected using an excellent algorithm such as Tabnet.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2006.05a
• /
• pp.901-904
• /
• 2006

인터넷 사용자들의 무선 네트워크의 활용빈도가 점차 높아지고 무선 네트워크의 보안시스템도 요구되면서 무선 네트워크의 안정적이고 원활한 활용과 사용자의 정보 노출의 위험을 줄이고자 유무선 통합형 IDS/IPS도 개발되고 있는 단계다. 본 논문에서는 무선랜 환경을 지원하는 유무선 IPS시스템을 구현하고, 비정상적인 트래픽 탐지의 효율성을 높여 IPS 시스템의 성능향상에 기여정도를 파악 및 분석하였다. 본 논문에서 구축한 IPS시스템은 하이브리드 형태로 구현하였으며 Snort-inline[11]과 Snort-wireless[12] 모듈을 사용하여 무선 랜 이상탐지 기능을 구현하였다. 네트워크 모니터링 시스템으로 네트워크의 트래픽 상황을 파악하여 비정상적인 트래픽이 증가되었을 경우, 제안한 IPS시스템에서 비정상 트래픽의 탐지 및 차단 기능을 기존 IPS와 성능을 비교/분석하였다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2006.05a
• /
• pp.1109-1112
• /
• 2006

DDoS(Distributed Denial-of-Service) 공격은 인터넷 침해가운데 가장 위협적인 공격들 중 하나이며 이러한 공격을 실시간으로 탐지하기 위한 연구는 활발히 이루어져 왔다. 하지만 기존의 탐지 메커니즘이 가지고 있는 높은 오탐지율은 여전히 보완해야할 과제로 남아 있다. 따라서 본 논문에서는 DDoS공격 탐지의 근거로 사용된 기존의 트래픽 볼륨(traffic volume), 엔트로피(entropy), 그리고 카이제곱(chi-square)을 이용한 비정상 행위탐지(Anomaly detection)방식의 침임탐지시스템이 가지는 오탐지율(false alarm rate)을 개선할 수 있는 방안을 제안한다. 또한 공격 탐지 시 프로토콜, TCP 플래그(flag), 그리고 포트 번호를 이용하여 네트워크 관리자에게 보다 자세한 공격 정보를 제공함으로써 효율적으로 공격에 대처할 수 있는 시스템을 설계한다.