• Title/Summary/Keyword: abnormal behavior detect


Web Attack Classification Model Based on Payload Embedding Pre-Training (페이로드 임베딩 사전학습 기반의 웹 공격 분류 모델)

  • Kim, Yeonsu;Ko, Younghun;Euom, Ieckchae;Kim, Kyungbaek
    • Journal of the Korea Institute of Information Security & Cryptology / v.30 no.4 / pp.669-677 / 2020
  • As the number of Internet users exploded, attacks on the web increased. In addition, attack patterns have diversified to bypass existing defense techniques. Traditional web firewalls have difficulty detecting attacks with unknown patterns. Therefore, detecting abnormal behavior with artificial intelligence has been studied as an alternative. Specifically, attempts have been made to apply natural language processing techniques because the exploited scripts and queries consist of text. However, because scripts and queries contain many unknown words, natural language processing requires a different approach. In this paper, we propose a new classification model that uses byte pair encoding (BPE) to learn embedding vectors for the tokens that frequently appear in web attack payloads, and an attention-based Bi-GRU neural network to extract a set of tokens while learning their order and importance. For major web attacks such as SQL injection, cross-site scripting, and command injection, the accuracy of the proposed classification method is about 0.9990, outperforming the model suggested in the previous study.

A Study on Distributed Cooperation Intrusion Detection Technique based on Region (영역 기반 분산협력 침입탐지 기법에 관한 연구)

  • Yang, Hwan Seok;Yoo, Seung Jae
    • Convergence Security Journal / v.14 no.7 / pp.53-58 / 2014
  • A MANET can be built quickly because it consists only of mobile nodes, and it is very popular today due to its wide range of applications. However, a MANET must address the security vulnerabilities caused by its dynamic topology, the limited resources of each node, and wireless communication under frequent node movement. In this paper, we propose a domain-based distributed cooperative intrusion detection technique that can perform accurate intrusion detection while reducing overhead. In the proposed technique, the network is divided into regions of a certain size, after which local detection and global detection are performed. Local detection is performed on all nodes to detect abnormal node behavior, and global detection performs signature-based attack detection on the gateway node. The signature DB managed by the gateway node is periodically updated in cooperation with neighboring gateway nodes and a honeynet, and the reliability of nodes in the domain is maintained by a trust management module. The excellent performance of the proposed technique is confirmed through comparative experiments against a multi-layer cluster technique.

On the Implementation of an Advanced Judgement Algorithm for Contact Loss of Catenary System (전차선의 집전상태 판단 알고리즘 구현)

  • Park, Young;Jung, Ho-Sung;Yun, Il-Kwon;Kim, Wonha
    • The Transactions of The Korean Institute of Electrical Engineers / v.63 no.6 / pp.850-854 / 2014
  • Analyzing the dynamic performance between the pantograph and the contact wire depends on mechanical and electrical conditions such as contact force, currents, pantograph aerodynamics, and the tension of the overhead contact wire. To characterize this dynamic performance, various evaluation systems are used to measure the interaction of the contact line and the pantograph. Among the various methods, contact force and percentage of arcing are intended to prove the safety and quality of the current collection system on the train. However, these methods can only take measurements on trains that have measurement systems installed. Therefore, in this paper, a track-side monitoring system was implemented to measure the electrical characteristics of active overhead contact wire systems in order to continuously estimate the current collection performance of railway operation. In addition, a method to analyze loss-of-contact phenomena was proposed. According to simulation results, the proposed system was capable of measuring abnormal electrical behavior of pantographs and contact wires from the track-side. The advantage of the proposed system is that it can detect loss of contact or any other electrical abnormality for all types of trains within sections from sub to sub without installing any on-board equipment on the trains.

Design and Verification of the Integrated Log Analysis System for Enterprise Information Security (기업정보 유출 방지를 위한 통합 로그분석 시스템 설계 및 검증)

  • Lee, Jae-Yong;Kang, Soo-Yong
    • Journal of Digital Contents Society / v.9 no.3 / pp.491-498 / 2008
  • The leakage of sensitive information by an insider within the organization has become a serious threat nowadays. Sometimes, these insider threats are more harmful to an organization than external attacks. Companies cannot afford to continue ignoring the potential of insider attacks. The purpose of this study is to design an integrated log analysis system that can detect various types of information leakage. The system uses threat rules generated through risk analysis, and monitors every aspect of the online activities of authorized insiders. Not only should the system be able to identify abnormal behavior, it should also be able to predict and even help prevent potential risks. The system is composed of three modules: a log collector, a log analyzer, and a report generator.


Self-starting monitoring procedure for the dynamic degree corrected stochastic block model (동적 DCSBM을 모니터링하는 자기출발 절차)

  • Lee, Joo Weon;Lee, Jaeheon
    • The Korean Journal of Applied Statistics / v.34 no.1 / pp.25-38 / 2021
  • Recently, the need for network surveillance to detect abnormal behavior within dynamic social networks has increased. We consider a dynamic version of the degree corrected stochastic block model (DCSBM) to simulate dynamic social networks and to monitor for significant structural change in these networks. To apply a control charting procedure to network surveillance, in-control model parameters must be estimated from Phase I data, that is, from historical data. In network surveillance, however, there are many situations where sufficient relevant historical data are unavailable. In this paper we propose a self-starting Shewhart control charting procedure for detecting change in dynamic networks. This procedure can be a very useful option when only a few initial samples are available for parameter estimation. Simulation results show that the proposed procedure has good in-control performance even when the number of initial samples is very small.

A Method for 3D Human Pose Estimation based on 2D Keypoint Detection using RGB-D information (RGB-D 정보를 이용한 2차원 키포인트 탐지 기반 3차원 인간 자세 추정 방법)

  • Park, Seohee;Ji, Myunggeun;Chun, Junchul
    • Journal of Internet Computing and Services / v.19 no.6 / pp.41-51 / 2018
  • Recently, in the field of video surveillance, deep-learning-based methods have been applied to intelligent video surveillance systems, so that various events such as crime, fire, and abnormal phenomena can be robustly detected. However, since occlusion occurs due to the loss of 3D information when the 3D real world is projected onto a 2D image, the occlusion problem must be considered in order to accurately detect objects and estimate their poses. Therefore, in this paper, we detect moving objects while addressing the occlusion problem of the object detection process by adding depth information to the existing RGB information. Then, using a convolutional neural network on the detected region, the positions of the 14 keypoints of the human joints are predicted. Finally, to solve the self-occlusion problem that occurs in the pose estimation process, a method for 3D human pose estimation is described that extends the range of estimation to 3D space using the predicted 2D keypoints and a deep neural network. In the future, the 2D and 3D pose estimation results of this research can be used as data for human behavior recognition and contribute to the development of industrial technology.

Study on Factors for Passenger Risk in Railway Vehicle (철도차량내 승객 위험요소 선정 연구)

  • Park, Won-Hee;Park, Sung-Joon;Kim, Hyo-Jin;Kim, HanSaem;Oh, Sechan
    • Journal of the Society of Disaster Information / v.17 no.4 / pp.733-746 / 2021
  • Purpose: This study was conducted to select the important events from among the various events that may pose a risk to railway passengers. For this purpose, the opinions of various railway vehicle passengers and railway operator workers were surveyed and analyzed. Method: The survey was conducted on 1,000 men and women in their 20s and 60s and on 429 workers at 11 companies across the country. Passengers were surveyed on the dangerous situations that may occur in subway, general railway, and high-speed rail vehicles. For railway operator workers, the questionnaire was limited to subway vehicles. Result: Among the passenger risk factors (abnormal behavior and dangerous situations) ranked by frequency and importance of occurrence, the main risk factors selected were 'car door jamming', 'sexual harassment', 'intoxicated behavior', 'fighting/assault', 'wandering around', and 'not wearing a mask'. Conclusion: The major risk factors affecting passengers were selected by surveying passengers and railway operators. We plan to develop a CCTV detection system with AI technology that can quickly and continuously detect the major risk factors for railway vehicles selected as a result of this study.

Study on Establishment of a Monitoring System for Long-term Behavior of Caisson Quay Wall (케이슨 안벽의 장기 거동 모니터링 시스템 구축 연구)

  • Tae-Min Lee;Sung Tae Kim;Young-Taek Kim;Jiyoung Min
    • Journal of the Korea institute for structural maintenance and inspection / v.27 no.5 / pp.40-48 / 2023
  • In this paper, a sensor-based monitoring system was established to analyze the long-term behavioral characteristics of the caisson quay wall, a representative structural type in port facilities. Data were collected over a period of approximately 10 months. Based on existing literature, anomalous behaviors of port facilities were classified, and a measurement system was selected to detect them. Monitoring systems were installed on-site to collect data periodically. The collected data were transmitted to and stored on a server over an LTE network. Considering the site conditions, inclinometers for measuring slope and crack meters for measuring spacing and settlement were installed. They were attached to two caissons to allow comparison between caissons. The correlation among the measured data, temperature, and tidal level was examined. Temperature dominated the spacing and settlement data: when the temperature changed by approximately 50 degrees, the spacing changed by 10 mm, the settlement by 2 mm, and the slope by 0.1 degrees. On the other hand, there was no clear relationship with tidal level, indicating a need for more in-depth analysis in the future. Based on the characteristics of this collected database, it will be possible to develop algorithms for detecting abnormal states in gravity-type quay walls. The acquisition and analysis of long-term data make it possible to evaluate the safety and usability of structures in the event of disasters and emergencies.

An Implementation of System for Detecting and Filtering Malicious URLs (악성 URL 탐지 및 필터링 시스템 구현)

  • Chang, Hye-Young;Kim, Min-Jae;Kim, Dong-Jin;Lee, Jin-Young;Kim, Hong-Kun;Cho, Seong-Je
    • Journal of KIISE: Computing Practices and Letters / v.16 no.4 / pp.405-414 / 2010
  • According to SecurityFocus statistics from 2008, client-side attacks through Microsoft Internet Explorer increased by more than 50%. In this paper, we have implemented a behavior-based malicious web page detection system and a blacklist-based malicious web page filtering system. To do this, we first efficiently collected the target URLs by constructing a crawling system. The malicious URL detection system, run on a dedicated server, visits and actively renders the collected web pages in a virtual machine environment. To determine whether each web page is malicious, the system state changes of the virtual machine are checked after the page is rendered. If abnormal state changes are detected, the rendered web page is judged malicious and inserted into the blacklist of malicious web pages. The malicious URL filtering system, run on the web client machine, filters malicious web pages against the blacklist when a user visits web sites. We have improved system performance by automatically handling message boxes during URL analysis on the detection system. Experimental results show that game sites contain up to three times more malicious pages than other sites, and that many attacks involve a file creation and a registry key modification.

Design of Network Attack Detection and Response Scheme based on Artificial Immune System in WDM Networks (WDM 망에서 인공면역체계 기반의 네트워크 공격 탐지 제어 모델 및 대응 기법 설계)

  • Yoo, Kyung-Min;Yang, Won-Hyuk;Kim, Young-Chon
    • The Journal of Korean Institute of Communications and Information Sciences / v.35 no.4B / pp.566-575 / 2010
  • Recently, artificial immune systems have become an important research direction in network anomaly detection. Conventional artificial immune systems are usually based on negative selection, one of the computational models of self/non-self discrimination. A main problem with self/non-self discrimination is determining the frontier between self and non-self; getting it wrong causes false positives and false negatives. Therefore, additional functions are needed to detect potential anomalies while distinguishing abnormal behavior from analogous symptoms. In this paper, we design novel network attack detection and response schemes based on an artificial immune system and evaluate their performance. We first generate a detector set and design detection and response modules by adopting the interaction between dendritic cells and T-cells. From the sequence of buffer occupancy, a set of detectors is generated by negative selection. The detection module detects network anomalies with the set of detectors and generates an alarm signal for the response module. To reduce wrong detections, we also utilize fuzzy number theory to infer the degree of threat, which is calculated by monitoring the number of alarm signals and the intensity of alarm occurrence. The response module sends a control signal to attackers to limit the attack traffic.