• 한국정보통신설비학회:학술대회논문집
• /
• 2008.08a
• /
• pp.364-367
• /
• 2008

Many different types of network equipments are deployed in a large-scale IP network. In this operating environment, network service providers suffer from difficulty in controlling various equipments simultaneously in case network faults happen in their overall or regional network due to physical link failure or abnormal traffic. This paper presents a policy-based methodology to control many different types of network equipments at the same time in abnormal cases. The key idea is that NMS(Network Management System) keeps vendor-neutral control policies in normal times and that when an abnormal case occurs in network, NMS transforms the selected policy into vendor-specific control commands and enforces them to various equipments simultaneously.

• Journal of the Korea Society of Computer and Information
• /
• v.17 no.5
• /
• pp.21-28
• /
• 2012

Recently, the necessity for good techniques of detecting network traffic attack has increased. In this paper, we suggest a new method of detecting abnormal patterns of network traffic data by visualizing their IP and port information into two dimensional images. The proposed approach first generates four 2D images from IP data of transmitters and receivers, and makes one 2D image from port data. Analyzing those images, it then extracts their major features such as linear patterns or high intensity values, and determines if traffic data contain DDoS or DoS Attacks. To comparatively evaluate the performance of the proposed algorithm, we show that our abnormal pattern detection method outperforms the existing algorithm in terms of accuracy and speed.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.16 no.1
• /
• pp.55-63
• /
• 2006

Recently, there is much abnormal traffic driven by several worms, such as Nimda, Code Red, SQL Stammer, and so on, making badly severe damage to networks. Meanwhile, diverse prevention schemes for defeating abnormal traffic have been studied in the academic and commercial worlds. In this paper, we present the structure of a stepwise intrusion prevention system that is designed with the feature of putting limitation on the network bandwidth of each network traffic and dropping abnormal traffic, and then compare the proposed scheme with a pre-existing scheme, which is a True/False based an anomaly prevention scheme for several worm-patterns. There are two criteria for comparison of the schemes, which are Normal Traffic Rate (NTR) and False Positive Rate (FPR). Assuming that the abnormal traffic rate of a specific network is $\beta$ during a predefined time window, it is known that the average NTR of our stepwise intrusion prevention scheme increases by the factor of (1+$\beta$)/2 than that of True/False based anomaly prevention scheme and the average FPR of our scheme decrease by the factor of (1+$\beta$)/2.

• Journal of the Korean Data and Information Science Society
• /
• v.16 no.4
• /
• pp.979-987
• /
• 2005

In this research we study conventional and new statistical methods to analyse and detect outliers in network traffic and we apply the nonlinear time series model to make better performance of detecting abnormal traffic rather the linear time series model to compare the performances of the two models.

• Journal of Information Processing Systems
• /
• v.20 no.3
• /
• pp.375-390
• /
• 2024

Edge computing architecture has effectively alleviated the computing pressure on cloud platforms, reduced network bandwidth consumption, and improved the quality of service for user experience; however, it has also introduced new security issues. Existing anomaly detection methods in big data scenarios with cloud-edge computing collaboration face several challenges, such as sample imbalance, difficulty in dealing with complex network traffic attacks, and difficulty in effectively training large-scale data or overly complex deep-learning network models. A lightweight deep-learning model was proposed to address these challenges. First, normalization on the user side was used to preprocess the traffic data. On the edge side, a trained Wasserstein generative adversarial network (WGAN) was used to supplement the data samples, which effectively alleviates the imbalance issue of a few types of samples while occupying a small amount of edge-computing resources. Finally, a trained lightweight deep learning network model is deployed on the edge side, and the preprocessed and expanded local data are used to fine-tune the trained model. This ensures that the data of each edge node are more consistent with the local characteristics, effectively improving the system's detection ability. In the designed lightweight deep learning network model, two sets of convolutional pooling layers of convolutional neural networks (CNN) were used to extract spatial features. The bidirectional long short-term memory network (BiLSTM) was used to collect time sequence features, and the weight of traffic features was adjusted through the attention mechanism, improving the model's ability to identify abnormal traffic features. The proposed model was experimentally demonstrated using the NSL-KDD, UNSW-NB15, and CIC-ISD2018 datasets. The accuracies of the proposed model on the three datasets were as high as 0.974, 0.925, and 0.953, respectively, showing superior accuracy to other comparative models. The proposed lightweight deep learning network model has good application prospects for anomaly traffic detection in cloud-edge collaborative computing architectures.

• Korean Journal of Artificial Intelligence
• /
• v.11 no.2
• /
• pp.19-27
• /
• 2023

In recent times, an exponential increase in Internet traffic has been observed as a result of advancing development of the Internet of Things, mobile networks with sensors, and communication functions within various devices. Further, the COVID-19 pandemic has inevitably led to an explosion of social network traffic. Within this context, considerable attention has been drawn to research on network traffic analysis based on machine learning. In this paper, we design and develop a new machine learning framework for network traffic analysis whereby normal and abnormal traffic is distinguished from one another. To achieve this, we combine together well-known machine learning algorithms and network traffic analysis techniques. Using one of the most widely used datasets KDD CUP'99 in the Weka and Apache Spark environments, we compare and investigate results obtained from time series type analysis of various aspects including malicious codes, feature extraction, data formalization, network traffic measurement tool implementation. Experimental analysis showed that while both the logistic regression and the support vector machine algorithm were excellent for performance evaluation, among these, the logistic regression algorithm performs better. The quantitative analysis results of our proposed machine learning framework show that this approach is reliable and practical, and the performance of the proposed system and another paper is compared and analyzed. In addition, we determined that the framework developed in the Apache Spark environment exhibits a much faster processing speed in the Spark environment than in Weka as there are more datasets used to create and classify machine learning models.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2018.10a
• /
• pp.362-364
• /
• 2018

Predicting network traffic volume has become a popular topic recently due to its support in many situations such as detecting abnormal network activities and provisioning network services. Especially, predicting the volume of the next upcoming traffic from the series of observed recent traffic volume is an interesting and challenging problem. In past, various techniques are researched by using time series forecasting methods such as moving averaging and exponential smoothing. In this paper, we propose a long short-term memory neural network (LSTM) based network traffic volume prediction method. The proposed method employs the changing rate of observed traffic volume, the corresponding time window index, and a seasonality factor indicating the changing trend as input features, and predicts the upcoming network traffic. The experiment results with real datasets proves that our proposed method works better than other time series forecasting methods in predicting upcoming network traffic.

• Journal of Korea Society of Industrial Information Systems
• /
• v.11 no.3
• /
• pp.34-39
• /
• 2006

This paper introduces a network security situation awareness tool using a traffic pattern map which facilitates recognizing a current network status by extracting and analyzing predetermined traffic features and displaying an abnormal or harmful traffic which deteriorates network performance. The traffic pattern-map consists of $26{\times}26$ intersections, on which the occupancy rate of the port having maximum occupancy is displayed as a bar graph. In general, in case of the Internet worm, the source address section on the traffic pattern map is activated. In case of DDoS the destination address section is activated.

• Journal of the Korea Society of Computer and Information
• /
• v.14 no.4
• /
• pp.69-76
• /
• 2009

The construction of Internet IP-based Network is composed of router and switch models in a variety of companies. The construction by various models causes the complexity of the management and control as different types of CLI is used by different company to filter out abnormal traffics like worm, virus, and DDoS. To improve this situation, IETF is working on enacting XML based configuration standards from NETCONF working group, but currently few commands processing at the level of operation layer on NETCONF are only standardized and it's hard for unified control operation process between different make of system as different company has different XML command to filter out abnormal traffics. This thesis proposes ways to prevent abnormal attacks and increase efficiency of network by re-routing the abnormal traffics coming thru unified control for different make of systems into Sinkhole router and designing a control system to efficiently prevent various attacks after checking the possibility of including abnormal traffics from unified control operation.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.8 no.4
• /
• pp.1307-1323
• /
• 2014

With the exhaustion of global IPv4 addresses, IPv6 technologies have attracted increasing attentions, and have been deployed widely. Meanwhile, new applications running over IPv6 networks will change the traditional traffic characteristics obtained from IPv4 networks. Traditional models obtained from IPv4 cannot be used for IPv6 network monitoring directly and there is a need to investigate those changes. In this paper, we explore the flow features of IPv6 traffic and compare its difference with that of IPv4 traffic from flow level. Firstly, we analyze the differences of the general flow statistical characteristics and users' behavior between IPv4 and IPv6 networks. We find that there are more elephant flows in IPv6, which is critical for traffic engineering. Secondly, we find that there exist many one-way flows both in the IPv4 and IPv6 traffic, which are important information sources for abnormal behavior detection. Finally, in light of the challenges of analyzing massive data of large-scale network monitoring, we propose a group flow model which can greatly reduce the number of flows while capturing the primary traffic features, and perform a comparative measurement analysis of group users' behavior dynamic characteristics. We find there are less sharp changes caused by abnormity compared with IPv4, which shows there are less large-scale malicious activities in IPv6 currently. All the evaluation experiments are carried out based on the traffic traces collected from the Northwest Regional Center of CERNET (China Education and Research Network), and the results reveal the detailed flow characteristics of IPv6, which are useful for traffic management and anomaly detection in IPv6.