• International Journal of Computer Science & Network Security
• /
• v.23 no.1
• /
• pp.46-52
• /
• 2023

With billions of IoT (Internet of Things) devices populating various emerging applications across the world, detecting anomalies on these devices has become incredibly important. Advanced Intrusion Detection Systems (IDS) are trained to detect abnormal network traffic, and Machine Learning (ML) algorithms are used to create detection models. In this paper, the NSL-KDD dataset was adopted to comparatively study the performance and efficiency of IoT anomaly detection models. The dataset was developed for various research purposes and is especially useful for anomaly detection. This data was used with typical machine learning algorithms including eXtreme Gradient Boosting (XGBoost), Support Vector Machines (SVM), and Deep Convolutional Neural Networks (DCNN) to identify and classify any anomalies present within the IoT applications. Our research results show that the XGBoost algorithm outperformed both the SVM and DCNN algorithms achieving the highest accuracy. In our research, each algorithm was assessed based on accuracy, precision, recall, and F1 score. Furthermore, we obtained interesting results on the execution time taken for each algorithm when running the anomaly detection. Precisely, the XGBoost algorithm was 425.53% faster when compared to the SVM algorithm and 2,075.49% faster than the DCNN algorithm. According to our experimental testing, XGBoost is the most accurate and efficient method.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2005.05a
• /
• pp.1103-1106
• /
• 2005

IPv4 프로토콜의 주소 고갈 문제를 해결하기 위하여 IPv6 프로토콜이 제안되었고 한국전산원의 발표에 의하면 2010년 이후에는 IPv6 프로토콜이 광범위하게 사용될 것이라고 한다. 이러한 IPv6 프로토콜은 IPv4 프로토콜의 단점들을 해결하기 위하여 ND(Neighbor Discovery) 메커니즘, 주소자동설정, IPsec 등의 기술을 지원하며, 특히 IPv6 프로토콜은 보안 문제를 해결하기 위해서 인증, 데이터 무결성 보호를 위한 IPsec 기술을 사용한다. 이러한 IPsec 기술은 패킷 정보를 보호하기 위한 목적으로 사용되기 때문에 불특정 다수의 사용자를 대상으로 하는 네트워크에 행해지는 분산 서비스 거부 공격과 같은 비정상 대용량 트래픽에 대한 탐지 및 차단에 어려움이 있다. 현재 IPv6 프로토콜을 지원하는 네트워크 공격 대응 기술로 IPv6 네트워크용 방화벽/침입탐지 시스템이 개발되어 제품으로 판매되고 있지만, 대용량의 비정상 트래픽 대응 기술을 탐지하고 차단하기에는 한계가 있다. 본 논문에서는 IPv6 네트워크 환경에서 이러한 대용량의 비정상 트래픽을 제어할 수 있는 프레임워크를 제시한다.

• Journal of the Korea Convergence Society
• /
• v.10 no.5
• /
• pp.35-42
• /
• 2019

Recently, as the Internet and various wearable devices have appeared, Internet technology has contributed to obtaining more convenient information and doing business. However, as the internet is used in various parts, the attack surface points that are exposed to attacks are increasing, Attempts to invade networks aimed at taking unfair advantage, such as cyber terrorism, are also increasing. In this paper, we propose a feature selection method to improve the classification performance of the class to classify the abnormal behavior in the network traffic. The UNSW-NB15 dataset has a rare class imbalance problem with relatively few instances compared to other classes, and an undersampling method is used to eliminate it. We use the SVM, k-NN, and decision tree algorithms and extract a subset of combinations with superior detection accuracy and RMSE through training and verification. The subset has recall values of more than 98% through the wrapper based experiments and the DT_PSO showed the best performance.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.35 no.4B
• /
• pp.566-575
• /
• 2010

In recent, artificial immune system has become an important research direction in the anomaly detection of networks. The conventional artificial immune systems are usually based on the negative selection that is one of the computational models of self/nonself discrimination. A main problem with self and non-self discrimination is the determination of the frontier between self and non-self. It causes false positive and false negative which are wrong detections. Therefore, additional functions are needed in order to detect potential anomaly while identifying abnormal behavior from analogous symptoms. In this paper, we design novel network attack detection and response schemes based on artificial immune system, and evaluate the performance of the proposed schemes. We firstly generate detector set and design detection and response modules through adopting the interaction between dendritic cells and T-cells. With the sequence of buffer occupancy, a set of detectors is generated by negative selection. The detection module detects the network anomaly with a set of detectors and generates alarm signal to the response module. In order to reduce wrong detections, we also utilize the fuzzy number theory that infers the degree of threat. The degree of threat is calculated by monitoring the number of alarm signals and the intensity of alarm occurrence. The response module sends the control signal to attackers to limit the attack traffic.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.38C no.7
• /
• pp.630-642
• /
• 2013

To transmit vital signal stream of mobile patients remotely, it requires mobility of patient and watcher, sensing function of patient's abnormal symptom and self-organizing service binding of related computing resources. In the existing relative researches, the vital signal stream is transmitted as a centralized approach which exposure the single point of failure itself and incur data traffic to central server although it is localized service. Self-organizing middleware platform based on heterogenous overlay network is a middleware platform which can transmit real-time data from sensor device(including vital signal measure devices) to Smartphone, TV, PC and external system through overlay network applied self-organizing mechanism. It can transmit and save vital signal stream from sensor device autonomically without arbitration of management server and several receiving devices can simultaneously receive and display through interaction of nodes in real-time.

• The Journal of the Korea Contents Association
• /
• v.20 no.4
• /
• pp.396-405
• /
• 2020

In this study, we used the big data of Voice of Customer (VOC) related to high-speed Internet products to look at the causes of perceived quality and the possibility of proactive service. In order to verify the possibility of proactive service, we collected VOC data from 13 facilities and equipment of a mobile communication service company, and then conducted 𝒙² test to verify that there was a statistically significant difference between the actual VOC observation values and expected values. We found statistical evidence that proactive service is possible through real-time monitoring for the six disability alarms among the 13 facilities and equipment, which are FTTH-R Equipment ON/OFF, FTTH-EV Line Error Detection, Port Faulty, FTTH-R Line Error Detection, Network Loop Detection, and Abnormal Limiting Traffic. Companies are able to adopt the proactive service to improve their market share and to reduce customer service costs. The results of this study are expected to contribute to the actual application of industry in that it has diagnosed the possibility of proactive service in the telecommunication service sector and further suggested suggestions on how to provide effective proactive service.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.5
• /
• pp.1043-1057
• /
• 2015

In order to recognize intelligent threats quickly and detect and respond to them actively, major public bodies and private institutions operate and administer an Intrusion Detection Systems (IDS), which plays a very important role in finding and detecting attacks. However, most IDS alerts have a problem that they generate false positives. In addition, in order to detect unknown malicious codes and recognize and respond to their threats in advance, APT response solutions or actions based systems are introduced and operated. These execute malicious codes directly using virtual technology and detect abnormal activities in virtual environments or unknown attacks with other methods. However, these, too, have weaknesses such as the avoidance of the virtual environments, the problem of performance about total inspection of traffic and errors in policy. Accordingly, for the effective detection of intrusion, it is very important to enhance security monitoring, consequentially. This study discusses a plan for the reduction of false positives as a plan for the enhancement of security monitoring. As a result of an experiment based on the empirical data of G, rules were drawn in three types and 11 kinds. As a result of a test following these rules, it was verified that the overall detection rate decreased by 30% to 50%, and the performance was improved by over 30%.

• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.17 no.10
• /
• pp.732-742
• /
• 2016

This study suggests methods of defense against low-level high-bandwidth DDoS attacks by adding a solution with a time limit factor (TLF) to an existing high-bandwidth DDoS defense system. Low-level DDoS attacks cause faults to the service requests of normal users by acting as a normal service connection and continuously positioning the connected session. Considering this, the proposed method makes it possible for users to show a down-related session by considering it as a low-level DDoS attack if the abnormal flow is detected after checking the amount of traffic. However, the service might be blocked when misjudging a low-level DDoS attack in the case of a communication fault resulting from a network fault, even with a normal connection status. Thus, we made it possible to reaccess the related information through a certain period of blocking instead of a drop through blacklist. In a test of the system, it was unable to block the session because it recognized sessions that are simply connected with a low-level DDoS attack as a normal communication.

• Journal of Intelligence and Information Systems
• /
• v.26 no.2
• /
• pp.131-145
• /
• 2020

In line with the trend of industrial innovation, IoT technology utilized in a variety of fields is emerging as a key element in creation of new business models and the provision of user-friendly services through the combination of big data. The accumulated data from devices with the Internet-of-Things (IoT) is being used in many ways to build a convenience-based smart system as it can provide customized intelligent systems through user environment and pattern analysis. Recently, it has been applied to innovation in the public domain and has been using it for smart city and smart transportation, such as solving traffic and crime problems using CCTV. In particular, it is necessary to comprehensively consider the easiness of securing real-time service data and the stability of security when planning underground services or establishing movement amount control information system to enhance citizens' or commuters' convenience in circumstances with the congestion of public transportation such as subways, urban railways, etc. However, previous studies that utilize image data have limitations in reducing the performance of object detection under private issue and abnormal conditions. The IoT device-based sensor data used in this study is free from private issue because it does not require identification for individuals, and can be effectively utilized to build intelligent public services for unspecified people. Especially, sensor data stored by the IoT device need not be identified to an individual, and can be effectively utilized for constructing intelligent public services for many and unspecified people as data free form private issue. We utilize the IoT-based infrared sensor devices for an intelligent pedestrian tracking system in metro service which many people use on a daily basis and temperature data measured by sensors are therein transmitted in real time. The experimental environment for collecting data detected in real time from sensors was established for the equally-spaced midpoints of 4×4 upper parts in the ceiling of subway entrances where the actual movement amount of passengers is high, and it measured the temperature change for objects entering and leaving the detection spots. The measured data have gone through a preprocessing in which the reference values for 16 different areas are set and the difference values between the temperatures in 16 distinct areas and their reference values per unit of time are calculated. This corresponds to the methodology that maximizes movement within the detection area. In addition, the size of the data was increased by 10 times in order to more sensitively reflect the difference in temperature by area. For example, if the temperature data collected from the sensor at a given time were 28.5℃, the data analysis was conducted by changing the value to 285. As above, the data collected from sensors have the characteristics of time series data and image data with 4×4 resolution. Reflecting the characteristics of the measured, preprocessed data, we finally propose a hybrid algorithm that combines CNN in superior performance for image classification and LSTM, especially suitable for analyzing time series data, as referred to CNN-LSTM (Convolutional Neural Network-Long Short Term Memory). In the study, the CNN-LSTM algorithm is used to predict the number of passing persons in one of 4×4 detection areas. We verified the validation of the proposed model by taking performance comparison with other artificial intelligence algorithms such as Multi-Layer Perceptron (MLP), Long Short Term Memory (LSTM) and RNN-LSTM (Recurrent Neural Network-Long Short Term Memory). As a result of the experiment, proposed CNN-LSTM hybrid model compared to MLP, LSTM and RNN-LSTM has the best predictive performance. By utilizing the proposed devices and models, it is expected various metro services will be provided with no illegal issue about the personal information such as real-time monitoring of public transport facilities and emergency situation response services on the basis of congestion. However, the data have been collected by selecting one side of the entrances as the subject of analysis, and the data collected for a short period of time have been applied to the prediction. There exists the limitation that the verification of application in other environments needs to be carried out. In the future, it is expected that more reliability will be provided for the proposed model if experimental data is sufficiently collected in various environments or if learning data is further configured by measuring data in other sensors.