• The Journal of the Korea Contents Association
• /
• v.10 no.3
• /
• pp.101-112
• /
• 2010

The recent trend of the hacking deals with all the IT infrastructure related to the profit of the companies. Presently, they attack the service itself, the source of the profit, while they tried to access to the service infrastructure through the non-service port in the past. Although they affect the service directly, it is difficult to block them with the old security solution or the old system and they threaten more and more companies with the demand of money menacing the protection of customers and the sustainable management. This paper aims to design and implement multi-platform network packet scanner targeting the exception handling network intrusion detection system which determines normal, abnormal by traffic. Linux and unix have the various network intrusion detection and packet management tools like ngrep, snort, TCPdump, but most of them are based on CUI (Character based User Interface) giving users discomfort who are not used to it. The proposed system is implemented based on GUI(Graphical User Interface) to support the intuitive and easy-to-use interface to users, and using Qt(c++) language that supports multi-platform to run on any operating system.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.3
• /
• pp.545-552
• /
• 2012

The rapid development of information technology is making large changes in our lives today. Also the infrastructure and services are combinding with information technology which predicts another huge change in our environment. However, the development of information technology brings various types of side effects and these side effects not only cause financial loss but also can develop into a nationwide crisis. Therefore, the detection and quick reaction towards these side effects is critical and much research is being done. Intrusion detection systems can be an example of such research. However, intrusion detection systems mostly tend to focus on judging whether particular traffic or files are malicious or not. Also it is difficult for intrusion detection systems to detect newly developed malicious codes. Therefore, this paper proposes a method which determines whether the present network model is normal or abnormal by comparing it with past network situations.

• International Journal of Computer Science & Network Security
• /
• v.23 no.1
• /
• pp.46-52
• /
• 2023

With billions of IoT (Internet of Things) devices populating various emerging applications across the world, detecting anomalies on these devices has become incredibly important. Advanced Intrusion Detection Systems (IDS) are trained to detect abnormal network traffic, and Machine Learning (ML) algorithms are used to create detection models. In this paper, the NSL-KDD dataset was adopted to comparatively study the performance and efficiency of IoT anomaly detection models. The dataset was developed for various research purposes and is especially useful for anomaly detection. This data was used with typical machine learning algorithms including eXtreme Gradient Boosting (XGBoost), Support Vector Machines (SVM), and Deep Convolutional Neural Networks (DCNN) to identify and classify any anomalies present within the IoT applications. Our research results show that the XGBoost algorithm outperformed both the SVM and DCNN algorithms achieving the highest accuracy. In our research, each algorithm was assessed based on accuracy, precision, recall, and F1 score. Furthermore, we obtained interesting results on the execution time taken for each algorithm when running the anomaly detection. Precisely, the XGBoost algorithm was 425.53% faster when compared to the SVM algorithm and 2,075.49% faster than the DCNN algorithm. According to our experimental testing, XGBoost is the most accurate and efficient method.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2005.05a
• /
• pp.1103-1106
• /
• 2005

IPv4 프로토콜의 주소 고갈 문제를 해결하기 위하여 IPv6 프로토콜이 제안되었고 한국전산원의 발표에 의하면 2010년 이후에는 IPv6 프로토콜이 광범위하게 사용될 것이라고 한다. 이러한 IPv6 프로토콜은 IPv4 프로토콜의 단점들을 해결하기 위하여 ND(Neighbor Discovery) 메커니즘, 주소자동설정, IPsec 등의 기술을 지원하며, 특히 IPv6 프로토콜은 보안 문제를 해결하기 위해서 인증, 데이터 무결성 보호를 위한 IPsec 기술을 사용한다. 이러한 IPsec 기술은 패킷 정보를 보호하기 위한 목적으로 사용되기 때문에 불특정 다수의 사용자를 대상으로 하는 네트워크에 행해지는 분산 서비스 거부 공격과 같은 비정상 대용량 트래픽에 대한 탐지 및 차단에 어려움이 있다. 현재 IPv6 프로토콜을 지원하는 네트워크 공격 대응 기술로 IPv6 네트워크용 방화벽/침입탐지 시스템이 개발되어 제품으로 판매되고 있지만, 대용량의 비정상 트래픽 대응 기술을 탐지하고 차단하기에는 한계가 있다. 본 논문에서는 IPv6 네트워크 환경에서 이러한 대용량의 비정상 트래픽을 제어할 수 있는 프레임워크를 제시한다.

• Journal of the Korea Convergence Society
• /
• v.10 no.5
• /
• pp.35-42
• /
• 2019

Recently, as the Internet and various wearable devices have appeared, Internet technology has contributed to obtaining more convenient information and doing business. However, as the internet is used in various parts, the attack surface points that are exposed to attacks are increasing, Attempts to invade networks aimed at taking unfair advantage, such as cyber terrorism, are also increasing. In this paper, we propose a feature selection method to improve the classification performance of the class to classify the abnormal behavior in the network traffic. The UNSW-NB15 dataset has a rare class imbalance problem with relatively few instances compared to other classes, and an undersampling method is used to eliminate it. We use the SVM, k-NN, and decision tree algorithms and extract a subset of combinations with superior detection accuracy and RMSE through training and verification. The subset has recall values of more than 98% through the wrapper based experiments and the DT_PSO showed the best performance.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.35 no.4B
• /
• pp.566-575
• /
• 2010

In recent, artificial immune system has become an important research direction in the anomaly detection of networks. The conventional artificial immune systems are usually based on the negative selection that is one of the computational models of self/nonself discrimination. A main problem with self and non-self discrimination is the determination of the frontier between self and non-self. It causes false positive and false negative which are wrong detections. Therefore, additional functions are needed in order to detect potential anomaly while identifying abnormal behavior from analogous symptoms. In this paper, we design novel network attack detection and response schemes based on artificial immune system, and evaluate the performance of the proposed schemes. We firstly generate detector set and design detection and response modules through adopting the interaction between dendritic cells and T-cells. With the sequence of buffer occupancy, a set of detectors is generated by negative selection. The detection module detects the network anomaly with a set of detectors and generates alarm signal to the response module. In order to reduce wrong detections, we also utilize the fuzzy number theory that infers the degree of threat. The degree of threat is calculated by monitoring the number of alarm signals and the intensity of alarm occurrence. The response module sends the control signal to attackers to limit the attack traffic.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.38C no.7
• /
• pp.630-642
• /
• 2013

To transmit vital signal stream of mobile patients remotely, it requires mobility of patient and watcher, sensing function of patient's abnormal symptom and self-organizing service binding of related computing resources. In the existing relative researches, the vital signal stream is transmitted as a centralized approach which exposure the single point of failure itself and incur data traffic to central server although it is localized service. Self-organizing middleware platform based on heterogenous overlay network is a middleware platform which can transmit real-time data from sensor device(including vital signal measure devices) to Smartphone, TV, PC and external system through overlay network applied self-organizing mechanism. It can transmit and save vital signal stream from sensor device autonomically without arbitration of management server and several receiving devices can simultaneously receive and display through interaction of nodes in real-time.

• The Journal of the Korea Contents Association
• /
• v.20 no.4
• /
• pp.396-405
• /
• 2020

In this study, we used the big data of Voice of Customer (VOC) related to high-speed Internet products to look at the causes of perceived quality and the possibility of proactive service. In order to verify the possibility of proactive service, we collected VOC data from 13 facilities and equipment of a mobile communication service company, and then conducted 𝒙² test to verify that there was a statistically significant difference between the actual VOC observation values and expected values. We found statistical evidence that proactive service is possible through real-time monitoring for the six disability alarms among the 13 facilities and equipment, which are FTTH-R Equipment ON/OFF, FTTH-EV Line Error Detection, Port Faulty, FTTH-R Line Error Detection, Network Loop Detection, and Abnormal Limiting Traffic. Companies are able to adopt the proactive service to improve their market share and to reduce customer service costs. The results of this study are expected to contribute to the actual application of industry in that it has diagnosed the possibility of proactive service in the telecommunication service sector and further suggested suggestions on how to provide effective proactive service.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.5
• /
• pp.1043-1057
• /
• 2015

In order to recognize intelligent threats quickly and detect and respond to them actively, major public bodies and private institutions operate and administer an Intrusion Detection Systems (IDS), which plays a very important role in finding and detecting attacks. However, most IDS alerts have a problem that they generate false positives. In addition, in order to detect unknown malicious codes and recognize and respond to their threats in advance, APT response solutions or actions based systems are introduced and operated. These execute malicious codes directly using virtual technology and detect abnormal activities in virtual environments or unknown attacks with other methods. However, these, too, have weaknesses such as the avoidance of the virtual environments, the problem of performance about total inspection of traffic and errors in policy. Accordingly, for the effective detection of intrusion, it is very important to enhance security monitoring, consequentially. This study discusses a plan for the reduction of false positives as a plan for the enhancement of security monitoring. As a result of an experiment based on the empirical data of G, rules were drawn in three types and 11 kinds. As a result of a test following these rules, it was verified that the overall detection rate decreased by 30% to 50%, and the performance was improved by over 30%.

• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.17 no.10
• /
• pp.732-742
• /
• 2016

This study suggests methods of defense against low-level high-bandwidth DDoS attacks by adding a solution with a time limit factor (TLF) to an existing high-bandwidth DDoS defense system. Low-level DDoS attacks cause faults to the service requests of normal users by acting as a normal service connection and continuously positioning the connected session. Considering this, the proposed method makes it possible for users to show a down-related session by considering it as a low-level DDoS attack if the abnormal flow is detected after checking the amount of traffic. However, the service might be blocked when misjudging a low-level DDoS attack in the case of a communication fault resulting from a network fault, even with a normal connection status. Thus, we made it possible to reaccess the related information through a certain period of blocking instead of a drop through blacklist. In a test of the system, it was unable to block the session because it recognized sessions that are simply connected with a low-level DDoS attack as a normal communication.