• Journal of Internet Computing and Services
• /
• v.5 no.4
• /
• pp.23-33
• /
• 2004

In this paper, we propose a novel traffic measurement based detection of network attack symptoms on high speed Internet backbone links. In order to do so, we characterize the traffic patterns from the normal and the network attacks appeared on Internet backbone links, and we derive two efficient measures for representing the network attack symptoms at aggregate traffic level. The two measures are the power spectrum and the ratio of packet counts to traffic volume of the aggregate traffic. And, we propose a new methodology to detect networks attack symptoms by measuring those traffic measures. Experimental results show that the proposed scheme can detect the network attack symptoms very exactly and quickly. Unlike existing methods based on Individual packets or flows, since the proposed method is operated on the aggregate traffic level. the computational complexity can be significantly reduced and applicable to high speed Internet backbone links.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.13 no.12
• /
• pp.2555-2562
• /
• 2009

The algorithm that is proposed in this paper defined a probability function to count connection process and connection-end process to apply TRW algorithm to voice network. Set threshold to evaluate the algorithm that is proposed, Based on the type of connection attack traffic changing the probability to measure the effectiveness of the algorithm, and Attack packets based on the speed of attack detection time was measured. At the result of evaluation, proposed algorithm shows that DDoS attack starts at 10 packets per a second and it detects the attack after 1.2 seconds from the start. Moreover, it shows that the algorithm detects the attack in 0.5 second if the packets were 20 per a second.

• Asia pacific journal of information systems
• /
• v.31 no.3
• /
• pp.335-357
• /
• 2021

As reproduction of images can be done with ease, copy detection has increasingly become important. In the duplication process, image modifications are likely to occur and some alterations are deliberate and can be viewed as attacks. A wide range of copy detection techniques has been proposed. In our study, content-based copy detection, which basically applies DCT-based features for images, namely, pixel values, edges, texture information and frequency-domain component distribution, is employed. Experiments are carried out to evaluate robustness and sensitivity of DCT-based features from attacks. As different types of DCT-based features hold different pieces of information, how features and attacks are related can be shown in their robustness and sensitivity. Rather than searching for proper features, use of robustness and sensitivity is proposed here to realize how the attacked features have changed when an image attack occurs. The experiments show that, out of ten attacks, the neural networks are able to detect seven attacks namely, Gaussian noise, S&P noise, Gamma correction (high), blurring, resizing (big), compression and rotation with mostly related to their sensitive features.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.3
• /
• pp.527-545
• /
• 2022

In order to effectively detect APT attacks performed by well-organized adversaries, we implemented a system to detect attacks by reconstructing attack chains of APT attacks. Our attack chain-based APT attack detection system consists of 'events collection and indexing' part which collects various events generated from hosts and network monitoring tools, 'unit attack detection' part which detects unit-level attacks defined in MITRE ATT&CK^® techniques, and 'attack chain reconstruction' part which reconstructs attack chains by performing causality analysis based on provenance graphs. To evaluate our system, we implemented a test-bed and conducted several simulated attack scenarios provided by MITRE ATT&CK Evaluation program. As a result of the experiment, we were able to confirm that our system effectively reconstructed the attack chains for the simulated attack scenarios. Using the system implemented in this study, rather than to understand attacks as fragmentary parts, it will be possible to understand and respond to attacks from the perspective of progress of attacks.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.9 no.1
• /
• pp.296-308
• /
• 2015

Advanced Encryption Standard (AES) is widely used for protecting wireless sensor network (WSN). At the Workshop on Cryptographic Hardware and Embedded Systems (CHES) 2012, G$\acute{e}$rard et al. proposed an optimized collision attack and break a practical implementation of AES. However, the attack needs at least 256 averaged power traces and has a high computational complexity because of its byte wise operation. In this paper, we propose a novel double sieve collision attack based on bitwise collision detection, and an improved version with an error-tolerant mechanism. Practical attacks are successfully conducted on a software implementation of AES in a low-power chip which can be used in wireless sensor node. Simulation results show that our attack needs 90% less time than the work published by G$\acute{e}$rard et al. to reach a success rate of 0.9.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.23 no.3
• /
• pp.479-490
• /
• 2013

Recently, the number of attacks by malicious application has significantly increased, targeting Android-platform mobile terminal such as Samsung Galaxy Note and Galaxy Tab 10.1. The malicious application can be distributed to currently used mobile devices through open market masquerading as an normal application. An attacker inserts malicious code into an application, which might threaten privacy by rooting attack. Once the rooting attack is successful, malicious code can collect and steal private data stored in mobile terminal, for example, SMS messages, contacts list, and public key certificate for banking. To protect the private information from the malicious attack, malicious code detection, rooting attack detection and countermeasure method are required. To meet this end, this paper investigates rooting attack mechanism for Android-platform mobile terminal. Based on that, this paper proposes countermeasure system that enables to extract and collect events related to attacks occurring from mobile terminal, which contributes to active protection from malicious attacks.

• Journal of the Korea Society of Computer and Information
• /
• v.21 no.7
• /
• pp.1-8
• /
• 2016

Nowadays, distributed denial of service (DDoS) attacks on web sites reward attackers financially or politically because our daily lifes tightly depends on web services such as on-line banking, e-mail, and e-commerce. One of DDoS attacks to web servers is called HTTP-GET flood attack which is becoming more serious. Most existing techniques are running on the application layer because these attack packets use legitimate network protocols and HTTP payloads; that is, network-level intrusion detection systems cannot distinguish legitimate HTTP-GET requests and malicious requests. In this paper, we propose a practical detection technique against HTTP-GET flood attacks, based on the access behavior of inline objects in a webpage using NetFlow data. In particular, our proposed scheme is working on the network layer without any application-specific deep packet inspections. We implement the proposed detection technique and evaluate the ability of attack detection on a simple test environment using NetBot attacker. Moreover, we also show that our approach must be applicable to real field by showing the test profile captured on a well-known e-commerce site. The results show that our technique can detect the HTTP-GET flood attack effectively.

• Journal of Digital Contents Society
• /
• v.10 no.3
• /
• pp.479-484
• /
• 2009

Security system of wireless network take on importance as use of wireless network increases. Detection and opposition about that is difficult even if attack happens because MANET is composed of only moving node. And it is difficult that existing security system is applied as it is because of migratory nodes. Therefore, system is protected from malicious attack of intruder in this environment and it has to correspond to attack immediately. In this paper, we propose intrusion detection system using cluster head in order to detect malicious attack and use resources efficiently. we used method that gathering of rules is defined and it judges whether it corresponds or not to detect intrusion more exactly. In order to evaluate performance of proposed method, we used blackhole, message negligence, jamming attack.

• International Journal of Computer Science & Network Security
• /
• v.21 no.12
• /
• pp.213-218
• /
• 2021

This paper proposes a technique for detecting a significant threat that attempts to get sensitive and confidential information such as usernames, passwords, credit card information, and more to target an individual or organization. By definition, a phishing attack happens when malicious people pose as trusted entities to fraudulently obtain user data. Phishing is classified as a type of social engineering attack. For a phishing attack to happen, a victim must be convinced to open an email or a direct message [1]. The email or direct message will contain a link that the victim will be required to click on. The aim of the attack is usually to install malicious software or to freeze a system. In other instances, the attackers will threaten to reveal sensitive information obtained from the victim. Phishing attacks can have devastating effects on the victim. Sensitive and confidential information can find its way into the hands of malicious people. Another devastating effect of phishing attacks is identity theft [1]. Attackers may impersonate the victim to make unauthorized purchases. Victims also complain of loss of funds when attackers access their credit card information. The proposed method has two major subsystems: (1) Data collection: different websites have been collected as a big data corresponding to normal and phishing dataset, and (2) distributed detection system: different artificial algorithms are used: a neural network algorithm and machine learning. The Amazon cloud was used for running the cluster with different cores of machines. The experiment results of the proposed system achieved very good accuracy and detection rate as well.

• Journal of KIISE
• /
• v.45 no.2
• /
• pp.106-112
• /
• 2018

Recently, the number of cyber attacks using malicious code has increased. Various types of malicious code detection techniques have been researched for several years as the damage has increased. In recent years, profiling techniques have been used to identify attack groups. This paper focuses on the identification of attack groups using a detection technique that does not involve malicious code detection. The attacker is identified by using a string or a code signature of the malicious code. In addition, the detection rate is increased by adding a technique to confirm the packing file. We use Yara as a detection technique. We have research about RAT (remote access tool) that is mainly used in attack groups. Further, this paper develops a ruleset using malicious code and packer main feature signatures for RAT which is mainly used by the attack groups. It is possible to detect the attacker by detecting RAT based on the newly created ruleset.