• Title/Summary/Keyword: false positive


Trust Based False-Positive Reduction Scheme against DoS Attacks (Trust 기반의 DoS 공격에 대한 False-Positive 감소 기법)

  • 박종경;이태근;강용혁;엄영익
    • Proceedings of the Korean Information Science Society Conference / 2003.10a / pp.697-699 / 2003
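  • Most recent network attacks are DoS (denial-of-service) and DDoS (distributed DoS) attacks. In these attacks, the attacker completely exhausts the resources of the target system so that it can no longer provide normal service. System administrators use an IDS (intrusion detection system) as one way to prevent such intrusions and attacks. However, the high frequency of false positives (cases in which legitimate use is mistakenly judged to be an attack) is one of the serious problems of IDSs. To reduce the frequency of such false positives, this paper proposes a scheme that does not block a connection on the basis of a single judgment, but instead introduces the concept of trust and provides differentiated service to users according to their trust value. That is, the trust-based scheme does not decide in a single step whether each user is an attacker or a normal user, but checks once more, thereby reducing the frequency of false positives.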


A Study on a Dynamic Importance Calculation Method for Reducing False Positives in NIDS (NIDS에서 False Positives를 줄이기 위한 동적 중요도 계산 방법에 대한 연구)

  • 이은영;김병학;박차일;정상갑;임채호;이광형
    • Review of KIISC / v.13 no.1 / pp.22-31 / 2003
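  • A NIDS (Network Intrusion Detection System) is a system that offers a way to detect intrusions in real time, but it generates more false-positive information than detections of actual intrusions. Finding the real intrusions among the many false positives has become a new task required to operate a NIDS efficiently. This paper presents a dynamic importance calculation model for reducing false positives in a NIDS. The proposed method uses four characteristics of an attack (the intent of the attack, the attacker's level of knowledge, the impact of the attack, and the likelihood that the attack succeeds). If the attacker has strong intent or extensive knowledge, the attack is more likely to succeed than in the ordinary case. In addition, if the target is vulnerable to a particular attack, or a particular attack would have a large impact on the target system, the attack can be regarded as all the more important. The results presented in this paper, obtained using these four characteristics, reduced a considerable portion of the false positives and also improved the accuracy of the importance assigned to attacks, making a NIDS easier to manage.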

Negative Selection Algorithm based Multi-Level Anomaly Intrusion Detection for False-Positive Reduction (과탐지 감소를 위한 NSA 기반의 다중 레벨 이상 침입 탐지)

  • Kim, Mi-Sun;Park, Kyung-Woo;Seo, Jae-Hyun
    • Journal of the Korea Institute of Information Security & Cryptology / v.16 no.6 / pp.111-121 / 2006
  • As the Internet grows rapidly, network attack techniques are changing and new attack types are appearing. Existing network-based intrusion detection systems detect well-known attacks well, but their false-positive and false-negative rates against unknown attacks are high. In addition, existing network-based intrusion detection systems have difficulty detecting attacks in real time over large volumes of network packet data, and recognizing and responding to new attack types. Therefore, a method is required that raises the detection rate over various large datasets and reduces false positives. In this paper, we propose a method to reduce false positives using a multi-level detection algorithm that combines the multidimensional Apriori algorithm and the modified Negative Selection algorithm. We apply this algorithm to intrusion detection and confirm that it performs well.

Efficient Attack Traffic Detection Method for Reducing False Alarms (False Alarm 감축을 위한 효율적인 공격 트래픽 탐지 기법)

  • Choi, Il-Jun;Chu, Byoung-Gyun;Oh, Chang-Suk
    • Journal of the Korea Society of Computer and Information / v.14 no.5 / pp.65-75 / 2009
  • With the development of IT, Internet popularity is increasing geometrically. However, as a side effect, intrusion behaviors such as information leakage from key systems and infringement of computer networks are also increasing fast. The attack traffic detection method suggested in this study uses Snort, a traditional NIDS, and filters out the false-positive packets among the detected attack traffic using Nmap information. It then performs secondary filtering using Nessus vulnerability information, and finally performs correlation analysis considering the appropriateness of the management system, the severity of the signature, and the security hole, so that it reduces false-positive alarm messages and minimizes the errors from false positives. As a result, it raised the overall attack detection results.

False positive and false negative reactions of acidic hydrogen peroxide for enhancing blood (Acidic hydrogen peroxide로 혈액을 증강할 때의 위양성 및 위음성 반응)

  • Lee, Wonyoung;Hong, Sungwook
    • Analytical Science and Technology / v.35 no.3 / pp.124-128 / 2022
  • Blood-sensitive reagents may exhibit false positives or negatives under the influence of substances other than blood. Since these reactions lead to the misinterpretation of blood evidence, it is essential to investigate the possibility of false-positive and -negative reactions of blood-sensitive reagents. Acidic hydrogen peroxide (AHP) is a recently discovered blood-sensitive reagent, and it is not yet known whether it causes false-positive or -negative reactions. To confirm this, 20 µL of blood was placed on metal surfaces, plastic surfaces, paper surfaces, paint surfaces, foods, vegetable oils, detergents, and petroleum hydrocarbons, and then AHP was applied. The blood was observed through an orange filter under a 505-nm light source, and no false-positive or false-negative reactions were observed with any of the substances/materials. However, it was confirmed that polyethylene terephthalate surfaces, polyvinylchloride surfaces, some paint surfaces, and foods exhibit their own photoluminescence under the conditions of blood observation, which interferes with blood observation.

Development of A Recovery-algorithm of False-Positive Mail based on the Property of the Privacy (Privacy 속성 기반의 오인된 메일 복구 알고리즘 개발)

  • Seo, Sang-Jjin;Park, Noh-Kyung;Jin, Hyun-Joon
    • Journal of IKEEE / v.9 no.2 s.17 / pp.108-114 / 2005
  • While e-mail has become an important means of communication in IT societies, it creates various social problems due to the increase in spam mail. Even though many organizations and corporations have been doing research to develop spam mail blocking technologies, more cost and system complexity are required because of the variety of blocking technologies. When spam blocking technologies are adopted, system reliability largely relies on the false-positive error rate, which depends on the order in which spam blocking filters are employed. In this paper, a false-positive mail recovery technique based on privacy information is proposed and implemented in order to improve the reliability of spam blocking filters. Through the implemented prototype, the recovery procedure for false-positive mails is verified, and the results are summarized and analyzed.


A Simple Method for Elimination of False Positive Results in RT-PCR

  • Martel, Fatima;Grundemann, Dirk;Schomig, Edgar
    • BMB Reports / v.35 no.2 / pp.248-250 / 2002
  • Discrimination between the amplification of mRNA and contaminating genomic DNA is a common problem when performing a reverse transcriptase-polymerase chain reaction (RT-PCR). Even after treatment of the samples with DNAse, it is possible that negative controls (samples in which no reverse transcriptase was added) will give positive results. This indicates that there was amplification of DNA, which was not generated during the reverse transcriptase step. The possibility exists that Taq DNA polymerase acts as a reverse transcriptase, generating cDNA from RNA during the PCR step. In order to test this hypothesis, we incubated samples with a DNAse-free RNAse after the cDNA synthesis. Comparison of the results that were obtained from these samples (incubated with or without DNAse-free RNAse) confirms that the reverse transcriptase activity of Taq DNA polymerase I is a possible source of false positive results when performing RT-PCR from intronless genes. Moreover, we describe here a simple and rapid method to overcome the false positive results that originate by this activity of Taq polymerase.

Performance Analysis of DoS/DDoS Attack Detection Algorithms using Different False Alarm Rates (False Alarm Rate 변화에 따른 DoS/DDoS 탐지 알고리즘의 성능 분석)

  • Jang, Beom-Soo;Lee, Joo-Young;Jung, Jae-Il
    • Journal of the Korea Society for Simulation / v.19 no.4 / pp.139-149 / 2010
  • The Internet was designed for network scalability and best-effort service, which makes all hosts connected to the Internet vulnerable to attack. Many papers have proposed attack detection algorithms against attacks using IP spoofing and DoS/DDoS attacks. The purpose of a DoS/DDoS attack is achieved in a short period after the attack begins. Therefore, a DoS/DDoS attack should be detected as soon as possible. Attack detection algorithms using false alarm rates consist of the false negative rate and the false positive rate. Moreover, they are important metrics for evaluating attack detection. In this paper, we analyze by simulation the performance of attack detection algorithms in terms of the impact that variation of the false negative rate and the false positive rate has on normal traffic and attack traffic. As a result, we find that the number of passed attack packets is proportional to the false negative rate and the number of passed normal packets is inversely proportional to the false positive rate. We also analyze the limits of attack detection due to the relation between the false negative rate and the false positive rate. Finally, we propose a solution to minimize the limits of attack detection algorithms by defining the network state using the ratio between the number of packets classified as attack packets and the number of packets classified as normal packets. We find that the performance of the attack detection algorithm is improved by passing the packets classified as attacks.

Availability of urine toxicologic screening tests in the emergency department: focused on illegal drugs (응급실에서 시행한 소변 독성 검사의 유용성: 마약을 중심으로)

  • Lee, Se Kyu;Choi, Sangchun
    • Journal of The Korean Society of Clinical Toxicology / v.19 no.1 / pp.24-30 / 2021
  • Purpose: In Korea, it is predicted that the proportion of drug abusers among patients visiting the emergency room will soon increase. Several emergency medical institutions in Korea are conducting field urine screening tests for poisoning. In this study, we investigated the characteristics and usefulness of urine toxicology screening tests. Methods: The medical records of patients with positive results for tetrahydrocannabinol and methamphetamine from urine toxicology screening tests at a tertiary university hospital from August 2016 to August 2019 were reviewed retrospectively. The subjects were classified into positive and false-positive groups, and their clinical characteristics were compared and analyzed. Results: Of the 2,026 patients surveyed, 823 patients (40.6%) tested positive for one or more drugs. Among them, 12 cases (0.6%) were positive for methamphetamine and 40 cases (2.0%) were positive for tetrahydrocannabinol. The positive and the false-positive rates for methamphetamine were 66.7% and 33.3%, respectively. The positive and the false-positive rates for tetrahydrocannabinol were 2.5% and 97.5%, respectively. Conclusion: Methamphetamine showed a relatively low false-positive rate in our study. Therefore, this test seemed to assist in diagnosing methamphetamine poisoning when considered together with the present illness and physical examination results. On the other hand, the high false-positive rate for tetrahydrocannabinol tests indicates that this test was unlikely to assist in diagnosing tetrahydrocannabinol poisoning. However, considering the growing trend of illegal drug abusers in Korea, it may still be useful as a diagnostic tool for identifying drug users.

Approaches for Improving Bloom Filter-Based Set Membership Query

  • Lee, HyunYong;Lee, Byung-Tak
    • Journal of Information Processing Systems / v.15 no.3 / pp.550-569 / 2019
  • We propose approaches for improving the Bloom filter in terms of false positive probability and membership query speed. To reduce the false positive probability, we propose a special type of additional Bloom filter that is used to handle false positives caused by the original Bloom filter. Implementing the proposed approach for a routing table lookup, we show that our approach reduces the routing table lookup time by up to 28% compared to the original Bloom filter by handling most false positives within the fast memory. We also introduce an approach for improving the membership query speed. Taking a hash table-like approach while storing only values, the proposed approach shows much faster membership query speed than the original Bloom filter (e.g., 34 times faster with 10 subsets). Even compared to a hash table, our approach reduces the routing table lookup time by up to 58%.