• Title/Summary/Keyword: false traffic rate


A Novel Network Anomaly Detection Method based on Data Balancing and Recursive Feature Addition

  • Liu, Xinqian;Ren, Jiadong;He, Haitao;Wang, Qian;Sun, Shengting
    • KSII Transactions on Internet and Information Systems (TIIS) / v.14 no.7 / pp.3093-3115 / 2020
  • Network anomaly detection systems play an essential role in detecting network anomalies and ensuring network security. Anomaly detection systems based on machine learning have become an increasingly popular solution. However, due to the imbalanced and high-dimensional characteristics of network traffic, the existing methods are unable to achieve the excellent performance of high accuracy and low false alarm rate. To address this problem, a new network anomaly detection method based on data balancing and recursive feature addition is proposed. Firstly, a data balancing algorithm based on improved KNN outlier detection is designed to select a representative portion of the data in each category. Combinatorial optimization of the parameters of the improved KNN outlier detection is implemented by a genetic algorithm. Next, a recursive feature addition algorithm based on correlation analysis is proposed to select effective features, in which a cross contingency test is utilized to analyze correlation and obtain a feature subset with strong correlation. Then, a random forests model is used as the classification model to detect anomalies. Finally, the proposed algorithm is evaluated on the benchmark datasets KDD Cup 1999 and UNSW_NB15. The results illustrate that the proposed strategies enhance accuracy and recall and decrease the false alarm rate. Compared with other algorithms, this algorithm still achieves significant effects, especially in recall on the small categories.

Utility of Spinal Injury Diagnosis Using C-Spine Lateral X-Ray and Chest, Abdomen and Pelvis Computed Tomography in Major Trauma Patients with Impaired Consciousness

  • Jang, Yoon Soo;So, Byung Hak;Jeong, Won Jung;Cha, Kyung Man;Kim, Hyung Min
    • Journal of Trauma and Injury / v.31 no.3 / pp.151-158 / 2018
  • Purpose: Regional emergency medical centers manage patients with major blunt trauma according to a process appropriate to each hospital rather than the standardized protocol of major trauma centers. The primary purpose of this study is to evaluate the effectiveness and influence on prognosis of an additional cervical-thoracic-lumbar-spine computed tomography (CTL-spine CT) scan in the diagnosis of spinal injury in victims of major blunt trauma with impaired consciousness. Methods: The study included patients over 18 years of age who visited the urban emergency medical center with major blunt trauma from January 2013 to December 2016. Data were collected from a retrospective review of medical records. Sensitivity, specificity, positive predictive value, and negative predictive value were measured to evaluate the performance of the diagnostic methods. Results: One hundred patients with a Glasgow coma scale ≤ 13 underwent an additional CTL-spine CT scan. The mechanism of injury was, in order of frequency: driver, pedestrian traffic accident, fall and passenger accident. Thirty-one patients were diagnosed with spinal injury, six of whom underwent surgical management. The sensitivity of chest, abdomen and pelvis CT (CAP CT) was 72%, specificity 97%, false positive rate 3%, false negative rate 28% and diagnostic accuracy 87%. Eleven patients were not diagnosed with spinal injury by CAP CT and C-spine lateral view, but all of them were diagnosed with stable fractures. Conclusions: A C-spine CT scan should be actively considered in the initial examination process. When a CAP CT scan is performed in major blunt trauma patients with impaired consciousness, a CTL-spine CT scan or simple spinal radiography has no significant effect on the prognosis of the patient and can be performed if necessary.

A Unknown Phishing Site Detection Method in the Interior Network Environment (내부 네트워크에서 알려지지 않은 피싱사이트 탐지방안)

  • Park, Jeonguk;Cho, Gihwan
    • Journal of the Korea Institute of Information Security & Cryptology / v.25 no.2 / pp.313-320 / 2015
  • While various phishing attacks are constantly increasing, the methods for responding to them still remain at the stage of responding after an attack has been identified. To detect a phishing site ahead of an attack, a method utilizing the Referer header field of HTTP has been suggested. However, it has the limitation of requiring a traffic gathering system for each prospective target host. This paper presents an unknown phishing site detection method for the interior network environment. Whenever a user tries to connect to a phishing site, its traffic is pre-processed considering the characteristics of the HTTP protocol and of phishing sites. The phishing site detection phase detects a site suspected of phishing by analysing HTTP content. To validate the proposed method, evaluations were conducted with 100 phishing URLs along with 100 normal URLs. The experimental results show that our method achieves a higher phishing site detection rate than existing detection methods, with a 66% detection rate for the phishing URLs and a 0% false negative rate for the normal URLs.

An Enhanced Statistical Detection Mechanism against DDoS attacks (향상된 통계기반 분산 서비스 거부(DDoS) 공격 탐지 시스템)

  • Song Byung-Hak;Hong Choong-Seon
    • Proceedings of the Korea Information Processing Society Conference / 2006.05a / pp.1109-1112 / 2006
  • DDoS (Distributed Denial-of-Service) attacks are among the most threatening forms of Internet intrusion, and research on detecting such attacks in real time has been actively conducted. However, the high false positive rate of existing detection mechanisms remains a problem to be addressed. Therefore, this paper proposes a method to improve the false alarm rate of anomaly-detection-based intrusion detection systems that use traffic volume, entropy, and chi-square, which have been used as the basis for DDoS attack detection. In addition, we design a system that, upon detecting an attack, uses the protocol, TCP flags, and port numbers to provide the network administrator with more detailed attack information so that attacks can be handled efficiently.


Study of Snort Intrusion Detection Rules for Recognition of Intelligent Threats and Response of Active Detection (지능형 위협인지 및 능동적 탐지대응을 위한 Snort 침입탐지규칙 연구)

  • Han, Dong-hee;Lee, Sang-jin
    • Journal of the Korea Institute of Information Security & Cryptology / v.25 no.5 / pp.1043-1057 / 2015
  • In order to recognize intelligent threats quickly and detect and respond to them actively, major public bodies and private institutions operate and administer Intrusion Detection Systems (IDS), which play a very important role in finding and detecting attacks. However, most IDS alerts have the problem that they generate false positives. In addition, in order to detect unknown malicious code and recognize and respond to its threats in advance, APT response solutions or action-based systems are introduced and operated. These execute malicious code directly using virtualization technology and detect abnormal activities in virtual environments, or detect unknown attacks with other methods. However, these, too, have weaknesses such as evasion of the virtual environment, performance problems with the total inspection of traffic, and errors in policy. Accordingly, for the effective detection of intrusions, it is very important to enhance security monitoring. This study discusses a plan for the reduction of false positives as a plan for the enhancement of security monitoring. As a result of an experiment based on the empirical data of G, rules were drawn up in three types and 11 kinds. As a result of a test following these rules, it was verified that the overall detection rate decreased by 30% to 50%, and the performance was improved by over 30%.

Intrusion Detection System Modeling Based on Learning from Network Traffic Data

  • Midzic, Admir;Avdagic, Zikrija;Omanovic, Samir
    • KSII Transactions on Internet and Information Systems (TIIS) / v.12 no.11 / pp.5568-5587 / 2018
  • This research uses artificial intelligence methods for computer network intrusion detection system modeling. Primary classification is done using self-organizing maps (SOM) at two levels, while the secondary classification of ambiguous data is done using a Sugeno-type Fuzzy Inference System (FIS). The FIS is created using an Adaptive Neuro-Fuzzy Inference System (ANFIS). The main challenge for this system was to successfully detect attacks that are either unknown or that are represented by a very small percentage of samples in the training dataset. An improved algorithm for the SOMs in the second layer and for the FIS creation is developed for this purpose. The number of clusters in the second SOM layer is optimized using our improved algorithm to minimize the amount of ambiguous data forwarded to the FIS. The FIS is created using ANFIS built on the ambiguous training dataset clustered by another SOM (whose size is determined dynamically). The proposed hybrid model is created and tested using the NSL-KDD dataset. For our research, NSL-KDD is especially interesting in terms of class distribution (overlapping). The objectives of this research were: to successfully detect intrusions represented in data with a small percentage of the total traffic during early detection stages, to successfully deal with overlapping data (separate ambiguous data), to maximize the detection rate (DR) and minimize the false alarm rate (FAR). The proposed hybrid model achieved on test data an acceptable DR value of 0.8883 and a FAR value of 0.2415. The objectives were successfully achieved, as presented (compared with similar research on the NSL-KDD dataset). The proposed model can be used not only in further research related to this domain, but also in other research areas.

Real-Time Vehicle License Plate Recognition System Using Adaptive Heuristic Segmentation Algorithm (적응 휴리스틱 분할 알고리즘을 이용한 실시간 차량 번호판 인식 시스템)

  • Jin, Moon Yong;Park, Jong Bin;Lee, Dong Suk;Park, Dong Sun
    • KIPS Transactions on Software and Data Engineering / v.3 no.9 / pp.361-368 / 2014
  • The LPR (license plate recognition) system has been developed for efficient control of complex traffic environments and is currently used in many places. However, because of light, noise, background changes, environmental changes and damaged plates, it only works in limited environments, so it is difficult to use in real time. This paper presents a heuristic segmentation algorithm that is robust to noise and illumination changes and introduces a real-time license plate recognition system using it. In the first step, we detect the plate using Haar-like features and AdaBoost. This method allows rapid detection using integral images and a cascade structure. In the second step, we determine the type of license plate with adaptive histogram equalization and bilateral filtering for denoising, and segment characters accurately based on adaptive thresholding, pixel projection and prior knowledge. The last step is character recognition, which uses histograms of oriented gradients (HOG) with a multi-layer perceptron (MLP) for number recognition and a support vector machine (SVM) for the number and Korean character classifiers respectively. The experimental results show a license plate detection rate of 94.29% and a license plate false alarm rate of 2.94%. In the character segmentation method, the character hit rate is 97.23% and the character false alarm rate is 1.37%. In character recognition, the average character recognition rate is 98.38%. The total average running time of our proposed method is 140 ms. It is possible to build a real-time system with efficiency and robustness.

A Fast Background Subtraction Method Robust to High Traffic and Rapid Illumination Changes (많은 통행량과 조명 변화에 강인한 빠른 배경 모델링 방법)

  • Lee, Gwang-Gook;Kim, Jae-Jun;Kim, Whoi-Yul
    • Journal of Korea Multimedia Society / v.13 no.3 / pp.417-429 / 2010
  • Though background subtraction has been widely studied for the last decades, it is still a poorly solved problem, especially when it meets real environments. In this paper, we first address some common problems for background subtraction that occur in real environments, and then those problems are resolved by improving an existing GMM-based background modeling method. First, to achieve low computation, fixed point operations are used. Because a background model usually does not require high precision of variables, we can reduce the computation time while maintaining its accuracy by adopting fixed point operations rather than floating point operations. Secondly, to avoid erroneous backgrounds induced by high pedestrian traffic, the static levels of pixels are examined using short-time statistics of the pixel history. By using a lower learning rate for non-static pixels, we can preserve valid backgrounds even for busy scenes where foregrounds dominate. Finally, to adapt to rapid illumination changes, we estimated the intensity change between two consecutive frames as a linear transform and compensated the learned background models according to the estimated transform. By applying the fixed point operations to the existing GMM-based method, it was possible to reduce the computation time to about 30% of the original processing time. Also, experiments on a real video with high pedestrian traffic showed that our proposed method improves on the previous background modeling methods by 20% in detection rate and 5~10% in false alarm rate.

Detection of Traffic Flooding Attacks using SVDD and SNMP MIB (SVDD와 SNMP MIB을 이용한 트래픽 폭주 공격의 탐지)

  • Yu, Jae-Hak;Park, Jun-Sang;Lee, Han-Sung;Kim, Myung-Sup;Park, Dai-Hee
    • Proceedings of the Korean Information Science Society Conference / 2008.06a / pp.124-127 / 2008
  • Traffic flooding attacks, represented by DoS/DDoS, can cause serious failures in a network by adversely affecting not only the target system but also network bandwidth, processor capacity, and system resources. Rapid detection of traffic flooding attacks is therefore essential for stable service provision and system operation. Conventional DoS/DDoS detection methods based on packet collection allow detailed analysis of attacks, but suffer from a lack of deployment scalability, the need for expensive high-performance analysis systems, and no guarantee of rapid detection. In this paper, we design and implement a new system that uses SVDD (support vector data description) on SNMP MIB object information collected at 15-second intervals to enable faster and more accurate intrusion detection, easy scalability, low-cost detection, and accurate classification by attack type. The performance of the proposed system is verified through experiments by confirming a satisfactory intrusion detection rate, a safe false negative rate, and classification rates by attack type.


Modeling and Classification of MPEG VBR Video Data using Gradient-based Fuzzy c_means with Divergence Measure (분산 기반의 Gradient Based Fuzzy c-means 에 의한 MPEG VBR 비디오 데이터의 모델링과 분류)

  • 박동철;김봉주
    • The Journal of Korean Institute of Communications and Information Sciences / v.29 no.7C / pp.931-936 / 2004
  • GBFCM(DM), Gradient-based Fuzzy c-means with Divergence Measure, for efficient clustering of GPDFs (Gaussian Probability Density Functions) in MPEG VBR video data modeling is proposed in this paper. The proposed GBFCM(DM) is based on GBFCM (Gradient-based Fuzzy c-means) with the divergence as its distance measure. In this paper, sets of real-time MPEG VBR video traffic data are considered. Each set of 12 frames of MPEG VBR video data is first transformed into 12-dimensional data for modeling, and the transformed 12-dimensional data are passed through the proposed GBFCM(DM) for classification. The GBFCM(DM) is compared with conventional FCM and GBFCM algorithms. The results show that the GBFCM(DM) gives a 5~15% improvement in False Alarm Rate over conventional algorithms such as FCM and GBFCM.