• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.10 no.4
• /
• pp.811-817
• /
• 2009

The rapid growth of network based IT systems has resulted in continuous research of security issues. Probe intrusion detection is an area of increasing concerns in the internet community. Recently, a number of probe intrusion detection schemes have been proposed based on various technologies. However, the techniques, which have been applied in many systems, are useful only for the existing patterns of probe intrusion. They can not detect new patterns of probe intrusion. Therefore, it is necessary to develop a new Probe Intrusion Detection technology that can find new patterns of probe intrusion. In this paper, we proposed a new network based probe intrusion detector(NePID) using anomaly traffic analysis and fuzzy cognitive maps that can detect intrusion by the denial of services attack detection method utilizing the packet analyses. The probe intrusion detection using fuzzy cognitive maps capture and analyze the packet information to detect syn flooding attack. Using the result of the analysis of decision module, which adopts the fuzzy cognitive maps, the decision module measures the degree of risk of denial of service attack and trains the response module to deal with attacks. For the performance evaluation, the "IDS Evaluation Data Set" created by MIT was used. From the simulation we obtained the max-average true positive rate of 97.094% and the max-average false negative rate of 2.936%. The true positive error rate of the NePID is similar to that of Bernhard's true positive error rate.

• Proceedings of the Korea Contents Association Conference
• /
• 2003.11a
• /
• pp.105-108
• /
• 2003

The recent hacking trend is a traffic flooding attack against a bandwidth in the network grows more and more. On the other hand, technology, which extracts attack traffic in the network from these threats, is still short. Therefore, we propose methodology which can measure traffic that threaten network services, and algorithm which can detect DDoS attacks effectively.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2005.05a
• /
• pp.1327-1330
• /
• 2005

서비스 거부공격(Denial of Sevice)이란 서버의 자원을 고갈시켜 더이상 정상적인 서비스를 할 수 없도록 하는 공격이다. DoS 공격 중에서 SYN Flooding DoS Attack을 받은 웹 서버는 외부로부터 들어온 공격 패킷에 의해 back log를 소모하게 된다. 그 결과 정상적인 연결 요청에 대해 서비스를 제공하지 못하게 된다. Dos 공격에 관한 다양한 연구가 진행되고 있지만, 본 논문에서는 서비스 거부공격이 TCP 상태 전이에 미치는 영향에 관한 연구를 하였다. 웹 서버의 Tcp 상태정보를 얻기 위해 GetTcpinfo 프로세스를 실행한 후 정상적인 접속을 시도해 보고 정상적인 접속이 진행되고 있는 상태에서 DoS 공격을 시도한다. GetTcpinfo 프로세스에 의해 파일로 저장된 TCP 상태전이 값을 분석하여 DoS 공격이 TCP 상태 전이에 미치는 영향에 대해 알아본다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.1
• /
• pp.155-163
• /
• 2014

To enhance network efficiency, content-centric networking (CCN) proposes that intermediated network nodes on a content-delivery path temporally cache transmitted contents. Then if an intermediated node receives a content request message (Interest) for previously cached content, the node directly transmits the cached content as a response message (Data) to requestors and finishes the transmission of the received Interest. Since Interest is performed by intermediated network nodes, it is possible to efficiently transmit contents and to effectively solve a network congestion problem caused around contents sources. For that, CCN utilizes both content store to temporarily cache content and pending Interest table (PIT) to record Interest incoming Face. However, it has mentioned the possibility of denial service attack using both the limitation of PIT resource and fake Interests. In this paper, we briefly describe the presented PIT flooding attack utilizing fake Interest. Then we introduce new attack possibility using fake Data and propose a countermeasure for the proposed attack. Also we evaluate the performance of our proposal.

• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.14 no.1
• /
• pp.203-209
• /
• 2014

Today, Distributed denial of service (DDoS) attack present a very serious threat to the stability of the internet. The DDoS attack, which is consuming all of the computing or communication resources necessary for the service, is known very difficult to protect. The DDoS attack usually transmits heavy traffic data to networks or servers and they cannot handle the normal service requests because of running out of resources. It is very hard to prevent the DDoS attack. Therefore, an intrusion detection system on large network is need to efficient real-time detection. In this paper, we propose the detection mechanism using analysis of flow information against DDoS attacks in order to guarantee the transmission of normal traffic and prevent the flood of abnormal traffic. The OPNET simulation results show that our ideas can provide enough services in DDoS attack.

• KIPS Transactions on Computer and Communication Systems
• /
• v.7 no.1
• /
• pp.19-26
• /
• 2018

Recently, DDoS amplification attacks using servers that provide Microsoft Active Directory information using CLDAP protocol are increasing. Because CLDAP is an open standard application that allows a wide range of directory information to be accessed and maintained in a network, the server is characterized by its openness to the Internet. This can be exploited by the Reflector server to perform an amplification attack by an attacker. In addition, this attack can be attacked with a packet that is amplified 70 times more than the conventional UDP-based flooding attack, and it can block service to small and medium sized server. Therefore, in this paper, we propose an algorithm that can reduce the DDoS amplification attack using CLDAP server and implement the corresponding CLDAP server environment virtually, and implement and demonstrate the corresponding algorithm. This provides a way to ensure the availability of the server.

• Journal of KIISE:Computing Practices and Letters
• /
• v.15 no.12
• /
• pp.998-1002
• /
• 2009

In IPTV multicast architecture, the IGMP(Internet Group Management Protocol) is used for access networks. This protocol supports the functionality of join or leave for a specific multicast channel group. But, malicious attackers can disturb legitimate users being served appropriately. By using spoofed IGMP messages, attackers can hi-jack the premium channel, wasting bandwidth and exhausting the IGMP router's resources. To prevent the message spoofing, we can introduce the packet-level authentication methods. But, it causes the additional processing overhead to an IGMP processing router, so that the router is more susceptible to the flooding attacks. In this paper, we propose the two-level authentication scheme in order to mitigate the IGMP flooding attack.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2018.10a
• /
• pp.152-155
• /
• 2018

Over the past years, Link Flooding Attacks (LFAs) have been introduced as new network threats. LFAs are indirect DDoS attacks that selectively flood intermediate core links, while legacy DDoS attacks directly targets end points. Flooding bandwidth in the core links results in that a wide target area is affected by the attack. In the traditional network, mitigating LFAs is a challenge since an attacker can easily construct a link map that contains entire network topology via traceroute. Security researchers have proposed many solutions, however, they focused on reactive countermeasures that respond to LFAs when attacks occurred. We argue that this reactive approach is limited in that core links are already exposed to an attacker. In this paper, we present SDHoneyNet that prelocates vulnerable links by computing static and dynamic property on Software-defined Networks (SDN). SDHoneyNet deploys Honey Topology, which is obfuscated topology, on the nearby links. Using this approach, core links can be hidden from attacker's sight, which leads to effectively building proactive method for mitigating LFAs.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.36 no.11B
• /
• pp.1297-1304
• /
• 2011

SIP(Session Initiation Protocol) has some security vulnerability because it works on the Internet. Therefore, the proxy server can be affected by the flooding attack such as DoS and service interruption. However, traditional schemes to corresponding Denial of Service attacks have some limitation. These schemes have high complexity and cannot protect to the variety of Denial of Service attack. In this paper, we newly define the normal user who makes a normal session observed by verifier module. Our method provides continuous service to the normal users in the various situations of Denial of Service attack as constructing a whitelist using normal user information. Various types of attack/normal traffic are modeled by using OPNET simulator to verify our scheme. The simulation results show that our proposed scheme can prevent DoS attack and achieve a low false rate and fast searching time.

• The Journal of the Korea Contents Association
• /
• v.5 no.5
• /
• pp.172-181
• /
• 2005

The latest attack type against network traffic appeared by worm and bot that are advanced in DDoS. It is difficult to detect them because they are diversified, intelligent, concealed and automated. The exisiting traffic analysis method using SNMP has a vulnerable problem; it considers normal P2P and other application program to be harmful traffic. It also has limitation that does not analyze advanced programs such as worm and bot to harmful traffic. Therefore, we analyzed harmful traffic out Protocol and Port analysis. We also classified traffic by protocol, well-known port, P2P port, existing attack port, and specification port, apply singularity weight to detect, and analyze attack availability. As a result of simulation, it is proved that it can effectively detect P2P application, worm, bot, and DDoS attack.