• Journal of Internet Computing and Services
• /
• v.8 no.6
• /
• pp.43-53
• /
• 2007

Intrusion detection system(IDS) has recently evolved while combining signature-based detection approach with anomaly detection approach. Although signature-based IDS tools have been commonly used by utilizing machine learning algorithms, they only detect network intrusions with already known patterns, Ideal IDS tools should always keep the signature database of your detection system up-to-date. The system needs to generate the signatures to detect new possible attacks while monitoring and analyzing incoming network data. In this paper, we propose a new outlier cluster detection algorithm with density (or influence) function, Our method assumes that an outlier is a kind of cluster with similar instances instead of a single object in the context of network intrusion, Through extensive experiments using KDD 1999 Cup Intrusion Detection dataset. we show that the proposed method outperform the conventional outlier detection method using Euclidean distance function, specially when attacks occurs frequently.

• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.12 no.7
• /
• pp.3191-3196
• /
• 2011

Smart home system are being installed in the most new construction of building for the convenience of living life. As smart home systems are becoming more common and their diffusion rates are faster, hacker's attack for the smart home system will be increased. In this paper, Risk level of smart home's to do respond to intrusion that occurred from the wired network and wireless network intrusion cases and attacks can occur in a virtual situation created scenarios to build a database. This is based on the smart home users vulnerable to security to know finding illegal intrusion traffic in real-time and attack prevent was designed the intrusion detection algorithm.

• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.12 no.1
• /
• pp.459-466
• /
• 2011

In this paper, we proposed a data mining framework for the management of alerts in order to improve the performance of the intrusion detection systems. The proposed alert data mining framework performs alert correlation analysis by using mining tasks such as axis-based association rule, axis-based frequent episodes and order-based clustering. It also provides the capability of classify false alarms in order to reduce false alarms. We also analyzed the characteristics of the proposed system through the implementation and evaluation of the proposed system. The proposed alert data mining framework performs not only the alert correlation analysis but also the false alarm classification. The alert data mining framework can find out the unknown patterns of the alerts. It also can be applied to predict attacks in progress and to understand logical steps and strategies behind series of attacks using sequences of clusters and to classify false alerts from intrusion detection system. The final rules that were generated by alert data mining framework can be used to the real time response of the intrusion detection system.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.13 no.5
• /
• pp.2732-2753
• /
• 2019

With the application of wireless sensor networks in the fields of ecological observation, defense military, architecture and urban management etc., the security problem is becoming more and more serious. Characteristics and constraint conditions of wireless sensor networks such as computing power, storage space and battery have brought huge challenges to protection research. Inspired by the danger theory in biological immune system, this paper proposes an intrusion detection model for wireless sensor networks. The model abstracts expressions of antigens and antibodies in wireless sensor networks, defines meanings and functions of danger signals and danger areas, and expounds the process of intrusion detection based on the danger theory. The model realizes the distributed deployment, and there is no need to arrange an instance at each sensor node. In addition, sensor nodes trigger danger signals according to their own environmental information, and do not need to communicate with other nodes, which saves resources. When danger is perceived, the model acquires the global knowledge through node cooperation, and can perform more accurate real-time intrusion detection. In this paper, the performance of the model is analyzed including complexity and efficiency, and experimental results show that the model has good detection performance and reduces energy consumption.

• Journal of Korea Society of Industrial Information Systems
• /
• v.6 no.1
• /
• pp.1-6
• /
• 2001

This paper proposes a method to reduce the timing gap which causes a type of attack to a network-based intrusion detection system. For this, an intrusion defection system is used in order to measure the round trip tin to the destination system, and the measured round trip time is used for estimation of packet's real arrival time to destination. Socket programings are used on the LAN environments to evaluate the performance of the proposed method. The test results show that an estimation method which uses the latest round trip time has the best performance, and the timing gap can be significantly reduced with small overheads.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.14 no.4
• /
• pp.111-121
• /
• 2004

With rapid growth of the Internet, network intrusions have greatly increased and damage of attacks has become more serious. Recently some kinds of Internet attacks cause significant damage to overall network performance. Current Intrusion Detection Systems are not capable of performing the real-time detection on the backbone network In this paper, we propose the broadband network intrusion detection system using the exponential smoothing method. We made an experiment with real backbone traffic data for 8 days. The results show that our proposed system detects big jumps of traffic volume well.

• Convergence Security Journal
• /
• v.18 no.5_1
• /
• pp.59-66
• /
• 2018

The performance of a network intrusion detection system using the machine learning method depends heavily on the composition and the size of the feature set. The detection accuracy, such as the detection rate or the false positive rate, of the system relies on the feature composition. And the time it takes to train and detect depends on the size of the feature set. Therefore, in order to enable the system to detect intrusions in real-time, the feature set to beused should have a small size as well as an appropriate composition. In this paper, we show that the size of the feature set can be further reduced without decreasing the detection rate through using Pearson correlation coefficient between features along with the multi-objective genetic algorithm which was used to shorten the size of the feature set in previous work. For the evaluation of the proposed method, the experiments to classify 10 kinds of attacks and benign traffic are performed against NSL_KDD data set.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2011.10a
• /
• pp.689-690
• /
• 2011

본 논문에서는 무선 센서네트워크 환경에 적용할 수 있는 불법 침입자를 감지하는 시스템으로 GPS의 위성시간과 단말기 노드 내부의 암호화 동기 시간 설정 알고리즘을 혼합하여 시간 중심의 암호화 인증시스템을 설계하여 불법적인 외부노드의 침입을 탐지하는 방법을 제안하고자 한다. 본 논문에서는 GPS의 시간 정보와 RTC(Real Time Clock) 칩과 동기화 하여 시간 정보를 실내에서도 사용할 수 있으며, 마이크로프로세서 내부 타이머 설정 시간 등을 고려하여 다중화된 시간 정보를 이용하여 보다 높은 수준의 침입 감지 시스템을 개발하여 효율성을 제시하고자 한다.

• The KIPS Transactions:PartC
• /
• v.14C no.1 s.111
• /
• pp.1-6
• /
• 2007

In order to operate a secure network, it is very important for the network to raise positive detection as well as lower negative detection for reducing the damage from network intrusion. By using SVM on the intrusion detection field, we expect to improve real-time detection of intrusion data. However, due to classification based on calculating values after having expressed input data in vector space by SVM, continuous data type can not be used as any input data. Therefore, we present the hybrid model between SVM and decision tree method to make up for the weak point. Accordingly, we see that intrusion detection rate, F-P error rate, F-N error rate are improved as 5.6%, 0.16%, 0.82%, respectively.

• Proceedings of the Korea Institutes of Information Security and Cryptology Conference
• /
• 2003.07a
• /
• pp.121-125
• /
• 2003

In this paper, we propose a framework of Transmission Control Protocol with Software Rejuvenation methodology, which is applicable for network system survivability. This method is utilized to improve the survivability because it can limit the damage caused by successful attacks. The main objectives are to detect intrusions in real time, to characterize attacks, and to survive in face of attacks. To counter act the attacks' attempts or intrusions, we perform the Software Rejuvenation methods such as killing the intruders' processes in their tracks, halting abuse before it happens, shutting down unauthorized connection, and responding and restarting in real time. These slogans will really frustrate and deter the attacks, as the attacker can't make their progress. This is the way of survivability to maximize the deterrence against an attack in the target environment. We address a framework to model and analyze the critical intrusion tolerance problems ahead of intrusion detection on Transmission Control Protocol (TCP).