FAFS: A Fuzzy Association Feature Selection Method for Network Malicious Traffic Detection

( Yongxin Feng ),( Yingyun Kang ),( Hao Zhang ),( Wenbo Zhang ) 한국인터넷정보학회 2020 KSII Transactions on Internet and Information Syst Vol.14 No.1

Analyzing network traffic is the basis of dealing with network security issues. Most of the network security systems depend on the feature selection of network traffic data and the de-tection ability of malicious traffic in network can be improved by the correct method of feature selection. An FAFS method, which is short for Fuzzy Association Feature Selection method, is proposed in this paper for network malicious traffic detection. Association rules, which can reflect the relationship among different characteristic attributes of network traffic data, are mined by association analysis. The membership value of association rules are obtained by the calculation of fuzzy reasoning. The data features with the highest correlation intensity in network data sets are calculated by comparing the membership values in association rules. The dimension of data features are reduced and the detection ability of malicious traffic detection algorithm in network is improved by FAFS method. To verify the effect of malicious traffic feature selection by FAFS method, FAFS method is used to select data features of different dataset in this paper. Then, K-Nearest Neighbor algorithm, C4.5 Decision Tree algorithm and Naïve Bayes algorithm are used to test on the dataset above. Moreover, FAFS method is also compared with classical feature selection methods. The analysis of experimental results show that the precision and recall rate of malicious traffic detection in the network can be signifi-cantly improved by FAFS method, which provides a valuable reference for the establishment of network security system.

Flow based Sequential Grouping System for Malicious Traffic Detection

( Jee-tae Park ),( Ui-jun Baek ),( Min-seong Lee ),( Young-hoon Goo ),( Sung-ho Lee ),( Myung-sup Kim ) 한국인터넷정보학회 2021 KSII Transactions on Internet and Information Syst Vol.15 No.10

With the rapid development of science and technology, several high-performance networks have emerged with various new applications. Consequently, financially or socially motivated attacks on specific networks have also steadily become more complicated and sophisticated. To reduce the damage caused by such attacks, administration of network traffic flow in real-time and precise analysis of past attack traffic have become imperative. Although various traffic analysis methods have been studied recently, they continue to suffer from performance limitations and are generally too complicated to apply in existing systems. To address this problem, we propose a method to calculate the correlation between the malicious and normal flows and classify attack traffics based on the corresponding correlation values. In order to evaluate the performance of the proposed method, we conducted several experiments using examples of real malicious traffic and normal traffic. The evaluation was performed with respect to three metrics: recall, precision, and f-measure. The experimental results verified high performance of the proposed method with respect to first two metrics.

HTTP Outbound Traffic을 이용한 개선된 악성코드 탐지 기법

최병하(Byung-Ha Choi),조경산(Kyung-San Cho) 한국컴퓨터정보학회 2009 韓國컴퓨터情報學會論文誌 Vol.14 No.9

웹을 통해 유포되는 악성코드는 다양한 해킹 기법과 혼합되어 진화되고 있지만, 이의 탐지 기법은 해킹 기술의 발전과 신종 악성코드에 제대로 대응하지 못하고 있는 실정이다. 본 논문에서는 악성코드와 이의 유포 특성의 분석에 따라 탐지 시스템이 갖추어야 할 요구사항을 정의하고, 이를 기반으로 HTTP Outbound Traffic을 감시하여 악성코드의 유포를 실시간으로 탐지하는 개선된 탐지 기법을 제안한다. 제안 기법에서는 악성코드를 유포하는 것으로 입증된 HTML 태그와 자바스크립트 코드를 시그니쳐로 IDS에 설정한다. 실제 침입된 환경에서의 검증 분석을 통해 제안 기법이 기존 기법에 비해 요구 사항의 만족에 우수하고 악성코드에 대한 높은 탐지율을 보임을 제시한다. Malicious codes, which are spread through WWW are now evolved with various hacking technologies However, detecting technologies for them are seemingly not able to keep up with the improvement of hacking and newly generated malicious codes. In this paper, we define the requirements of detecting systems based on the analysis of malicious codes and their spreading characteristics, and propose an improved detection scheme which monitors HTTP Outbound traffic and detects spreading malicious codes in real time. Our proposed scheme sets up signatures in IDS with confirmed HTML tags and Java scripts which spread malicious codes. Through the verification analysis under the real-attacked environment, we show that our scheme is superior to the existing schemes in satisfying the defined requirements and has a higher detection rate for malicious codes.

메타 학습 기반 차량용 유해 트래픽 탐지 시스템

신종훈,박성배,홍충선 한국정보과학회 2022 정보과학회 컴퓨팅의 실제 논문지 Vol.28 No.10

As the number of features provided in cars increases, numbers of Electronic Control Unit (ECU)s and ECUs with networking capability in vehicles are also increasing. With the increase of both ECUs and vehicles with ECUs, the importance of security for the automotive domain increases. However, Controller Area Network (CAN), a de facto standard of the intra-vehicle network, lacks security features that raise alarms. In addition, automotive Ethernet, a technology considered as a replacement for CAN, has concerns that it might inherit an identical or similar weakness as Ethernet. There are multiple network intrusion detection systems for CAN protocol to mitigate its lack of security features. Since features included in a vehicle are different according to each line of vehicles and vendors, the nonuniformity is an issue. Collecting and training different models for each vendor and vehicle and updating for new attack types are too costly. They might include unnecessary detection categories, thus increasing computing power for detection systems. To mitigate these issues, this paper proposed a Few Shot learning model utilizing meta-learning based malicious traffic detection system that could detect both malicious traffic of CAN and Ethernet with the capability of setting different detection categories with considerably fewer data and effort for each vehicle and vendor. 네트워킹 기능이 요구되는 전자기기를 포함한 자동차의 수가 증가함에 따라 차량 통신 환경에서의 보안이 중요해지고 있다. 하지만 차내 네트워크의 실제적 표준인 Controller Area Network(CAN) 버스의 보안 기능의 부족과 이에 따른 사이버 공격에 대한 취약함과 또한 CAN을 대체할 차량용 이더넷(automotive ethernet)의 보안의 불확실성에 대한 우려가 커지고 있다. 현재 표준이라고 할 수 있는 CAN 프로토콜의 취약한 보안을 보완하기 위해 여러 개선 방안 및 탐지 시스템들이 있다, 그러나 제조업체와 차량의 기능의 다양성은 유해 트래픽 탐지에서 주요 문제점 중 하나이다. 제조사 및 차량의 기능에 따라 다른 항목을 훈련시키고 새로운 유해 트래픽이 나올 때 마다 새로 데이터를 수집 후 훈련을 시키기에 너무 많은 수고가 있고 또한 계속 탐지 카테고리가 추가됨에 불필요하게 탐지 항목이 늘 수 있다. 본 논문은 위의 문제를 완화하기 위해 각 제조사 별 또한 각 차량 별 탐지 항목을 다르게 설정할 수 있고 새로운 탐지 항목을 추가함에도 많은 데이터를 요구하지 않는 Few Shot Learning을 이용한 메타 학습 기반 CAN 프로토콜과 이더넷의 유해 트래픽 탐지 시스템을 제안한다.

전자우편을 이용한 악성코드 유포방법 분석 및 탐지에 관한 연구

양경철(Kyeong Cheol Yang),이수연(Su yeon Lee),박원형(Won Hyung Park),박광철(Kwang Cheol Park),임종인(Jong in Lim) 한국정보보호학회 2009 정보보호학회논문지 Vol.19 No.1

본 논문은 해커가 정보절취 등을 목적으로 전자우편에 악성코드를 삽입?유포하는 공격 대응방안에 관한 연구로, 악성코드가 삽입된 전자우편은 정보유출 時 트래픽을 암호화(Encoding)하는데 이를 복호화(Decoding) 하는 ‘분석모델’을 구현 및 제안한다. 또한 보안관제측면(네트워크)에서 해킹메일 감염時 감염PC를 신속하게 탐지할 수 있는 ‘탐지기술 제작 방법론’을 연구하여 탐지규칙을 제작, 시뮬레이션 한 결과 효율적인 탐지성과를 보였다. 악성코드 첨부형 전자우편에 대한 대응책으로 공공기관이나 기업의 정보보안 담당자?PC사용자가 각자의 전산망 환경에 맞게 적용 가능한 보안정책을 제안함으로써 해킹메일 피해를 최소화하는데 도움이 되고자 한다. This paper proposes the detection method of spreading mails which hacker injects malicious codes to steal the information. And I developed the ‘Analysis model' which is decoding traffics when hacker’s encoding them to steal the information. I researched ‘Methodology of intrusion detection techniques’ in the computer network monitoring. As a result of this simulation, I developed more efficient rules to detect the PCs which are infected malicious codes in the hacking mail. By proposing this security policy which can be applicable in the computer network environment including every government or company, I want to be helpful to minimize the damage by hacking mail with malicious codes.