Validation Methods of Suspicious Network Flows for Unknown Attack Detection
Authors
Ik Kyun Kim, Dae Won Kim, Yang Seo Choi, Koo Hong Kang, Jin Tae Oh, Jong Soo Jang
Issue Date
2009-03
Citation
International Journal of Computers, v.1, no.3, pp.104-114
ISSN
2367-8895
Language
English
Type
Journal Article
Project Code
09MS5300, Development of Anti-DDoS Technology, Jong Soo Jang
Abstract
Detection methods based on abnormal traffic behavior have a relatively high false-positive rate, and the accuracy of the signatures they generate is relatively low; in addition, they are not well suited to detecting exploits or generating signatures for them. In this paper we present ZASMIN (Zero-day Attack Signature Management Infrastructure), a system developed for detecting novel network attacks. It provides early warning at the moment an attack begins to spread across the network and blocks further spread by automatically generating a signature that a network security appliance such as an IPS can use. The system combines several techniques for unknown attack detection: suspicious traffic monitoring, attack validation, polymorphic worm recognition, and signature generation. In particular, the validation functions in ZASMIN must cover (1) polymorphism, i.e. attack code that is encrypted during the penetration and operation steps, (2) executables, i.e. binary code appearing at any step, and (3) malicious strings. We also introduce two concepts for validating the preprocessed suspicious traffic: attack-based validation and signature-based validation. These validation functions reduce the false rate of unknown attack detection. To check the feasibility of the validation functions in ZASMIN, we installed the system in a real honeynet environment and analyzed its detection of unknown attacks. Although the short analysis period was not long enough to observe a wide variety of unknown attacks, we confirmed that ZASMIN can detect some attacks without any well-known signature.
KSP Keywords
AND operation, Abnormal traffic, Cyber attacks, Detection Method, Network attack detection, Network flow, Signature-based, Validation methods, attack code, attack signatures, binary functions