Eung Ki Park

Patch management system for multi-platform environment

Patch management is one of the most important processes to fix vulnerabilities of softwares and to ensure a security of systems. Since an institute or a company has distributed hierarchical structure and the structure consists of many heterogeneous systems, it is not easy to update patches timely. In this paper, we propose a patch management framework with patch profiling mechanism and patch dependency solving mechanism. We implemented the proposed patch management framework with JAVA environments. We argue that the proposed framework can improve the patch management processes.

An alert reasoning method for intrusion detection system using attribute oriented induction

The intrusion detection system (IDS) is used as one of the solutions against the Internet attack. However the IDS reports extremely many alerts as compared with the number of the real attack. Thus the operator suffers from burden tasks that analyze floods of alerts and identify the root cause of them. The attribute oriented induction (AOI) is a kind of clustering method. By generalizing the attributes of raw alerts, it creates several clusters that include a set of alerts having similar or the same cause. However, if the attributes are excessively abstracted, the administrator does not identify the root cause of the alert. In this paper, we describe about the over generalization problem because of the unbalanced generalization hierarchy. We also discuss the solution of the problem and propose an algorithm to solve the problem.

Y-AOI: Y-means based attribute oriented induction identifying root cause for IDSs

The attribute oriented induction (AOI) is a kind of aggregation method. By generalizing the attributes of the alert, it creates several clusters that includes a set of alerts having similar or the same cause. However, if the attributes are excessively abstracted, the administrator does not identify the root cause of the attack. In addition, deciding time interval of clustering and deciding min_size are one of the most critical problems. In this paper, we describe about the over-generalization problem because of the unbalanced generalization hierarchy and discuss the solution of the problem. We also discuss problem to decide time interval and meaningful min_size, and propose reasonable method to solve these problems.

An effective method for analyzing intrusion situation through IP-Based classification

Due to a false alert or mass alerts by current intrusion detection systems, the system administrators have difficulties in real-time analysis of an intrusion. In order to solve this problem, it has been studied to analyze the intrusion situation or correlation. However, the existing situation analysis method is grouping with the similarity of measures, and it makes hard to respond appropriately to an elaborate attack. Also, the result of the method is so abstract that the raw information before reduction must be analyzed to realize the intrusion. In this paper, we reduce the number of alerts using the aggregation and correlation and classify the alerts by IP addresses and attack types. Through this method, our tool can find a cunningly cloaked attack flow as well as general attack situation, and more, they are visualized. So an administrator can easily understand the correct attack flow.

Adaptation enhanced mechanism for web survivability

There are increasing needs of undisturbed web services despite of attacks. In this paper, we proposed adaptation mechanism for a web-server intrusion tolerant system. Our proposed adaptation mechanism allows the system to provide continuous web services using various techniques, such as intrusion tolerant types, replication degree, server allocation mechanism, adaptive access control method and so on.

A cost-optimized detection system location scheme for DDoS attack

DDoS attack presents a very serious threat to the stability of the Internet. In this paper, we propose cost-optimized detection system location scheme based on the zero-one linear programming model. The performance of proposed model is evaluated based on a manually created network topology. From the evaluation results, we present that the total location cost increases exponentially according to the number of detection system, and the number of hop is reduced by adapting relative weights to the scheme.