Hansung Lee

Traffic flooding attack detection with SNMP MIB using SVM

Recently, as network flooding attacks such as DoS/DDoS and Internet Worm have posed devastating threats to network services, rapid detection and proper response mechanisms are the major concern for secure and reliable network services. However, most of the current Intrusion Detection Systems (IDSs) focus on detail analysis of packet data, which results in late detection and a high system burden to cope with high-speed network traffic. Little or no integration exists between IDS and SNMP-based network management, in spite of the extensive monitoring and statistical information provided by SNMP agents implemented on network devices and systems. In this paper we propose a lightweight and fast detection mechanism for traffic flooding attacks. Firstly, we use SNMP MIB statistical data gathered from SNMP agents, instead of raw packet data from network links. The involved SNMP MIB variables are selected by an effective feature selection mechanism and gathered effectively by the MIB update time prediction mechanism. Secondly, we use a machine learning approach based on a Support Vector Machine (SVM) for attack classification. Using MIB and SVM, we achieved fast detection with high accuracy, the minimization of the system burden, and extendibility for system deployment. The proposed mechanism is constructed in a hierarchical structure, which first distinguishes attack traffic from normal traffic and then determines the type of attacks in detail. Using MIB datasets collected from real experiments involving a DDoS attack, we validate the possibility of our approaches. It is shown that network attacks are detected with high efficiency, and classified with low false alarms.

Real-time classification of internet application traffic using a hierarchical multi-class SVM

In this paper, we propose a hierarchical application traffic classification system as an alternative means to overcome the limitations of the port number and payload based methodologies, which are traditionally considered traffic classification methods. The proposed system is a new classification model that hierarchically combines a binary classifier SVM and Support Vector Data Descriptions (SVDDs). The proposed system selects an optimal attribute subset from the bi-directional traffic flows generated by our traffic analysis system (KU-MON) that enables real-time collection and analysis of campus traffic. The system is composed of three layers: The first layer is a binary classifier SVM that performs rapid classification between P2P and non-P2P traffic. The second layer classifies P2P traffic into file-sharing, messenger and TV, based on three SVDDs. The third layer performs specialized classification of all individual application traffic types. Since the proposed system enables both coarse- and fine-grained classification, it can guarantee efficient resource management, such as a stable network environment, seamless bandwidth guarantee and appropriate QoS. Moreover, even when a new application emerges, it can be easily adapted for incremental updating and scaling. Only additional training for the new part of the application traffic is needed instead of retraining the entire system. The performance of the proposed system is validated via experiments which confirm that its recall and precision measures are satisfactory.

A unified scheme of shot boundary detection and anchor shot detection in news video story parsing

In this paper, we propose an efficient one-pass algorithm for shot boundary detection and a cost-effective anchor shot detection method with search space reduction, which are unified scheme in news video story parsing. First, we present the desired requirements for shot boundary detection from the perspective of news video story parsing, and propose a new shot boundary detection method, based on singular value decomposition, and a newly developed algorithm, viz., Kernel-ART, which meets all of these requirements. Second, we propose a new anchor shot detection system, viz., MASD, which is able to detect anchor person cost-effectively by reducing the search space. It consists of skin color detector, face detector, and support vector data descriptions with non-negative matrix factorization sequentially. The experimental results with the qualitative analysis illustrate the efficiency of the proposed method.

Intrusion detection system based on multi-class SVM

In this paper, we propose a new intrusion detection system: MMIDS (Multi-step Multi-class Intrusion Detection System), which alleviates some drawbacks associated with misuse detection and anomaly detection. The MMIDS consists of a hierarchical structure of one-class SVM, novel multi-class SVM, and incremental clustering algorithm: Fuzzy-ART. It is able to detect novel attacks, to give detail informations of attack types, to provide economic system maintenance, and to provide incremental update and extension with a system.

A Cost-Effective Pigsty Monitoring System Based on a Video Sensor

Automated activity monitoring has become important in many applications. In particular, automated monitoring is an important issue in large-scale management of group-housed livestock because it can save a significant part of farm workers’ time or minimize the damage caused by livestock problems. In this paper, we propose an automated solution for measuring the daily-life activities of pigs by using video data in order to manage the group-housed pigs. Especially, we focus on the circadian rhythm of group-housed pigs under windowless and 24-hour light-on conditions. Also, we derive a cost-effective solution within the acceptable range of quality for the activity monitoring application. From the experimental results with the video monitoring data obtained from two pig farms, we believe our method based on circadian rhythm can be applied for detecting management problems of group-housed pigs in a cost-effective way.

Adaptive Intrusion Detection System Based on SVM and Clustering

In this paper, we propose a new adaptive intrusion detection algorithm based on clustering: Kernel-ART, which is composed of the on-line clustering algorithm, ART (adaptive resonance theory), combining with mercer-kernel and concept vector. Kernel-ART is not only satisfying all desirable characteristics in the context of clustering-based IDS but also alleviating drawbacks associated with the supervised learning IDS. It is able to detect various types of intrusions in real-time by means of generating clusters incrementally.

Hierarchical Internet Application Traffic Classification using a Multi-class SVM

본 논문에서는 인터넷 애플리케이션 트래픽 분류방법으로 대표되는 포트 번호 및 페이로드 정보를 이용하는 방법론의 한계점을 극복하는 대안으로서, SVM을 기반으로 한 계층적 인터넷 애플리케이션 트래픽 분류 시스템을 제안한다. 제안된 시스템은 이진 분류기인 SVM과 단일클래스 SVM의 대표적 모델인 SVDD를 계층적으로 결합한 새로운 트래픽 분류 모델로서, 학내에서 수집된 양방향 트래픽 플로우 데이터에 대한 최적의 속성 부분집합을 선택한 후, P2P 트래픽과 non-P2P 트래픽을 빠르게 분류하는 첫 번째 계층, P2P 트래픽들을 파일공유, 메신저, TV로 분류하는 두 번째 계층, 그리고 전체 16가지 애플리케이션 트래픽별로 세분화 분류하는 세 번째 계층으로 구성된다. 제안된 시스템은 인터넷 애플리케이션 트래픽을 coarse 혹은 fine하게 분류함으로써 효율적인 시스템의 자원 관리, 안정적인 네트워크 환경의 지원, 원활한 대역폭의 사용, 그리고 적절한 QoS를 보장할 수 있다. 또한, 새로운 애플리케이션 트래픽이 추가되더라도 전체 시스템을 재학습시킬 필요 없이 새로운 애플리케이션 트래픽만을 추가 학습함으로써 시스템의 점증적 갱신 및 확장성도 가능하다. 실험을 통하여 제안된 시스템의 성능을 검증한다.In this paper, we introduce a hierarchical internet application traffic classification system based on SVM as an alternative overcoming the uppermost limit of the conventional methodology which is using the port number or payload information. After selecting an optimal attribute subset of the bidirectional traffic flow data collected from the campus, the proposed system classifies the internet application traffic hierarchically. The system is composed of three layers: the first layer quickly determines P2P traffic and non-P2P traffic using a SVM, the second layer classifies P2P traffics into file-sharing, messenger, and TV, based on three SVDDs. The third layer makes specific classification of the entire 16 application traffics. By classifying the internet application traffic finely or coarsely, the proposed system can guarantee an efficient system resource management, a stable network environment, a seamless bandwidth, and an appropriate QoS. Also, even a new application traffic is added, it is possible to have a system incremental updating and scalability by training only a new SVDD without retraining the whole system. We validate the performance of our approach with computer experiments.

In-depth Analysis of Soccer Game via Webcast and Text Mining

As the role of soccer game analyst who analyzes soccer games and creates soccer wining strategies is emphasized, it is required to have high-level analysis beyond the procedural ones such as main event detection in the context of IT based broadcasting soccer game research community. In this paper, we propose a novel approach to generate the high-level in-depth analysis results via real-time text based soccer Webcast and text mining. Proposed method creates a metadata such as attribute, action and event, build index, and then generate available knowledges via text mining techniques such as association rule mining, event growth index, and pathfinder network analysis using Webcast and domain knowledges. We carried out a feasibility experiment on the proposed technique with the Webcast text about Spain team`s 2010 World Cup games.

Traffic Flooding Attack Detection on SNMP MIB Using SVM

Recently, as network flooding attacks such as DoS/DDoS and Internet Worm have posed devastating threats to network services, rapid detection and proper response mechanisms are the major concern for secure and reliable network services. However, most of the current Intrusion Detection Systems(IDSs) focus on detail analysis of packet data, which results in late detection and a high system burden to cope with high-speed network environment. In this paper we propose a lightweight and fast detection mechanism for traffic flooding attacks. Firstly, we use SNMP MIB statistical data gathered from SNMP agents, instead of raw packet data from network links. Secondly, we use a machine learning approach based on a Support Vector Machine(SVM) for attack classification. Using MIB and SVM, we achieved fast detection with high accuracy, the minimization of the system burden, and extendibility for system deployment. The proposed mechanism is constructed in a hierarchical structure, which first distinguishes attack traffic from normal traffic and then determines the type of attacks in detail. Using MIB data sets collected from real experiments involving a DDoS attack, we validate the possibility of our approaches. It is shown that network attacks are detected with high efficiency, and classified with low false alarms.

A New Anchor Shot Detection System for News Video Indexing

In this paper, we present a new anchor shot detection system which is a core step of the preprocessing process for the news video analysis. The proposed system is composed of four modules and operates sequentially: 1) skin color detection module for reducing the candidate face regions; 2) face detection module for finding the key-frames with a facial data; 3) vector representation module for the key-frame images using a non-negative matrix factorization; 4) anchor shot detection module using a support vector data description. According to our computer experiments, the proposed system shows not only the comparable accuracy to the recent other results, but also more faster detection rate than others.