Ho-Seok Kang
Konkuk University
Publication
Featured research published by Ho-Seok Kang.
international conference on information and communication technology | 2013
Lu Zhao; Ho-Seok Kang; Sung-Ryul Kim
PCA (Principal Component Analysis) is one of the most widely used dimension reduction techniques, which is often applied to identify patterns in complex data of high dimension [1]. In GA-KM [2], we have proposed the GA-KM algorithm and have experimented using the KDD-99 data set. The result showed GA-KM is efficient for intrusion detection. However, due to the hugeness of the data set, the experiment needs to take a long time to finish. To solve this deficiency, we combine PCA and GA-KM in this paper. The goal of PCA is to remove unimportant information like the noise in data sets which have high dimension, and retain the variation present in the original dataset as much as possible. The experimental results show that, compared to GA-KM [2], the proposed method is better in computational expense and time (through dimension reduction) and is also better in intrusion detection ratios (through noise reduction).
research in adaptive and convergent systems | 2017
Zhi-Guo Chen; Ho-Seok Kang; Shang-Nan Yin; Sung-Ryul Kim
In recent cyber incidents, ransom software (ransomware) poses a major threat to the security of computer systems. Consequently, ransomware detection has become a hot topic in computer security. Unfortunately, current signature-based and static detection models are often easily evaded by obfuscation, polymorphism, compression, and encryption. To overcome the deficiencies of the signature-based and static ransomware detection approaches, we have proposed a dynamic ransomware detection system using data mining techniques such as Random Forest (RF), Support Vector Machine (SVM), Simple Logistic (SL) and Naive Bayes (NB) algorithms for detecting known and unknown ransomware. We monitor the actual (dynamic) behaviors of software to generate API call flow graphs (CFG) and transfer them into a feature space. Thereafter, data normalization and feature selection were applied to select informative features which are the best for discriminating between various categories of software and benign software. Finally, the data mining algorithms were used for building the detection model for judging whether the software is benign software or ransomware. Our experimental results show that our proposed system can be more effective in improving the performance of ransomware detection. In particular, the accuracy and detection rate of our proposed system with the Simple Logistic (SL) algorithm can reach 98.2% and 97.6%, respectively. Meanwhile, the false positive rate can also be reduced to 1.2%.
The Journal of Supercomputing | 2014
Ho-Seok Kang; Sung-Ryul Kim
DDoS (distributed denial of service) attacks have gradually increased and have become more sophisticated. There have been several methods for defending against these attacks. However, because the types and scales of DDoS attacks have been diversified, it has become important to defend against DDoS attacks not only in main networks, but also in small scale networks such as AS (autonomous system). We have designed a DDoS defense system working inside AS without either changing the network structure or modifying the router. For this purpose, we have applied the Shield mechanism, which deals with the location problem in DDoS defense, and utilizes the routing updates protocol called RIP (routing information protocol), a representative protocol of IGP (interior gateway protocol). Moreover, we have also conducted experiments by using simulations to find the optimal number and locations of deployed systems.
research in adaptive and convergent systems | 2013
Phuong Do; Ho-Seok Kang; Sung-Ryul Kim
Malicious network data are becoming more and more serious nowadays. To deal with this problem, IDSs are used popularly as a security technology that helps to discover, determine and identify unauthorized use of information systems. However, the attacking technologies are becoming more complicated and require more time to detect. In order to make sure that IDS can work efficiently and accurately, novel algorithms need to be applied to adapt to the quick change of attacking technologies. There are many algorithms that are proposed to work on the matching process. Kruegel et al. generated a decision tree that is utilized to find malicious input items using as few redundant comparisons as possible [1]. In this paper, we improve Kruegel's algorithm by changing the clustering strategy for building the decision tree. The experiments show that the quality of the output decision tree could be significantly improved.
research in applied computation symposium | 2012
Phuong Do; Ho-Seok Kang; Sung-Ryul Kim
Enhanced Hierarchical Multipattern Matching Algorithm (EHMA) is an efficient pattern matching algorithm that divides the matching process into two phases so that it may reduce the number of external memory accesses. But when the number of patterns increases, the algorithm may not work well. In this paper we propose a method to solve this problem by combining the EHMA algorithm with the Aho-Corasick algorithm. We also take into consideration the effect of cache memory in the network equipment by implementing a cache-aware algorithm that exploits the frequency of the characters in the network payload and the transition probability of links in the Aho-Corasick automata. The experiments show that our improvement can help to significantly reduce the number of external memory accesses, compared to the original EHMA.
research in adaptive and convergent systems | 2018
Shang-Nan Yin; Ho-Seok Kang; Zhi-Guo Chen; Sung-Ryul Kim
In this era of information networks, more and more malware (malicious software) poses a serious threat to security. How to detect malware attacks in a timely and effective manner becomes particularly important. The increasingly sophisticated malware calls for new defense technologies to detect and combat novel attacks and threats. In this paper, we propose a novel malware detection method that not only depends on API calls but also further analyzes the relationships between them and creates higher-level semantics to prevent attackers from evading detection. We construct a heterogeneous information network (HIN) through the rich relationships between software and related APIs, and then use meta-path-based methods to describe the semantic relevance between software and APIs. We use each meta-path to calculate similarities between software and aggregate the different similarities with Multi-kernel Learning (MKL) to construct a malware detection system. We collected real sample data and conducted a comprehensive experiment. Through experiments we have obtained a relatively high detection rate and a relatively low false detection rate, which shows the effectiveness of our proposed method.
research in adaptive and convergent systems | 2016
Shang-Nan Yin; Ho-Seok Kang; Zhi-Guo Chen; Sung-Ryul Kim
Radio Frequency Identification (RFID) technology has been applied in many fields, such as tracking products through supply chains, electronic passports (ePassport), proximity cards, etc. Most companies will choose low-cost RFID tags. However, these RFID tags have almost no security mechanism, so criminals can easily clone these tags and get the user permissions. In this paper, we aim at more efficient detection of cloned proximity cards and design a real-time intrusion detection system based on a Complex Event Processing tool (Esper) in the RFID middleware. We will detect the cloned tags through training our system with the users' habits. When anomalous behavior that may indicate cloned tags is detected, the system sends a notification to the user. We discuss the reliability of this intrusion detection system and describe in detail how it works.
Journal of Universal Computer Science | 2013
Tran Phuc Ho; Ho-Seok Kang; Sung-Ryul Kim
J. Internet Serv. Inf. Secur. | 2013
Ho-Seok Kang; Sung-Ryul Kim
J. Internet Serv. Inf. Secur. | 2012
Ho-Seok Kang; Sung-Ryul Kim