Hyogon Kim

BotGAD: detecting botnets by capturing group activities in network traffic

Recent malicious attempts are intended to obtain financial benefits using a botnet which has become one of the major Internet security problems. Botnets can cause severe Internet threats such as DDoS attacks, identity theft, spamming, click fraud. In this paper, we define a group activity as an inherent property of the botnet. Based on the group activity model and metric, we develop a botnet detection mechanism, called BotGAD (Botnet Group Activity Detector). BotGAD enables to detect unknown botnets from large scale networks in real-time. Botnets frequently use DNS to rally infected hosts, launch attacks and update their codes. We implemented BotGAD using DNS traffic and showed the effectiveness by experiments on real-life network traces. BotGAD captured 20 unknown and 10 known botnets from two day campus network traces.

Fast detection and visualization of network attacks on parallel coordinates

This article presents what we call the parallel coordinate attack visualization (PCAV) for detecting unknown large-scale Internet attacks including Internet worms, DDoS attacks and network scanning activities. PCAV displays network traffic on the plane of parallel coordinates using the flow information such as the source IP address, destination IP address, destination port and the average packet length in a flow. The parameters are used to draw each flow as a connected line on the plane, where a group of polygonal lines form a particular shape in case of attack. From the observation that each attack type of significance forms a unique pattern, we develop nine signatures and their detection mechanism based on an efficient hashing algorithm. Using the graphical signatures, PCAV can quickly detect new attacks and enable network administrators to intuitively recognize and respond to the attacks. Compared with existing visualization works, PCAV can handle hyper-dimensions, i.e., can visualize more than 3 parameters if necessary, which significantly reduces false positives. As a consequence, Internet worms are more precisely detectable by machine and more easily recognizable by human. Another strength of PCAV is handling flows instead of packets. Per-flow visualization greatly reduces the processing time and further provides compatibility with legacy routers which export flow information, e.g., as NetFlow does in Cisco routers. We demonstrate the effectiveness of PCAV using real-life Internet traffic traces. The PCAV program is publicly available.

Performance Evaluation of IEEE 802.15.4 MAC with Different Backoff Ranges in Wireless Sensor Networks

The IEEE 802.15.4 MAC (medium access control) is a protocol used in many applications including the wireless sensor network. Yet the IEEE 802.15.4 MAC layer cannot support different throughput performance for individual nodes with the current specifications. However, if certain nodes are sending data more frequently compared to others, with the standard MAC, it is hard to achieve network efficiency. Therefore, we modified the IEEE 802.15.4 MAC and additionally proposed a new state transition scheme. By adjusting the minBE value of some nodes to a smaller value and by dynamically changing the value depending on the transmission conditions, we shortened the backoff delay of nodes with frequent transmission. It was observed through our simulations that the throughput of the node with a lower minBE value increased significantly, compared to nodes with the original BE range of 3 to 5. Also by the use of the state transition scheme the total network efficiency increased leading to increase in throughput performance

Application-Level Frequency Control of Periodic Safety Messages in the IEEE WAVE

The basic safety message (BSM, also called a “beacon”) is the most fundamental building block that enables proximity awareness in the IEEE Wireless Access in Vehicular Environments. For driving safety and agile networking, the frequency of the BSM transmissions should be maintained at the maximum allowable level, but at the same time, rampant BSM proliferation needs to be curbed to leave room for higher priority messages and other applications that share what small bandwidth we have in the 5.9-GHz Dedicated Short-Range Communications band. In this paper, we describe an application-level messaging frequency estimation scheme called frequency adjustment with random epochs (FARE), which significantly improves the BSM throughput while using less bandwidth than the bare 802.11p delivery. FARE can be implemented purely on the application layer and uses neither cross-layer optimization nor explicit feedback from neighboring vehicles. It is only a few lines of code; therefore, it can easily be embedded in the BSM application program executed in the onboard unit.

Real-time visualization of network attacks on high-speed links

This article shows that malicious traffic flows such as denial-of-service attacks and various scanning activities can be visualized in an intuitive manner. A simple but novel idea of plotting a packet using its source IP address, destination IP address, and the destination port in a 3-dimensional space graphically reveals ongoing attacks. Leveraging this property, combined with the fact that only three header fields per each packet need to be examined, a fast attack detection and classification algorithm can be devised.

Towards Zero Retransmission Overhead: A Symbol Level Network Coding Approach to Retransmission

We present SYNC, a physical layer transmission scheme that drastically reduces the cost of retransmission by introducing network coding concepts to symbol level operation. It piggybacks a new packet on each retransmitted packet, and exploits the previously received packet (possibly with error) at the receiver to recover both the retransmitted packet and the piggybacked packet. The piggybacking is achieved through higher modulation, but it does not decrease the decodability of the mixed packets owing to the previously received packet at the receiver, which can be analytically shown. SYNC works independently of other PHY level performance boosting schemes such as channel coding and spatial diversity. The proof-of-concept SYNC prototype has been implemented on a software defined radio (SDR) platform. The measurement data shows that under the same channel condition SYNC achieves 110 percent and 42 percent median throughput gain over traditional retransmission and SOFT, respectively. We also show that SYNC can be used proactively where the feedback as to the success of the previous transmission is not available, such as in broadcast.

Multi-Room IPTV Delivery through Pseudo-Broadcast over IEEE 802.11 Links

The IEEE 802.11 wireless LAN (WLAN) is a timetested technology, but it is still evolving towards even higher speeds and richer features. For multi-room IPTV delivery, where multiple IPTVs are fed from a main set-top box (STB), the IEEE 802.11 WLAN is an attractive choice for wirelessly connecting the STB and the IPTVs. In this paper, however, we first show that both the standard 802.11 unicast and broadcast/multicast delivery mechanisms have efficiency and reliability issues when they are applied to the multi-room IPTV delivery. In order to resolve the issues, we propose to use so called the pseudo-broadcast, where a unicast transmission is promiscuously received by multiple receivers. By dynamically changing the unicast destination based on the 802.11k measurement, the scheme also minimizes losses experienced by the promiscuous receivers. The scheme can be implemented without any change in the 802.11 standard, and provides a cost-effective solution to high-reliability and highefficiency multi-room IPTV delivery.

Boosting Video Capacity of IEEE 802.11n through Multiple Receiver Frame Aggregation

The technology based on the IEEE 802.11 standard has been hugely successful, and is evolving towards even higher speeds and richer features. In particular, the 802.11n amendment of the standard aims to achieve the physical layer (PHY) rate of 600 Mbps. Although the 802.11n offers sufficient bandwidth to support high-resolution video applications such as high definition TV (HDTV), we find that the number of video streams that can be supported on the IEEE 802.11n networks depends heavily on how the frame aggregation is implemented. In addition to the frame aggregation scheme stipulated in the amendment, we explore a multiple-receiver frame aggregation scheme for video traffic. The comparative study reveals through extensive simulation that the proposed multiple-receiver aggregation scheme increases the number of supported video streams by a factor of 2 or higher. We also shed light on the qualitative difference in the dynamics of the two approaches. Whereas the aggregation efficiency worsens with traffic increase in the point-to-point aggregation (which is highly undesirable), the proposed multiple- receiver aggregation exhibits resiliency against congestion, by matching the aggregation efficiency to the traffic load.

A Feasibility Study and Development Framework Design for Realizing Smartphone-Based Vehicular Networking Systems

Designing and distributing effective vehicular safety applications can help significantly reduce the number of car accidents and assure the safety of many precious lives. However, despite the efforts from standardization bodies and industrial manufacturers, many studies suggest that it will take more than a decade for full deployment. We start this work with the hypothesis that smartphones may be suitable platforms for catalyzing the distribution of vehicular safety systems. Specifically, smartphones connected to their respective cellular networks can report sensing data to back-end application servers and exchange safety-related messages. This paper first evaluates the performance of the vehicular ad-hoc networking standards and the hardware platforms that implement them. Next, we perform empirical evaluations on the performance of cellular networks to confirm their applicability in vehicular networking. Based on our observations, we present the VoCell application development framework. VoCell, comprehends a set of components that eases the development of smartphone applications for vehicular networking applications. Using VoCell, developers can easily access internal and external sensing components and share this data to servers. We present a number of example applications developed using VoCell and evaluate their effectiveness in local and highway environments using a pilot deployment. We envision that VoCell can act as a building block for enabling new smartphone-based systems for vehicular networking applications.

Collision Control of Periodic Safety Messages With Strict Messaging Frequency Requirements

For safety messages in a vehicular networking environment, strict messaging frequency requirements exist. For instance, six out of eight cooperative vehicular safety applications, as chosen by the National Highway Traffic Safety Administration and the Crash Avoidance Metrics Partnership, require a minimum of 10 Hz, whereas the precrash sensing application requires an even higher frequency of 50 Hz, for messages that convey the positions of vehicles. Currently, the collisions of periodic safety message broadcasts for the IEEE Wireless Access in Vehicular Environment (WAVE) system are left to the IEEE 802.11p medium access control (MAC) to resolve. With small contention window sizes stipulated in the 802.11p amendment, however, the MAC offers only limited relief to the collision problem, particularly toward the beginning of the control channel (CCH) interval. In this paper, we show that application-level control of the message transmission phase is desirable, when the frequency adaptation is not allowed due to the application requirement. We demonstrate through simulation and analysis that the proposed technique achieves up to 50% higher message reception probability compared with that relying only on the 802.11p MAC. The proposed method works in the safety applications themselves; therefore, the existing standards need not be modified.