Jongsoo Jang

A security framework with trust management for sensor networks

Wireless sensor networks are prone to security attacks, which are either common to conventional networks or unique for themselves due to the resource-constraint, susceptibility to physical capture, and wireless nature. Security solutions using crypto schemes are not enough, and sometimes not efficient. In this paper, we develop a security framework with trust management, i.e. establishment of trustworthy network environment, to secure sensor networks. For trust management, we explore a distributed trust model, enabling recommendation-based trust and trust-based recommendation, to build reasonable trust relationship among network entities, represented by numerical values, i.e. trust values. And our security framework fully relies on the values to execute security-related actions aiming at the tradeoff between security and network performance.

D-SAT: detecting SYN flooding attack by two-stage statistical approach

We propose D-SAT (detecting SYN flooding attack by two-stage statistical approach) system that is simple and robust approach to detect SYN flooding attacks by observing network traffic. Instead of managing all ongoing traffic on the network, D-SAT only monitors SYN count and ratio between SYN and other TCP packets at first time. And it detects SYN flooding and finds victims more accurately in its second stage. To make the detection mechanism robustly and easily, D-SAT uses CUSUM (cumulative sum) approach in SPC (statistical process control) (H. Wang et al., 2002) (D.C. Montgomery, 2001) (D.M. Hawkins et al., 1998). It makes the detection mechanism much more generally applicable and easier to implement. D-SAT also employed AFM (aggregation flow management) for finding victims quickly and accurately. The trace-driven simulation results demonstrate that D-SAT system is efficient and simple to implement and prove that it detects SYN flooding accurately and finds attack in a very short detection time.

Integrated DDoS Attack Defense Infrastructure for Effective Attack Prevention

Currently attackers are trying to paralyze servers and networks with various types of DDoS attacks. For example, on 7th July in 2009, a DDoS attack occurred against 48 web sites in South Korea and U.S.A. In this attack, the attack traffic pattern and the botnet construction methods are different from that of previous version. Due to the differences of the attack patterns, the 7.7 DDoS attack was not detected easily. These days, such new types of sophisticated attacks occur and it???s not easy to detect those attacks effectively. In fact, it???s been more than ten years since DDoS attacks discovered in late 1990s. However, DDoS attack is still one of the biggest threats in Internet infrastructure and IT environment. It is because almost all the DDoS defense techniques are not focused on general characteristics and infrastructure but on specific characteristics in each attack. In order to develop a general purpose DDoS defense technology, all the attack process and general characteristics should be analyzed. Furthermore, based on the each attack phases and location of network topology also have to be analyzed. For that, in this paper, we show a general DDoS attack process and each phase in this process. For each phase, we propose DDoS attack prevention requirements and finally suggest the integrated DDoS attack defense infrastructure. For the detailed explanation, we classify attack detection techniques into three categories.

Memory-efficient content filtering hardware for high-speed intrusion detection systems

Content filtering-based Intrusion Detection Systems have been widely deployed in enterprise networks, and have become a standard measure to protect networks and network users from cyber attacks. Although several solutions have been proposed recently, finding an efficient solution is considered as a difficult problem due to the limitations in resources such as a small memory size, as well as the growing link speed. In this paper, we present a novel content filtering technique called Table-driven Bottom-up Tree (TBT), which was designed i) to fully exploit hardware parallelism to achieve real-time packet inspection, ii) to require a small memory for storing signatures, iii) to be flexible in modifying the signature database, and iv) to support complex signature representation such as regular expressions. We configured TBT considering the hardware specifications and limitations, and implemented it using a FPGA. Simulation based performance evaluations showed that the proposed technique used only 350 Kilobytes of memory for storing the latest version of SNORT rule consisting of 2770 signatures. In addition, unlike many other hardware-based solutions, modification to signature database does not require hardware re-compilation in TBT.

An Efficient Rerouting Scheme for MPLS-Based Recovery and Its Performance Evaluation

The path recovery in MPLS is the technique to reroute traffic around a failure or congestion in a LSP. Currently, there are two kinds of model for path recovery: rerouting and protection switching. The existing schemes based on rerouting model have the disadvantage of more difficulty in handling node failures or concurrent node faults. Similarly, the existing schemes based on protection switching model have some difficulty in solving problem such as resource utilization and protection of recovery path. This paper proposes an efficient rerouting scheme to establish a LSP along the least-cost recovery path of all possible alternative paths that can be found on a working path, which is calculated by the upstream LSR that has detected a failure. The proposed scheme can increase resource utilization, establish a recovery path relatively fast, support almost all failure types such as link failures, node failures, failures on both a working path and its recovery path, and concurrent faults. Through simulation, the performance of the proposed scheme is measured and compared with the existing schemes.

Policy-Based Intrusion Detection and Automated Response Mechanism

Automated response to intrusions has become a major issue in defending critical systems. Because the adversary can take actions at computer speeds, systems need the capability to react without human intervention. Policy-based network simplifies the many tasks associated with coordinating the resources and capabilities of the network with the business-level goals of the network administrator. This paper provides policy-based security management architecture enabling network-wide intrusion detection and automated response. And this paper provides required functionality to realize the automated response mechanism. This paper also presents security policies to facilitate security management functions in policy-based networks.

AIGG Threshold Based HTTP GET Flooding Attack Detection

Distributed denial-of-service (DDoS) attacks still pose unpredictable threats to the Internet infrastructure and Internet-based businesses. As the attackers focus on economic gain, the HTTP GET Flooding attacks against the business web servers become one of the most frequently attempted attacks. Furthermore, the attack is becoming more sophisticated. In order to detect those attacks, several algorithms are developed. However, even though the developed technologies can detect the sophisticated attacks some of them need lots of system resources [12,13]. Sometimes due to the time consuming processes the whole performance of DDoS defense systems is degraded and it becomes another problem. For that, we propose a simple threshold based HTTP GET flooding attack detection algorithm. The threshold is generated from the characteristics of HTTP GET Request behaviors. In this algorithm, based on the defined monitoring period (MP) and Time Slot (TS), we calculate the Average Inter-GET_Request_Packet_Exist_TS-Gap (AIGG). The AIGG is used for threshold extraction. For effective detection, the optimized MP, TS and the threshold value, are extracted. In addition, the proposed algorithm doesn’t need to analyze every HTTP GET request packet so it needs less CPU resources than the algorithms which have to analyze all the request packets.

Public Key Management Framework for Two-tier Super Peer Architecture

Many Internet applications use public key infrastructure (PKI) to enable the secure transaction of confidential messages. However, the use of PKI is not consistent with the ideas of peer-to-peer networks. In this paper, we propose public key management framework to distribute public key safely without PKI infrastructure for two-tier super peer architecture. In this framework, each peer self-generates and distributes public/private key pairs. In general case, this kind of mechanism is vulnerable to man-in-the- middle attack during the public key distribution process. But the proposed mechanism can easily avoid this kind of attack.

High performance session state management scheme for stateful packet inspection

This paper relates to a method for performing Stateful Packet Inspection(SPI) in real time using a session table management scheme that allows more efficient generation of session state information. SPI is an important technique to reduce false positive alerts in network intrusion detection system(NIDS). As the number of session increases, this technique requires a higher processing speed, thereby causing performance problems. However, existing software-based solutions cannot perform real-time packet inspection ensuring the wire speed. To guarantee both performance and functionality with respect to statefulness, we designed and implemented SPI-based intrusion detection module in a FPGA to help alleviating a bottleneck in network intrusion detection systems in this paper.

Supporting interoperability to heterogeneous IDS in secure networking framework

On 22 October 2002, ICANN, the Internets main governing body, acknowledged that a massive distributed denial-of-service attack briefly shut down seven of the 13 central Domain Name Services servers that manage Internet traffic worldwide. Prompt action by DNS server operators minimized the duration and impact of the attack, which had little effect on overall Internet performance. Intrusion detection systems are researched and developed to detect attacks from outside world since 1980. Intrusion detection systems create an alert data or log data when detect an intrusion. But Many IDS uses heterogeneous data set, so these data must be mapped to another format. IDWG in IETF proposed IDMEF. This paper designs an alert data format compatible IDMEF. The secure networking framework is consisted of SGS and CPCS. SGS acts as an intrusion detection system on edge of network ingress point, and CPCS acts as a higher-level server. SGS makes an alert data compatible IDMEF and sends it to CPCS. CPCS parses an IDMEF alert data and makes an alert object for using correlation analysis. SGS can see its area only, but CPCS can see wide network area. CPCS can detect more complex attacks as well as support integrated management through cooperating each other. In the view of alert processing we converted raw alert data to Ladon-alert data to support interoperability. We use IDMEF-compatible alert datat structure. We have designed and developed integrated IDS on gateway, and security control server on higher-level class. Then this framework offers cooperative intrusion detection, policy based controlling.