Kyunghee Choi

Detecting Distributed Denial of Service (DDoS) Attacks through Inductive Learning

As the complexity of Internet is scaled up, it is likely for the Internet resources to be exposed to Distributed Denial of Service (DDoS) flooding attacks on TCP-based Web servers. There has been a lot of related work which focuses on analyzing the pattern of the DDoS attacks to protect users from them. However, none of these studies takes all the flags within TCP header into account, nor do they analyze relationship between the flags and the TCP packets. To analyze the features of the DDoS attacks, therefore, this paper presents a network traffic analysis mechanism which computes the ratio of the number of TCP flags to the total number of TCP packets. Based upon the calculation of TCP flag rates, we compile a pair of the TCP flag rates and the presence (or absence) of the DDoS attack into state-action rules using machine learning algorithms. We endow alarming agents with a tapestry of the compiled rules. The agents can then detect network flooding attacks against a Web server. We validate our framework with experimental results in a simulated TCP-based network setting. The experimental results show a distinctive and predictive pattern of the DDoS attacks, and our alarming agents can successfully detect various DDoS attacks.

Real-time scheduling of tasks that contain the external blocking intervals

Distributed systems, where the processes send and receive their messages remotely, are generally based on the message communications. The execution of a process is blocked until the process receives a response from an other process for a requested message. In this paper, we propose two real-time scheduling methods for the tasks with blocking intervals. It is proven that every task set that is schedulable by Mings method is also schedulable by one of the proposed methods. Also, the simulation shows that the schedulable ratios of task sets by the proposed methods are much higher than that obtained by Mings method.

Compiling network traffic into rules using soft computing methods for the detection of flooding attacks

The ability to dynamically collect and analyze network traffic and to accurately report the current network status is critical in the face of large-scale intrusions, and enables networks to continually function despite of traffic fluctuations. The paper presents a network traffic model that represents a specific network pattern and a methodology that compiles the network traffic into a set of rules using soft computing methods. This methodology based upon the network traffic model can be used to detect large-scale flooding attacks, for example, a distributed denial-of-service (DDoS) attack. We report experimental results that demonstrate the distinctive and predictive patterns of flooding attacks in simulated network settings, and show the potential of soft computing methods for the successful detection of large-scale flooding attacks.

A fast motion estimator for real-time system

We modify the three step search (TSS) algorithm to be applicable to real-time system, based on the statistics of motion vector distribution and propose a new architecture. The proposed technique includes a mechanism to stop the TSS algorithm anytime during its processing without degrading the accuracy of motion vector seriously. Thus, the anytime scheduling policy can be applied to the proposed algorithm for a less imprecise motion estimation in real-time application. The simple and regular architecture allows easy VLSI implementation, and minimizes the input data bandwidth. The performance is also analyzed in detail, and compared with those for other architectures.

Spam Filtering With Dynamically Updated URL Statistics

Many URL-based spam filters rely on white and black lists to classify email. The authors proposed URL-based spam filter instead analyzes URL statistics to dynamically calculate the probabilities of whether email with specific URLs are spam or legitimate, and then classifies them accordingly.

White Box Pairwise Test Case Generation

Pairwise testing is an intuitive approach to test case generation, and has already seen use in commercial tools and practical applications. Pairwise testing is black box, in the sense that the test selection is independent of the internal structure of the system. We present a white box extension which selects additional test cases for the system based on specifications for one or more internal sub- operations. We have developed a novel algorithm for generating test cases for the full system which achieve pairwise coverage of the sub-operations. We have evaluated the algorithm using a case study, which indicates the practicality and effectiveness of the approach.

Comment on "On-line scheduling policies for a class of IRIS real-time tasks"

Scheduling policies for real-time tasks which receive rewards that depend on the amount of service received were presented by Dey et al.(1996). The policies utilized heuristic approaches to maximize the total accrued reward. In this comment, we propose an extension of their work that may reduce the average computational complexity.

Fuzzing CAN Packets into Automobiles

There have been many warnings that automobiles are vulnerable to the attacks through the network, CAN which connects the ECUs (Electrical Control Units) embedded in the automobiles. Some previous studies showed that the warnings were actual treats. They analyzed the packets flowing on the network and used the packets constructed based on the analysis. We show that it is possible to attack automobiles without any in-depth knowledge about automobiles and specially designed tools to analyze the packets. Experiments are performed in two phases. In the first phase, the victims automobiles are attacked with the packets constructed with the CAN IDs gathered from the sniffed packets flowing in the automobiles. It is not a problem at all to gather CANIDs since CAN is an open simple standard protocol and there are many tools to sniff CAN packets in the Internet. In the second phase, the attack packets are constructed in a completely random manner without any previous information such as CAN IDs. The packets are injected into the network via Bluetooth, a wireless channel. Through the experiments, we show the network vulnerability of automobiles.

Simulating session distribution algorithms for switch with multiple outputs having finite size queues

We propose and simulate session distribution algorithms for switch with multiple output links. The proposed algorithms try to allocate a new session to an output link in a fashion that output link utilization can be maximized but packet delay difference between sessions in a service class be minimized. The simulation proves that SCDF (Shortest Class Delay First) shows the best performance in terms of maximizing link utilization and balancing packet delay difference between sessions.

Priority inversion handling in microkernel-based Real-Time Mike

We propose a resource management model to avoid priority inversion problem that may occur when two tasks attempt to send service requests to a server task, and then the server task sends a request to another server task in a nested fashion. In this model we introduce two new concepts: job identifier inheritance and priority ceiling inheritance. We also suggest a new resource locking condition of the priority ceiling protocol for the computational model of the microkernel-based real-time system, called Mike, in which both IPC and synchronization are utilized and client/server communication model is frequently used in a nested fashion. To see the effectiveness, the proposed model has been implemented in Real-Time Mike developed previously. The implemented system shows that the resource management model efficiently prevents the priority inversion problem and avoids deadlock and multiple blocking.