Mihui Kim

A Combined Data Mining Approach for DDoS Attack Detection

Recently, as the serious damage caused by DDoS attacks increases, the rapid detection and the proper response mechanisms are urgent. However, existing security mechanisms do not provide effective defense against these attacks, or the defense capability of some mechanisms is only limited to specific DDoS attacks. It is necessary to analyze the fundamental features of DDoS attacks because these attacks can easily vary the used port/protocol, or operation method. In this paper, we propose a combined data mining approach for modeling the traffic pattern of normal and diverse attacks. This approach uses the automatic feature selection mechanism for selecting the important attributes. And the classifier is built with the theoretically selected attribute through the neural network. And then, our experimental results show that our approach can provide the best performance on the real network, in comparison with that by heuristic feature selection and any other single data mining approaches.

A fast defense mechanism against IP spoofing traffic in a NEMO environment

The boundary of a distributed denial of service attack, one of the most threatening attacks in a wired network, now extends to wireless mobile networks, following the appearance of a DDoS attack tool targeted at mobile phones. Many protocols and architectures for mobile networks were designed without regard to the possibility of a DDoS attack. Moreover, the existing defense mechanisms against such attacks in a wired network are not effective in a wireless mobile network, because of differences in their characteristics. In this paper, we propose a fast defense mechanism against IP spoofing traffic for mobile networks. IP spoofing is one of the features of a DDoS attack against which it is most difficult to defend. Among the various mobile networks, we focus on the Network Mobility standard that is being established by the NEMO Working Group in the IETF. Our defense consists of the following five processes: speedy detection, filtering of attack packets, identification of attack agents, isolation of attack agents, and notification of neighboring routers. We simulated and analyzed the effects on normal traffic of moving attack agents, and the results of applying our defense to a mobile network. Our experimental results show that our mechanism provides a robust defense.

DMP: detouring using multiple paths against jamming attack for ubiquitous networking system.

To successfully realize the ubiquitous network environment including home automation or industrial control systems, it is important to be able to resist a jamming attack. This has recently been considered as an extremely threatening attack because it can collapse the entire network, despite the existence of basic security protocols such as encryption and authentication. In this paper, we present a method of jamming attack tolerant routing using multiple paths based on zones. The proposed scheme divides the network into zones, and manages the candidate forward nodes of neighbor zones. After detecting an attack, detour nodes decide zones for rerouting, and detour packets destined for victim nodes through forward nodes in the decided zones. Simulation results show that our scheme increases the PDR (Packet Delivery Ratio) and decreases the delay significantly in comparison with rerouting by a general routing protocol on sensor networks, AODV (Ad hoc On Demand Distance Vector), and a conventional JAM (Jammed Area Mapping) service with one reroute.

A scalable mutual authentication and key distribution mechanism in a NEMO environment

Long an issue of interest, network mobility technology is now being realized with the foundation of the NEMO(Network Mobility) Working Group (WG) in the IETF. Security problems for NEMO become more important because one or several MR(Mobile Router)s manage the mobility of an entire network as well as the nested mobile networks, but current NEMO lacks the defense mechanism against these problems. Thus, in this paper, we propose a scalable and ubiquitous mutual authentication and key distribution mechanism without TTP(Trusted Third Party) for a NEMO environment, that uses the threshold secret sharing technique for enhancing scalability and availability, and provides the low-processing for requirement of frequent mutual authentication by mobility. We simulated and analyzed our mechanism together with another general authentication mechanism in the view of scalability and processing delay. Our experimental results show that our mechanism provides a scalable security support for a NEMO environment.

Detection and Identification Mechanism against Spoofed Traffic Using Distributed Agents

Recently, as the serious damage caused by spoofed traffic like DDoS attacks increases, the rapid detection and the proper response mechanisms are urgent. However, existing security mechanisms do not provide effective defense against these attacks, and cannot especially identify the origin generating the spoofed traffic. In this paper, we describe a simple and practical solution that supports the immediate detection and identification for spoofing attack agent. Proposed agent needs only one per a router, and the modification of legacy routers is not required. So, if agents as many as routers are distributed, they can perfectly detect the spoofed traffic generated on themselves network, and directly identify the attack agent, regardless of spoofing level. We implement the proposed mechanism, experiment with strong DDoS tool on the real network, and confirm the effectiveness of our design.

Adaptive Data Mining Approach For Flow Redirection In Multihomed Mobile Router

On multihomed mobile router with several interfaces toward Internet, it is important to provide an efficient flow redirection (FR) method that changes the served interface according to each network status or user movement. However, currently as the mobile devices roams, the interface is selected as only the physical signal strength, thus efficient resource use or quality of service (QoS) support is not guaranteed. In this paper, we propose an adaptive data mining approach that provides the selection of influential attributes for FR and the proper FR decision model as the interface type. We analyze assuming network protocols in order to heuristically extract the FR candidate attributes for estimating the required QoS. We abstract theoretically the FR influential attributes through decision-tree algorithm, and finally obtain the proper FR decision models per each interface. Our simulation results show that our FR approach provides improved performances in comparison with current handover.

Overlapped detection via approximate entropy estimation against flooding attack in mobile sensor networks

To achieve security in sensor networks, it is important to be able to defend against flooding attack recently considered as an extremely threatening attack. In this paper, we propose a flooding attack detection method as the first defense step, through approximate entropy estimation reflecting resource constraints of sensors. Each detector performs both basic estimation for its own region and overlapped estimation for its own and neighbor regions, against the mobility of attack node. Also, in order to enhance the accuracy of detection even in the various deployments of attack agents, we deploy hierarchically detectors according to network topology. This detector by entropy estimation is simplified by only multiplication calculation instead of logarithm, in addition to providing higher estimation precision of entropy compared to the conventional entropy estimation. Our simulation results indicate that this hierarchical defense is a feasible method, being especially promising for accurate decision through overlapped detection even in frequent handoffs of mobile attack agents.

Adaptive Authentication Mechanism using Node Reputation on Mobile Medical Sensor Networks

As the importance of sensor networks for the realization of ubiquitous world is recognized, the various aspects research for static sensor networks, that does not support the mobility of node, is underway. Medical sensor network (MSN) assuming the mobility of node takes notice as one of the highlight USN applications, but the research on the security issue for the environments is not enough even though the issue is the most important point for the successful deployment. Thus, in this paper we propose an adaptive authentication mechanism taking consideration in the tradeoff between processing speed and the degree of security strength. Using threshold secret sharing, our authentication gives the proper reputation to sensor nodes according to their behavior pattern. Thus if a sensor node has the best reputation and its sensing information is urgent, then the sink node processes the sensing information at first and performs post-authentication. Our analytical results show that our authentication provides the efficient to MSN even in the severe node traffic.

A Flow Redirection Decision Mechanism using Data Mining on NEMO Environments

As constructing ubiquitous environment, the various researches for the integration of heterogeneous networks are now under way. Multihoming is one of important issues in these researches to provide effective mobility. In order to support high quality service and seamless connectivity, it is necessary to provide an efficient FR (Flow Redirection) for the integrated network. Especially, mobile router with multiple interfaces should decide FR based on network condition for the efficient use of resources. In this paper, we propose a FR decision mechanism on mobile network (NEMO) via combined data mining technologies with multiple attributes presenting network condition. We assume that the mobile router has WLAN and WiBro interface toward Internet. At first, in order to heuristically choose candidate attributes, we analyze the WLAN/WiBro specification documents [5][6] and the considered QoS parameters in these networks. Then, we apply various data obtaining from QualNet [12] in various cases to decision tree algorithm, in order to theoretically select the influential attributes in FR decision. Finally, we acquire a FR decision model through the neural network with data for chosen attributes. Our simulation results show that our FR can provide the improved performances in comparison with current handover using only signal strength.

A key setup mechanism utilizing dual key strings for secure sensor communication

For secure sensor communication, pairwise key establishment between sensor nodes is essential. In this paper, we cluster the network field in rectangular shape and preassign two different kinds of key information for each sensor according to its expected location. We utilize overlapped key string pool concept for our network architecture and every node uses the part of sub-strings for setting up pairwise keys with neighboring nodes in its own cluster and from different clusters according to respective position. Our proposal decreases the memory requirement and increases security level efficiently.