
Publication


Featured research published by Myung-Sup Kim.


network operations and management symposium | 2004

A flow-based method for abnormal network traffic detection

Myung-Sup Kim; Hun-Jeong Kang; Seong-Cheol Hong; Seung-Hwa Chung; James Won-Ki Hong

One recent trend in network security attacks is an increasing number of indirect attacks which influence network traffic negatively, instead of directly entering a system and damaging it. In future, damages from this type of attack are expected to become more serious. In addition, the bandwidth consumption by these attacks influences the entire network performance. This paper presents an abnormal network traffic detecting method and a system prototype. By aggregating packets that belong to the identical flow, we can reduce processing overhead in the system. We suggest a detecting algorithm using changes in traffic patterns that appear during attacks. This algorithm can detect even mutant attacks that use a new port number or changed payload, while signature-based systems are not capable of detecting these types of attacks. Furthermore, the proposed algorithm can identify attacks that cannot be detected by examining only single packet information.


network operations and management symposium | 2008

Towards automated application signature generation for traffic identification

Byungchul Park; Young J. Won; Myung-Sup Kim; James Won-Ki Hong

Traditionally, Internet applications have been identified by using predefined well-known ports with questionable accuracy. An alternative approach, application-layer signature mapping, involves the exhaustive search of reliable signatures but with more promising accuracy. With prior protocol knowledge, the signature generation can guarantee a high accuracy. As more applications use proprietary protocols, it becomes increasingly difficult to obtain an accurate signature while avoiding a time-consuming and manual signature generation process. This paper proposes an automated approach for generating application-level signatures, the LASER algorithm, that does not need to be preceded by an analysis of application protocols. We show that our approach is as accurate and efficient as the approach that uses preceding application protocol analysis.


Computer Communications | 2008

Traffic flooding attack detection with SNMP MIB using SVM

Jaehak Yu; Hansung Lee; Myung-Sup Kim; Daihee Park

Recently, as network flooding attacks such as DoS/DDoS and Internet Worm have posed devastating threats to network services, rapid detection and proper response mechanisms are the major concern for secure and reliable network services. However, most of the current Intrusion Detection Systems (IDSs) focus on detailed analysis of packet data, which results in late detection and a high system burden to cope with high-speed network traffic. Little or no integration exists between IDS and SNMP-based network management, in spite of the extensive monitoring and statistical information provided by SNMP agents implemented on network devices and systems. In this paper we propose a lightweight and fast detection mechanism for traffic flooding attacks. Firstly, we use SNMP MIB statistical data gathered from SNMP agents, instead of raw packet data from network links. The involved SNMP MIB variables are selected by an effective feature selection mechanism and gathered effectively by the MIB update time prediction mechanism. Secondly, we use a machine learning approach based on a Support Vector Machine (SVM) for attack classification. Using MIB and SVM, we achieved fast detection with high accuracy, the minimization of the system burden, and extendibility for system deployment. The proposed mechanism is constructed in a hierarchical structure, which first distinguishes attack traffic from normal traffic and then determines the type of attacks in detail. Using MIB datasets collected from real experiments involving a DDoS attack, we validate the possibility of our approaches. It is shown that network attacks are detected with high efficiency, and classified with low false alarms.


Computer Communications | 2006

Characteristic analysis of internet traffic from the perspective of flows

Myung-Sup Kim; Young J. Won; James Won-Ki Hong

The necessity of network traffic monitoring and analysis is growing dramatically with increasing network usage demands from individual users as well as business communities. Most network traffic monitoring and analysis systems are based on flows. One key asset with these systems is to compress a significant amount of packet data into flows. However, the compression ratio is highly variable in the recent network environments due to the increased use of peer-to-peer file sharing applications and the frequent appearances of abnormal traffic caused by Internet worms, which negatively influences the performance of traffic analysis systems. The performance of traffic monitoring and analysis systems highly depends on the number of flows as well as link utilization and the pattern of packet arrival. This paper examines the characteristics of recent Internet traffic from the perspective of flows. We found that the frequent occurrence of flash flows highly affects the performance of the existing flow-based traffic monitoring systems. Using various flow-related metrics, we analyzed the IP traffic traces collected from the Internet junction at POSTECH, a university with over 6000 end hosts and servers.


distributed systems operations and management | 2003

Towards Peer-to-Peer Traffic Analysis Using Flows

Myung-Sup Kim; Hun-Jeong Kang; James Won-Ki Hong

One of the main problems with today’s Internet traffic analysis is caused by the large number of network-based applications whose types and traffic patterns are more complicated than in the past. Today, peer-to-peer (P2P), streaming media, and game traffic are continuously increasing. The difficulty of the traffic analysis is that this newly emerging traffic is not as simple as past well-known port based traffic. This paper focuses on analyzing P2P traffic, which is the most complicated traffic among newly emerging Internet traffic. We describe the properties of P2P traffic and explain why P2P traffic analysis is more difficult than other types of Internet traffic analysis. Next, we propose a new algorithm suitable for P2P traffic analysis. The main idea of our algorithm is that flow grouping based on their relationships will increase the accuracy of P2P traffic analysis.


International Journal of Network Management | 2002

A load cluster management system using SNMP and web

Myung-Sup Kim; Mi-Joung Choi; James Won-Ki Hong

Clustered servers for Internet service are a popular solution to cope with the explosive increase in client requests. The high probability of service failure in cluster servers makes the cluster management system necessary to provide high availability and convenient administrator control. In this paper, we present the design and implementation of a load cluster management system (LCMS) based on SNMP and Web technology. Our LCMS implementation has been deployed on a commercial ultra-dense server.


distributed systems operations and management | 2002

The Architecture of NG-MON: A Passive Network Monitoring System for High-Speed IP Networks

Sehee Han; Myung-Sup Kim; Hongtaek Ju; James Won-Ki Hong

This paper presents the design of a next generation network traffic monitoring and analysis system, called NG-MON (Next Generation MONitoring), for high-speed networks such as 10 Gbps and above. Packet capturing and analysis on such high-speed networks is very difficult using traditional approaches. Using distributed, pipelining and parallel processing techniques, we have designed a flexible and scalable monitoring and analysis system, which can run on off-the-shelf, cost-effective computers. The monitoring and analysis task in NG-MON is divided into five phases: packet capture, flow generation, flow store, traffic analysis, and presentation. Each phase can be executed on separate computer systems and cooperates with adjacent phases using pipeline processing. Each phase can be composed of a cluster of computers wherever the system load of the phase is higher than the performance of a single computer system. We have defined efficient communication methods and message formats between phases. Numerical analysis results of our design for 10 Gbps networks are also provided.


IEEE Communications Magazine | 2005

Virtual network approach to scalable IP service deployment and efficient resource management

Yu Cheng; Ramy Farha; Ali Tizghadam; Myung-Sup Kim; Massoud R. Hashemi; Alberto Leon-Garcia; James Won-Ki Hong

As the Internet evolves into a global all-service communication infrastructure, a key consideration is providing quality of service guarantees over IP with efficient resource utilization in a scalable, flexible, and automatic way. In this article we present a virtual network (VN) based architecture for scalable IP service deployment and efficient network resource management. Particularly considering a DiffServ/MPLS IP transport network supporting multiple VNs, we propose a dynamic approach for efficient bandwidth sharing among VNs. The bandwidth sharing is service-level-agreement-based; the spare capacity in underloaded VNs is adaptively and efficiently utilized, and SLA compliance for all the VNs involved is always guaranteed.


distributed systems operations and management | 2003

A Method on Multimedia Service Traffic Monitoring and Analysis

Hun-Jeong Kang; Myung-Sup Kim; James Won-Ki Hong

The use of multimedia service applications is growing rapidly on the Internet. These applications are generating a huge volume of network traffic, which has a great impact on network performance and planning. For various purposes, obtaining information on multimedia service traffic is important. However, traditional analysis methods based on well-known ports cannot be used to analyze such traffic. Because the majority of multimedia service applications use dynamically allocated port numbers, the traditional methods misidentify multimedia service traffic as unknown traffic. This paper presents a method for monitoring and analyzing multimedia service traffic. Our method detects transport protocol and port numbers for dynamically created sessions during a control session. We then use such information to analyze traffic generated by the most popular multimedia service applications, namely Windows Media, RealMedia, Quicktime, SIP and H.323. We also present a system architecture that uses our method to monitor and analyze multimedia service traffic.


asia-pacific network operations and management symposium | 2011

Towards management of machine to machine networks

Suman Pandey; Mi-Jung Choi; Myung-Sup Kim; James Won-Ki Hong

Machine to Machine (M2M) technology has the potential to increase the revenue, decrease the costs and improve the customer services of an organization. We have analyzed the management requirements of M2M systems, which are based on existing M2M network use cases and services. The most important characteristics including sleeping devices, low power lossy area networks, heterogeneous networks, device intelligence, mobility, two way communication, network dynamics, time sensitivity of data and data volume of M2M systems have been comprehensively investigated and reflected in management requirements discussed in this paper. The main management functionalities are fault, configuration, mobility, QoS and security management.

Collaboration



Top Co-Authors


James Won-Ki Hong

Pohang University of Science and Technology


Mi-Jung Choi

Kangwon National University
