PyungKoo Park

An effective defense mechanism against DoS/DDoS attacks in flow-based routers

Due to proliferation of diverse network applications, DoS/DDoS attacks are evolving. Many studies have been performed and implemented in on/off-line network devices such as routers and IDS/IPS. While IDS/IPS is powerful enough to handle deep packet inspection (DPI) tasks, routers are better suited in real-time and line-speed processing requirements. Since the routers are designed to handle IP packet header information, if one can devise an DoS/DDoS detection/prevention methods that utilizes the router specific features it will be best for the in-line and real-time processing. We introduce a Flow based DoS/DDoS detection algorithm(FDDA) that detects Distributed Denial of Service (DDoS) attacks by monitoring TTL and ID fields of incoming packets IP header. As DDoS attacks are based on IP source address spoofing, the TTL and ID fields may have abnormal behavior. The device keeps track of 8-tuple flow table. The behavior of these two fields is monitored to determine DoS/DDoS attack situation. The effectiveness of our method is such that it is implemented flow-based routers and devices.

DDoS Detection Algorithm Using the Bidirectional Session

Due to the proliferation of smartphones and wireless internet, the number of DoS/DDoS attacks has increased significantly, and it creates a lot of network traffic. The DoS/DDoS attacks consume the resources of the service server so that the network and the continuity of service cannot be guaranteed [1,2,3]. Current studies on DoS/DDoS focus on a radical change of total traffic or traffic pattern. Results of these type of studies cannot react to ever changing attack patterns and service types [4,5]. This paper proposes a new algorithm to detect DoS/DDoS attacks based on the session information of the service. In this paper, we propose BSDDA(bidirectional session aware DDoS detection algorithm) that detects DoS/DDoS attacks by analyzing the session information that contains service requests as well as service replies. Since the algorithm consideres session information of service requests and responses, its effectiveness is experimentally shown the algorithm effectively responds to the ever changing attack patterns.

User-Centric Key Management Scheme for Personal Cloud Storage

For the Personal Cloud Storage, security is an important issue. There is latent threat when it comes to the data loss or leakage which may be committed by malicious Cloud Service Provider (CSP) employee. The most basic solution is to encrypt users data. However, when the encryption key is directly managed by CSP or users device, then there is latent threat, too. In this paper, we propose the User-Centric Key Management Scheme. This scheme enables user to store mandatory key fragment and enables only user to use the encryption key since optional key fragments are stored in a dispersed manner. Meanwhile, even when mandatory key fragment is lost, this prevents leakage of encryption key.

Survivable virtual topology design in multi-domain optical networks

We consider the problem of survivable virtual network mapping in a multi-domain optical network with the objective of minimizing total network link cost for a given virtual traffic demand. The survivability constraint guarantees the connectivity of virtual nodes after any single optical link failure. We propose a hierarchical software-defined networking-based control plane to exchange information between domains, and we propose heuristic approaches for mapping virtual links onto multi-domain optical links using partition and contraction mechanisms on the virtual topology. We provide an integer linear programming formulation to compare with our heuristic approaches. Numerical results show that our heuristic approach is effective in reducing total network cost and increasing the successful mapping rate.

Survivable virtual topology design in IP over WDM multi-domain networks

We consider survivable virtual network mapping in a multi-domain optical network with the objective of minimizing total network link cost for a given virtual traffic demand that is embedded over the multi-domain optical network. The survivability constraint guarantees the connectivity of virtual nodes after any single optical link failure. We propose a hierarchical software-defined networking (H-SDN)-based control plane to exchange information between domains, and we propose heuristic approaches for mapping virtual links onto multi-domain optical links using partition and contraction mechanisms (PCM) on the virtual topology. We show that the proposed PCM technique can reduce time complexity compared to traditional cut set graph theory approaches. Numerical results show that our heuristic approach is effective in reducing total network cost and increasing the successful mapping rate.

QoS support for advanced multimedia systems

An advanced multimedia system is being standardized in ITU-T SG16. One of the primary features of the multimedia system is the inclusion of QoS functions from the outset. This paper presents a possible QoS framework for the multimedia system, which permits multimedia applications to request and acquire QoS for its applications in multi-provider networks. The presented framework is independent of the QoS architecture, mechanisms and tools supported in the network domain. The intention is that irrespective of the QoS mechanisms deployed in the network, multimedia applications can negotiate and acquire QoS from the network in an end-to-end manner.

Service-Oriented DDoS Detection Mechanism Using Pseudo State in a Flow Router

As distributed denial-of-service (DDoS) attacks have caused serious economic and social problems. In this paper, we propose the Service-oriented DDoS Detection Mechanism using a Pseudo State (SDM-P), which runs on network devices to defend against DDoS attacks without sacrificing performance in terms of data forwarding. In addition, we verified the performance of the SDM-P mechanism by evaluating its performance using a DDoS attack similar to the one that occurred in Korea and the USA on July 7th, 2009.

A Lightweight and Stable Authentication Method for the Internet Access Control in Smartphones

Internet users’ platform move toward smart mobile devices like smartphones and tablet PCs, so the user authentication and access control for the mobile users are strongly required to support information securities. Mobile devices have weak points like low computing power, limited power, and restricted interfaces compared with the PC. So, these characteristics of mobile devices require light-weight and stable user authentication methods. This paper proposes user authentication LSAM (Lightweight & Stable Authentication Method) applicable to smart mobile devices (representatively Smartphone). LSAM gives a way to identify the users through random matrix displayed on smart mobile devices. Authentication Token used in LSAM is featured with variations on values of the matrix, so it is safe to replay attack and sniffing attack. LSAM does not need additional devices; it is just operated as the interface software on the mobile smartphone. We will show the evaluation criteria of the mainly used hacking techniques like the Challenger Variability, Replay Attack, Brute-force Attack, MITM (Man–In-The-Middle Attack) and measured the degree of defenses of our proposed authentication algorithm to these attacks.

A Service Protection mechanism Using VPN GW Hiding Techniques

The recent supply of smartphone and the late change in the internet environment had lead users to demand safe services. Especially, the VPN technology is being researched as a key technology for providing safe services within the cloud environment or the data-center environment. However, the openness of IP is a critical threat to the VPN technology, which provides service via sharing IP address of its gateway. The exposed IP address is venerable to many kinds of attacks, and thus VPN gateway and its service are also venerable to these threats. This paper proposes a VHSP mechanism, which prevents exposure of IP address by assigning temporal IP address for the VPN gateway and its services. VHSP assign temporal IP address per-user bases. Moreover, this paper had verified performance of VHSP and original VPN in various conditions.

A Service-oriented DDoS detection mechanism using pseudo state in a flow router

As distributed denial-of-service (DDoS) attacks have caused serious economic and social problems, there have been numerous researches to defend against them. The current DDoS defense system relies on a dedicated security device, which is located in front of the server it is required to protect. To detect DDoS attacks, this security device compares incoming traffic to known attack patterns. Since such a defense mechanism cannot prevent an influx of attack traffic into the network, and every packet must be compared against the known attack patterns, the mechanism often degrades the service. In this paper, we propose the Service-oriented DDoS Detection Mechanism using a Pseudo State (SDM-P), which runs on network devices to defend against DDoS attacks without sacrificing performance in terms of data forwarding. The SDM-P mechanism is suitable for both low- and high-rate attacks. In addition, we verified the performance of the SDM-P mechanism by evaluating its performance using a DDoS attack similar to the one that occurred in Korea and the USA on July 7th, 2009.