Sunoh Choi
Electronics and Telecommunications Research Institute
Publication
Featured research published by Sunoh Choi.
international conference on advanced communication technology | 2017
Sunoh Choi; Yangseo Choi; Jooyoung Lee; Jong Hyun Kim; Ikkyun Kim
As cyber attacks have increased in recent years, network forensics, which collects and analyses network packets, has been studied alongside digital forensics. However, high-speed networks such as 1 or 10 Gbps networks carry many network flows. For example, a 1 Gbps network has hundreds of millions of network flows per day. Analysing network traffic in this situation is very difficult and time-consuming. In this paper, we propose a system that can analyse abnormal network behaviour quickly and easily. We first propose a system that stores the TCP flags when generating network flows. Second, we present some ways to use the TCP flags in network flows to analyse network anomalies such as persistent outbound connections.
Archive | 2015
Sunoh Choi; Hyun-Wook Park; Jooyoung Lee; Jong Hyun Kim; Ikkyun Kim
Recently, a lot of cyber attacks have been carried out. In order to prevent these cyber attacks, we should first be able to analyze attacks from network traffic such as packets and flows. However, in a high-speed network such as 10 Gbps, there are millions of packets and tens of thousands of flows per second. So, it is very difficult just to find a flow that a security investigator wants to see within a short time. To make the search fast, we have to use the indexes used in databases. In this paper, we show the loading time and search time in a relational database and in a columnar database using a bitmap index.
international conference on information and communication technology convergence | 2016
Sunoh Choi; Jooyoung Lee; Yangseo Choi; Jong Hyun Kim; Ikkyun Kim
Nowadays we face a lot of malware. When we access web sites, it is secretly downloaded by drive-by download, and when we receive emails, the attached files contain malware. Malware causes a lot of damage to the infected hosts and networks, so detecting malware is very important. However, recent malware is made not to be detected by an Intrusion Detection System (IDS). In order to prevent this problem, it is very crucial to generate new signatures fast when new malware is discovered. This paper proposes a method to build a hierarchical signature cluster tree from the existing network signatures and suggests a scheme to make new signatures fast by comparing against the hierarchical signature cluster tree when new malware is discovered.
international conference on information and communication technology convergence | 2016
Yangseo Choi; Jooyoung Lee; Sunoh Choi; Jong Hyun Kim; Ikkyun Kim
As sophisticated attacks increase continuously, attack analysis technologies are becoming more important. Attack-related information or data must be collected first for attack analysis. But attackers make an effort to get rid of all the attack-related information they can find and adopt anti-forensic technologies as well, so it is quite difficult to collect sufficient information for attack analysis. For further analysis, network traffic could be a good candidate. It cannot be removed by the attackers and has a lot of information about what the attackers were doing. However, network traffic is volatile information and only exists while it is being transmitted. Therefore, in order to collect network packets, they have to be stored while they are being transmitted in real time. Besides, network traffic is a huge amount of volatile data, so it should be captured and stored on a mass storage device. For that, we propose a Traffic storing and Related Information Generation system for cyberattack analysis, TRIG, which can store 20 Gbps network traffic in real time and generate various traffic-related information at the same time for further analysis.
world congress on internet security | 2015
Yangseo Choi; Jooyoung Lee; Sunoh Choi; Jong Hyun Kim; Ikkyun Kim
When hackers try to attack a target system, their first goal is to install malware on the target system. This is because hackers can do anything they want once malware is installed. In the past, most malware was Microsoft PE files; however, it has changed to various file formats such as pdf, jpg, doc, jar and so on. Under these circumstances, some network security systems such as network forensics systems have to reconstruct that malware from network packets in order to analyze it. For that, we propose a file type signature and network protocol analysis based transmitted file reconstruction technique which can reconstruct various file types from network packets. In this paper, we show the implementation and file reconstruction results.
international conference on advanced communication technology | 2016
Yangseo Choi; Jooyoung Lee; Sunoh Choi; Jong Hyun Kim; Ikkyun Kim
international conference on information and communication technology convergence | 2017
Sunoh Choi; Sungwook Jang; Youngsoo Kim; Jong Hyun Kim
international conference on information and communication technology convergence | 2016
Jooyoung Lee; Sunoh Choi; Yangseo Choi; Jong Hyun Kim; Ikkyun Kim
The Journal of Korean Institute of Communications and Information Sciences | 2016
Young-Hoon Goo; Sunoh Choi; Su-Kang Lee; Sung-Min Kim; Myung-Sup Kim
Security Technology 2016 | 2016
Jong Hyun Kim; Yangseo Choi; Jooyoung Lee; Sunoh Choi; Ikkyun Kim