Tai-Myung Chung

Design of Network Security Control System for Cooperative Intrusion Detection

As intrusions and other attacks become more widespread and more sophisticated, it becomes more difficult to detect them at a single intrusion detection system(IDS). Therefore, IDSs have become focused on various intrusions (and/or attacks) in large scale network environments. But, it is not easy to detect various intrusions, since the design of early IDSs are based on analyzing the audit trails supported just a single host. Here we have made effort to design and implement IDS which can detect more complex attacks as well as support security management through cooperating each others. In this paper, we present the architecture of our system that detects various intrusions in large scale network environments as well as supports flexibility, portability, and extensibility for policy based security management.

Reducing Communication Overhead for Nested NEMO Networks: Roaming Authentication and Access Control Structure

In this paper, we present a practical public key certificate structure that is combined with an authentication protocol for roaming across different wireless Internet service providers (ISPs). The design rationale is to enable the mutual authentication between the roaming mobile device (MD) and the visited network to be locally performed without invoking the MDs home ISP. The mutual authentication ensures that the visited network has authenticity as well as a mechanism for establishing the appropriate revenue stream for the roaming MD. The proposed scheme guarantees that the overhead associated with the authentication time is significantly reduced and that the impact of this overhead on the roaming MD is also minimized, although the nested depth of the network mobility is increased. In this paper, we use analytical comparisons to show that the proposed scheme creates less overhead than that of the previous approaches in terms of security and communication performance.

New binding update method using GDMHA in hierarchical mobile IPv6

Mobile IPv6 is a protocol that guarantees mobility of mobile node within the IPv6 environment. However current Mobile IPv6 supports simple the mobility of the mobile nodes and does not offer any special mechanism to reduce the handoff delay. For the purpose of reducing the handoff delay, Hierarchical Mobile IPv6 has been studied. However Hierarchical Mobile IPv6 supports the micro mobility only in the area managed by mobility anchor point. Therefore, the handoff delay problem still has been unsolved when mobile node moves to another mobility anchor point. In this paper, we propose GDMHA (Geographically Distributed Multiple HAs) mechanism to provide macro mobility between the mobility anchor points. Using this mechanism, a mobile node performs Binding Update with the nearest Home Agent, so that the delay of Binding Update process can be reduced. It also reduces the handoff delay.

The Vulnerability Assessment for Active Networks; Model, Policy, Procedures, and Performance Evaluations

Active Networks (ANs) are novel approaches to providing flexibility in the both network and service. ANs are realized with deployment of active nodes over network. For composing an active node, new components are required but may invite potential vulnerabilities. Many network-based attacks using vulnerabilities of new components can easily spread over network, because of the mobility of active packets. In order to prevent those attacks at the early stages, vulnerability assessment model for active networks is required. Because existing vulnerability models have limitations to be applied in ANs, we propose the Scalable Vulnerability Assessment Model (SVAM) that can efficiently manage vulnerable nodes in ANs. This approach provides good scalability by distributed vulnerability scanning mechanism based on policy and fast adaptability by automated deployment of new vulnerability scanning code.

Mobile IP using private IP address through stateful network address translation

Mobile networking is becoming popular. The increase in mobile communication makes the lacking problem in number of addresses for IPv4 more serious. To solve this problem, this paper proposes an approach to fulfill a mobile JP protocol by using a stateful NAT (Network address Translation) technology. This approach is able to communicate through information sharing by the NAT address mapping between HA and FA. Therefore, the preferred protocol is not requiring an additional procedure between HA and FA for processing, which relate the mobiIity and its showing a normal procedure of the mobile IP. This paper presents a detailed design of the statful NAT approach.

Generation of pseudo random processes with given marginal distribution and autocorrelation function

In this paper a new algorithm for generating a random process with a given marginal distri- bution and autocorrelation function is presented. By using the truncated distribution instead of the order statistics used in the earlier algorithm, the proposed algorithm achieves signiiScant speed up and accuracy. We also develop a scheme for deciding the transition probability matrix based on the Newton optimization technique, that is one of the key steps in the proposed algo-rithm. The experiment for 16 state randomized Markov chain shows about 14 times accelera-tion in comparison with the earher algorithm. The storage requirement is also much smaller.

Policy based handoff in MIPv6 networks

As the requirements on high-availability for multimedia intensified new applications increase the pressure for the higher bandwidth on wireless networks, just upgrading to the high capacity network is essential. However, that is not especially for solving the handoff-related problems. Policy-based network (PBN) technologies help MIPv6 networks ensure that network users get the QoS, security, and other capabilities they need. PBN has the intelligence, in the form of business policies, needed to manage network operations. In this paper, we propose the Policy Based Handoff (PBH) mechanism in mobile IPv6 (MIPv6) networks to have more flexible management capability on MNs. PBH employs dual routing policy so that it reduces the fault rate of handoff up to about 87% based on the same network parameters and solves the ping-pong problem. Experimental results presented in this paper shows that our proposal has superior performance comparing to other schemes.

A Design of Preventive Integrated Security Management System Using Security Labels and a Brief Comparison with Existing Models

Many organizations operate and manage their security systems using the ISM technology to secure their network environment effectively. However, the current ISM is passive and behaves in a post-event manner. To reduce costs and resources for managing security and to remove the possibility of an intruder succeeding in attacks, the preventive security management technology is strongly required. In this paper, we propose a PRISM model that performs preventive security management before security incidents occur. PRISM model employs security labels to deploy differentiated security measure to achieve this.

A Policy Propagation Model Using Mobile Agents in Large-Scale Distributed Network Environments

With the growing number of attacks on network infrastructures, we need better techniques to detect and prevent these attacks. Each security system in the distributed network requires different security rules to protect from these attacks efficiently. So the propagation of security rules is needed. Therefore, we introduce mobile agents that propagate security rules by constantly moving around the Internet as a solution to propagation of security rules. This paper describes a new approach for propagation of security rules in large-scale networks, in which mobile agent mechanisms are used. To evaluate the proposed approach, we simulated a policy propagation model using a NS-2 (Network Simulator). Our new approach presents advantages in terms of spreading rules rapidly and increasing scalability.

The design of XML-based internet security integrated system architecture

To protect networks from intrusions and attacks, many vendors have developed various security systems. Managing these systems individually demands much work and high cost. To decrease these overheads, we have developed an Internet Security Integrated System(ISIS). This system is composed of several security systems and applies the security policy to each security system to establish the security zone. But we have some problems in standard forms of platform interfaces, operating methods, log formats, and message structure required in integrating security systems. So, we propose a message exchange scheme among the security systems using XML. This approach presents significant advantages in terms of increasing simplicity and scalability, supporting ease of maintenance, and providing fast information retrieval.