| ÇѱÛÁ¦¸ñ(Korean Title) |
SVMÀ» ÀÌ¿ëÇÑ SNMP MIB¿¡¼ÀÇ Æ®·¡ÇÈ ÆøÁÖ °ø°Ý ŽÁö |
| ¿µ¹®Á¦¸ñ(English Title) |
Traffic Flooding Attack Detection on SNMP MIB Using SVM |
| ÀúÀÚ(Author) |
À¯ÀçÇÐ
¹ÚÁß»ó
ÀÌÇѼº
±è¸í¼·
¹Ú´ëÈñ
Jaehak Yu
Jun-Sang Park
Hansung Lee
Myung-Sup Kim
Daihee Park
|
| ¿ø¹®¼ö·Ïó(Citation) |
VOL 15-C NO. 05 PP. 0351 ~ 0358 (2008. 10) |
Çѱ۳»¿ë
(Korean Abstract) |
DoS/DDoS·Î ´ëÇ¥µÇ´Â Æ®·¡ÇÈ ÆøÁÖ °ø°ÝÀº ´ë»ó ½Ã½ºÅÛ»Ó¸¸ ¾Æ´Ï¶ó ³×Æ®¿öÅ© ´ë¿ªÆø ¹× ÇÁ·Î¼¼¼ 󸮴ɷÂ, ½Ã½ºÅÛ ÀÚ¿ø µîÀ» °í°¥½ÃÅ´À¸·Î½á ³×Æ®¿öÅ©¿¡ ½É°¢ÇÑ Àå¾Ö¸¦ À¯¹ßÇϱ⠶§¹®¿¡, ½Å¼ÓÇÑ Æ®·¡ÇÈ ÆøÁÖ °ø°ÝÀÇ Å½Áö´Â ¾ÈÁ¤ÀûÀÎ ¼ºñ½ºÀÇ Á¦°ø ¹× ½Ã½ºÅÛÀÇ ¿î¿µ¿¡ Çʼö¿ä°ÇÀÌ´Ù. ÀüÅëÀûÀÎ ÆÐŶ ¼öÁýÀ» ÅëÇÑ DoS/DDoSÀÇ Å½Áö¹æ¹ýÀº °ø°Ý¿¡ ´ëÇÑ »ó¼¼ÇÑ ºÐ¼®Àº °¡´ÉÇϳª ¼³Ä¡ÀÇ È®À强 ºÎÁ·, °í°¡ÀÇ °í¼º´É ºÐ¼®½Ã½ºÅÛÀÇ ¿ä±¸, ½Å¼ÓÇÑ Å½Áö¸¦ º¸ÀåÇÏÁö ¸øÇÏ´Â ¹®Á¦Á¡À» °®°í ÀÖ´Ù. º» ³í¹®¿¡¼´Â MIB Á¤º¸ °»½Å ½ÃÁ¡ ´ÜÀ§·Î ¼öÁýµÈ SNMP MIB °´Ã¼ Á¤º¸¸¦ ¹ÙÅÁÀ¸·Î Support Vector Data Description(SVDD)À» ÀÌ¿ëÇÏ¿© º¸´Ù ºü¸£°í Á¤È®ÇÑ Ä§ÀÔŽÁö¿Í ½¬¿î È®À强, Àúºñ¿ëŽÁö ¹× Á¤È®ÇÑ °ø°ÝÀ¯Çüº° ºÐ·ù¸¦ °¡´ÉÄÉ ÇÏ´Â »õ·Î¿î ½Ã½ºÅÛÀ» ¼³°è ¹× ±¸ÇöÇÏ¿´´Ù. ½ÇÇèÀ» ÅëÇÏ¿© ¸¸Á·½º·¯¿î ħÀÔ Å½ÁöÀ²°ú ¾ÈÀüÇÑ False Negative Rate(FNR), °ø°ÝÀ¯Çüº° ºÐ·ùÀ² ¼öÄ¡ µîÀ» È®ÀÎÇÔÀ¸·Î½á Á¦¾ÈµÈ ½Ã½ºÅÛÀÇ ¼º´ÉÀ» °ËÁõÇÏ¿´´Ù.
|
¿µ¹®³»¿ë
(English Abstract) |
Recently, as network flooding attacks such as DoS/DDoS and Internet Worm have posed devastating threats to network services, rapid detection and proper response mechanisms are the major concern for secure and reliable network services. However, most of the current Intrusion Detection Systems(IDSs) focus on detail analysis of packet data, which results in late detection and a high system burden to cope with high-speed network environment. In this paper we propose a lightweight and fast detection mechanism for traffic flooding attacks. Firstly, we use SNMP MIB statistical data gathered from SNMP agents, instead of raw packet data from network links. Secondly, we use a machine learning approach based on a Support Vector Machine(SVM) for attack classification. Using MIB and SVM, we achieved fast detection with high accuracy, the minimization of the system burden, and extendibility for system deployment. The proposed mechanism is constructed in a hierarchical structure, which first distinguishes attack traffic from normal traffic and then determines the type of attacks in detail. Using MIB data sets collected from real experiments involving a DDoS attack, we validate the possibility of our approaches. It is shown that network attacks are detected with high efficiency, and classified with low false alarms.
|
| Å°¿öµå(Keyword) |
ħÀÔŽÁö
SNMP
MIB
DoS/DDoS
Support Vector Machine
Intrusion Detection
SNMP
MIB
DoS/DDoS
Support Vector Machine
|
| ÆÄÀÏ÷ºÎ |
PDF ´Ù¿î·Îµå
|
