
Derivation of Optimal Thresholds and Extension of the Application-Layer Attack Detection Block (ALAB) Algorithm in ALADDIN

Derivation of Optimal Thresholds for the ALAB Application-Layer Attack Detection Block Algorithm in ALADDIN and Extension of the Algorithm

  • Received : 2011.01.16
  • Accepted : 2011.03.28
  • Published : 2011.06.30

Abstract

Malicious botnets have been used for an increasing range of malicious activities, such as DDoS attacks, sending spam messages, and stealing personal information. Many studies have been carried out to prevent this, but malicious botnets have evolved and now evade detection systems. In particular, HTTP GET request attacks that exploit weaknesses of the application layer are in use. ALAB in ALADDIN, proposed by ETRI, is a DDoS attack detection system to which HTTP GET and Incomplete GET request flooding detection algorithms are applied. In this paper, we extend the Incomplete GET detection algorithm of ALAB and derive its optimal configuration parameters from a study of normal and attack packets in order to verify the validity of the ALAB algorithm.

Malicious botnets are used for many malicious activities, such as DDoS (Distributed Denial of Service) attacks, sending various spam messages, stealing personal information, and click fraud. Many studies have been conducted to prevent this, but malicious botnets have also evolved to evade detection systems. In particular, HTTP GET attacks that exploit weaknesses of the application layer have recently become the most common. ALAB (Application Layer Attack detection Block) of the ALADDIN system developed by ETRI (the Electronics and Telecommunications Research Institute) is a detection system that applies algorithms for detecting HTTP GET and Incomplete GET Request flooding denial-of-service attacks. In this paper, we extend the Incomplete GET detection algorithm of ALAB and verify the validity of the ALAB algorithm by deriving optimal thresholds from the analysis of normal and attack packets collected over a long period.
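As an added illustration, not code from the paper (whose algorithm details the abstract does not give), the Python sketch below shows a threshold-based Incomplete GET flooding detector of the kind the abstract describes and how a threshold can be derived by evaluating candidates against labelled normal and attack traffic. The definition of "incomplete" (a GET whose header block was never terminated by the empty line), the per-source sliding-window count, the client addresses and the traffic itself are all constructed assumptions.

```python
"""Threshold-based Incomplete GET flooding detector (illustrative; not ALAB's own algorithm)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class GetRequest:
    ts: float        # arrival time in seconds
    src: str         # client address
    complete: bool   # True if the header block was terminated by the empty line


def peak_incomplete_per_source(reqs: Iterable[GetRequest], window: float) -> Dict[str, int]:
    """Peak number of incomplete GETs a source had within any `window` seconds."""
    recent: Dict[str, deque] = defaultdict(deque)
    peak: Dict[str, int] = defaultdict(int)
    for r in sorted(reqs, key=lambda r: r.ts):
        if r.complete:
            continue
        q = recent[r.src]
        q.append(r.ts)
        while r.ts - q[0] > window:      # drop timestamps that fell out of the window
            q.popleft()
        peak[r.src] = max(peak[r.src], len(q))
    return dict(peak)


def flag_sources(reqs: Iterable[GetRequest], window: float, threshold: int) -> Set[str]:
    """Sources whose peak incomplete-GET count reaches the threshold."""
    return {s for s, n in peak_incomplete_per_source(reqs, window).items() if n >= threshold}


def tune_threshold(normal: List[GetRequest], attack: List[GetRequest],
                   window: float, candidates: Iterable[int]) -> Tuple[int, List[int]]:
    """Evaluate candidate thresholds on labelled traffic.

    Returns the lowest error count (legitimate sources flagged plus attack
    sources missed) and every candidate threshold that achieves it, so the
    operator can see the usable gap between benign bursts and attack rates.
    """
    attack_srcs = {r.src for r in attack}
    errors: Dict[int, int] = {}
    for t in candidates:
        fp = len(flag_sources(normal, window, t))
        fn = len(attack_srcs - flag_sources(attack, window, t))
        errors[t] = fp + fn
    best = min(errors.values())
    return best, sorted(t for t, e in errors.items() if e == best)


# ---- constructed sample traffic (assumed, not measured) ----
def _client(src: str, incomplete_at: Set[int]) -> List[GetRequest]:
    # ten requests one second apart; those at the listed seconds never finish their headers
    return [GetRequest(float(t), src, t not in incomplete_at) for t in range(10)]


NORMAL_TRAFFIC: List[GetRequest] = (
    _client("10.0.0.1", {2, 8})        # two stalled requests, peak 2 in the window
    + _client("10.0.0.2", {5})         # peak 1
    + _client("10.0.0.3", {1, 4, 9})   # peak 3, the busiest legitimate client
    + _client("10.0.0.4", set())       # never stalls
)

ATTACK_TRAFFIC: List[GetRequest] = (
    [GetRequest(0.5 * i, "203.0.113.7", False) for i in range(20)]    # 20 stalled GETs in 9.5 s
    + [GetRequest(float(i), "203.0.113.8", False) for i in range(12)]  # 12 stalled GETs, 11 per 10 s window
)
WINDOW = 10.0

if __name__ == "__main__":
    print("normal peaks :", peak_incomplete_per_source(NORMAL_TRAFFIC, WINDOW))
    print("attack peaks :", peak_incomplete_per_source(ATTACK_TRAFFIC, WINDOW))
    print("zero-error thresholds:", tune_threshold(NORMAL_TRAFFIC, ATTACK_TRAFFIC, WINDOW, range(1, 31)))
```

On this constructed data every threshold from 4 to 11 separates the traffic without error; the paper's contribution is to find that gap from long-term captures of real normal and attack packets rather than from a toy set, and a practitioner would pick a value inside the gap with margin against the burstiest legitimate client.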
