Malicious Traffic Detection Using K-means

Network Malicious Traffic Detection Using K-means Clustering

  • Shin, Dong Hyuk (College of Information and Communication Engineering, Sungkyunkwan Univ.) ;
  • An, Kwang Kue (Business Development Engineer at ELUON) ;
  • Choi, Sung Chune (Business Development Engineer at ELUON) ;
  • Choi, Hyoung-Kee (College of Information and Communication Engineering, Sungkyunkwan Univ.)
  • Received : 2015.10.31
  • Accepted : 2016.01.13
  • Published : 2016.02.29

Abstract

Various network attacks, such as DDoS (Distributed Denial of Service) and worm attacks, are among the biggest problems of modern society. These attacks reduce the quality of Internet service and give rise to cyber crime. To address this problem, network vendors have developed signature-based IDS (Intrusion Detection Systems). Such systems achieve a high detection rate by using a database of previous attack signatures or known malicious traffic patterns. However, signature-based IDS have the fatal weakness that new types of attacks cannot be detected, because the signatures depend on previously observed attacks. In this paper, we propose a k-means clustering based malicious traffic detection method to complement this weakness of signature-based IDS. In order to demonstrate the efficiency of the proposed method, we apply Bayes' theorem.

Network attacks that degrade the quality of Internet service and cause online crime are one of the problems that modern society must solve. To address this problem, intrusion detection systems known as signature IDS (Intrusion Detection System) have been developed, but they detect only known types of attacks. Consequently, because they cannot detect unknown attacks, they cannot be considered a fundamental solution for network attack detection. In this paper, we propose a network malicious traffic detection method based on the K-means algorithm to complement the weakness of signature IDS.


Cited by

  1. SVR-based short-term wind power generation forecasting using wind direction and wind speed characteristics vol.42, pp.5, 2016, https://doi.org/10.7840/kics.2017.42.5.1085
  2. A study on deriving keyword-centered social issues using word embedding techniques: focusing on news articles related to people with disabilities vol.35, pp.1, 2016, https://doi.org/10.3743/kosim.2018.35.1.231
  3. An empirical comparison and verification study on measuring the clustering of container ports using the K-means clustering model, hierarchical clustering models (average linkage by cross-efficiency matrix, Ward's method), and a mixed model vol.34, pp.3, 2016, https://doi.org/10.38121/kpea.2018.09.34.3.17
  4. Intrusion Detection System in the Advanced Metering Infrastructure: A Cross-Layer Feature-Fusion CNN-LSTM-Based Approach vol.21, pp.2, 2016, https://doi.org/10.3390/s21020626
  5. Analysis of Research Trends Based on Text Mining in the Journal of Korean Society of Environmental Engineering vol.43, pp.2, 2016, https://doi.org/10.4491/ksee.2021.43.2.101