Study on Outbound Traffic Monitoring with Bloom Filter

A Study on Outbound Traffic Monitoring Using a Bloom Filter

  • Kang, Seong-Jung (강성중) (Department of Big Data Application and Security, Korea University) ;
  • Kim, Hyoung-Joong (김형중) (Department of Big Data Application and Security, Korea University)
  • Received : 2017.11.21
  • Accepted : 2018.02.26
  • Published : 2018.02.28

Abstract

When a PC is infected with malicious code, it communicates with a command and control (C&C) server and, on the attacker's instructions, spreads across the internal network and gathers information. Companies focus on blocking attacks from the outside in advance, but malicious code intended for APT attacks makes its way inside in some form. To limit the spread of damage, internal monitoring is needed to detect PCs that are infected with malicious code and attempt to communicate with the C&C server. This paper proposes a destination IP monitoring method that uses a Bloom filter to check quickly and efficiently whether the destination IP of each of a large number of packets is on a blacklist.

When a PC is infected with malicious code, it communicates with a C&C server and, following the attacker's commands, goes through stages such as spreading across the internal network and gathering information before finally carrying out its malicious actions. Companies focus on blocking attacks from the outside in advance, but malicious code intended for APT attacks enters the inside in some form. To prevent the spread of damage at that point, internal monitoring is needed to find PCs that are infected with malicious code and attempt to communicate with the C&C server. This paper presents a destination IP monitoring method using a Bloom filter to quickly and effectively check whether the destination IPs of numerous packets are blacklisted IPs.
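The abstract describes the core mechanism but not its shape in code. The following is an added example written for this page, not code from the paper or its authors: a small Bloom filter over blacklisted destination IPs, the standard sizing formulas (m = -n ln p / (ln 2)^2 and k = (m/n) ln 2, with expected false-positive rate (1 - e^(-kn/m))^k), and a monitoring loop over constructed outbound packets. The blacklist, the packets and the two-stage design (Bloom filter as the fast filter, exact set lookup only on a hit so a false positive never becomes an alert) are all assumptions of this example; the paper does not specify them. Addresses come from the RFC 5737 documentation ranges.

```python
import hashlib
import math


class BloomFilter:
    """Minimal Bloom filter: m bits, k bit positions per item.

    The k positions are derived from a single SHA-256 digest by double
    hashing (h1 + i*h2 mod m), so a lookup costs one hash computation
    plus k bit tests. No false negatives; false positives are possible.
    """

    def __init__(self, m_bits: int, k_hashes: int) -> None:
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item: str):
        digest = hashlib.sha256(item.encode("ascii")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd step value
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def might_contain(self, item: str) -> bool:
        # True means "possibly in the set"; False is definitive.
        return all(self.bits[pos >> 3] & (1 << (pos & 7))
                   for pos in self._positions(item))


def size_for(n_items: int, target_fp: float) -> tuple:
    """Choose (m, k) for n items and a target false-positive rate."""
    m = math.ceil(-n_items * math.log(target_fp) / (math.log(2) ** 2))
    k = max(1, round(m / n_items * math.log(2)))
    return m, k


def false_positive_rate(m_bits: int, n_items: int, k_hashes: int) -> float:
    """Expected false-positive probability (1 - e^{-kn/m})^k."""
    return (1 - math.exp(-k_hashes * n_items / m_bits)) ** k_hashes


# Constructed blacklist of C&C addresses (RFC 5737 documentation ranges).
BLACKLIST = {"192.0.2.10", "198.51.100.7", "203.0.113.55"}

# Constructed outbound packets as (source IP, destination IP) pairs.
PACKETS = [
    ("10.0.0.5", "192.0.2.200"),    # clean
    ("10.0.0.5", "198.51.100.7"),   # blacklisted
    ("10.0.0.9", "203.0.113.1"),    # clean
    ("10.0.0.9", "203.0.113.55"),   # blacklisted
    ("10.0.0.12", "192.0.2.10"),    # blacklisted
    ("10.0.0.12", "192.0.2.11"),    # clean
]


def build_filter(blacklist, target_fp: float = 0.01) -> BloomFilter:
    """Size the filter for the blacklist and insert every entry."""
    m, k = size_for(len(blacklist), target_fp)
    bf = BloomFilter(m, k)
    for ip in blacklist:
        bf.add(ip)
    return bf


def monitor(packets, bf: BloomFilter, blacklist) -> tuple:
    """Two-stage check (assumed design, not the paper's).

    Stage 1: Bloom filter lookup on every destination; most traffic is
    rejected here in O(k). Stage 2: exact set lookup only on a Bloom hit,
    so a filter false positive is never reported as an infected host.
    Returns (bloom_hits, confirmed_alerts).
    """
    bloom_hits = 0
    confirmed = []
    for src, dst in packets:
        if bf.might_contain(dst):
            bloom_hits += 1
            if dst in blacklist:
                confirmed.append((src, dst))
    return bloom_hits, confirmed


if __name__ == "__main__":
    bf = build_filter(BLACKLIST)
    hits, alerts = monitor(PACKETS, bf, BLACKLIST)
    print(f"filter: {bf.m} bits, {bf.k} hashes; bloom hits={hits}")
    for src, dst in alerts:
        print(f"ALERT: internal host {src} contacted blacklisted {dst}")
```

In a deployment the blacklist would hold thousands of entries; `size_for(10000, 0.01)` yields about 96 kbit with 7 hash positions, small enough to stay cache resident on a monitoring sensor, while the exact lookup in stage 2 runs only for the roughly one percent of non-blacklisted destinations that the filter lets through.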
