Projects

Statistics-based Network Behavior Modeling

2018-05-01 ~ 2018-10-31

This project developed statistics-based network behavior models that classify network traffic efficiently and flag behavior that deviates from the learned normal patterns. To overcome the limitations of traditional port-based and payload-based traffic classification, we combined host behavior analysis with Latent Dirichlet Allocation (LDA) to identify traffic characteristics and patterns, which improved classification accuracy. For user convenience we built a GUI-based traffic classification tool and added an X.509 certificate analysis feature that extracts certificate information from TLS/SSL traffic (a passive observer sees the server certificate only in TLS 1.2 and earlier handshakes; TLS 1.3 encrypts it). Using real-world laboratory data and public datasets, we analyzed a range of network behaviors, including server, client, and attack traffic, and visually verified the anomalies with BLINC graphs and radar charts.
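As an added illustration of the host-behavior side of this work (example code written for this page, not the project's GUI tool), the following Python builds BLINC-style per-host graphlet summaries from NetFlow-like 5-tuples, labels each host's role, and reports hosts whose outbound fan-out departs from a baseline window. The flow records, IP addresses and role thresholds are all constructed assumptions for the example, not values from the project's data.

```python
from collections import defaultdict, namedtuple

# NetFlow-style 5-tuple; every record below is constructed for this example.
Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port proto")


def new_profile():
    return {"out_peers": set(), "out_dports": set(), "out_sports": set(),
            "ports_by_peer": defaultdict(set), "out_flows": 0,
            "in_peers": set(), "in_ports": set(), "in_flows": 0}


def graphlets(flows):
    """BLINC-style per-host summary built from both ends of every flow."""
    g = defaultdict(new_profile)
    for f in flows:
        s, d = g[f.src_ip], g[f.dst_ip]
        s["out_peers"].add(f.dst_ip)
        s["out_dports"].add(f.dst_port)
        s["out_sports"].add(f.src_port)
        s["ports_by_peer"][f.dst_ip].add(f.dst_port)
        s["out_flows"] += 1
        d["in_peers"].add(f.src_ip)
        d["in_ports"].add(f.dst_port)
        d["in_flows"] += 1
    return g


def classify_role(p):
    """Heuristic role from a graphlet; thresholds are illustrative assumptions."""
    fan_in, services = len(p["in_peers"]), len(p["in_ports"])
    if fan_in >= 3 and services <= 2 and p["in_flows"] > p["out_flows"]:
        return "server"            # many clients, one or two listening ports
    if any(len(ports) >= 10 for ports in p["ports_by_peer"].values()):
        return "vertical-scan"     # one peer probed on many ports
    if len(p["out_peers"]) >= 5 and len(p["out_dports"]) == 1:
        return "horizontal-scan"   # many peers probed on the same port
    if p["out_flows"] and len(p["out_dports"]) <= 3:
        return "client"            # a few services, ephemeral source ports
    return "unknown"


def deviations(baseline, current, factor=4):
    """Hosts whose outbound fan-out grew `factor`x against their baseline window."""
    base, cur = graphlets(baseline), graphlets(current)
    alerts = []
    for host, p in cur.items():
        b = base.get(host)
        if b is None or b["out_flows"] == 0:
            continue               # no outbound baseline to compare against
        for metric in ("out_peers", "out_dports"):
            before, now = len(b[metric]), len(p[metric])
            if now >= factor * max(before, 1):
                alerts.append((host, metric, before, now))
    return alerts


def make_flows(with_scan=False):
    """Constructed traffic: ten workstations using a web server and a DNS server."""
    flows = []
    for i in range(10):
        c = f"10.0.1.{i + 1}"
        for j in range(3):         # three HTTPS sessions per workstation
            flows.append(Flow(c, 40000 + 10 * i + j, "10.0.0.5", 443, "tcp"))
        flows.append(Flow(c, 50000 + i, "10.0.0.9", 53, "udp"))   # one DNS lookup
    if with_scan:                  # 10.0.1.1 additionally sweeps forty ports on one host
        flows += [Flow("10.0.1.1", 60000 + k, "10.0.0.30", k + 1, "tcp") for k in range(40)]
    return flows


BASELINE = make_flows()
OBSERVED = make_flows(with_scan=True)


def roles(flows):
    return {host: classify_role(p) for host, p in graphlets(flows).items()}


if __name__ == "__main__":
    for host, role in sorted(roles(OBSERVED).items()):
        print(f"{host:10} {role}")
    print("deviations:", deviations(BASELINE, OBSERVED))
```

The role labels come from the shape of a host's graphlet rather than from port numbers, which is the point of host behavior analysis: a port scan still looks like a scan when it targets unusual ports, and the baseline comparison catches a known client whose behavior changes even before its new role is recognizable.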

Traffic Measurement in Anonymity Networks

2017-04-01 ~ 2017-10-31

We studied methods for collecting network traffic from anonymity networks, specifically the Tor network: how to collect the traffic, how to analyze the collected data, and which attacks on anonymity networks already exist. The study focused on operating a Tor exit node to collect the traffic that leaves the network unencrypted, including full packet payloads (traffic that is end-to-end encrypted, such as HTTPS, remains opaque at the exit). Data was also collected from a client's perspective, which confirmed that Tor circuits typically consist of relays in different countries and are frequently rebuilt to preserve user anonymity.

Characterization and Automatic Labeling of Malicious Traffic in Control System Networks

2017-04-01 ~ 2017-10-31

This project proposes an automated method for classifying the specialized network traffic of Industrial Control System (ICS) networks such as SCADA systems. Existing traffic classification tools struggle to identify the traffic patterns of these critical systems, so we leveraged Latent Dirichlet Allocation (LDA), a probabilistic text modeling technique. By treating a network traffic flow as a document and its payload data as words, the LDA model automatically extracts hidden "topics" (traffic signatures) that are used to classify the flows. Applied to real-world water resource control system traffic (approx. 44 GB), the method classified 96.3% of the traffic that existing tools failed to identify, demonstrating its effectiveness and applicability in specialized SCADA environments.

Network Traffic Classification for Intrusion Detection

2015-06-01 ~ 2015-12-31

We aim to build a system that identifies threatening traffic by classifying network traffic. We propose an automated signature detection method based on Latent Dirichlet Allocation (LDA) to address the shortcomings of existing application traffic analysis. The system analyzes traffic content without prior knowledge or hand-written signatures, so it can detect and classify the traffic signatures of previously unseen applications.
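Both this project and the SCADA project above rest on the same representation: a flow is a document and its payload is a sequence of words. The following added Python example (written for this page, not the authors' LDA implementation) shows that representation end to end: overlapping byte bigrams as words, a collapsed Gibbs sampler that clusters the flows, and the most frequent words of each cluster as its learned signature. To keep the sampler short and stable it fits the single-topic-per-flow special case of the model (a Dirichlet-multinomial mixture) rather than full LDA, in which one flow may mix several topics. The Modbus/TCP-style and HTTP-style frames, the hyperparameters and the number of topics are constructed assumptions for the example.

```python
import math
import random
from collections import Counter


def payload_words(payload, n=2):
    """Tokenise a payload into overlapping byte n-grams written as hex strings."""
    return [payload[i:i + n].hex() for i in range(len(payload) - n + 1)]


def fit_mixture(docs, k=2, iters=50, alpha=1.0, beta=0.01, seed=0):
    """Collapsed Gibbs sampler for a Dirichlet-multinomial mixture over flows.

    Each document (flow) receives one topic; topic-word counts are shared, so
    flows built from the same byte patterns gravitate to the same topic.
    """
    rng = random.Random(seed)
    vocab = {w: i for i, w in enumerate(sorted({w for d in docs for w in d}))}
    V = len(vocab)
    counts = [Counter(vocab[w] for w in d) for d in docs]   # word counts per flow
    lens = [sum(c.values()) for c in counts]
    mk, nk = [0] * k, [0] * k                  # flows and tokens per topic
    nkw = [[0] * V for _ in range(k)]          # word counts per topic
    z = [rng.randrange(k) for _ in docs]

    def shift(d, t, sign):
        mk[t] += sign
        nk[t] += sign * lens[d]
        for w, c in counts[d].items():
            nkw[t][w] += sign * c

    for d in range(len(docs)):
        shift(d, z[d], +1)
    for _ in range(iters):
        for d in range(len(docs)):
            shift(d, z[d], -1)                 # remove flow d, resample its topic
            logp = []
            for t in range(k):
                lp = math.log(mk[t] + alpha)
                lp -= math.lgamma(nk[t] + lens[d] + V * beta) - math.lgamma(nk[t] + V * beta)
                for w, c in counts[d].items():
                    lp += math.lgamma(nkw[t][w] + c + beta) - math.lgamma(nkw[t][w] + beta)
                logp.append(lp)
            m = max(logp)
            weights = [math.exp(lp - m) for lp in logp]
            u = rng.random() * sum(weights)
            for t, wt in enumerate(weights):
                u -= wt
                if u < 0:
                    break
            z[d] = t
            shift(d, t, +1)
    return {"z": z, "nkw": nkw, "nk": nk, "mk": mk, "vocab": vocab,
            "alpha": alpha, "beta": beta}


def log_joint(state):
    """log p(words, topics) of a sampler state, used to rank restarts."""
    a, b = state["alpha"], state["beta"]
    k, V = len(state["nkw"]), len(state["vocab"])
    lp = math.lgamma(k * a) - math.lgamma(sum(state["mk"]) + k * a)
    for t in range(k):
        lp += math.lgamma(state["mk"][t] + a) - math.lgamma(a)
        lp += math.lgamma(V * b) - math.lgamma(state["nk"][t] + V * b)
        lp += sum(math.lgamma(c + b) - math.lgamma(b) for c in state["nkw"][t])
    return lp


def fit_best(docs, k=2, restarts=3, **kw):
    """Run several random restarts and keep the most probable clustering."""
    return max((fit_mixture(docs, k, seed=s, **kw) for s in range(restarts)), key=log_joint)


def signature(state, t, top=5):
    """Most frequent words of topic t: the traffic signature it learned."""
    inv = {i: w for w, i in state["vocab"].items()}
    row = state["nkw"][t]
    return [inv[i] for i in sorted(range(len(row)), key=lambda i: (-row[i], inv[i]))[:top]]


def modbus_like(i):
    # Constructed MBAP header (tid=i, protocol 0, length 6, unit 1) + FC 3, address i, 10 registers
    return bytes([0, i, 0, 0, 0, 6, 1, 3, 0, i, 0, 10])


def http_like(i):
    return b"GET /%d HTTP/1.1\r\n" % i         # constructed HTTP request line


FLOWS = [modbus_like(i) for i in range(30)] + [http_like(i) for i in range(30)]


def classify_flows(payloads=FLOWS, k=2):
    """Return (topic per flow, fitted state) for a list of payload byte strings."""
    state = fit_best([payload_words(p) for p in payloads], k)
    return state["z"], state


if __name__ == "__main__":
    topics, st = classify_flows()
    for t in range(2):
        members = [i for i, z in enumerate(topics) if z == t]
        print(f"topic {t}: {len(members)} flows, signature {signature(st, t)}")
```

Nothing in the sampler knows about Modbus or HTTP; the signatures fall out of which byte pairs co-occur within flows, which is what lets the approach label traffic from protocols that have no entry in a signature database. On real captures the choice of n-gram size, the number of topics and the hyperparameters need tuning, and the learned signatures should be reviewed by a person before they are used for detection.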