TY  - JOUR
T1  - A Study on Dynamic Configuration of Attacker Blocking Time through Linux Log Analysis
AU  - Jo, Jinyong
AU  - Park, Ju-Won
AU  - Kim, Seung-Hae
AU  - Cho, Buseung
JO  - The Journal of Korean Institute of Communications and Information Sciences
PY  - 2024
DA  - 2024/1/1
DO  - 10.7840/kics.2024.49.10.1397
KW  - Log analysis
KW  - firewall
KW  - security automation
KW  - ACL configuration
KW  - attack protection
AB  - Network firewalls are a key security element that protects internal resources from security attacks. However, as the number of firewall rules increases, firewall performance degrades and the management burden grows. In particular, small-capacity firewalls can accommodate only a limited number of rules, making it difficult to defend against persistent attacks. This study proposes the MALP (More Attack, Longer Penalty) algorithm, which dynamically sets the attack blocking time to mitigate the problems of insufficient rule capacity and performance degradation. MALP adaptively increases the blocking time when subsequent attacks are detected during the penalty time. It leverages data features such as attack intervals, obtained from Linux logs collected by a host-based intrusion detection system. Computer simulation showed that the proposed algorithm yielded an 81.22% performance improvement, effectively blocking attacks with a small number of firewall rules.