Research Article

An Enhancement of Optimized Detection Rule of Security Monitoring and Control for Detection of Cyberthreat in Location-Based Mobile System

Table 9. Optimization of nonpayload detection rules 1.

(a) Detection rules selected for standardization

| Category | Command format | Selection of detection rule standardization |
|---|---|---|
| Nonpayload Detection (IP) | ttl | Inspect IP Time-To-Live field |
| Nonpayload Detection (IP) | ip_proto | Inspect IP protocol field |
| Nonpayload Detection (TCP) | flags | Inspect TCP flag bit field |
| Nonpayload Detection (ICMP) | itype | Inspect ICMP type |
| Nonpayload Detection (ICMP) | icode | Inspect ICMP code |
| Nonpayload Detection (ICMP) | icmp_id | Inspect ICMP identification field |
| Nonpayload Detection (ICMP) | icmp_seq | Inspect ICMP sequence number |

(b) Detection rules excluded from standardization

| Category | Command format | Excluded detection rule |
|---|---|---|
| Nonpayload Detection (IP) | fragoffset | Inspect IP fragment offset field |
| Nonpayload Detection (IP) | fragbits | Check whether IP fragmentation and reserved bits are set |
| Nonpayload Detection (IP) | tos | Inspect IP type-of-service field |
| Nonpayload Detection (IP) | id | Inspect IP identification field |
| Nonpayload Detection (IP) | ipopts | Inspect IP options field |
| Nonpayload Detection (TCP) | seq | Inspect TCP sequence number |
| Nonpayload Detection (TCP) | ack | Inspect TCP acknowledgement number |
| Nonpayload Detection (TCP) | window | Inspect TCP window size |

Reason for exclusion (applies to all rules in (b)): excluded through consultation with related companies, because these fields are not useful in creating detection rules.
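The command formats in Table 9 are the names of Snort's nonpayload rule options, so the retained set can be exercised with a small matcher. The following is an added example, not code from the paper: a simplified re-implementation of the value syntax those options accept (a number, `<n`, `>n`, `a-b` or `!n` for ttl, ip_proto, itype, icode, icmp_id and icmp_seq; a flag string with an optional `+`, `*` or `!` modifier and a `,mask` suffix for flags), evaluated against packet header fields supplied as dictionaries. The packets and rules are constructed for the demonstration, and an option from part (b) of the table (for example `seq`) is rejected because it is outside the standardized set.

```python
"""Matcher for the nonpayload rule options retained in Table 9 (added example).

Option semantics follow the documented Snort syntax but are re-implemented here
in simplified form; this is not Snort's own code.
"""
import re
from typing import Callable, Dict, Mapping

Predicate = Callable[[Mapping[str, int]], bool]

# Numeric options retained in Table 9 (IP and ICMP header fields).
NUMERIC_OPTS = ("ttl", "ip_proto", "itype", "icode", "icmp_id", "icmp_seq")
# TCP flag letters as used by the 'flags' option; '1' and '2' are the reserved bits.
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
                 "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}


def numeric_predicate(field: str, spec: str) -> Predicate:
    """Build a predicate for one numeric option; a packet lacking the field never matches."""
    spec = spec.strip()
    if spec.startswith("!"):
        inner = numeric_predicate(field, spec[1:])
        return lambda pkt: field in pkt and not inner(pkt)
    if spec.startswith("<"):
        n = int(spec[1:])
        return lambda pkt: field in pkt and pkt[field] < n
    if spec.startswith(">"):
        n = int(spec[1:])
        return lambda pkt: field in pkt and pkt[field] > n
    m = re.fullmatch(r"(\d+)-(\d+)", spec)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
        return lambda pkt: field in pkt and lo <= pkt[field] <= hi
    n = int(spec)
    return lambda pkt: field in pkt and pkt[field] == n


def flags_predicate(spec: str) -> Predicate:
    """Build a predicate for the TCP 'flags' option (modifier: exact, '+' all, '*' any, '!' not)."""
    wanted_part, _, mask_part = spec.partition(",")
    mode, wanted, mask = "exact", 0, 0
    for ch in wanted_part.strip():
        if ch in "+*!":
            mode = {"+": "all", "*": "any", "!": "not"}[ch]
        elif ch != "0":          # '0' means "no flags set": wanted stays 0
            wanted |= TCP_FLAG_BITS[ch]
    for ch in mask_part.strip():  # bits listed after ',' are ignored when comparing
        mask |= TCP_FLAG_BITS[ch]

    def check(pkt: Mapping[str, int]) -> bool:
        if "flags" not in pkt:
            return False
        observed = pkt["flags"] & ~mask & 0xFF
        if mode == "exact":
            return observed == wanted
        if mode == "all":
            return (observed & wanted) == wanted
        if mode == "any":
            return (observed & wanted) != 0
        return observed != wanted  # "not": anything except the exact set
    return check


def parse_rule_options(options: str) -> Dict[str, Predicate]:
    """Parse 'key:value; key:value;' into predicates, accepting only the standardized options."""
    preds: Dict[str, Predicate] = {}
    for item in options.split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(":")
        key = key.strip()
        if key in NUMERIC_OPTS:
            preds[key] = numeric_predicate(key, value)
        elif key == "flags":
            preds[key] = flags_predicate(value)
        else:
            raise ValueError(f"option {key!r} is not in the standardized set of Table 9")
    return preds


def rule_matches(options: str, pkt: Mapping[str, int]) -> bool:
    """A rule matches when every option in it matches the packet."""
    return all(p(pkt) for p in parse_rule_options(options).values())


# Constructed sample packets (header fields only) and rules for the demonstration.
PACKETS = {
    "icmp_echo": {"ttl": 64, "ip_proto": 1, "itype": 8, "icode": 0, "icmp_id": 1234, "icmp_seq": 1},
    "tcp_syn_low_ttl": {"ttl": 3, "ip_proto": 6, "flags": 0x02},
    "tcp_synack": {"ttl": 128, "ip_proto": 6, "flags": 0x12},
}
RULES = {
    "icmp echo request": "itype:8; icode:0;",
    "low-ttl SYN": "ttl:<5; ip_proto:6; flags:S;",
    "ACK-bearing segment": "ip_proto:6; flags:A+;",
}


def evaluate(rules=RULES, packets=PACKETS) -> Dict[str, list]:
    """Return, for each rule name, the names of the sample packets it matches."""
    return {rname: [pname for pname, pkt in packets.items() if rule_matches(ropts, pkt)]
            for rname, ropts in rules.items()}


if __name__ == "__main__":
    for rule_name, hits in evaluate().items():
        print(f"{rule_name}: {hits}")
```

The mask handling mirrors the `flags:S,12` idiom, which clears the two reserved bits before the comparison so that ECN-marked SYNs still match an exact-SYN rule; without the mask, the same packet would fail the exact comparison.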