System and method for connection fingerprint generation and stepping-stone traceback based on netflow

US 10,264,004 B2
Filed: 11/07/2016
Issued: 04/16/2019
Est. Priority Date: 11/09/2015
Status: Active Grant

First Claim

Patent Images

1. A method of connection fingerprint generation and stepping-stone traceback based on NetFlow, the method comprising operations of:

(a) receiving, at a trace agent, a traceback request comprising IP packet attribute information of a victim and an attacker which corresponds to a target connection that is the last connection on a connection chain;

(b) generating a fingerprint for an associated connection based on the IP packet attribute information and flow records from a NetFlow collector, the fingerprint including a target ON/OFF time series generated using the flow records;

(c) detecting a stepping-stone connection to the target connection which is generated at the time of generation of the fingerprint and instructing to check whether sorted candidate connections are present on the same connection chain as the target connection, wherein detecting the stepping-stone connection includes;

generating a candidate ON/OFF time series of the stepping-stone connection, andperforming a correlation between the candidate ON/OFF time series and the target ON/OFF time series; and

(d) determining an order of the candidate connections based on an attacker host when the candidate connections are determined to be present on the same connection chain as the target connection,wherein each ON/OFF time series comprises a respective first ON time followed by one or more respective pairs of times, each pair of times including a respective OFF time and a respective ON time, the ON times corresponding to respective ON periods of the respective connections, and the OFF times corresponding to respective OFF periods of the respective connections.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The method for tracking a cyber hacking is provided. The method of connection fingerprint generation and stepping-stone traceback based on NetFlow includes receiving a traceback request including IP packet attribute information of a victim and an attacker which corresponds to a target connection that is the last connection on a connection chain, generating a fingerprint for an associated connection based on the IP packet attribute information and requesting a NetFlow collector for relevant information, detecting a stepping-stone connection to the target connection which is generated at the time of generation of the fingerprint and instructing to check whether sorted candidate connections are present on the same connection chain as the target connection, and determining an order of the candidate connections based on an attacker host when the candidate connections are determined to be present on the same connection chain as the target connection.

Citations

20 Claims

1. A method of connection fingerprint generation and stepping-stone traceback based on NetFlow, the method comprising operations of:
- (a) receiving, at a trace agent, a traceback request comprising IP packet attribute information of a victim and an attacker which corresponds to a target connection that is the last connection on a connection chain;
  
  (b) generating a fingerprint for an associated connection based on the IP packet attribute information and flow records from a NetFlow collector, the fingerprint including a target ON/OFF time series generated using the flow records;
  
  (c) detecting a stepping-stone connection to the target connection which is generated at the time of generation of the fingerprint and instructing to check whether sorted candidate connections are present on the same connection chain as the target connection, wherein detecting the stepping-stone connection includes;
  
  generating a candidate ON/OFF time series of the stepping-stone connection, andperforming a correlation between the candidate ON/OFF time series and the target ON/OFF time series; and
  
  (d) determining an order of the candidate connections based on an attacker host when the candidate connections are determined to be present on the same connection chain as the target connection,wherein each ON/OFF time series comprises a respective first ON time followed by one or more respective pairs of times, each pair of times including a respective OFF time and a respective ON time, the ON times corresponding to respective ON periods of the respective connections, and the OFF times corresponding to respective OFF periods of the respective connections.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein operation (a) comprises receiving attack start time, an attack end time, an attack source IP address, an attack source port number, a destination IP address, a destination port number, and layer 3 protocol information as the IP packet attribute information.
  - 3. The method of claim 1, wherein in operation (b), the generating of the fingerprint comprises operations of:
    - (b-1) checking datagram;
      
      (b-2) performing sequencing of datagram;
      
      (b-3) checking datagram loss;
      
      (b-4) acquiring layer 4 connection information;
      
      (b-5) performing ON time merging on the flow records;
      
      (b-6) generating the target ON/OFF time series using flow records sorted through the ON-time merging; and
      
      (b-7) generating the fingerprint by taking into account the generated target ON/OFF time series.
  - 4. The method of claim 3, wherein operation (b-1) comprises checking a version and a size of each of NetFlows collected by the NetFlow collector using version and count fields contained in a header format.
  - 5. The method of claim 3, wherein operation (b-2) comprises performing sequencing of the collected NetFlows using SysUptime field in a header format.
  - 6. The method of claim 3, wherein operation (b-3) comprises checking whether the datagram loss occurs, using count and flow_sequence fields contained in a header format.
  - 7. The method of claim 3, wherein operation (b-4) comprises acquiring the layer 4 connection information using attack source IP address, destination IP address, attack source port number, destination port number, and protocol fields contained in a flow record format.
  - 8. The method of claim 7, wherein operation (b-4) comprises sorting the connections for each layer 4 using a TCP flag with respect to a plurality of target layer 4 connections between attack start time and attack end time.
  - 9. The method of claim 3, wherein operation (b-5) comprises sorting the flow records by comparing ON time of each flow record with a predetermined time, and removing a flow record whose ON time is shorter than the predetermined time.
  - 10. The method of claim 3, wherein operation (b-6) comprises generating a respective ON/OFF time series for each layer 4 with respect to the sorted flow records.
  - 11. The method of claim 10, wherein operation (b-7) comprises selecting as the target ON/OFF time series a time series with the longest length from the plurality of generated ON/OFF time series and generating the fingerprint by taking into account setup time of the target ON/OFF time series.
  - 12. The method of claim 1, wherein operation (c) comprises sorting layer 4 connections which are maintained from connection start time to connection end time, generating a candidate ON/OFF time series of each of the sorted layer 4 connections, comparing the generated candidate ON/OFF time series with the target ON/OFF time series of the fingerprint generated in operation (b), and detecting the stepping-stone connection based on a result of the comparison.
  - 13. The method of claim 12, wherein operation (c) comprises checking whether the candidate connection and the target connection are present on the same connection chain by performing a similarity detection algorithm using Min/Max Sum Ratio (MMS).
  - 14. The method of claim 13, wherein operation (c) comprises calculating a similarity while increasing a correlation offset, and after a maximum value thereof is defined as a correlation value, checking whether the candidate connection and the target connection are present on the same connection chain by comparing a maximum value of the correlation value with a threshold value.
  - 15. The method of claim 1, wherein operation (d) comprises checking whether a mutual inclusion relation is established between any two of the candidate connections in terms of connection start times and connection end times thereof, and determining a connection that is positioned close to the attacker host.
  - 16. The method of claim 15, wherein operation (d) comprises determining a connection with a relatively small correlation value to be falsely detected in the case of the absence of mutual inclusion relation and removing the connection.

17. A system for connection fingerprint generation and stepping-stone traceback based on NetFlow, the system comprising:
- a trace agent configured to receive a traceback request including IP packet attribute information corresponding to a target connection, generate a fingerprint for an associated connection based on the IP packet attribute information, and transmit a traceback instruction, wherein the fingerprint includes a target ON/OFF time series, and wherein the target connection is a last connection on a connection chain; and
  
  a NetFlow collector configured to collect and store NetFlow information from a router, receive the traceback instruction, detect a stepping-stone connection by checking whether sorted candidate connections are present on the same connection chain as the target connection by performing a correlation between the target ON/OFF time series and respective candidate ON/OFF time series of the candidate connections, and determines an order of the candidate connections based on an attacker host when the candidate connections are determined to be present on the same connection chain as the target connection,wherein each ON/OFF time series comprises a respective first ON time followed by one or more respective pairs of times, each pair of times including a respective OFF time and a respective ON time, the ON times corresponding to respective ON periods of the respective connections, and the OFF times corresponding to respective OFF periods of the respective connections.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein the target ON/OFF time series is generated according to a flow record.
  - 19. The system of claim 17, wherein the NetFlow collector sorts a layer whose connection is maintained from connection start time to connection end time, generates a candidate ON/OFF time series of the sorted layer, and detects a stepping-stone connection by comparing the generated candidate ON/OFF time series with the target ON/OFF time series of the fingerprint.
  - 20. The system of claim 17, wherein, when some of the candidate connections are detected to be present on the same chain, a connection order based on an attacker host is determined or a falsely detected connection is checked by taking into account inclusion relations between the candidate connections in terms of connection times thereof.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Electronics and Telecommunications Research Institute
Original Assignee
Electronics and Telecommunications Research Institute
Inventors
Kim, Jung Tae, Kang, Koo Hong, Kim, Ik Kyun
Primary Examiner(s)
Shiferaw, Eleni A
Assistant Examiner(s)
Holmes, Angela R

Application Number

US15/345,354
Publication Number

US 20170134413A1
Time in Patent Office

890 Days
Field of Search

726 22
US Class Current
CPC Class Codes

H04L 2463/146   Tracing the source of attacks

H04L 43/026   using flow identification

H04L 43/04   Processing captured monitor...

H04L 43/10   Active monitoring, e.g. hea...

H04L 63/1425   Traffic logging, e.g. anoma...

System and method for connection fingerprint generation and stepping-stone traceback based on netflow

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for connection fingerprint generation and stepping-stone traceback based on netflow

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links