System and method for connection fingerprint generation and stepping-stone traceback based on NetFlow
First Claim
1. A method of connection fingerprint generation and stepping-stone traceback based on NetFlow, the method comprising operations of:
(a) receiving, at a trace agent, a traceback request comprising IP packet attribute information of a victim and an attacker which corresponds to a target connection that is the last connection on a connection chain;
(b) generating a fingerprint for an associated connection based on the IP packet attribute information and flow records from a NetFlow collector, the fingerprint including a target ON/OFF time series generated using the flow records;
(c) detecting a stepping-stone connection to the target connection which is generated at the time of generation of the fingerprint and instructing to check whether sorted candidate connections are present on the same connection chain as the target connection, wherein detecting the stepping-stone connection includes;
generating a candidate ON/OFF time series of the stepping-stone connection, and
performing a correlation between the candidate ON/OFF time series and the target ON/OFF time series; and
(d) determining an order of the candidate connections based on an attacker host when the candidate connections are determined to be present on the same connection chain as the target connection,
wherein each ON/OFF time series comprises a respective first ON time followed by one or more respective pairs of times, each pair of times including a respective OFF time and a respective ON time, the ON times corresponding to respective ON periods of the respective connections, and the OFF times corresponding to respective OFF periods of the respective connections.
Abstract
A method for tracking cyber hacking is provided. The method of connection fingerprint generation and stepping-stone traceback based on NetFlow includes receiving a traceback request including IP packet attribute information of a victim and an attacker which corresponds to a target connection that is the last connection on a connection chain, generating a fingerprint for an associated connection based on the IP packet attribute information and requesting a NetFlow collector for relevant information, detecting a stepping-stone connection to the target connection which is generated at the time of generation of the fingerprint and instructing to check whether sorted candidate connections are present on the same connection chain as the target connection, and determining an order of the candidate connections based on an attacker host when the candidate connections are determined to be present on the same connection chain as the target connection.
20 Claims
17. A system for connection fingerprint generation and stepping-stone traceback based on NetFlow, the system comprising:
a trace agent configured to receive a traceback request including IP packet attribute information corresponding to a target connection, generate a fingerprint for an associated connection based on the IP packet attribute information, and transmit a traceback instruction, wherein the fingerprint includes a target ON/OFF time series, and wherein the target connection is a last connection on a connection chain; and
a NetFlow collector configured to collect and store NetFlow information from a router, receive the traceback instruction, detect a stepping-stone connection by checking whether sorted candidate connections are present on the same connection chain as the target connection by performing a correlation between the target ON/OFF time series and respective candidate ON/OFF time series of the candidate connections, and determine an order of the candidate connections based on an attacker host when the candidate connections are determined to be present on the same connection chain as the target connection,
wherein each ON/OFF time series comprises a respective first ON time followed by one or more respective pairs of times, each pair of times including a respective OFF time and a respective ON time, the ON times corresponding to respective ON periods of the respective connections, and the OFF times corresponding to respective OFF periods of the respective connections.
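An added illustration, not taken from the patent: it builds an ON/OFF time series in the layout recited in claims 1 and 17 (first ON time, then OFF/ON pairs) from flow start and end times, then correlates a target connection against candidates. The idle-gap threshold, the tolerance-based matching of ON times, the score, the function names and all sample records are assumptions; the claims do not say how the correlation is computed.

```python
from typing import Dict, List, Tuple

Flow = Tuple[float, float]  # (start_s, end_s) of one flow record on a connection

def on_off_series(flows: List[Flow], idle_gap: float = 0.5) -> List[float]:
    """Return [ON0, OFF1, ON1, OFF2, ON2, ...]: first ON time, then (OFF, ON) pairs.
    A silence longer than idle_gap (assumed threshold) ends an ON period."""
    flows = sorted(flows)
    if not flows:
        return []
    series = [flows[0][0]]
    busy_until = flows[0][1]
    for start, end in flows[1:]:
        if start - busy_until > idle_gap:
            series += [busy_until, start]  # OFF time, then the next ON time
        busy_until = max(busy_until, end)
    return series

def correlate(target: List[float], candidate: List[float], delta: float = 0.08) -> float:
    """Fraction of ON times that line up within delta seconds (assumed metric)."""
    t, c = target[0::2], candidate[0::2]  # even indexes hold the ON times
    if not t or not c:
        return 0.0
    i = j = matched = 0
    while i < len(t) and j < len(c):
        if abs(t[i] - c[j]) <= delta:
            matched, i, j = matched + 1, i + 1, j + 1
        elif t[i] < c[j]:
            i += 1
        else:
            j += 1
    return matched / max(len(t), len(c))

def rank_candidates(target: List[Flow], candidates: Dict[str, List[Flow]],
                    threshold: float = 0.7) -> List[Tuple[str, float]]:
    """Candidates scoring at or above threshold, best first."""
    tgt = on_off_series(target)
    scored = [(name, correlate(tgt, on_off_series(f))) for name, f in candidates.items()]
    return sorted([s for s in scored if s[1] >= threshold], key=lambda s: -s[1])

# Constructed sample records: target is the last hop (stepping stone -> victim).
TARGET = [(10.00, 10.40), (10.45, 11.00), (13.20, 13.90), (17.05, 17.60)]
CANDIDATES = {
    "upstream-hop": [(9.97, 10.95), (13.17, 13.85), (17.02, 17.55)],
    "unrelated": [(10.90, 11.30), (12.00, 12.20), (15.50, 16.00), (16.30, 16.40)],
}

if __name__ == "__main__":
    print(on_off_series(TARGET))
    print(rank_candidates(TARGET, CANDIDATES))
```

Because only flow timing is compared, the check works on encrypted interactive sessions, but the tolerance must absorb flow-export and relay delay, and timing jitter added on a relay lowers the score.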
Specification