Network-based attack tracing system and method using distributed agent and manager system
Abstract
Disclosed is a network-based attack tracing system and method using a distributed attack detection agent and manager system that can detect and trace the attack path of a hacker in real time across the whole network, using distributed network-based attack detection agents, a request manager, and reply managers. The agent detects an attack using a network-based intrusion detection system (NIDS), analyzes an alarm log that is judged to be an attack, converts the analyzed alarm log into attack information, and transmits the attack information to the request manager. The request manager searches for the attack IP based on the attack information received from the agent, stores the search results in a tree structure, and when the final search is completed, extracts the hacking path using a binary search tree (BST) algorithm. The reply manager searches the alarm log DB located in the agent of its own network in response to the attack information search request from the request manager, and transmits the search result to the request manager. The system and method make maximum use of the detection function of the existing NIDS, suppress unnecessary tracing requests during the process of judging many alarm logs to be attack logs, and broaden their range of application to authenticated networks.
107 Citations
5 Claims
1. A network-based attack tracing system using a distributed attack detection agent and manager system, the system comprising:
an agent for detecting an external attack, storing the result of detection in an alarm log DB, and performing log analysis through real-time monitoring of the alarm log DB, the agent converting the analyzed log information into attack information, storing the attack information in an attack log DB, and then transmitting the attack information over UDP;
a request manager for issuing a search request for the IP information included in the attack information received from the agent; and
a reply manager for searching for the attack IP in the alarm log DB of the agent of the sub network, within its own network, to which the corresponding attack IP belongs, in accordance with the IP search request from the request manager, and transmitting the search result to the request manager;
wherein if there is a further passing IP, the request manager continues to request the attack information search from the reply manager of another network, and when the above process is completed, the request manager stores the result of tracing the hacking path in a tracing result DB.
2. A network-based attack tracing method using a distributed attack detection agent, request manager, and reply manager system, the method comprising the steps of:
an agent detecting an attack using a network-based intrusion detection system (NIDS), analyzing an alarm log that is judged to be an attack, converting the analyzed alarm log into attack information, and transmitting the attack information to the request manager;
a request manager searching for the attack IP based on the attack information received from the agent, storing the search results in a tree structure, and when the final search is completed, extracting the hacking path using a binary search tree (BST) algorithm; and
a reply manager searching the alarm log DB located in the agent of its own network in response to the attack information search request from the request manager, and transmitting the search result to the request manager.
Dependent claims 3, 4 and 5 are not reproduced here.
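The following Python simulation is an added example, not code from the patent or its assignee; it walks the procedure of the abstract and of claims 1 and 2 end to end so the three roles can be seen interacting. Everything about data formats is assumed: networks are identified by CIDR prefixes, an alarm record is (source IP, destination IP, signature), a "passing IP" is a host that appears as the victim of an earlier alarm whose source is the attacker currently being traced, and the UDP transport is replaced by direct method calls. Two points the claims leave open are filled with labelled choices: the "control unnecessary tracing requests" step is modelled as a minimum alarm count before an alarm pair becomes attack information, and the hacking path is extracted from the search tree by a cycle-safe depth-first search rather than the BST algorithm the patent names. The sample alarm logs are constructed and include a loop between two compromised hosts, which is the failure mode a real trace must survive.

```python
"""Simulation of the agent / request manager / reply manager tracing scheme.
Added example, not the patent's own code; data formats and the transport are
assumptions (see comments)."""

from collections import Counter, deque
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Alarm:                      # assumed NIDS alarm record
    src: str
    dst: str
    sig: str


@dataclass
class Agent:
    """NIDS agent of one sub network: owns the alarm log DB and attack log DB."""
    network: ipaddress.IPv4Network
    alarm_log_db: list = field(default_factory=list)
    attack_log_db: list = field(default_factory=list)

    def analyze(self, min_alarms: int = 2) -> list:
        """Promote a (src, dst) pair to attack information only after
        min_alarms alarms: the assumed form of 'control unnecessary tracing
        requests', so one noisy alert does not start a network-wide trace."""
        counts = Counter((a.src, a.dst) for a in self.alarm_log_db)
        attacks = [{"attacker": s, "victim": d, "alarms": n}
                   for (s, d), n in sorted(counts.items()) if n >= min_alarms]
        self.attack_log_db.extend(attacks)
        return attacks


class ReplyManager:
    """Answers IP search requests by reading its own network's agent DBs."""
    def __init__(self, agents):
        self.agents = agents

    def search(self, attack_ip: str) -> list:
        ip = ipaddress.ip_address(attack_ip)
        for agent in self.agents:
            if ip in agent.network:
                # alarms in which the traced attacker was itself the victim:
                # their sources are the candidate upstream (passing) IPs
                return sorted({a.src for a in agent.alarm_log_db if a.dst == attack_ip})
        return []


class RequestManager:
    def __init__(self, reply_managers):
        self.reply_managers = reply_managers   # list of (network, ReplyManager)
        self.tracing_result_db = []            # tracing result DB as a plain list

    def _reply_manager_for(self, ip: str):
        addr = ipaddress.ip_address(ip)
        for net, rm in self.reply_managers:
            if addr in net:
                return rm
        return None   # IP outside every managed network: the trace ends here

    def trace(self, attack: dict) -> list:
        """Hop backwards from the attacker, querying the reply manager of each
        passing IP's network; 'visited' stops the trace when two compromised
        hosts attack each other (a loop in the alarm logs)."""
        root = attack["attacker"]
        tree, visited, queue = {}, set(), deque([root])
        while queue:
            ip = queue.popleft()
            if ip in visited:
                continue
            visited.add(ip)
            rm = self._reply_manager_for(ip)
            upstream = rm.search(ip) if rm else []
            tree[ip] = upstream
            queue.extend(u for u in upstream if u not in visited)
        path = extract_path(tree, root) + [attack["victim"]]
        self.tracing_result_db.append({"victim": attack["victim"], "tree": tree, "path": path})
        return path


def extract_path(tree: dict, root: str) -> list:
    """Longest origin-to-attacker chain in the search tree. Cycle-safe DFS is
    substituted here for the BST algorithm named in the patent."""
    best = []

    def dfs(ip, chain):
        nonlocal best
        chain = chain + [ip]
        nxt = [u for u in tree.get(ip, []) if u not in chain]
        if not nxt and len(chain) > len(best):
            best = chain
        for u in nxt:
            dfs(u, chain)

    dfs(root, [])
    return list(reversed(best))   # origin first, attacker last


def build_demo():
    """Constructed sample: three managed networks plus one external origin."""
    net_a, net_b, net_c = (ipaddress.ip_network(n) for n in ("10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"))
    agent_a = Agent(net_a, [Alarm("10.2.5.5", "10.1.2.3", "ssh brute force")] * 3
                    + [Alarm("192.0.2.77", "10.1.2.3", "port scan")])      # single alarm, filtered out
    agent_b = Agent(net_b, [Alarm("10.3.7.7", "10.2.5.5", "exploit")] * 2)
    agent_c = Agent(net_c, [Alarm("203.0.113.9", "10.3.7.7", "exploit"),
                            Alarm("10.2.5.5", "10.3.7.7", "lateral")])    # loop back into net_b
    rms = [(net_a, ReplyManager([agent_a])), (net_b, ReplyManager([agent_b])),
           (net_c, ReplyManager([agent_c]))]
    return agent_a, RequestManager(rms)


def run_demo() -> list:
    agent_a, req = build_demo()
    return [req.trace(a) for a in agent_a.analyze()]


if __name__ == "__main__":
    for p in run_demo():
        print(" -> ".join(p))
```

The trace for the victim 10.1.2.3 comes back as 203.0.113.9 -> 10.3.7.7 -> 10.2.5.5 -> 10.1.2.3: the external origin is reached even though agent C's log also records 10.2.5.5 attacking 10.3.7.7, because the visited set keeps the request manager from bouncing between networks B and C, and the lone port-scan alarm never becomes attack information, so no search request is sent for it.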
Specification