System for providing a real-time attacking connection traceback using a packet watermark insertion technique and method therefor
Abstract
In a system for providing a real-time attacking connection traceback, an intrusion detection unit detects a hacker's attack. A packet block unit blocks a response of an attacked system. A path block tracing unit generates a policy to block a specific packet, collects a response packet, inserts the generated watermark in the packet, transmits the watermark-inserted packet to a system and forms a traceback path. A watermark detection unit checks a received/transmitted packet in a network, extracts a corresponding watermark if there exists the watermark-inserted packet and transmits the watermark-inserted packet detection information to an attacking connection traceback system that initially inserted a watermark into a packet.
3 Claims
1. A system for providing a real-time attacking connection traceback using of a packet watermark insertion technique, the system comprising:
an intrusion detection unit for detecting an attack of a hacker;
a packet block unit for blocking a response of an attacked system on the basis of the attack of the hacker;
a path tracing unit for generating a policy to block a specific packet through the packet block unit by using information on the attack of the hacker provided from the intrusion detection unit and a watermark, collecting a response packet from the attacked system, inserting the generated watermark in the packet, transmitting the watermark-inserted packet to a system through which the attack of the hacker is transmitted and forming a traceback path by using watermark-inserted packet detection information, wherein the watermark-inserted packet detection information is transmitted by an external attacking connection traceback system detecting the watermark-inserted packet; and
a watermark detection unit for checking a received/transmitted packet in a network, extracting a corresponding watermark if there exists the watermark-inserted packet and transmitting the watermark-inserted packet detection information to an attacking connection traceback system that initially inserted the watermark into the packet.
2. A real-time attacking connection traceback method using of a packet watermark insertion technique in a real-time attacking connection traceback system having an intrusion detection unit, a packet block unit, a path tracing unit and a watermark detection unit, the method comprising the steps of:
(a) detecting by the intrusion detection unit a hacking attempt of a hacker to attack an object system via a plurality of intermediate systems;
(b) generating a policy to be used in the packet block unit by extracting an ID address of a system performing an attack and a port number thereof from hacking information detected by the intrusion detection unit;
(c) generating a watermark in the path tracing unit based on the detected hacking information;
(d) blocking by using the packet block unit a response of a damaged system generated due to the hacking attempt;
(e) collecting the response of the damaged system by the path tracing unit, inserting the watermark generated in the step (c) into the response packet and transmitting the watermark-inserted packet to the attacking system;
(f) checking whether there exists the watermark-inserted packet among packets received/transmitted in a network by the watermark detection unit and detecting the watermark-inserted packet, if there exists the watermark-inserted packet;
(g) extracting information from the detected watermark;
(h) transmitting the watermark-inserted packet and information on a connection corresponding to the watermark-inserted packet to the real-time attacking connection traceback system that initially inserted the watermark into the packet by using the information extracted from the watermark; and
(i) determining an attack path and an actual location of the hacker by using the received watermark detection information.
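Steps (c) through (i) of claim 2, sketched as an added example that is not taken from the patent. The watermark layout (a marker, the inserting system's ID, an attack ID and a truncated HMAC), the shared key and the addresses are assumptions, and intermediate systems are assumed to relay the payload unchanged.

```python
import hmac, hashlib, struct

MAGIC = b"WMK1"            # constructed marker, not from the patent
KEY = b"shared-demo-key"   # assumption: key shared by cooperating traceback systems

def make_watermark(origin_id: int, attack_id: int) -> bytes:
    """Step (c): watermark naming the traceback system that inserted it."""
    body = MAGIC + struct.pack("!II", origin_id, attack_id)
    return body + hmac.new(KEY, body, hashlib.sha256).digest()[:8]

def insert_watermark(response: bytes, wm: bytes) -> bytes:
    """Step (e): append the watermark to the collected response payload."""
    return response + wm

def extract_watermark(payload: bytes):
    """Steps (f)-(g): return (origin_id, attack_id), or None if absent or forged."""
    idx = payload.rfind(MAGIC)
    if idx < 0 or len(payload) - idx < 20:
        return None
    body, tag = payload[idx:idx + 12], payload[idx + 12:idx + 20]
    good = hmac.new(KEY, body, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, good):
        return None
    return struct.unpack("!II", body[4:])

def report(payload: bytes, src: str, dst: str):
    """Step (h): detection report with the connection the packet was seen on."""
    info = extract_watermark(payload)
    return info and {"origin": info[0], "attack": info[1], "conn": (src, dst)}

def build_path(victim: str, attack_id: int, reports):
    """Step (i): chain reported connections from the victim toward the source."""
    nxt = {r["conn"][0]: r["conn"][1] for r in reports if r and r["attack"] == attack_id}
    path = [victim]
    while path[-1] in nxt and nxt[path[-1]] not in path:   # stop on gaps or loops
        path.append(nxt[path[-1]])
    return path

def demo():
    pkt = insert_watermark(b"login: ", make_watermark(origin_id=7, attack_id=42))
    # Constructed hops: the response flows victim -> stepping stones -> attacker.
    hops = [("10.0.0.5", "192.0.2.10"), ("192.0.2.10", "198.51.100.7"),
            ("198.51.100.7", "203.0.113.9")]
    reports = [report(pkt, s, d) for s, d in reversed(hops)]  # arrive out of order
    forged = b"login: " + MAGIC + b"\x00" * 16                # bad tag, must be ignored
    reports.append(report(forged, "10.0.0.5", "192.0.2.99"))
    return build_path("10.0.0.5", 42, reports)
```

The path stops at the last hop that produced a report, so a hop without a watermark detection unit, or one that re-encodes or encrypts the relayed payload, truncates the result there.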
Specification