System and method for defending against distributed denial-of-service attack on active network

US 20040098618A1
Filed: 08/14/2003
Published: 05/20/2004
Est. Priority Date: 11/14/2002
Status: Active Grant

First Claim

Patent Images

1. A system for defending against a distributed denial-of-service attack comprising:

an intrusion detection system for generating alert data if a denial-of-service attack is detected;

an active security management system for managing a domain, analyzing the alert data to determine whether the denial-of-service attack is the distributed denial-of-service attack, generating and transmitting a backtracking sensor for backtracking an attacker of the distributed denial-of-service attack in a case of the distributed denial-of-service attack, transmitting mobile sensors to a host backtracked by the backtracking sensor to remove a master or an agent program within the host, generating and transmitting a backtracking sensor by using an IP address of a host that has transmitted a packet to the removed master or agent program; and

an active security node located at a boundary of the domain, executing the transmitted backtracking sensor to backtrack an attacking host of the distributed denial-of-service attack and, if the backtracked host is determined as a real attacker, intercepting a traffic generated from the real attacker.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for defending against a distributed denial-of-service attack includes an intrusion detection system, an active security management system and an active security node. The intrusion detection system generates alert data if a denial-of-service attack is detected. The active security management system manages a domain, analyzes the alert data, generates and transmits a backtracking sensor in a case of the distributed denial-of-service attack, transmits mobile sensors to a host backtracked by the backtracking sensor to remove a master or an agent program within the host; and generates and transmits a backtracking sensor by using an IP address of a host that has transmitted a packet to the removed master or agent program. The active security node executes the transmitted backtracking sensor to backtrack an attacking host of the distributed denial-of-service attack and, if the backtracked host is determined as a real attacker, intercepts a traffic generated from the real attacker.

104 Citations

16 Claims

1. A system for defending against a distributed denial-of-service attack comprising:
- an intrusion detection system for generating alert data if a denial-of-service attack is detected;
  
  an active security management system for managing a domain, analyzing the alert data to determine whether the denial-of-service attack is the distributed denial-of-service attack, generating and transmitting a backtracking sensor for backtracking an attacker of the distributed denial-of-service attack in a case of the distributed denial-of-service attack, transmitting mobile sensors to a host backtracked by the backtracking sensor to remove a master or an agent program within the host, generating and transmitting a backtracking sensor by using an IP address of a host that has transmitted a packet to the removed master or agent program; and
  
  an active security node located at a boundary of the domain, executing the transmitted backtracking sensor to backtrack an attacking host of the distributed denial-of-service attack and, if the backtracked host is determined as a real attacker, intercepting a traffic generated from the real attacker.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the active security management system includes:
    - an alert data collector for collecting the alert data provided from the intrusion detection system;
      
      an alert data analyzer for extracting an IP address and a MAC address of the attacker of the distributed denial-of-service attack from the collected alert data;
      
      a sensor generator for generating a backtracking sensor having the IP address and the MAC address; and
      
      a sensor transmitter for transmitting the backtracking sensor to the IP address of the attacker of the distributed denial-of-service attack.
  - 3. The system of claim 1, wherein the active security node has a mapping table in which a MAC address is recorded and wherein the active security node extracts an IP address corresponding to the MAC address contained in the backtracking sensor if the IP address in the backtracking sensor is not coincident with the MAC address recorded in the mapping table and, then, blocks off traffic generated from the extracted IP address.
  - 4. The system of claim 1, wherein the active security management system sends an IP interception release command to the active security node after deleting the master or the agent program.
  - 5. The system of claim 4, wherein the active security node generates a backtracking completion sensor after releasing the interception of the traffic generated from the host in response to the IP interception release command from the active security management system and then transmits the backtracking completion sensor to the active security management system.
  - 6. The system of claim 1, wherein the mobile sensors include a scanning sensor, a monitoring sensor, and a removing sensor for extracting an agent or a master program installed at the host and used for the distributed denial-of-service attack.
  - 7. The system of claim 6, wherein the scanning sensor searches for an agent or a master program for use in a distributed denial-of-service attack installed at the backtracked host by performing scanning depending on various types of the distributed denial-of-service attack.
  - 8. The system of claim 6, wherein the removing sensor deletes an agent or a master program for use in a distributed denial-of-service attack which is found by the scanning sensor.
  - 9. The system of claim 6, wherein the monitoring sensor observes packets arriving at the deleted agent or master program.
  - 10. The system of claim 1, wherein the active security node has a reporting function for reporting execution result data corresponding to a host backtracked by the backtracking sensor.

11. A method for defending against a distributed denial-of-service attack by using an active security management system for backtracking and intercepting an attacker of the distributed denial-of-service attack based on alert data received from an intrusion detection system, the method comprising the steps of:
- extracting an IP address and a MAC address of a host from the alert data;
  
  generating a backtracking sensor for backtracking the host and transmitting the backtracking sensor to an active security node corresponding to the IP address of the host;
  
  executing the backtracking sensor by the active security node to backtrack the host;
  
  deleting an agent or a master program installed at the backtracked host;
  
  observing packets arriving at the deleted agent or master program, generating a backtracking sensor for backtracking a host transmitting the packets, and transmitting the backtracking sensor to the active security node;
  
  determining whether the host backtracked by the backtracking sensor is the real attacker; and
  
  blocking off traffic generated from an IP address of the real attacker if the backtracked host is the real attacker.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The method of claim 11, wherein the host backtracking step includes the steps of:
    - checking whether the IP address of the host is coincident with a MAC address in a mapping table of the active security node; and
      
      intercepting or releasing traffic generated from the IP address if the IP address is coincident with the MAC address and sending result data to the active security management system.
  - 13. The method of claim 12, wherein, if the IP address is not coincident with the MAC address, the active security node extracts a real IP address of a host based on the MAC address contained in the backtracking sensor and intercepting or releasing traffic generated from the extracted IP address.
  - 14. The method of claim 11, wherein the active security node generates a backtracking completion sensor and transmits the backtracking completion sensor to the active security management system if the backtracked host is the real attacker.
  - 15. The method of claim 11, further comprising the steps of:
    - transmitting mobile sensors to the backtracked host in order to delete an agent or a master program installed therein if the backtracked host is not the real attacker;
      
      deleting the agent or the master program by executing the mobile sensors and extracting a source IP address of a packet arriving at the deleted agent or master program; and
      
      generating a backtracking sensor based on the source IP address and transmitting the backtracking sensor to an active security node corresponding to the source IP address to backtrack an attacking host of the distributed denial-of-service attack.
  - 16. The method of claim 15, wherein the mobile sensors include a scanning sensor for searching for an agent or a master program used in the distributed denial-of-service attack, a removing sensor for deleting the agent or the master program, and a monitoring sensor for monitoring a packet arriving at the deleted agent or master program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
Electronics and Telecommunications Research Institute
Inventors
Na, Jung-Chan, Sohn, Sung Won, Kim, Hyun Joo

Granted Patent

US 7,200,866 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1458 Denial of Service

System and method for defending against distributed denial-of-service attack on active network

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

104 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for defending against distributed denial-of-service attack on active network

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

104 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links