Attack defending system and attack defending method
Abstract
An attack defending system allows effective defense against attacks from external networks even when a communication system uses a communication path encryption technique such as SSL. A firewall device and a decoy device are provided. The firewall device refers to the header of an input IP packet and, when it determines that the packet is suspicious, guides the packet into the decoy device. The decoy device monitors a process providing a service to detect the presence or absence of attacks. When an attack has been detected, an alert including the attack-source IP address is sent to the firewall device so that subsequent packets from the attack source are rejected.
112 Claims
1. An attack defending system provided at an interface between an internal network and an external network, comprising a decoy device and a firewall device, wherein the firewall device inputs an input IP packet from the external network and forwards it to one of the decoy device and the internal network, wherein
the decoy device comprises:
an attack detector for detecting presence or absence of an attack by executing a service process for the input IP packet transferred from the firewall device, and the firewall device comprises:
a packet filter for determining whether the input IP packet inputted from the external network is to be accepted, based on header information of the input IP packet and a filtering condition corresponding to the input IP packet;
a destination selector for selecting one of the internal network and the decoy device as a destination of the input IP packet accepted by the packet filter, based on the header information of the input IP packet and a distribution condition; and
a filtering condition manager for managing the filtering condition depending on whether the attack detector detects an attack based on the input IP packet forwarded to the decoy device.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13

14. An attack defending system provided at an interface between an internal network and an external network, comprising a decoy device and a firewall device, wherein the firewall device inputs an input IP packet from the external network and forwards it to one of the decoy device and the internal network, wherein
the firewall device comprises:
a destination selector for selecting one of the internal network and the decoy device as a destination of the input IP packet based on header information of the input IP packet and a distribution condition; and
a confidence manager for managing confidence levels for source IP addresses of a plurality of input IP packets, wherein the destination selector obtains a confidence level for a source IP address of the input IP packet from the confidence manager and selects a destination of the input IP packet depending on whether the confidence level satisfies the distribution condition.
Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29

30. An attack defending system provided at an interface between an internal network and an external network, comprising a decoy device and a firewall device, wherein the firewall device inputs an input IP packet from the external network and forwards it to one of the decoy device and the internal network, wherein
the firewall device comprises:
a first destination selector;
a second destination selector; and
a confidence manager for managing confidence levels for source IP addresses of a plurality of input IP packets, wherein the first destination selector selects one of the second destination selector and the decoy device as a destination of the input IP packet based on header information of the input IP packet and a first predetermined condition; and
the second destination selector obtains a confidence level for a source IP address of the input IP packet from the confidence manager and selects a destination of the input IP packet depending on whether the confidence level satisfies a second predetermined condition.
Dependent claims: 31, 32, 33, 34, 35, 36

37. An attack defending method using a decoy device in a firewall device provided at an interface between an internal network and an external network, comprising:
preparing a filtering condition and a distribution condition for input IP packets;
determining whether an input IP packet inputted from the external network is to be accepted, based on header information of the input IP packet and a filtering condition corresponding to the input IP packet;
selecting one of the internal network and the decoy device as a destination of the input IP packet accepted, based on the header information of the input IP packet and the distribution condition;
detecting presence or absence of an attack by executing a service process for the input IP packet forwarded to the decoy device; and
managing the filtering condition corresponding to the input IP packet forwarded to the decoy device depending on whether an attack is detected based on the input IP packet.
Dependent claims: 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48

49. An attack defending method using a decoy device in a firewall device provided at an interface between an internal network and an external network, comprising:
preparing a distribution condition of IP packets;
holding confidence levels for source IP addresses of a plurality of input IP packets;
selecting one of the internal network and the decoy device as a destination of the input IP packet depending on whether the confidence level satisfies the distribution condition.
Dependent claims: 50, 51, 52, 53, 54, 55, 56, 57, 58

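The steps of claims 37 and 49 (packet filter, confidence-based destination selector, decoy detector, filtering condition manager) as one toy control loop. This is an added example, not code from the patent: the 0..100 confidence scale, the threshold of 50, the +25 step for a benign decoy visit, the marker-payload detector and all addresses are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Outcomes the firewall can produce for one input IP packet.
INTERNAL, DECOY, REJECT = "internal", "decoy", "reject"


@dataclass(frozen=True)
class Packet:
    """The header fields and payload this toy model looks at (constructed)."""
    src_ip: str
    dst_port: int
    payload: bytes = b""


@dataclass
class Firewall:
    # Decoy-side attack detector: stands in for "executing a service process"
    # on the decoy and reporting whether the packet attacked it (assumption).
    detector: Callable[[Packet], bool]
    # Filtering condition: source addresses whose packets are rejected.
    blocked: Set[str] = field(default_factory=set)
    # Confidence manager state: per-source confidence level (assumed 0..100).
    confidence: Dict[str, int] = field(default_factory=dict)
    # Distribution condition: below this level a packet is sent to the decoy.
    threshold: int = 50

    def packet_filter(self, pkt: Packet) -> bool:
        """Claim 37: accept the packet unless a filtering condition rejects it."""
        return pkt.src_ip not in self.blocked

    def destination_selector(self, pkt: Packet) -> str:
        """Claim 49: unknown sources start at confidence 0 (assumption)."""
        level = self.confidence.get(pkt.src_ip, 0)
        return INTERNAL if level >= self.threshold else DECOY

    def filtering_condition_manager(self, pkt: Packet, attacked: bool) -> None:
        """Claim 37: update the filtering condition from the decoy's verdict."""
        if attacked:
            self.blocked.add(pkt.src_ip)
            self.confidence[pkt.src_ip] = 0
        else:
            # A benign visit to the decoy raises confidence (assumed step of 25),
            # so a well-behaved source eventually reaches the internal network.
            cur = self.confidence.get(pkt.src_ip, 0)
            self.confidence[pkt.src_ip] = min(100, cur + 25)

    def handle(self, pkt: Packet) -> str:
        """Run one packet through filter -> selector -> (decoy -> manager)."""
        if not self.packet_filter(pkt):
            return REJECT
        dest = self.destination_selector(pkt)
        if dest == DECOY:
            self.filtering_condition_manager(pkt, self.detector(pkt))
        return dest


def run_demo() -> List[str]:
    """Constructed packet sequence; returns the firewall's decision for each."""
    # Stand-in detector: the constructed marker payload counts as an attack.
    fw = Firewall(detector=lambda p: p.payload.startswith(b"ATTACK"))
    fw.confidence["10.0.0.5"] = 80  # a source already trusted by the manager
    packets = [
        Packet("10.0.0.5", 443, b"GET /"),       # trusted -> internal
        Packet("203.0.113.7", 443, b"GET /"),    # unknown -> decoy, benign (25)
        Packet("203.0.113.7", 443, b"GET /"),    # still below 50 -> decoy (50)
        Packet("203.0.113.7", 443, b"GET /"),    # reaches threshold -> internal
        Packet("198.51.100.9", 443, b"ATTACK"),  # unknown -> decoy, attack seen
        Packet("198.51.100.9", 443, b"GET /"),   # now rejected by the filter
    ]
    return [fw.handle(p) for p in packets]


if __name__ == "__main__":
    print(run_demo())
```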
59. A firewall device connected to a decoy device, provided at an interface between an internal network and an external network, wherein the firewall device inputs an input IP packet from the external network and forwards it to one of the decoy device and the internal network, comprising:
a packet filter for determining whether the input IP packet inputted from the external network is to be accepted, based on header information of the input IP packet and a filtering condition corresponding to the input IP packet;
a destination selector for selecting one of the internal network and the decoy device as a destination of the input IP packet accepted by the packet filter, based on the header information of the input IP packet and a distribution condition; and
a filtering condition manager for managing the filtering condition corresponding to the input IP packet forwarded to the decoy device depending on whether the attack detector detects an attack based on the input IP packet.

60. A firewall device connected to a decoy device, provided at an interface between an internal network and an external network, wherein the firewall device inputs an input IP packet from the external network and forwards it to one of the decoy device and the internal network, comprising:
a destination selector for selecting one of the internal network and the decoy device as a destination of the input IP packet based on header information of the input IP packet and a distribution condition; and
a confidence manager for managing confidence levels for source IP addresses of a plurality of input IP packets, wherein the destination selector obtains a confidence level for a source IP address of the input IP packet from the confidence manager and selects a destination of the input IP packet depending on whether the confidence level satisfies the distribution condition.

61. A firewall device connected to a decoy device, provided at an interface between an internal network and an external network, wherein the firewall device inputs an input IP packet from the external network and forwards it to one of the decoy device and the internal network, comprising:
a first destination selector;
a second destination selector; and
a confidence manager for managing confidence levels for source IP addresses of a plurality of input IP packets, wherein the first destination selector selects one of the second destination selector and the decoy device as a destination of the input IP packet based on header information of the input IP packet and a first predetermined condition; and
the second destination selector obtains a confidence level for a source IP address of the input IP packet from the confidence manager and selects a destination of the input IP packet depending on whether the confidence level satisfies a second predetermined condition.

62. A firewall device connected to a decoy device, provided at an interface between an internal network and an external network, wherein the firewall device inputs an input IP packet from the external network and forwards it to one of the decoy device and the internal network, comprising:
a packet filter for determining whether the input IP packet inputted from the external network is to be accepted, based on header information of the input IP packet and a filtering condition corresponding to the input IP packet;
a destination selector for selecting one of the internal network and the decoy device as a destination of the input IP packet accepted by the packet filter, based on the header information of the input IP packet and a distribution condition;
a confidence manager for managing confidence levels for source IP addresses of a plurality of input IP packets; and
a filtering condition manager for managing the filtering condition corresponding to the input IP packet forwarded to the decoy device depending on whether the attack detector detects an attack based on the input IP packet, wherein the destination selector obtains a confidence level for a source IP address of the input IP packet from the confidence manager and selects a destination of the input IP packet depending on whether the confidence level satisfies the distribution condition.

63. A program for implementing an attack defending system on a computer, the attack defending system including a decoy device and a firewall device, which are provided at an interface between an internal network and an external network, the program comprising:
preparing a set of filtering conditions and a distribution condition of IP packets;
determining whether an input IP packet inputted from the external network is to be accepted, based on header information of the input IP packet and a filtering condition corresponding to the input IP packet;
selecting one of the internal network and the decoy device as a destination of the input IP packet accepted, based on the header information of the input IP packet and the distribution condition;
detecting presence or absence of an attack by executing a service process for the input IP packet forwarded to the decoy device; and
managing the filtering condition corresponding to the input IP packet forwarded to the decoy device depending on whether an attack is detected based on the input IP packet.

64. A program for implementing an attack defending system on a computer, the attack defending system including a decoy device and a firewall device, which are provided at an interface between an internal network and an external network, the program comprising:
preparing a distribution condition of IP packets;
holding confidence levels for source IP addresses of a plurality of input IP packets;
selecting one of the internal network and the decoy device as a destination of the input IP packet depending on whether the confidence level satisfies the distribution condition.

65. A program for implementing a firewall device on a computer, wherein the firewall is connected to a decoy device and is provided at an interface between an internal network and an external network, the program comprising:
preparing a set of filtering conditions and a distribution condition of IP packets;
determining whether an input IP packet inputted from the external network is to be accepted, based on header information of the input IP packet and a filtering condition corresponding to the input IP packet;
selecting one of the internal network and the decoy device as a destination of the input IP packet accepted, based on the header information of the input IP packet and the distribution condition;
instructing the decoy device to detect presence or absence of an attack by executing a service process for the input IP packet forwarded to the decoy device; and
managing the filtering condition corresponding to the input IP packet forwarded to the decoy device depending on whether an attack is detected based on the input IP packet.

66. A program for implementing a firewall device on a computer, wherein the firewall is connected to a decoy device and is provided at an interface between an internal network and an external network, the program comprising:
preparing a distribution condition of IP packets;
holding confidence levels for source IP addresses of a plurality of input IP packets;
selecting one of the internal network and the decoy device as a destination of the input IP packet depending on whether the confidence level satisfies the distribution condition.

67. A decoy device in an attack defending system comprising:
an event memory for temporarily storing events related to at least network input/output, file input/output, and process creation/termination while executing a server process; and
an event manager for analyzing cause-effect relations of the events stored in the event memory to form links among the events.
Dependent claims: 69, 70

68. A decoy device in an attack defending system comprising:
an attack detector for detecting an attack from an execution status of a service process according to a rule having at least one of domain constraint and type constraint added thereto.

71. An attack defending system provided at an interface between an internal network and an external network, comprising a decoy device and a firewall device, wherein the firewall device inputs an input IP packet from the external network and forwards it to one of the decoy device and the internal network, wherein
the firewall device comprises:
a destination selector for selecting one of the internal network and the decoy device as a destination of the input IP packet, based on request data included in the input IP packet and a distribution condition; and
a confidence manager for managing a confidence level of request data, wherein the destination selector obtains a confidence level of the request data included in the input IP packet from the confidence manager and determines a destination of the input IP packet depending on whether the obtained confidence level of the request data included in the input IP packet satisfies the distribution condition.
Dependent claims: 72, 73, 74, 75, 76, 77, 78, 79, 80

81. An attack detecting method in an attack defending system, comprising:
temporarily storing events related to at least network input/output, file input/output, and process creation/termination while executing a server process; and
analyzing cause-effect relations of the events stored in the event memory to form links among the events.
Dependent claims: 83, 84, 86

82. An attack detecting method in an attack defending system, comprising:
extracting events related to at least network input/output, file input/output, and process creation/termination; and
comparing the extracted events with a rule having domain constraint and type constraint added thereto.
Dependent claims: 85

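The decoy-side detection of claims 67, 81 and 82 (event memory, cause-effect links, rule with domain and type constraints) as a toy model. This is an added example, not the patent's own design: the claims do not say how links are formed or what the two constraints contain, so the linking rule (a network input opens a chain, later same-process events and a child's first event are its effects), the reading of the type constraint as allowed event kinds and of the domain constraint as an allowed file-system prefix, and the sample trace are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Event kinds named in the claims: network I/O, file I/O, process creation/termination.
NET_IN, FILE_IO, PROC_CREATE, PROC_EXIT = "net_in", "file_io", "proc_create", "proc_exit"

@dataclass(frozen=True)
class Event:
    seq: int                          # position in the event memory
    kind: str                         # one of the kinds above
    pid: int                          # process that performed the action
    detail: str                       # peer address, file path or command (constructed)
    child_pid: Optional[int] = None   # set for PROC_CREATE only

class EventMemory:
    """Claim 67: event memory plus the event manager that links causes to effects."""

    def __init__(self) -> None:
        self.events: List[Event] = []
        self.links: Dict[int, List[int]] = {}   # cause seq -> effect seqs

    def store(self, kind: str, pid: int, detail: str, child_pid: Optional[int] = None) -> Event:
        ev = Event(len(self.events), kind, pid, detail, child_pid)
        self.events.append(ev)
        return ev

    def link(self) -> None:
        """Assumed cause-effect rule: a network input opens a new chain; each later
        event of the same process is an effect of the previous event in that chain;
        a created child's first event is an effect of its creation."""
        last_in_pid: Dict[int, int] = {}
        spawned_by: Dict[int, int] = {}
        for ev in self.events:
            cause = None if ev.kind == NET_IN else last_in_pid.get(ev.pid, spawned_by.get(ev.pid))
            if cause is not None:
                self.links.setdefault(cause, []).append(ev.seq)
            last_in_pid[ev.pid] = ev.seq
            if ev.kind == PROC_CREATE and ev.child_pid is not None:
                spawned_by[ev.child_pid] = ev.seq

    def downstream(self, seq: int) -> List[int]:
        """All events reachable from `seq` along the links."""
        out, stack = [], list(self.links.get(seq, []))
        while stack:
            s = stack.pop()
            out.append(s)
            stack.extend(self.links.get(s, []))
        return sorted(out)

@dataclass(frozen=True)
class Rule:
    """Claim 82 rule, read (assumption) as a type constraint on which event kinds the
    service may produce and a domain constraint on the subtree its file I/O may touch."""
    allowed_kinds: frozenset
    allowed_path_prefix: str

    def violates(self, ev: Event) -> bool:
        if ev.kind not in self.allowed_kinds:
            return True
        return ev.kind == FILE_IO and not ev.detail.startswith(self.allowed_path_prefix)

def detect(mem: EventMemory, rule: Rule) -> List[Tuple[int, List[int]]]:
    """For each network input, list the downstream events that violate the rule."""
    findings = []
    for root in mem.events:
        if root.kind == NET_IN:
            bad = [s for s in mem.downstream(root.seq) if rule.violates(mem.events[s])]
            if bad:
                findings.append((root.seq, bad))
    return findings

def run_demo() -> List[Tuple[int, List[int]]]:
    """Constructed trace of a decoy web server (pid 100) serving two requests."""
    mem = EventMemory()
    mem.store(NET_IN, 100, "peer 198.51.100.9")        # seq 0: first request
    mem.store(FILE_IO, 100, "/srv/www/index.html")     # seq 1: inside the domain
    mem.store(NET_IN, 100, "peer 203.0.113.7")         # seq 2: second request
    mem.store(PROC_CREATE, 100, "sh", child_pid=101)   # seq 3: server spawns a shell
    mem.store(FILE_IO, 101, "/etc/passwd")             # seq 4: child reads outside it
    mem.store(PROC_EXIT, 101, "")                      # seq 5
    mem.link()
    rule = Rule(frozenset({NET_IN, FILE_IO, PROC_EXIT}), "/srv/www/")
    return detect(mem, rule)  # only the chain rooted at seq 2 is flagged
```

Because each network input opens its own chain, the benign first request is not implicated by the violations that follow the second one, which is what the links buy over a flat event list.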
87. An attack defending method using a decoy device in a firewall device provided at an interface between an internal network and an external network, comprising:
preparing a set of filtering conditions and a distribution condition of IP packets;
determining whether an input IP packet inputted from the external network is to be accepted, based on header information of the input IP packet and a filtering condition corresponding to the input IP packet;
selecting one of the internal network and the decoy device as a destination of the input IP packet accepted, based on request data included in the input IP packet and the distribution condition;
detecting presence or absence of an attack by executing a service process for the input IP packet forwarded to the decoy device; and
managing the filtering condition corresponding to the input IP packet forwarded to the decoy device depending on whether an attack is detected based on the input IP packet.
Dependent claims: 88, 89, 90

91. A program for implementing an attack detecting system on a computer, the program comprising:
temporarily storing events related to at least network input/output, file input/output, and process creation/termination while executing a server process; and
analyzing cause-effect relations of the events stored in the event memory to form links among the events.

92. A program for implementing an attack detecting system on a computer, the program comprising:
extracting events related to at least network input/output, file input/output, and process creation/termination; and
comparing the extracted events with a rule having domain constraint and type constraint added thereto.

93. A program for implementing an attack detecting system on a computer, the program comprising:
temporarily storing events related to at least network input/output, file input/output, and process creation/termination while executing a server process;
analyzing cause-effect relations of the events stored in the event memory to form links among the events; and
comparing the events with a rule having domain constraint and type constraint added thereto.

94. A program for implementing an attack detecting system on a computer, wherein the attack detecting system uses a decoy device and a firewall device provided at an interface between an internal network and an external network, the program comprising:
preparing a set of filtering conditions and a distribution condition of IP packets;
determining whether an input IP packet inputted from the external network is to be accepted, based on header information of the input IP packet and a filtering condition corresponding to the input IP packet;
selecting one of the internal network and the decoy device as a destination of the input IP packet accepted, based on request data included in the input IP packet and the distribution condition;
detecting presence or absence of an attack by executing a service process for the input IP packet forwarded to the decoy device; and
managing the filtering condition corresponding to the input IP packet forwarded to the decoy device depending on whether an attack is detected based on the input IP packet.
Dependent claims: 95, 96, 97

98. An attack defending system provided at an interface between an internal network and an external network, comprising:
a decoy device;
a firewall device; and
a switch device connected between the decoy device and the firewall device, wherein the decoy device comprises:
an attack detector for detecting presence or absence of an attack by executing a service process for an input IP packet transferred from the switch device, the switch device comprises:
a destination selector for selecting one of the internal network and the decoy device as a destination of the input IP packet accepted by the firewall device, based on the header information of the input IP packet and a distribution condition; and
a condition generator for generating the filtering condition corresponding to a combination of an attack category of an attack detected by the attack detector and address information of the input IP packet, and the firewall device comprises:
a filtering condition controller for dynamically updating the filtering condition depending on the filtering condition generated by the condition generator; and
a packet filter for determining whether the input IP packet inputted from the external network is to be accepted, based on header information of the input IP packet and the filtering condition.
Dependent claims: 99, 100

101. An attack defending system provided at an interface between an internal network and an external network, comprising:
a decoy cluster including a plurality of decoy devices, which correspond to a server on the internal network; and
a firewall device which transfers an input IP packet to at least one selected from the server and the plurality of decoy devices, wherein the firewall device comprises:
a confidence manager for managing a confidence level for an input IP packet; and
a server manager for managing the server by assigning at least one requisite confidence level to each of the plurality of decoy devices in the decoy cluster, wherein, when an IP packet is inputted, the firewall device obtains a confidence level of the input IP packet from the confidence manager and determines a decoy device having a requisite confidence level, which is not greater than the obtained confidence level, as a destination of the input IP packet.

102. An attack defending system provided at an interface between an internal network and an external network, comprising:
a firewall device; and
at least one attack detecting system provided in at least one of the internal network and the external network, wherein the firewall device comprises an alert transformation section, which receives an attack detection alert from the at least one attack detecting system and transforms it to an alert including at least an attack-source IP address and an attack-target IP address.

103. An attack defending system provided at an interface between an internal network and an external network, comprising:
a firewall device;
a decoy device; and
at least one confidence management server, wherein the firewall device transmits a request message including at least a part of data of an input IP packet, to the at least one confidence management server, and the at least one confidence management server generates a confidence level for the input IP packet from data included in the request message in response to the request message, and transmits a response message including at least the confidence level back to the firewall device.
Dependent claims: 104

105. An attack defending method in an attack defending system provided at an interface between an internal network and an external network, comprising:
preparing a plurality of decoy devices, which correspond to a server on the internal network;
holding a distribution condition used to distribute an IP packet based on at least one requisite confidence level assigned to each of the plurality of decoy devices, and confidence levels for a plurality of IP packets;
when an IP packet is inputted, obtaining a confidence level of the input IP packet; and
determining a decoy device having a requisite confidence level, which is not greater than the obtained confidence level, as a destination of the input IP packet.

106. An attack defending method in an attack defending system provided at an interface between an internal network and an external network, comprising:
preparing at least one attack detecting system provided in at least one of the internal network and the external network; and
when an attack detection alert is received from the at least one attack detecting system, transforming it to an alert including at least an attack-source IP address and an attack-target IP address.

107. A program for implementing an attack detecting system on a computer, wherein the attack detecting system is provided at an interface between an internal network and an external network, the program comprising:
assigning at least one requisite confidence level to each of a plurality of decoy devices, which correspond to a server on the internal network;
holding a distribution condition used to distribute an IP packet based on the at least one requisite confidence level and confidence levels for a plurality of IP packets;
when an IP packet is inputted, obtaining a confidence level of the input IP packet; and
determining a decoy device having a requisite confidence level, which is not greater than the obtained confidence level, as a destination of the input IP packet.

108. A program for implementing an attack detecting system on a computer, wherein the attack detecting system is provided at an interface between an internal network and an external network, the program comprising:
receiving an attack detection alert from at least one attack detecting system provided in at least one of the internal network and the external network; and
transforming the attack detection alert to an alert including at least an attack-source IP address and an attack-target IP address.

109. An attack defending method in an attack defending system provided at an interface between an internal network and an external network, wherein the attack defending system comprises a firewall device, a decoy device, and at least one confidence management server, wherein
the firewall device transmits a request message including at least a part of data of an input IP packet, to the at least one confidence management server, and the at least one confidence management server generates a confidence level for the input IP packet from data included in the request message in response to the request message, and transmits a response message including at least the confidence level back to the firewall device.

111. A program for implementing an attack detecting system on a computer, wherein the attack detecting system is provided at an interface between an internal network and an external network, wherein the attack defending system comprises a firewall device, a decoy device, and at least one confidence management server, the program comprising:
receiving a request message from the firewall device, wherein the request message includes at least a part of data of an input IP packet;
generating a confidence level for the input IP packet from data included in the request message in response to the request message; and
transmitting a response message including at least the confidence level back to the firewall device.

112. A program for implementing an attack detecting system on a computer, wherein the attack detecting system is provided at an interface between an internal network and an external network, wherein the attack defending system comprises at least a decoy device, a firewall device and a confidence management server, the program comprising:
transmitting a request message from the firewall device to the confidence management server, wherein the request message includes at least a part of data of an input IP packet;
receiving a response message from the confidence management server, the response message including at least a confidence level of the input IP packet calculated from data included in the request message; and
selecting one of the internal network and the decoy device as a destination of the input IP packet depending on whether the confidence level of the input IP packet satisfies a predetermined distribution condition.

Specification