ATTACK DEFENDING SYSTEM AND ATTACK DEFENDING METHOD
Abstract
An attack defending system allows effective defense against attacks from external networks even when a communication system uses a communication path encryption technique such as SSL. A firewall device and a decoy device are provided. The firewall device refers to the header of an input IP packet and, when it determines that the input IP packet is suspicious, guides it into the decoy device. The decoy device monitors the process providing a service to detect the presence or absence of attacks. When an attack has been detected, an alert including the attack-source IP address is sent to the firewall device so that subsequent packets from the attack source are rejected.
49 Citations
7 Claims
1. A decoy device in an attack defending system comprising:
   an event memory for temporarily storing events related to at least network input/output, file input/output, and process creation/termination while executing a server process; and an event manager for analyzing cause-effect relations of the events stored in the event memory to form links among the events.

2. An attack detecting method in an attack defending system, comprising:
   temporarily storing events related to at least network input/output, file input/output, and process creation/termination while executing a server process; and analyzing cause-effect relations of the events stored in the event memory to form links among the events.

3. A program for implementing an attack detecting system on a computer, the program comprising:
   temporarily storing events related to at least network input/output, file input/output, and process creation/termination while executing a server process; and analyzing cause-effect relations of the events stored in the event memory to form links among the events.

4. A program for implementing an attack detecting system on a computer, the program comprising:
   temporarily storing events related to at least network input/output, file input/output, and process creation/termination while executing a server process; analyzing cause-effect relations of the events stored in the event memory to form links among the events; and comparing the events with a rule having domain constraint and type constraint added thereto.

5. An attack defending system provided at an interface between an internal network and an external network, comprising:
   a firewall device; and at least one attack detecting system provided in at least one of the internal network and the external network, wherein the firewall device comprises an alert transformation section, which receives an attack detection alert from the at least one attack detecting system and transforms it to an alert including at least an attack-source IP address and an attack-target IP address.

6. An attack defending method in an attack defending system provided at an interface between an internal network and an external network, comprising:
   preparing at least one attack detecting system provided in at least one of the internal network and the external network; and when an attack detection alert is received from the at least one attack detecting system, transforming it to an alert including at least an attack-source IP address and an attack-target IP address.

7. A program for implementing an attack detecting system on a computer, wherein the attack detecting system is provided at an interface between an internal network and an external network, the program comprising:
   receiving an attack detection alert from at least one attack detecting system provided in at least one of the internal network and the external network; and transforming the attack detection alert to an alert including at least an attack-source IP address and an attack-target IP address.
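The following is an added illustration, not code from the patent, of what claims 1, 4 and 5 describe working together: an event manager that links the decoy's network, file and process events by cause and effect, a rule with a type constraint and a domain constraint applied to those events, and an alert transformation that walks the links back to the originating network input to produce an alert carrying the attack-source and attack-target IP addresses. The event format, the linking rule and the rule contents are assumptions chosen for the example.

```python
# Constructed sample events (not from the patent): the decoy's server process
# (pid 100) receives a request, spawns a shell, and the shell reads a sensitive file.
EVENTS = [
    {"id": 1, "type": "net_in", "pid": 100, "src": "198.51.100.7", "dst": "192.0.2.10"},
    {"id": 2, "type": "proc_create", "pid": 100, "child": 101, "image": "/bin/sh"},
    {"id": 3, "type": "file_in", "pid": 101, "path": "/etc/shadow"},
    {"id": 4, "type": "net_out", "pid": 101, "src": "192.0.2.10", "dst": "198.51.100.7"},
]

# A rule with a type constraint (which event kind) and a domain constraint
# (which objects that kind may touch); both values are assumptions.
RULE = {"type": "file_in", "domain": {"/etc/passwd", "/etc/shadow"}}

def link_events(events):
    """Event manager: map each event id to the id of the event that caused it.
    Linking rule (an assumption; the claims fix none): an event is caused by the
    previous event of the same process, a process's first event by the
    proc_create that spawned it, and anything else is a root (cause None)."""
    last_by_pid, spawned_by, links = {}, {}, {}
    for ev in events:                       # events are in time order
        pid = ev["pid"]
        links[ev["id"]] = last_by_pid.get(pid, spawned_by.get(pid))
        last_by_pid[pid] = ev["id"]
        if ev["type"] == "proc_create":
            spawned_by[ev["child"]] = ev["id"]
    return links

def detect(events, rule=RULE):
    """Compare events with the rule, then walk the links back to the network
    input that started the chain and build the firewall-style alert carrying
    the attack-source and attack-target IP addresses."""
    links = link_events(events)
    by_id = {e["id"]: e for e in events}
    alerts = []
    for ev in events:
        if ev["type"] != rule["type"] or ev.get("path") not in rule["domain"]:
            continue
        root_id = ev["id"]
        while links[root_id] is not None:   # follow cause links to the root
            root_id = links[root_id]
        root = by_id[root_id]
        if root["type"] == "net_in":        # only network-originated chains
            alerts.append({"event": ev["id"], "attack_source": root["src"],
                           "attack_target": root["dst"]})
    return alerts

if __name__ == "__main__":
    print(detect(EVENTS))
```

A file read by a local administrator's shell, with no network input at the root of its chain, produces no alert, which is the point of linking events rather than matching them one at a time.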
Specification