Internal tracing method for network attack detection

US 20100031093A1
Filed: 01/29/2008
Published: 02/04/2010
Est. Priority Date: 01/29/2008
Status: Abandoned Application

First Claim

Patent Images

1. An internal tracing method for network attack detection, for testing a network intrusion detection system (IDS), comprising:

establishing a network topology structure having an attack end point (AEP), a detect end point (DEP), and a target end point (TEP) in a test network;

installing all types of attack tools and an AEP routine at the AEP, installing a pre-customized Snort IDS and a DEP routine at the DEP, and installing a statistics routine at the TEP;

the AEP classifying the attack types of attack data packets, and setting a check point for capturing information in the data packets according to the classification information;

the DEP setting corresponding check points in different phases, storing all setting options to be a script file, and sending the script file to the other end points;

the AEP sending the attack data packets for test to the DEP or the TEP through the distributed script file, and outputting the check point information to a draft to be stored;

the DEP monitoring the attack data packets sent from the AEP through a bypass interception mode, and outputting the check point information to a draft in a log mode to be stored;

the TEP detecting the received attack data packets, recording the logs, and outputting the logs to a draft to be stored; and

the DEP collecting the drafts from the other end points at the end of the attack task, matching the flow information of each attack data packet in all the drafts, and then generating a final test report upon analysis.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An internal tracing method for network attack detection is used to trace whole life cycle of an attack data packet for test in different phases such as an attacking phase, a defending phase, and an attacked phase through configuring and uniting three parties including an attack end point (AEP), a detect end point (DEP), and a target end point (TEP) and setting a corresponding internal check point in each part when testing a network intrusion detection system (IDS). In other words, when testing the network IDS, in a whole period that the attack data packet for test is attacking, filtered, detected, and finally transmitted to a target host, a tester may clearly know the statuses and information of the data packet in each important phase, thereby generating a test report conveniently, quickly, and accurately.

Citations

7 Claims

1. An internal tracing method for network attack detection, for testing a network intrusion detection system (IDS), comprising:
- establishing a network topology structure having an attack end point (AEP), a detect end point (DEP), and a target end point (TEP) in a test network;
  
  installing all types of attack tools and an AEP routine at the AEP, installing a pre-customized Snort IDS and a DEP routine at the DEP, and installing a statistics routine at the TEP;
  
  the AEP classifying the attack types of attack data packets, and setting a check point for capturing information in the data packets according to the classification information;
  
  the DEP setting corresponding check points in different phases, storing all setting options to be a script file, and sending the script file to the other end points;
  
  the AEP sending the attack data packets for test to the DEP or the TEP through the distributed script file, and outputting the check point information to a draft to be stored;
  
  the DEP monitoring the attack data packets sent from the AEP through a bypass interception mode, and outputting the check point information to a draft in a log mode to be stored;
  
  the TEP detecting the received attack data packets, recording the logs, and outputting the logs to a draft to be stored; and
  
  the DEP collecting the drafts from the other end points at the end of the attack task, matching the flow information of each attack data packet in all the drafts, and then generating a final test report upon analysis.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The internal tracing method for network attack detection as claimed in claim 1, wherein the check points of the AEP are set through directly modifying the source codes of the attack tool, or analyzing the real-time log of the attack tool.
  - 3. The internal tracing method for network attack detection as claimed in claim 1, wherein before the AEP sends the attack data packets for test, the method further comprises verifying the system times of each of the end points to obtain system time differences of different end points, which are stored by any of the end points.
  - 4. The internal tracing method for network attack detection as claimed in claim 1, wherein in the process of performing the attack task, each of the end points records the arriving time of the attack data packet, decodes a captured data packet and matches it with a recorded sent data packet, so as to determine whether the captured data packet is consistent with the sent data packet.
  - 5. The internal tracing method for network attack detection as claimed in claim 1, wherein the process of the DEP detecting the attack data packet further comprises:
    - the check point calculating the quantity of all captured attack data packets, and recording the time stamps of the attack data packets;
      
      after decoding, the check point filtering the attack data packets through a specific IP or other flags in the attack data packets, marking the abnormal data packets as suspicious data packets, and recording the protocol information and the current time stamps;
      
      after finding the suspicious data packets, if the suspicious data packets match with a rule of a preprocessor, the check point recording the information about the preprocessor, and then recording the current time stamps of the suspicious data packets;
      
      after finding the suspicious data packet, the check point recording a whole process for matching with the rules in a rule tree node (RTN)/an optional tree node (OTN), and then recording the current time stamp of the suspicious data packets; and
      
      at the end of processing the data packets, the check point recording a selected event, and then recording the current time stamps.
  - 6. The internal tracing method for network attack detection as claimed in claim 1, wherein the TEP uses Libpcap (a well-known process property analysis software for constructing a network sniffer tool) to detect the received attack data packets.
  - 7. The internal tracing method for network attack detection as claimed in claim 6, wherein the attack data packets are attack data packets with specified source IPs.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Inventec Corporation
Original Assignee
Inventec Corporation
Inventors
Chen, Tom, Sun, Meng, Liu, Win-Harn

Application Number

US12/010,698
Publication Number

US 20100031093A1
Time in Patent Office

Days
Field of Search
US Class Current

714/45
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 2463/102   applying security measure f...

H04L 63/102   Entity profiles

Internal tracing method for network attack detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

7 Claims

Specification

Solutions

Use Cases

Quick Links

Internal tracing method for network attack detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

7 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links