LOG-BASED TRACEBACK SYSTEM AND METHOD USING CENTROID DECOMPOSITION TECHNIQUE
Abstract
Provided are a system and method for tracing back an attacker by using centroid decomposition technique, the system including: a log data input module collecting log data of an intrusion alarm from an intrusion detection system; a centroid node detection module generating a shortest path tree by applying a shortest path algorithm to network router connection information collected by a network administration server, detecting a centroid node by applying centroid decomposition technique (removing leaf nodes) to the shortest path tree, and generating a centroid tree whose node at each level is the detected centroid node; and a traceback processing module requesting log data of a router matched with the node at each level of the centroid tree, and tracing back the router whose log data is identical to the log data of the collected intrusion alarm, found by comparing the two, as the router connected to the source of the attacker. According to the system and method, an attacker causing a security intrusion event may be quickly detected, the load on the system is reduced, and a pass-through host that is exposed to danger or has weaknesses may be easily recognized, so that the attack can be coped with more easily.
15 Claims
1. A log-based traceback system using centroid decomposition technique, the system comprising:
a log data input module collecting log data of an intrusion alarm from an intrusion detection system;
a centroid node detection module generating a shortest path tree by applying a shortest path algorithm to network router connection information collected by a network administration server, detecting a centroid node by applying centroid decomposition technique removing a leaf-node to the shortest path tree, and generating a centroid tree whose node of each level is the detected centroid node; and
a traceback processing module requesting log data of a router matched with the node of each level of the centroid tree, and tracing back a router identical to the log data of the collected intrusion alarm by comparing the log data of the router with the log data of the collected intrusion alarm as a router connected to a source of an attacker.
Dependent claims: 2, 3, 4, 5, 6.
7. A method of generating a centroid tree by using centroid decomposition technique, the method comprising:
collecting network router connection information from a network administration server;
generating a shortest path tree by applying a shortest path algorithm to the collected network router connection information; and
generating a centroid tree where a centroid node that is detected by applying centroid decomposition technique of removing a leaf-node of the shortest path tree becomes a node of each level.
Dependent claims: 8.
9. A log-based traceback method using centroid decomposition technique, the method comprising:
collecting log data of an intrusion alarm generated from an intrusion detection system, and collecting from a network administration server connection information of a network router through which an attack packet passes;
generating a centroid tree where a centroid node that is detected by applying centroid decomposition technique of removing a leaf-node to the connection information of the network router through which the attack packet passes is a node for each level;
comparing log data of the node for each level of the centroid tree with log data of the intrusion alarm collected from the intrusion detection system to search for a router connected to a source of an attacker; and
extracting an attack pattern from the log data of the router connected to the source of the attacker, searching for a MAC address identical to the attack pattern, and tracing back the source of the attacker by requesting an IP address corresponding to the MAC address.
Dependent claims: 10, 11, 12, 13, 14, 15.
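As an added illustration (not code from the patent), the following Python sketch carries out claim 7's leaf-stripping centroid detection and centroid-tree generation, and then claim 9's level-by-level log comparison, on a constructed eight-router shortest path tree. The tree, the router log records, the rule that a two-node tie is broken by name, and the assumption that only the attacker's first-hop router logs a record identical to the IDS alarm are all assumptions of this demo; the claims do not specify the comparison in that detail.

```python
# Constructed shortest path tree rooted at victim-side router R1 (stands in for
# the router connection information the network administration server supplies).
TREE_EDGES = [("R1", "R2"), ("R1", "R3"), ("R2", "R4"), ("R2", "R5"),
              ("R3", "R6"), ("R5", "R7"), ("R7", "R8")]
# Undirected adjacency derived from the tree edges.
ADJ = {v: {b if a == v else a for a, b in TREE_EDGES if v in (a, b)}
       for e in TREE_EDGES for v in e}
# Constructed logs (one flow tuple per record); only R8, assumed to be the
# attacker's first-hop router, holds a record identical to the IDS alarm.
ALARM = ("10.9.8.7", "192.0.2.10", 445)
ROUTER_LOGS = {"R8": [ALARM, ("10.9.8.7", "192.0.2.11", 80)],
               "R2": [("198.51.100.5", "192.0.2.10", 443)]}

def components(nodes, adj):
    """Connected components of the subgraph induced by `nodes`, smallest name first."""
    left, comps = set(nodes), []
    while left:
        comp, stack = set(), [min(left)]
        while stack:
            v = stack.pop()
            if v not in comp:
                comp.add(v)
                stack.extend(u for u in adj[v] if u in left)
        left -= comp
        comps.append(comp)
    return comps

def centroid(nodes, adj):
    """Claim 7's detection: strip every leaf each round until at most two nodes survive."""
    alive = set(nodes)
    while len(alive) > 2:
        alive -= {v for v in alive if len(adj[v] & alive) <= 1}
    return min(alive)  # a two-node tie is broken by name (assumption, not in the claims)

def centroid_tree(nodes, adj):
    """Level k holds the centroid of each component left after removing levels 0..k-1."""
    levels, remaining = [], set(nodes)
    while remaining:
        level = sorted(centroid(c, adj) for c in components(remaining, adj))
        levels.append(level)
        remaining -= set(level)
    return levels

def trace_back(levels, alarm, router_logs):
    """Claim 9's comparison: query only the current level's routers; first identical record wins."""
    for depth, level in enumerate(levels):
        for router in level:
            if alarm in router_logs.get(router, []):
                return router, depth  # router connected to the attacker's source, and its level
    return None, None
```

On the constructed tree the centroid tree has three levels, [['R2'], ['R3', 'R4', 'R7'], ['R1', 'R5', 'R6', 'R8']], and the alarm record is matched at R8 on level 2.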