Method and Apparatus for Tracing Attack Source of Abnormal Network Traffic

US 20140230059A1
Filed: 11/22/2012
Published: 08/14/2014
Est. Priority Date: 12/07/2011
Status: Active Grant

First Claim

Patent Images

1. A method for tracing an attack source in the case of abnormal network traffic, which is characterized in comprising steps of:

from one or more network nodes of an attack link, selecting any or multiple said network nodes as one or more tracing start points, where said attack link is a communication link between an attacked target and an attack source; and

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a method and an apparatus for tracing an attack source in the case of an abnormal network traffic, where said method comprises: from the network node(s) of an attack link, any or multiple said network nodes are selected as a tracing start point(s) and there into, said attack link is a communication link between an attacked target and an attack source. According to said tracing start point(s), a higher-level network node of said attack link is identified stepwise until a final attack source is confirmed. By adopting said technical solution provided by the present invention, the problems that the network security mechanisms in related technologies can only alleviate a network attack rather than position an attack source are solved, thus an effect can be achieved to trace and position the attack source in a reverse direction.

16 Citations

View as Search Results

10 Claims

1. A method for tracing an attack source in the case of abnormal network traffic, which is characterized in comprising steps of:
- from one or more network nodes of an attack link, selecting any or multiple said network nodes as one or more tracing start points, where said attack link is a communication link between an attacked target and an attack source; and
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. according to one or more said tracing start points, identifying one or more higher-level network nodes of said attack link stepwise until a final attack source is confirmed. The method according to claim 1, which is characterized in that any or multiple said network nodes are selected as one or more tracing start points, which comprises steps of:
    - acquiring the data packet payload via one or more port of a network node in said attack link according to a preset period; and
      
      determining said tracing start point according to the data packet payload collected currently and that collected in last said preset period.
  - 3. The method according to claim 2, which is characterized in that said data packet payload is the average for each data packet payload in said preset period.
  - 4. The method according to claim 3, which is characterized in that said average for each data packet payload in a preset period is determined through the following formula:
    - average for each data packet payload in a preset period=Average bandwidth in a preset period/Total quantity of data packets in a preset period.
  - 5. The method according to claim 3, which is characterized in that in the case of multiple said higher-level network nodes, the method further comprises:
    - discriminating the multiple higher-level network nodes according to the matching degree with said attack link, wherein said matching degree is used to indicate the level of similarity between said average for each data packet payload via one or more tracing start points in a preset period and different averages for each data packet payload via multiple said higher-level network nodes in a preset period.
  - 6. The method according to claim 2, which is characterized in that the step determining said tracing start point according to the data packet payload collected currently and that collected in last said preset period specifically comprises:
    - determining a fingerprint of the flow via the port(s) of said network node(s) of an attack link according to the data packet payload collected currently and that collected in last said preset period, wherein said flow fingerprint is calculated with the formula as follows;
      
      Flow fingerprint=[1−
      
      (▴
      
      P/▴
      
      BP)]×
      
      100%, ▴
      
      P=P0−
      
      (P-1), ▴
      
      BP=BP0−
      
      (BP-1),wherein P0 indicates current data;
      
      (P-) indicates the data in last period of current preset period;
      
      BP0 indicates the data at same moment yesterday;
      
      (BP-1) indicates the data yesterday in the period one earlier to current preset period;
      
      wherein in the case that said flow fingerprint does not reach a preset threshold value, the network node corresponding to said flow fingerprint is used as a tracing start point.
  - 7. The method according to claim 1, which is characterized in that:
    - the higher-level network node(s) of said attack link is identified stepwise according to said one or more tracing start points, which comprises;
      
      acquiring the increment of incoming flow to said one or more tracing start points and the increment of outgoing flow from said one or more higher-level network nodes, wherein;
      
      said increment of incoming flow is the increased flow in the case that the network traffic received by said one or more tracing starting points is abnormal compared to normal network traffic and said increment of outgoing flow is the increased network flow in the case that the network traffic transmitted from said one or more higher-level network nodes is abnormal compared to normal network traffic;
      
      determining of said one or more higher-level nodes as one or more new tracing start points according to the ratio between said increment of incoming flow and said increment of outgoing flow; and
      
      determining stepwise of one or more higher-level network nodes of said one or more new tracing start points of said attack link according to said one or more new tracing start points.
  - 8. The method according to claim 1, which is characterized in that:
    - the following method is employed to confirm a final attack source;
      
      when the quantity of one or more higher-level network nodes is 0, the one or more network nodes in the next level lower to said one or more higher-level network nodes is determined as a final attack source.

9. An apparatus for tracing an attack source in the case of abnormal network traffic, which is characterized in comprising:
- a selection module used to select any or multiple said network nodes from the one or more network nodes of attack network as a tracing start point(s), where said attack link is a communication link between an attacked target and an attack source; and
  
  a determination module used to identify stepwise one or more higher-level network node of said attack network according to said one or more tracing start points until a final attack source is confirmed.
- View Dependent Claims (10)
- - 10. The apparatus according to claim 9, which is characterized in that:
    - said determination module comprises;
      
      an acquisition unit used to acquire the increment of incoming flow to said one or more tracing start points and the increment of outgoing flow from said one or more higher-level network nodes, wherein said increment of incoming flow is the increased flow in the case that the network traffic received by said one or more tracing starting points is abnormal compared to normal network traffic and said increment of outgoing flow is the increased network flow in the case that the network traffic transmitted from said one or more higher-level network nodes is abnormal compared to normal network traffic;
      
      a first determination unit used to determine said one or more higher-level nodes as one or more new tracing start points according to the ratio between said increment of incoming flow and said increment of outgoing flow; and
      
      a second determination unit used to identify stepwise one or more higher-level network nodes of said one or more new tracing start points of said attack link according to said one or more new tracing start points until a final attack source is confirmed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Beijing Runstone Technology Incorporation
Original Assignee
Beijing Runstone Technology Incorporation
Inventors
Wang, Lijun

Granted Patent

US 9,729,559 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 2463/146   Tracing the source of attacks

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

Method and Apparatus for Tracing Attack Source of Abnormal Network Traffic

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

10 Claims

Specification

Use Cases

Quick Links

Others

Method and Apparatus for Tracing Attack Source of Abnormal Network Traffic

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

10 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others