APPARATUS AND METHOD FOR ATTACK SOURCE TRACEBACK

US 20150150133A1
Filed: 10/20/2014
Published: 05/28/2015
Est. Priority Date: 11/26/2013
Status: Active Grant

First Claim

Patent Images

1. An apparatus for an attack source traceback, comprising:

a server information extracting unit configured to detect an attack for a system, which is generated via a server to thereby extract information on the server;

a traceback agent installing unit configured to install a traceback agent in the server based on the information on the server; and

a traceback unit configured to find an attack source for the system by analyzing network information of the server obtained by the traceback agent.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and a method for an attack source traceback capable of tracing back an attacker, that is, an attack source present behind a command and control (C&C) server in a cyber target attack having non-connectivity over a transmission control protocol (TCP) connection are disclosed. The apparatus for the attack source traceback includes: a server information extracting unit detecting an attack for a system, which is generated via a server to thereby extract information on the server; a traceback agent installing unit installing a traceback agent in the server based on the information on the server; and a traceback unit finding an attack source for the system by analyzing network information of the server obtained by the traceback agent.

Citations

12 Claims

1. An apparatus for an attack source traceback, comprising:
- a server information extracting unit configured to detect an attack for a system, which is generated via a server to thereby extract information on the server;
  
  a traceback agent installing unit configured to install a traceback agent in the server based on the information on the server; and
  
  a traceback unit configured to find an attack source for the system by analyzing network information of the server obtained by the traceback agent.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The apparatus of claim 1, wherein the server is a command and control (C&
    - C) server.
  - 3. The apparatus of claim 1, wherein the information on the server includes an internet protocol address of the server and system information.
  - 4. The apparatus of claim 1, wherein the traceback agent installing unit analyzes the network information of the server obtained by the traceback agent to thereby sequentially install the traceback agent from a closest server to the system among the plurality of servers in case of an attack for the system which is generated via a plurality of servers.
  - 5. The apparatus of claim 4, wherein the traceback unit finds the attack source for the system by sequentially analyzing the network information of the plurality of servers obtained by the traceback agent installed in each of the plurality of servers.
  - 6. The apparatus of claim 1, wherein the traceback agent installing unit installs the traceback agent in the server and hides an execution result of the traceback agent so that an attacker does not perceive the installation of the traceback agent.

7. A method for an attack source traceback, comprising:
- detecting, by a server information extracting unit, an attack for a system which is generated via a server to thereby extract information on the server;
  
  installing, by a traceback agent installing unit, a traceback agent in the server based on the information on the server; and
  
  finding, by a traceback unit, an attack source for the system by analyzing network information of the server obtained by the traceback agent.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein the server is a command and control (C&
    - C) server.
  - 9. The method of claim 7, wherein the information on the server includes an internet protocol address of the server and system information.
  - 10. The method of claim 7, wherein in the installing of the traceback agent in the server, in case of an attack for the system which is generated via a plurality of servers, the network information of the server obtained by the traceback agent is analyzed to thereby sequentially install the traceback agent from a closest server to the system among the plurality of servers.
  - 11. The method of claim 10, wherein in the finding of the attack source for the system, the attack source for the system is found by sequentially analyzing the network information of the plurality of servers obtained by the traceback agent installed in each of the plurality of servers.
  - 12. The method of claim 7, wherein in the installing of the traceback agent in the server, the traceback agent is installed in the server and an execution result of the traceback agent is hidden so that an attacker does not perceive the installation of the traceback agent.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Electronics and Telecommunications Research Institute
Original Assignee
Electronics and Telecommunications Research Institute
Inventors
HAN, Min-Ho, KIM, Jung-Tae, CHO, Hyun-Sook, KIM, Ik-Kyun

Granted Patent

US 9,374,382 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1466   Active attacks involving in...

H04L 63/164   at the network layer

APPARATUS AND METHOD FOR ATTACK SOURCE TRACEBACK

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

APPARATUS AND METHOD FOR ATTACK SOURCE TRACEBACK

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links