METHOD AND SYSTEM FOR NETWORK CONNECTION CHAIN TRACEBACK USING NETWORK FLOW DATA
Abstract
Disclosed are a method and a system for network connection chain traceback using network flow data, in order to trace the attack source site of cyber hacking attacks that pass through various sites, without adding new network equipment or modifying a standard protocol, when the cyber hacking attack occurs in the Internet and an internal network.
16 Claims
1. A method for network connection chain traceback in a traceback system for a network attack, the method comprising:
(A) searching, by one or more respective trace agents distributed on a network, a network session including a trace address included in finger printing information as a destination address by referring to a database for network flow information to generate finger printing information in which a source address of the searched session is substituted with the trace address; and
(B) searching, by the respective trace agents, the network flow information including the substituted finger printing information by referring to the database to generate new finger printing information including a corresponding destination address of the searched network flow information as the trace address and generate an attack connection chain list further including an ID for a corresponding network session in addition to an ID for the previous network session.
9. A system for network connection chain traceback for a network attack, the system comprising:
one or more flow collectors distributively disposed on a network in order to manage network flow information in a database by interlocking with one or more routers for routing among systems on the network, wherein the one or more flow collectors include respective trace agents for tracing back a network connection chain for the network attack by referring to the database, and the respective trace agent includes a trace unit that searches a network session including a trace address included in finger printing information as a destination address to generate finger printing information in which a source address of the searched session is substituted with the trace address, searches the network flow information including the substituted finger printing information to generate new finger printing information including a corresponding destination address of the searched network flow information as the trace address, and generates an attack connection chain list further including an ID for a corresponding network session in addition to an ID for the previous network session.
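The hop-by-hop search the claims describe, as an added example (not code from the patent): it repeatedly looks up the session whose destination is the current trace address, makes that session's source the next trace address, and appends the session ID to the connection chain list. The record fields, the time-enclosure matching rule standing in for the finger printing comparison, and the sample flows are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    sid: str    # session ID in the flow database (hypothetical field name)
    src: str    # source address
    dst: str    # destination address
    start: int  # session start, seconds
    end: int    # session end, seconds

# Constructed flow records using documentation addresses; not real traffic.
FLOWS = [
    Flow("s1", "198.51.100.7", "203.0.113.20", 100, 400),  # origin -> hop 1
    Flow("s2", "203.0.113.20", "192.0.2.50", 110, 390),    # hop 1 -> hop 2
    Flow("s3", "192.0.2.50", "10.0.0.5", 120, 380),        # hop 2 -> victim
    Flow("s4", "192.0.2.99", "192.0.2.50", 900, 950),      # unrelated, later
    Flow("s5", "10.0.0.8", "10.0.0.5", 10, 20),            # unrelated, earlier
]

def trace_chain(flows, victim, seen_start, seen_end, max_hops=16):
    """Walk upstream from the victim address.

    Returns (list of session IDs in the order found, last source reached).
    """
    trace_addr, window = victim, (seen_start, seen_end)
    chain, visited = [], {victim}
    for _ in range(max_hops):
        # Sessions whose destination is the current trace address.
        # Assumed matching rule: a relayed connection's upstream session
        # starts no later and ends no earlier than the downstream one.
        candidates = [f for f in flows
                      if f.dst == trace_addr
                      and f.start <= window[0] and f.end >= window[1]]
        if not candidates:
            break  # no further upstream session in the database
        hop = min(candidates, key=lambda f: f.end - f.start)  # tightest fit
        if hop.src in visited:
            break  # loop guard against circular relays
        # Keep earlier session IDs and add the newly matched one.
        chain.append(hop.sid)
        visited.add(hop.src)
        # The matched session's source becomes the next trace address.
        trace_addr, window = hop.src, (hop.start, hop.end)
    return chain, trace_addr

if __name__ == "__main__":
    print(trace_chain(FLOWS, "10.0.0.5", 130, 370))
```

The time-enclosure rule is a stand-in only; a deployment would compare whatever fields its flow records and finger printing information actually carry.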
Specification