METHOD AND SYSTEM FOR NETWORK CONNECTION CHAIN TRACEBACK USING NETWORK FLOW DATA

US 20150256555A1
Filed: 03/02/2015
Published: 09/10/2015
Est. Priority Date: 03/07/2014
Status: Active Grant

First Claim

Patent Images

1. A method for network connection chain traceback in a traceback system for a network attack, the method comprising:

(A) searching, by one or more respective trace agents distributed on a network, a network session including a trace address included in finger printing information as a destination address by referring to a database for network flow information to generate finger printing information in which a source address of the searched session is substituted with the trace address; and

(B) searching, by the respective trace agents, the network flow information including the substituted finger printing information by referring to the database to generate new finger printing information including a corresponding destination address of the searched network flow information as the trace address and generate an attack connection chain list further including an ID for a corresponding network session in addition to an ID for the previous network session.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are provided a method and a system for network connection chain traceback by using network flow data in order to trace an attack source site for cyber hacking attacks that goes by way of various sites without addition of new equipment of a network or modification a standard protocol when the cyber hacking attack occurs in the Internet and an internal network.

Citations

16 Claims

1. A method for network connection chain traceback in a traceback system for a network attack, the method comprising:
- (A) searching, by one or more respective trace agents distributed on a network, a network session including a trace address included in finger printing information as a destination address by referring to a database for network flow information to generate finger printing information in which a source address of the searched session is substituted with the trace address; and
  
  (B) searching, by the respective trace agents, the network flow information including the substituted finger printing information by referring to the database to generate new finger printing information including a corresponding destination address of the searched network flow information as the trace address and generate an attack connection chain list further including an ID for a corresponding network session in addition to an ID for the previous network session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - before step (A),generating, by a trace requester on the network, finger printing information for an attack network session and requesting tracing.
  - 3. The method of claim 1, further comprising:
    - after step (B),further repeating steps (A) and (B) once or more with respect to the new finger printing information by propagating the new finger printing information and the attack connection chain list to the respective trace agents.
  - 4. The method of claim 3, wherein the propagation is achieved with a plurality of trace agents by a P2P mode.
  - 5. The method of claim 1, wherein step (B) includes generating a final attack connection chain list up to now and transmitting the generated final attack connection chain list to the trace requester on the network when the network flow information including the substituted finger printing information is not searched.
  - 6. The method of claim 1, wherein step (B) includes determining whether a period from a flow start time up to a flow end time, corresponding packets, and corresponding bytes of the substituted finger printing information has a subset relationship with the corresponding network flow information in addition to whether the trace address being included in the network flow information as the destination address.
  - 7. The method of claim 5, further comprising:
    - deciding, by the trace requester, a system having a source IP address of a finally traced network session as a source site system by analyzing the final attack connection chain list.
  - 8. The method of claim 1, wherein the finger printing information includes the flow start time, the flow end time, the packets, and the bytes in addition to the trace address.

9. A system for network connection chain traceback for a network attack, the system comprising:
- one or more flow collectors distributively disposed on a network in order to manage network flow information in a database by interlocking with one or more routers for routing among systems on the network,wherein the one or more flow collectors include respective trace agents for tracing back a network connection chain for the network attack by referring to the database, andthe respective trace agent includes a trace unit thatsearches a network session including a trace address included in finger printing information as a destination address to generate finger printing information in which a source address of the searched session is substituted with the trace address,searches the network flow information including the substituted finger printing information to generate new finger printing information including a corresponding destination address of the searched network flow information as the trace address, andgenerates an attack connection chain list further including an ID for a corresponding network session in addition to an ID for the previous network session.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, further comprising:
    - a trace requester on the network, which is used for requesting tracing to the trace agent by generating finger printing information for an attack network session.
  - 11. The system of claim 9, wherein each of the trace agents includes a sharing unit that controls the attack connection list to be repeatedly generated with respect to the new finger printing information by propagating the new finger printing information and the attack connection chain list to the respective trace agents.
  - 12. The system of claim 11, wherein the sharing unit performs the propagation with a plurality of trace agents by a P2P mode.
  - 13. The system of claim 9, wherein the trace unit generates a final attack connection chain list up to now and transmits the generated final attack connection chain list to the trace requester on the network when the network flow information including the substituted finger printing information is not searched.
  - 14. The system of claim 9, wherein the trace unit determines whether a period from a flow start time up to a flow end time, corresponding packets, and corresponding bytes of the substituted finger printing information has a subset relationship with the corresponding network flow information in addition to whether the trace address being included in the network flow information as the destination address.
  - 15. The system of claim 13, wherein the trace requester decides a system having a source IP address of a finally traced network session as a source site system by analyzing the final attack connection chain list.
  - 16. The system of claim 9, wherein the finger printing information includes the flow start time, the flow end time, the packets, and the bytes in addition to the trace address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Electronics and Telecommunications Research Institute
Original Assignee
Electronics and Telecommunications Research Institute
Inventors
CHOI, Yang Seo, KIM, Ik Kyun, HAN, Min Ho, KIM, Jung Tae, KIM, Jong Hyun

Granted Patent

US 9,537,887 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

METHOD AND SYSTEM FOR NETWORK CONNECTION CHAIN TRACEBACK USING NETWORK FLOW DATA

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR NETWORK CONNECTION CHAIN TRACEBACK USING NETWORK FLOW DATA

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links