System and method for defending against distributed denial-of-service attack on active network
First Claim
1. A system for defending against a distributed denial-of-service attack comprising:
an intrusion detection system for generating alert data if a denial-of-service attack is detected;
an active security management system for managing a domain, analyzing the alert data to determine whether the denial-of-service attack is the distributed denial-of-service attack, generating and transmitting a backtracking sensor for backtracking an attacker of the distributed denial-of-service attack in a case of the distributed denial-of-service attack, transmitting mobile sensors to a host backtracked by the backtracking sensor to remove a master or an agent program within the host, generating and transmitting a backtracking sensor by using an IP address of a host that has transmitted a packet to the removed master or agent program; and
an active security node located at a boundary of the domain, executing the transmitted backtracking sensor to backtrack an attacking host of the distributed denial-of-service attack and, if the backtracked host is determined as a real attacker, intercepting a traffic generated from the real attacker.
Abstract
A system for defending against a distributed denial-of-service attack includes an intrusion detection system, an active security management system and an active security node. The intrusion detection system generates alert data if a denial-of-service attack is detected. The active security management system manages a domain, analyzes the alert data, generates and transmits a backtracking sensor in a case of the distributed denial-of-service attack, transmits mobile sensors to a host backtracked by the backtracking sensor to remove a master or an agent program within the host, and generates and transmits a backtracking sensor by using an IP address of a host that has transmitted a packet to the removed master or agent program. The active security node executes the transmitted backtracking sensor to backtrack an attacking host of the distributed denial-of-service attack and, if the backtracked host is determined as a real attacker, intercepts a traffic generated from the real attacker.
16 Claims
11. A method for defending against a distributed denial-of-service attack by using an active security management system for backtracking and intercepting an attacker of the distributed denial-of-service attack based on alert data received from an intrusion detection system, the method comprising the steps of:
extracting an IP address and a MAC address of a host from the alert data;
generating a backtracking sensor for backtracking the host and transmitting the backtracking sensor to an active security node corresponding to the IP address of the host;
executing the backtracking sensor by the active security node to backtrack the host;
deleting an agent or a master program installed at the backtracked host;
observing packets arriving at the deleted agent or master program, generating a backtracking sensor for backtracking a host transmitting the packets, and transmitting the backtracking sensor to the active security node;
determining whether the host backtracked by the backtracking sensor is the real attacker; and
blocking off traffic generated from an IP address of the real attacker if the backtracked host is the real attacker.
Dependent claims: 12, 13, 14, 15, 16.