Attack defending system and attack defending method
Abstract
An attack defending system allows effective defense against attacks from external networks even when a communication system uses a communication path encryption technique such as SSL. A firewall device and a decoy device are provided. The firewall device refers to the header of an input IP packet and, when the input IP packet is determined to be suspicious, guides it into the decoy device. The decoy device monitors a process providing a service to detect the presence or absence of attacks. When an attack has been detected, an alert including the attack-source IP address is sent to the firewall device so that subsequent packets from the attack source are rejected.
30 Claims
1. An attack defending system provided at an interface between an internal network and an external network, comprising a computer having a processor and a memory to execute software recorded on a tangible medium, the software implementing a decoy device and a firewall device, wherein the firewall device inputs an input IP packet from the external network and forwards it to one of the decoy device and the internal network, wherein
the decoy device comprises:
    an attack detector for detecting presence or absence of an attack by executing a service process for the input IP packet transferred from the firewall device, and
the firewall device comprises:
    a packet filter for determining whether the input IP packet inputted from the external network is to be accepted, based on header information of the input IP packet and a filtering condition corresponding to the input IP packet;
    a destination selector for selecting one of the internal network and the decoy device as a destination of the input IP packet accepted by the packet filter, based on the header information of the input IP packet and a distribution condition; and
    a filtering condition manager for managing the filtering condition depending on whether the attack detector detects an attack based on the input IP packet forwarded to the decoy device,
wherein the destination selector comprises a memory for storing as the distribution condition a guiding list containing a set of IP addresses unused in the internal network, the destination selector selecting the decoy device when a destination IP address of the input IP packet matches an unused IP address contained in the guiding list.
Dependent claims: 2, 3, 4.
5. An attack defending system provided at an interface between an internal network and an external network, comprising a computer having a processor and a memory to execute software recorded on a tangible medium, the software implementing a decoy device and a firewall device, wherein the firewall device inputs an input IP packet from the external network and forwards it to one of the decoy device and the internal network, wherein
the decoy device comprises:
    an attack detector for detecting presence or absence of an attack by executing a service process for the input IP packet transferred from the firewall device, and
the firewall device comprises:
    a packet filter for determining whether the input IP packet inputted from the external network is to be accepted, based on header information of the input IP packet and a filtering condition corresponding to the input IP packet;
    a destination selector for selecting one of the internal network and the decoy device as a destination of the input IP packet accepted by the packet filter, based on the header information of the input IP packet and a distribution condition; and
    a filtering condition manager for managing the filtering condition depending on whether the attack detector detects an attack based on the input IP packet forwarded to the decoy device,
wherein the destination selector comprises:
    a packet buffer for storing input IP packets; and
    a monitor for monitoring reception of a destination unreachable message after an input IP packet has been transferred from the packet buffer to the internal network,
wherein, when the monitor detects the reception of the destination unreachable message for the input IP packet, the input IP packet is transferred from the packet buffer to the decoy device.
Dependent claims: 6, 7, 8.
9. An attack defending system provided at an interface between an internal network and an external network, comprising a computer having a processor and a memory to execute software recorded on a tangible medium, the software implementing a decoy device and a firewall device, wherein the firewall device inputs an input IP packet from the external network and forwards it to one of the decoy device and the internal network, wherein
the decoy device comprises:
    an attack detector for detecting presence or absence of an attack by executing a service process for the input IP packet transferred from the firewall device, and
the firewall device comprises:
    a packet filter for determining whether the input IP packet inputted from the external network is to be accepted, based on header information of the input IP packet and a filtering condition corresponding to the input IP packet;
    a destination selector for selecting one of the internal network and the decoy device as a destination of the input IP packet accepted by the packet filter, based on the header information of the input IP packet and a distribution condition; and
    a filtering condition manager for managing the filtering condition depending on whether the attack detector detects an attack based on the input IP packet forwarded to the decoy device,
wherein the filtering condition manager comprises:
    a condition generator for generating a filtering condition corresponding to a combination of an attack category of an attack detected by the attack detector and address information of the input IP packet; and
    a filtering condition controller for dynamically updating the filtering condition according to the filtering condition generated by the condition generator.
Dependent claims: 10, 11, 12, 13.
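The firewall side of claims 1, 5 and 9 (packet filter, guiding-list destination selector, packet buffer with destination-unreachable monitor, and the condition generator/controller) as an added Python simulation; this is not code from the patent. The decoy's attack verdict is supplied as an input to on_alert, and the mapping from attack category to filtering condition is an assumption, as are all addresses and the Packet type.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    """Header fields the firewall inspects (constructed sample type)."""
    src: str
    dst: str
    dport: int

@dataclass
class Firewall:
    guiding_list: set                            # unused internal IPs (distribution condition)
    filtering: set = field(default_factory=set)  # (src, dport) to reject; dport None = any port
    buffer: dict = field(default_factory=dict)   # packets sent inside, awaiting ICMP feedback

    def packet_filter(self, pkt):
        """Accept unless a filtering condition matches the packet header."""
        return {(pkt.src, None), (pkt.src, pkt.dport)}.isdisjoint(self.filtering)

    def destination_selector(self, pkt):
        """Guide packets addressed to unused internal addresses to the decoy."""
        if pkt.dst in self.guiding_list:
            return "decoy"
        self.buffer[(pkt.src, pkt.dst, pkt.dport)] = pkt
        return "internal"

    def forward(self, pkt):
        return self.destination_selector(pkt) if self.packet_filter(pkt) else "rejected"

    def on_destination_unreachable(self, src, dst, dport):
        """Monitor: ICMP destination unreachable arrived for a buffered packet,
        so that packet is transferred from the buffer to the decoy instead."""
        return None if self.buffer.pop((src, dst, dport), None) is None else "decoy"

    def on_alert(self, category, src, dport):
        """Condition generator + controller. Assumed mapping: a scan blocks the
        source on every port, any other category only on the attacked port."""
        cond = (src, None) if category == "scan" else (src, dport)
        self.filtering.add(cond)
        return cond

def demo():
    fw = Firewall(guiding_list={"10.0.0.200", "10.0.0.201"})           # constructed
    log = [fw.forward(Packet("198.51.100.7", "10.0.0.200", 80))]       # decoy
    log.append(fw.forward(Packet("198.51.100.7", "10.0.0.50", 22)))    # internal
    log.append(fw.on_destination_unreachable("198.51.100.7", "10.0.0.50", 22))  # decoy
    fw.on_alert("exploit", "198.51.100.7", 22)                         # decoy reported attack
    log.append(fw.forward(Packet("198.51.100.7", "10.0.0.10", 22)))    # rejected
    log.append(fw.forward(Packet("198.51.100.7", "10.0.0.10", 80)))    # internal
    return log
```

Note that the condition learned from the decoy only affects later packets; the ICMP path in claim 5 handles the first packet to an address that was not on the guiding list.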
14. An attack defending system provided at an interface between an internal network and an external network, comprising a computer having a processor and a memory to execute software recorded on a tangible medium, the software implementing a decoy device and a firewall device, wherein the firewall device inputs an input IP packet from the external network and forwards it to one of the decoy device and the internal network, wherein
the decoy device comprises:
    an attack detector for detecting presence or absence of an attack by executing a service process for the input IP packet transferred from the firewall device,
    an event memory for temporarily storing events related to at least network input/output, file input/output, and process creation/termination, and
    an event manager for analyzing cause-effect relations of the events stored in the event memory to form links among the events; and
the firewall device comprises:
    a packet filter for determining whether the input IP packet inputted from the external network is to be accepted, based on header information of the input IP packet and a filtering condition corresponding to the input IP packet;
    a destination selector for selecting one of the internal network and the decoy device as a destination of the input IP packet accepted by the packet filter, based on the header information of the input IP packet and a distribution condition; and
    a filtering condition manager for managing the filtering condition depending on whether the attack detector detects an attack based on the input IP packet forwarded to the decoy device.
Dependent claims: 15, 16, 17, 18, 19, 20.
21. An attack defending system provided at an interface between an internal network and an external network, comprising a computer having a processor and a memory to execute software recorded on a tangible medium, the software implementing a decoy device and a firewall device, wherein the firewall device inputs an input IP packet from the external network and forwards it to one of the decoy device and the internal network, wherein
the decoy device comprises:
    an attack detector for detecting presence or absence of an attack by executing a service process for the input IP packet transferred from the firewall device, and
the firewall device comprises:
    a packet filter for determining whether the input IP packet inputted from the external network is to be accepted, based on header information of the input IP packet and a filtering condition corresponding to the input IP packet;
    a destination selector for selecting one of the internal network and the decoy device as a destination of the input IP packet accepted by the packet filter, based on the header information of the input IP packet and a distribution condition; and
    a filtering condition manager for managing the filtering condition depending on whether the attack detector detects an attack based on the input IP packet forwarded to the decoy device,
wherein the attack detector detects an attack from an execution status of the service process according to a rule having at least one of domain constraint and type constraint added thereto.
Dependent claims: 22, 23, 24, 25.
26. An attack defending system provided at an interface between an internal network and an external network, comprising a computer having a processor and a memory to execute software recorded on a tangible medium, the software implementing a decoy device and a firewall device, wherein the firewall device inputs an input IP packet from the external network and forwards it to one of the decoy device and the internal network, wherein
the decoy device comprises:
    an attack detector for detecting presence or absence of an attack by executing a service process for the input IP packet transferred from the firewall device, and
the firewall device comprises:
    a packet filter for determining whether the input IP packet inputted from the external network is to be accepted, based on header information of the input IP packet and a filtering condition corresponding to the input IP packet;
    a destination selector for selecting one of the internal network and the decoy device as a destination of the input IP packet accepted by the packet filter, based on the header information of the input IP packet and a distribution condition;
    a filtering condition manager for managing the filtering condition depending on whether the attack detector detects an attack based on the input IP packet forwarded to the decoy device; and
    a mirroring device for copying at least a file system from a server on the internal network to the decoy device,
wherein when an attack is detected by the decoy device, the mirroring device copies at least the file system from the server on the internal network to the decoy device.
Dependent claims: 27, 28, 29, 30.
Specification