Attack defending system and attack defending method
First Claim
1. An attack defending system provided at an interface between an internal network and an external network, comprising a decoy device and a firewall device, wherein the firewall device inputs an input IP packet from the external network and forwards it to one of the decoy device and the internal network, wherein the firewall device comprises:
a microprocessor programmed to execute;
a destination selector for selecting one of the internal network and the decoy device as a destination of the input IP packet based on header information of the input IP packet and a distribution condition; and
a confidence manager for managing confidence levels for source IP addresses of a plurality of input IP packets, wherein the destination selector obtains a confidence level for a source IP address of the input IP packet from the confidence manager and selects a destination of the input IP packet depending on whether the confidence level satisfies the distribution condition, the confidence level is calculated based on the header information of the input IP packet and an input history of previous input IP packets.
Abstract
An attack defending system allows effective defense against attacks from external networks even when a communication system uses a communication path encryption technique such as SSL. A firewall device and a decoy device are provided. The firewall device refers to the header of an input IP packet and, when it is determined that the input IP packet is suspicious, it is guided into the decoy device. The decoy device monitors a process providing a service to detect the presence or absence of attacks. When an attack has been detected, an alert including the attack-source IP address is sent to the firewall device so as to reject subsequent packets from the attack source.
41 Citations
66 Claims
1. An attack defending system provided at an interface between an internal network and an external network, comprising a decoy device and a firewall device, wherein the firewall device inputs an input IP packet from the external network and forwards it to one of the decoy device and the internal network, wherein the firewall device comprises:
a microprocessor programmed to execute;
a destination selector for selecting one of the internal network and the decoy device as a destination of the input IP packet based on header information of the input IP packet and a distribution condition; and
a confidence manager for managing confidence levels for source IP addresses of a plurality of input IP packets, wherein the destination selector obtains a confidence level for a source IP address of the input IP packet from the confidence manager and selects a destination of the input IP packet depending on whether the confidence level satisfies the distribution condition, the confidence level is calculated based on the header information of the input IP packet and an input history of previous input IP packets.
(Dependent claims: 2 to 16.)
17. An attack defending method using a decoy device in a firewall device provided at an interface between an internal network and an external network, comprising:
a microprocessor programmed to execute;
preparing a filtering condition and a distribution condition for input IP packets;
holding confidence levels for source IP addresses of a plurality of input IP packets;
determining whether an input IP packet inputted from the external network is to be accepted, based on header information of the input IP packet and a filtering condition corresponding to the input IP packet;
selecting one of the internal network and the decoy device as a destination of the input IP packet accepted, based on whether the confidence level satisfies the distribution condition;
detecting presence or absence of an attack by executing a service process for the input IP packet forwarded to the decoy device; and
managing the filtering condition corresponding to the input IP packet forwarded to the decoy device depending on whether an attack is detected based on the input IP packet, wherein the confidence level is calculated based on the header information of the input IP packet and an input history of previous input IP packets.
(Dependent claims: 18 to 28.)
29. An attack defending method using a decoy device in a firewall device provided at an interface between an internal network and an external network, comprising:
preparing a distribution condition of IP packets;
holding confidence levels for source IP addresses of a plurality of input IP packets;
selecting one of the internal network and the decoy device as a destination of the input IP packet depending on whether the confidence level satisfies the distribution condition, the confidence level is calculated based on the header information of the input IP packet and an input history of previous input IP packets.
(Dependent claims: 30 to 38.)
39. A firewall device connected to a decoy device, provided at an interface between an internal network and an external network, wherein the firewall device inputs an input IP packet from the external network and forwards it to one of the decoy device and the internal network, comprising:
a microprocessor programmed to execute;
a destination selector for selecting one of the internal network and the decoy device as a destination of the input IP packet based on header information of the input IP packet and a distribution condition; and
a confidence manager for managing confidence levels for source IP addresses of a plurality of input IP packets, wherein the destination selector obtains a confidence level for a source IP address of the input IP packet from the confidence manager and selects a destination of the input IP packet depending on whether the confidence level satisfies the distribution condition, the confidence level is calculated based on the header information of the input IP packet and an input history of previous input IP packets.
40. A firewall device connected to a decoy device, provided at an interface between an internal network and an external network, wherein the firewall device inputs an input IP packet from the external network and forwards it to one of the decoy device and the internal network, comprising:
a microprocessor programmed to execute;
a first destination selector;
a second destination selector; and
a confidence manager for managing confidence levels for source IP addresses of a plurality of input IP packets, wherein the first destination selector selects one of the second destination selector and the decoy device as a destination of the input IP packet based on header information of the input IP packet and a first predetermined condition; and the second destination selector obtains a confidence level for a source IP address of the input IP packet from the confidence manager and selects a destination of the input IP packet depending on whether the confidence level satisfies a second predetermined condition, the confidence level is calculated based on the header information of the input IP packet and an input history of previous input IP packets.
41. A firewall device connected to a decoy device, provided at an interface between an internal network and an external network, wherein the firewall device inputs an input IP packet from the external network and forwards it to one of the decoy device and the internal network, comprising:
a microprocessor programmed to execute;
a packet filter for determining whether the input IP packet inputted from the external network is to be accepted, based on header information of the input IP packet and a filtering condition corresponding to the input IP packet;
a destination selector for selecting one of the internal network and the decoy device as a destination of the input IP packet accepted and forwarded by the packet filter, based on the header information of the input IP packet and a distribution condition;
a confidence manager for managing confidence levels for source IP addresses of a plurality of input IP packets; and
a filtering condition manager for managing the filtering condition corresponding to the input IP packet forwarded to the decoy device depending on whether the attack detector detects an attack based on the input IP packet, wherein the destination selector obtains a confidence level for a source IP address of the input IP packet from the confidence manager and selects a destination of the input IP packet depending on whether the confidence level satisfies the distribution condition, the confidence level is calculated based on the header information of the input IP packet and an input history of previous input IP packets.
42. A program for implementing an attack defending system on a computer, the attack defending system including a decoy device and a firewall device, which are provided at an interface between an internal network and an external network, the program comprising:
a microprocessor programmed to execute;
preparing a set of filtering conditions and a distribution condition of IP packets;
holding confidence levels for source IP addresses of a plurality of input IP packets;
determining whether an input IP packet inputted from the external network is to be accepted, based on header information of the input IP packet and a filtering condition corresponding to the input IP packet;
selecting one of the internal network and the decoy device as a destination of the input IP packet accepted, based on whether the confidence level satisfies the distribution condition;
detecting presence or absence of an attack by executing a service process for the input IP packet forwarded to the decoy device; and
managing the filtering condition corresponding to the input IP packet forwarded to the decoy device depending on whether an attack is detected based on the input IP packet, wherein the confidence level is calculated based on the header information of the input IP packet and an input history of previous input IP packets.
43. A program for implementing an attack defending system on a computer, the attack defending system including a decoy device and a firewall device, which are provided at an interface between an internal network and an external network, the program comprising:
a microprocessor programmed to execute;
preparing a distribution condition of IP packets;
holding confidence levels for source IP addresses of a plurality of input IP packets;
selecting one of the internal network and the decoy device as a destination of the input IP packet depending on whether the confidence level satisfies the distribution condition, wherein the confidence level is calculated based on the header information of the input IP packet and an input history of previous input IP packets.
44. A program for implementing a firewall device on a computer, wherein the firewall is connected to a decoy device and is provided at an interface between an internal network and an external network, the program comprising:
a microprocessor programmed to execute;
preparing a set of filtering conditions and a distribution condition of IP packets;
holding confidence levels for source IP addresses of a plurality of input IP packets;
determining whether an input IP packet inputted from the external network is to be accepted, based on header information of the input IP packet and a filtering condition corresponding to the input IP packet;
selecting one of the internal network and the decoy device as a destination of the input IP packet accepted, based on whether the confidence level satisfies the distribution condition;
instructing the decoy device to detect presence or absence of an attack by executing a service process for the input IP packet forwarded to the decoy device; and
managing the filtering condition corresponding to the input IP packet forwarded to the decoy device depending on whether an attack is detected based on the input IP packet, wherein the confidence level is calculated based on the header information of the input IP packet and an input history of previous input IP packets.
45. An attack defending system provided at an interface between an internal network and an external network, comprising a decoy device and a firewall device, wherein the firewall device inputs an input IP packet from the external network and forwards it to one of the decoy device and the internal network, wherein the firewall device comprises:
a microprocessor programmed to execute;
a destination selector for selecting one of the internal network and the decoy device as a destination of the input IP packet, based on request data included in the input IP packet and a distribution condition; and
a confidence manager for managing a confidence level of request data, wherein the destination selector obtains a confidence level of the request data included in the input IP packet from the confidence manager and determines a destination of the input IP packet depending on whether the obtained confidence level of the request data included in the input IP packet satisfies the distribution condition, the confidence level is calculated based on the header information of the input IP packet and an input history of previous input IP packets.
(Dependent claims: 46 to 54.)
55. An attack defending method using a decoy device in a firewall device provided at an interface between an internal network and an external network, comprising:
preparing a set of filtering conditions and a distribution condition of IP packets;
holding confidence levels for source IP addresses of a plurality of input IP packets;
determining whether an input IP packet inputted from the external network is to be accepted, based on header information of the input IP packet and a filtering condition corresponding to the input IP packet;
selecting one of the internal network and the decoy device as a destination of the input IP packet accepted, based on whether the confidence level satisfies the distribution condition;
detecting presence or absence of an attack by executing a service process for the input IP packet forwarded to the decoy device; and
managing the filtering condition corresponding to the input IP packet forwarded to the decoy device depending on whether an attack is detected based on the input IP packet, wherein the confidence level is calculated based on the header information of the input IP packet and an input history of previous input IP packets.
56. A non-transitory computer readable recording medium with a computer program recorded thereon for implementing an attack detecting system on a computer, wherein the attack detecting system uses a decoy device and a firewall device provided at an interface between an internal network and an external network, the computer program executed by the computer comprising:
preparing a set of filtering conditions and a distribution condition of IP packets;
holding confidence levels for source IP addresses of a plurality of input IP packets;
determining whether an input IP packet inputted from the external network is to be accepted, based on header information of the input IP packet and a filtering condition corresponding to the input IP packet;
selecting one of the internal network and the decoy device as a destination of the input IP packet accepted, based on whether the confidence level satisfies the distribution condition;
detecting presence or absence of an attack by executing a service process for the input IP packet forwarded to the decoy device; and
managing the filtering condition corresponding to the input IP packet forwarded to the decoy device depending on whether an attack is detected based on the input IP packet, wherein the confidence level is calculated based on the header information of the input IP packet and an input history of previous input IP packets.
(Dependent claims: 57 to 59.)
60. An attack defending system provided at an interface between an internal network and an external network, comprising:
a firewall device comprising a programmed microprocessor;
a decoy device comprising a programmed microprocessor; and
at least one confidence management server comprising a programmed microprocessor, wherein the firewall device transmits a request message including at least a part of data of an input IP packet, to the at least one confidence management server, and the at least one confidence management server generates a confidence level for the input IP packet from data included in the request message in response to the request message, and transmits a response message including at least the confidence level back to the firewall device, the confidence level is calculated based on the header information of the input IP packet and an input history of previous input IP packets, the firewall device uses a destination selector for selecting one of the internal network and the decoy device as a destination of the input IP packet based on header information of the input IP packet and a distribution condition.
(Dependent claims: 61.)
62. A non-transitory computer readable recording medium with a computer program recorded thereon for implementing an attack detecting system on a computer, wherein the attack detecting system is provided at an interface between an internal network and an external network, the computer program executed by the computer comprising:
assigning at least one requisite confidence level to each of a plurality of decoy devices, which correspond to a server on the internal network;
holding a distribution condition used to distribute an IP packet based on the at least one requisite confidence level and confidence levels for a plurality of IP packets;
when an IP packet is inputted, obtaining a confidence level of the input IP packet; and
determining a decoy device having a requisite confidence level, which is not greater than the obtained confidence level, as a destination of the input IP packet, the confidence level is calculated based on the header information of the input IP packet and an input history of previous input IP packets.
63. An attack defending method in an attack defending system provided at an interface between an internal network and an external network, wherein the attack defending system comprises a firewall device, a decoy device, and at least one confidence management server, wherein the firewall device transmits a request message including at least a part of data of an input IP packet, to the at least one confidence management server, and the at least one confidence management server generates a confidence level for the input IP packet from data included in the request message in response to the request message, and transmits a response message including at least the confidence level back to the firewall device, the confidence level is calculated based on the header information of the input IP packet and an input history of previous input IP packets, the firewall device uses a destination selector for selecting one of the internal network and the decoy device as a destination of the input IP packet based on header information of the input IP packet and a distribution condition.
65. A non-transitory computer readable recording medium with a computer program recorded thereon for implementing an attack detecting system on a computer, wherein the attack detecting system is provided at an interface between an internal network and an external network, wherein the attack defending system comprises a firewall device, a decoy device, and at least one confidence management server, the computer program executed by the computer, comprising:
receiving a request message from the firewall device, wherein the request message includes at least a part of data of an input IP packet;
generating a confidence level for the input IP packet from data included in the request message in response to the request message; and
transmitting a response message including at least the confidence level back to the firewall device, the confidence level is calculated based on the header information of the input IP packet and an input history of previous input IP packets, the firewall device selecting one of the internal network and the decoy device as a destination of the input IP packet based on header information of the input IP packet and a distribution condition.
66. A non-transitory computer readable recording medium with a computer program recorded thereon for implementing an attack detecting system on a computer, wherein the attack detecting system is provided at an interface between an internal network and an external network, wherein the attack defending system comprises at least a decoy device, a firewall device and a confidence management server, the computer program executed by the computer comprising:
transmitting a request message from the firewall device to the confidence management server, wherein the request message includes at least a part of data of an input IP packet;
receiving a response message from the confidence management server, the response message including at least a confidence level of the input IP packet calculated from data included in the request message; and
selecting one of the internal network and the decoy device as a destination of the input IP packet depending on whether the confidence level of the input IP packet satisfies a predetermined distribution condition, the confidence level is calculated based on the header information of the input IP packet and an input history of previous input IP packets.