
Method for detecting and preventing a DDoS attack using cloud computing, and server

  • US 9,386,036 B2
  • Filed: 07/12/2010
  • Issued: 07/05/2016
  • Est. Priority Date: 07/23/2009
  • Status: Active Grant
First Claim

1. A method of detecting and preventing a Distributed Denial of Service (DDoS) attack in a cloud computing environment including a plurality of clients connected to a server, comprising:

  • providing, by the server, an agent that is installed in a client and that monitors a file currently being executed by the client;

    collecting, by the server, file deoxyribonucleic acid (DNA) extracted from a file currently being executed on each of the plurality of clients and traffic information about network traffic caused by the file, from each of the plurality of clients by using the agent;

    analyzing, by the server, a risk level of a DDoS attack based on whether the file DNA of the file is malicious or unidentified and based on the traffic information;

    sending a command related to whether to block the file to the client according to the analyzed risk level;

    updating the agent based on a result of the analyzing; and

    providing, by the server, the updated agent to the client, wherein said analyzing is configured such that;

    the server queries a file DNA statistics database, which stores file DNA statistical information obtained by analyzing file DNAs collected from the plurality of clients, about the file DNA of the file, and then classifies the file as a normal, malicious or unidentified file, and

    when the network traffic is greater than a preset DDoS threshold and the file is classified as a malicious file, an analysis unit analyzes the file as having a high risk level, and when the network traffic is greater than the preset DDoS threshold and the file is classified as an unidentified file for which information about characteristics of the file is not stored in the DNA statistics database, the analysis unit analyzes the risk level of the file using statistical analysis of the file DNA of the file, and wherein the statistical analysis is implemented such that;

    when network traffic generated by an identical file or one or more unidentified files in the plurality of clients is greater than the preset DDoS threshold, or when amounts of network traffic generated for an identical destination in the plurality of clients are individually greater than the preset DDoS threshold, or when a number of clients that generate network traffic greater than the preset DDoS threshold, for an identical destination, among the plurality of clients is greater than a preset threshold number of DDoS clients, the file is analyzed as having a high risk level.
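
The two-stage analysis recited above (database classification, then the three statistical conditions for unidentified files) can be sketched as follows. This is an added illustration, not code from the patent or its assignee. The record fields, the traffic unit, the "low" label and the exact reading of each of the three conditions are assumptions, and all sample data is constructed.

```python
from collections import defaultdict
from typing import NamedTuple

class Report(NamedTuple):      # one agent report (field names are assumptions)
    client: str
    file_dna: str
    dest: str
    traffic: int               # unit is an assumption, e.g. packets per second

def analyze(reports, stats_db, ddos_threshold, max_ddos_clients):
    """Return {file_dna: "high" | "low"} following the two analysis stages of claim 1."""
    over_by_dna = defaultdict(set)   # file DNA -> clients exceeding the threshold
    by_dest = defaultdict(dict)      # destination -> {client: peak traffic}
    for r in reports:
        by_dest[r.dest][r.client] = max(by_dest[r.dest].get(r.client, 0), r.traffic)
        if r.traffic > ddos_threshold:
            over_by_dna[r.file_dna].add(r.client)
    verdicts = {}
    for r in reports:
        label = stats_db.get(r.file_dna, "unidentified")
        verdicts.setdefault(r.file_dna, "low")
        if r.traffic <= ddos_threshold or label == "normal":
            continue                 # the claim assigns no high risk here
        if label == "malicious":
            verdicts[r.file_dna] = "high"
            continue
        # Unidentified file: the three statistical conditions (one reading of them).
        peaks = by_dest[r.dest]
        over = [c for c, t in peaks.items() if t > ddos_threshold]
        same_file = len(over_by_dna[r.file_dna]) > 1           # identical file, several clients
        all_over = len(peaks) > 1 and len(over) == len(peaks)  # each client over, same destination
        many = len(over) > max_ddos_clients                    # count of over-threshold clients
        if same_file or all_over or many:
            verdicts[r.file_dna] = "high"
    return verdicts

# Constructed sample data; addresses are from documentation ranges.
STATS_DB = {"dna-browser": "normal", "dna-bot": "malicious"}
REPORTS = [
    Report("c1", "dna-browser", "192.0.2.10", 5000),
    Report("c2", "dna-bot", "192.0.2.20", 1500),
    Report("c3", "dna-x", "192.0.2.30", 2000),
    Report("c4", "dna-x", "192.0.2.30", 3000),
    Report("c5", "dna-y", "192.0.2.40", 1200),
    Report("c1", "dna-browser", "192.0.2.40", 50),
    Report("c6", "dna-z1", "192.0.2.50", 1100),
    Report("c7", "dna-z2", "192.0.2.50", 1100),
    Report("c8", "dna-z3", "192.0.2.50", 1100),
    Report("c1", "dna-browser", "192.0.2.50", 20),
]
RESULT = analyze(REPORTS, STATS_DB, ddos_threshold=1000, max_ddos_clients=2)
```

In the sample, `dna-y` exceeds the threshold on a single client only and stays "low", while `dna-z1` to `dna-z3` are flagged solely because more than two clients exceed the threshold toward the same destination.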
