Method for detecting and preventing a DDoS attack using cloud computing, and server

US 9,386,036 B2
Filed: 07/12/2010
Issued: 07/05/2016
Est. Priority Date: 07/23/2009
Status: Active Grant

First Claim

Patent Images

1. A method of detecting and preventing a Distributed Denial of Service (DDoS) attack in a cloud computing environment including a plurality of clients connected to a server, comprising:

providing, by the server, an agent that is installed in a client and that monitors a file currently being executed by the client;

collecting, by the server, file deoxyribonucleic acid (DNA) extracted from a file currently being executed on each of the plurality of clients and traffic information about network traffic caused by the file, from each of the plurality of clients by using the agent;

analyzing, by the server, a risk level of a DDoS attack based on whether the file DNA of the file is malicious or unidentified and based on the traffic information;

sending a command related to whether to block the file to the client according to the analyzed risk level;

updating the agent based on a result of the analyzing; and

providing, by the server, the updated agent to the client, wherein said analyzing is configured such that;

the server queries a file DNA statistics database, which stores file DNA statistical information obtained by analyzing file DNAs collected from the plurality of clients, about the file DNA of the file, and then classifies the file as a normal malicious or unidentified file, andwhen the network traffic is greater than a preset DDoS threshold and the file is classified as a malicious file, an analysis unit analyzes the file as having a high risk level, and when the network traffic is greater than the preset DDoS threshold and the file is classified as an unidentified file for which information about characteristics of the file is not stored in the DNA statistics database, the analysis unit analyzes the risk level of the file using statistical analysis of the file DNA of the file, and wherein the statistical analysis is implemented such that;

when network traffic generated by an identical file or one or more unidentified files in the plurality of clients is greater than the preset DDoS threshold, or when amounts of network traffic generated for an identical destination in the plurality of clients are individually greater than the preset DDoS threshold, or when a number of clients that generate network traffic greater than the preset DDoS threshold, for an identical destination, among the plurality of clients is greater than a preset threshold number of DDoS clients, the file is analyzed as having a high risk level.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detecting and preventing a Distributed Denial of Service (DDoS) attack in a cloud computing environment including a plurality of clients connected to a server, the method includes collecting, by the server, file deoxyribonucleic acid (DNA) extracted from a file currently being executed by each of the clients and traffic information about network traffic caused by the file, from each client by using an agent that is installed in the client and that monitors the file currently being executed by the client. Further, the method includes analyzing, by the server, a risk level of a DDoS attack based on whether the file DNA of the file is malicious or unidentified and based on the traffic information. Furthermore, the method includes sending a command related to whether to block the file to the client according to the analyzed risk level.

Citations

15 Claims

1. A method of detecting and preventing a Distributed Denial of Service (DDoS) attack in a cloud computing environment including a plurality of clients connected to a server, comprising:
- providing, by the server, an agent that is installed in a client and that monitors a file currently being executed by the client;
  
  collecting, by the server, file deoxyribonucleic acid (DNA) extracted from a file currently being executed on each of the plurality of clients and traffic information about network traffic caused by the file, from each of the plurality of clients by using the agent;
  
  analyzing, by the server, a risk level of a DDoS attack based on whether the file DNA of the file is malicious or unidentified and based on the traffic information;
  
  sending a command related to whether to block the file to the client according to the analyzed risk level;
  
  updating the agent based on a result of the analyzing; and
  
  providing, by the server, the updated agent to the client, wherein said analyzing is configured such that;
  
  the server queries a file DNA statistics database, which stores file DNA statistical information obtained by analyzing file DNAs collected from the plurality of clients, about the file DNA of the file, and then classifies the file as a normal malicious or unidentified file, andwhen the network traffic is greater than a preset DDoS threshold and the file is classified as a malicious file, an analysis unit analyzes the file as having a high risk level, and when the network traffic is greater than the preset DDoS threshold and the file is classified as an unidentified file for which information about characteristics of the file is not stored in the DNA statistics database, the analysis unit analyzes the risk level of the file using statistical analysis of the file DNA of the file, and wherein the statistical analysis is implemented such that;
  
  when network traffic generated by an identical file or one or more unidentified files in the plurality of clients is greater than the preset DDoS threshold, or when amounts of network traffic generated for an identical destination in the plurality of clients are individually greater than the preset DDoS threshold, or when a number of clients that generate network traffic greater than the preset DDoS threshold, for an identical destination, among the plurality of clients is greater than a preset threshold number of DDoS clients, the file is analyzed as having a high risk level.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein:
    - when the file DNA of the file is not present in the file DNA statistics database, the file DNA of the file is stored in the file DNA statistics database, the file DNA statistics database is queried for file DNA of associated files that are executed together when the file is executed, and when one or more of the associated files are classified as malicious files, the file is classified as a malicious file.
  - 3. The method of claim 1, wherein said sending a command is configured to send a command to continuously monitor the file to the client when the file is classified as an unidentified file.
  - 4. The method of claim 1, wherein one or more of the preset DDoS threshold and the preset threshold number of DDoS clients are determined based on results of statistical analysis of amounts of network traffic for respective previous destinations stored in the server.
  - 5. The method of claim 1, wherein the file DNA statistical information comprises:
    - results of statistical analysis of attribute information including one or more of a file name of a file corresponding to the file DNA collected from each of the plurality of clients, creation date of the file DNA, and a number of times the file is registered in a database, results of statistical analysis of association information including file DNAs of other files that are executed together with the file corresponding to the file DNA collected from the client, and results of statistical analysis of behavior information including one or more of file access, registry access, memory access, and network access performed by the file corresponding to the file DNA collected from the client.
  - 6. The method of claim 1, wherein the network traffic is determined to be an instantaneous measured value of the network traffic or a statistical value of the network traffic obtained for a preset period of time.
  - 7. The method of claim 1, wherein said sending a command is configured to send the command to block the file to the client if the file is analyzed as having a high risk level.
  - 8. The method of claim 7, wherein one or more of behavior of a program including the file, network behavior of a process of the file, and network behavior of a thread that is included in the process of the file and that generates traffic for the DDoS attack are designated as prevention targets.
  - 9. The method of claim 1, wherein:
    - the client receives a protection destination list related to destinations desired to be protected, from the server and stores the protection destination list, and when the network traffic is greater than the preset DDoS threshold, and a destination of the network traffic is included in the protection destination list, the client blocks the file.
  - 10. The method of claim 1, wherein the server requests the client to transmit the traffic information when the network traffic is greater than the preset DDoS threshold.

11. A server for detecting and preventing a Distributed Denial of Service (DDoS) attack, the server being connected to a plurality of clients and configured to detect and prevent the DDoS attack, comprising:
- an agent transmission unit for transmitting, to a client, an agent that is a monitoring program, the agent being installed on the client;
  
  an information-collecting unit for collecting file deoxyribonucleic acid (DNA) extracted from a file currently being executed on each of the plurality of clients and traffic information about network traffic caused by the file from the client by using the agent that is a monitoring program installed on the client;
  
  a file DNA statistics database for storing file DNA statistical information obtained by analyzing the file DNA collected from the client;
  
  an analysis unit for analyzing a risk level of a DDoS attack based on whether the file DNA of the file is malicious or unidentified and based on the traffic information, wherein the analysis unit queries the file DNA statistics database about the file DNA of the file; and
  
  a command unit for sending a command related to whether to block the file to the client according to the analyzed risk level,wherein when the network traffic is greater than a preset DDoS threshold and the file is classified as a malicious file, the analysis unit analyzes the file as having a high risk level, and wherein when the network traffic is greater than the preset DDoS threshold and the file is classified as an unidentified file for which information about characteristics of the file is not stored in the DNA statistics database, the analysis unit analyzes the risk level of the file using statistical analysis of the file DNA of the file, wherein the agent is updated based on the results of analyzing by the analysis unit, wherein the updated agent is transmitted to the client by the agent transmission unit, and wherein the statistical analysis is configured such that;
  
  when network traffic generated by an identical file or one or more unidentified files in the plurality of clients is greater than the preset DDoS threshold, or when amounts of network traffic generated for an identical destination in the plurality of clients are individually greater than the preset DDoS threshold, or when a number of clients that generate network traffic greater than the preset DDoS threshold, for an identical destination, among the plurality of clients is greater than a preset threshold number of DDoS clients, the file is analyzed as having a high risk level.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The server of claim 11, wherein the analysis unit is configured such that if when the file DNA of the file is not present in the file DNA statistics database:
    - the analysis unit stores the file DNA of the file in the file DNA statistics database, the analysis unit queries the file DNA statistics database about file DNA of associated files that are executed together when the file is executed, and the analysis unit classifies the file as a malicious file when one or more of the associated files are classified as malicious files.
  - 13. The server of claim 11, further comprising a traffic statistics database for storing traffic statistical information including a subject causing the network traffic collected from the plurality of clients, a destination of the network traffic, and an amount of network traffic.
  - 14. The server of claim 11, further comprising:
    - an agent storage unit for storing the agent.
  - 15. The server of claim 11, further comprising a protection destination database for storing a protection destination list related to destinations desired to be protected against the DDoS attack, wherein the agent causes the client to block the file when the network traffic is greater than the preset DDoS threshold and a destination of the network traffic is included in the protection destination list.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ahnlab Incorporated
Original Assignee
Ahnlab Incorporated
Inventors
Kim, Jeong Hun, Kim, Sung Hyun
Primary Examiner(s)
Abyaneh, Ali
Assistant Examiner(s)
DE JESUS LASSAIA, CARLOS MANUEL

Application Number

US13/386,516
Publication Number

US 20120124666A1
Time in Patent Office

2,185 Days
Field of Search

726 22- 25
US Class Current

1/1
CPC Class Codes

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

Method for detecting and preventing a DDoS attack using cloud computing, and server

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method for detecting and preventing a DDoS attack using cloud computing, and server

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links