Method for detecting and preventing a DDoS attack using cloud computing, and server
Abstract
A method for detecting and preventing a Distributed Denial of Service (DDoS) attack in a cloud computing environment including a plurality of clients connected to a server. The method includes collecting, by the server, file deoxyribonucleic acid (DNA) extracted from a file currently being executed by each of the clients, together with traffic information about the network traffic caused by that file, from each client by using an agent that is installed in the client and that monitors the file currently being executed by the client. The method further includes analyzing, by the server, the risk level of a DDoS attack based on whether the file DNA of the file is malicious or unidentified and based on the traffic information, and sending a command related to whether to block the file to the client according to the analyzed risk level.
15 Claims
1. A method of detecting and preventing a Distributed Denial of Service (DDoS) attack in a cloud computing environment including a plurality of clients connected to a server, comprising:
- providing, by the server, an agent that is installed in a client and that monitors a file currently being executed by the client;
collecting, by the server, file deoxyribonucleic acid (DNA) extracted from a file currently being executed on each of the plurality of clients and traffic information about network traffic caused by the file, from each of the plurality of clients by using the agent;
analyzing, by the server, a risk level of a DDoS attack based on whether the file DNA of the file is malicious or unidentified and based on the traffic information;
sending a command related to whether to block the file to the client according to the analyzed risk level;
updating the agent based on a result of the analyzing; and
providing, by the server, the updated agent to the client, wherein said analyzing is configured such that: the server queries a file DNA statistics database, which stores file DNA statistical information obtained by analyzing file DNAs collected from the plurality of clients, about the file DNA of the file, and then classifies the file as a normal, malicious or unidentified file; and when the network traffic is greater than a preset DDoS threshold and the file is classified as a malicious file, an analysis unit analyzes the file as having a high risk level; and when the network traffic is greater than the preset DDoS threshold and the file is classified as an unidentified file, for which information about characteristics of the file is not stored in the DNA statistics database, the analysis unit analyzes the risk level of the file using statistical analysis of the file DNA of the file, wherein the statistical analysis is implemented such that:
when network traffic generated by an identical file or one or more unidentified files in the plurality of clients is greater than the preset DDoS threshold, or when amounts of network traffic generated for an identical destination in the plurality of clients are individually greater than the preset DDoS threshold, or when a number of clients that generate network traffic greater than the preset DDoS threshold, for an identical destination, among the plurality of clients is greater than a preset threshold number of DDoS clients, the file is analyzed as having a high risk level.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A server for detecting and preventing a Distributed Denial of Service (DDoS) attack, the server being connected to a plurality of clients and configured to detect and prevent the DDoS attack, comprising:
- an agent transmission unit for transmitting, to a client, an agent that is a monitoring program, the agent being installed on the client;
an information-collecting unit for collecting file deoxyribonucleic acid (DNA) extracted from a file currently being executed on each of the plurality of clients and traffic information about network traffic caused by the file from the client by using the agent that is a monitoring program installed on the client;
a file DNA statistics database for storing file DNA statistical information obtained by analyzing the file DNA collected from the client;an analysis unit for analyzing a risk level of a DDoS attack based on whether the file DNA of the file is malicious or unidentified and based on the traffic information, wherein the analysis unit queries the file DNA statistics database about the file DNA of the file; and
a command unit for sending a command related to whether to block the file to the client according to the analyzed risk level, wherein when the network traffic is greater than a preset DDoS threshold and the file is classified as a malicious file, the analysis unit analyzes the file as having a high risk level; and wherein when the network traffic is greater than the preset DDoS threshold and the file is classified as an unidentified file, for which information about characteristics of the file is not stored in the DNA statistics database, the analysis unit analyzes the risk level of the file using statistical analysis of the file DNA of the file; wherein the agent is updated based on the results of the analyzing by the analysis unit, wherein the updated agent is transmitted to the client by the agent transmission unit, and wherein the statistical analysis is configured such that:
when network traffic generated by an identical file or one or more unidentified files in the plurality of clients is greater than the preset DDoS threshold, or when amounts of network traffic generated for an identical destination in the plurality of clients are individually greater than the preset DDoS threshold, or when a number of clients that generate network traffic greater than the preset DDoS threshold, for an identical destination, among the plurality of clients is greater than a preset threshold number of DDoS clients, the file is analyzed as having a high risk level.
Dependent claims: 12, 13, 14, 15