
Method and apparatus for tracing attack source of abnormal network traffic

  • US 9,729,559 B2
  • Filed: 11/22/2012
  • Issued: 08/08/2017
  • Est. Priority Date: 12/07/2011
  • Status: Active Grant
First Claim

1. A method for tracing an attack source in the case of abnormal network traffic, which is characterized in comprising steps of:

  • from one or more network nodes of an attack link, selecting any or multiple said network nodes as one or more tracing start points, where said attack link is a communication link between an attacked target and an attack source; and

    according to one or more said tracing start points, identifying one or more higher-level network nodes of said attack link stepwise until a final attack source is confirmed;

    wherein any or multiple said network nodes are selected as one or more tracing start points, which comprises steps of:

    acquiring the data packet payload via one or more port of a network node in said attack link according to a preset period; and

    determining said tracing start point according to the data packet payload collected currently and that collected in last said preset period;

    wherein said data packet payload is the average for each data packet payload in said preset period;

    wherein said average for each data packet payload in a preset period is determined through the following formula: average for each data packet payload in a preset period = Average bandwidth in a preset period / Total quantity of data packets in a preset period;

    wherein in the case of multiple said higher-level network nodes, the method further comprises:

    discriminating the multiple higher-level network nodes according to the matching degree with said attack link, wherein said matching degree is used to indicate the level of similarity between said average for each data packet payload via one or more tracing start points in a preset period and different averages for each data packet payload via multiple said higher-level network nodes in a preset period;

    wherein the step determining said tracing start point according to the data packet payload collected currently and that collected in last said preset period specifically comprises:

    determining a fingerprint of the flow via the port(s) of said network node(s) of an attack link according to the data packet payload collected currently and that collected in last said preset period, wherein said flow fingerprint is calculated with the formula as follows:

    Flow fingerprint = [1 − (ΔP / ΔBP)] × 100%, ΔP = P0 − (P−1), ΔBP = BP0 − (BP−1),

    wherein P0 indicates current data; (P−1) indicates the data in last period of current preset period; BP0 indicates the data at same moment yesterday; (BP−1) indicates the data yesterday in the period one earlier to current preset period;

    wherein in the case that said flow fingerprint does not reach a preset threshold value, the network node corresponding to said flow fingerprint is used as a tracing start point;

    wherein the higher-level network node(s) of said attack link is identified stepwise according to said one or more tracing start points, which comprises:

    acquiring the increment of incoming flow to said one or more tracing start points and the increment of outgoing flow from said one or more higher-level network nodes, wherein:

    said increment of incoming flow is the increased flow in the case that the network traffic received by said one or more tracing starting points is abnormal compared to normal network traffic and said increment of outgoing flow is the increased network flow in the case that the network traffic transmitted from said one or more higher-level network nodes is abnormal compared to normal network traffic;

    determining of said one or more higher-level nodes as one or more new tracing start points according to the ratio between said increment of incoming flow and said increment of outgoing flow; and

    determining stepwise of one or more higher-level network nodes of said one or more new tracing start points of said attack link according to said one or more new tracing start points; and

    wherein the following method is employed to confirm a final attack source:

    when the quantity of one or more higher-level network nodes is 0, the one or more network nodes in the next level lower to said one or more higher-level network nodes is determined as a final attack source.
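The claim above describes a complete procedure: compute the average payload per packet for a period, derive the flow fingerprint from the current and previous period today and the same two periods yesterday, select the nodes whose fingerprint does not reach the threshold as tracing start points, and then walk the attack link upward by comparing flow increments (using payload matching degree when several higher-level nodes qualify) until no higher-level node is left. The following is an added example that implements that procedure on a small constructed topology; it is not code from the patent. The node names, all traffic figures, the thresholds, the matching-degree metric, and the handling of a zero ΔBP denominator are assumptions made for this example.

```python
"""Attack-source tracing on a constructed topology (added example, not the
patent's own code). It implements the operations the claim describes:
average payload per packet, the flow fingerprint, start-point selection,
and stepwise identification of higher-level nodes by the ratio of flow
increments with payload matching degree as the tie-breaker. Node names,
sample figures, thresholds and the zero-denominator rule are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def average_payload(bandwidth_bytes: float, packet_count: int) -> float:
    """Average payload per packet in a period = bandwidth / number of packets."""
    return bandwidth_bytes / packet_count if packet_count > 0 else 0.0


def flow_fingerprint(p0: float, p_prev: float, bp0: float, bp_prev: float) -> float:
    """Flow fingerprint = [1 - (dP / dBP)] x 100 %.

    p0 / p_prev: average payload in the current and previous period today;
    bp0 / bp_prev: the same two periods yesterday. Traffic that follows its
    daily pattern gives dP ~= dBP and a fingerprint near 0 %; a surge today
    that did not occur yesterday pushes it far below 0 %.
    Assumption: dBP == 0 with dP != 0 is treated as an unbounded deviation.
    """
    d_p, d_bp = p0 - p_prev, bp0 - bp_prev
    if d_bp == 0:
        return 0.0 if d_p == 0 else float("-inf")
    return (1 - d_p / d_bp) * 100.0


# (bandwidth_bytes, packets) for: today now, today previous period,
# yesterday same period, yesterday previous period.
PeriodSamples = Tuple[Tuple[float, int], Tuple[float, int], Tuple[float, int], Tuple[float, int]]


def select_start_points(samples: Dict[str, PeriodSamples], threshold: float) -> List[str]:
    """Nodes whose fingerprint does not reach the threshold become tracing start points.
    The threshold is negative here because a payload surge (dP >> dBP > 0) drives the
    fingerprint negative; its sign and size are an assumption of this example."""
    starts = []
    for name, (now, prev, y_now, y_prev) in samples.items():
        fp = flow_fingerprint(average_payload(*now), average_payload(*prev),
                              average_payload(*y_now), average_payload(*y_prev))
        if fp < threshold:
            starts.append(name)
    return starts


@dataclass
class Node:
    name: str
    avg_payload: float          # average payload per packet, current period
    incoming_increment: float   # inbound flow above normal during the anomaly
    outgoing_increment: float   # outbound flow above normal during the anomaly
    upstream: List[str] = field(default_factory=list)  # candidate higher-level nodes


def matching_degree(a: float, b: float) -> float:
    """Similarity of two average payloads in [0, 1]; 1 means identical (assumed metric)."""
    return 1.0 if a == b else 1.0 - abs(a - b) / max(abs(a), abs(b))


def next_start_point(nodes: Dict[str, Node], current: str, min_ratio: float) -> Optional[str]:
    """Higher-level node whose outgoing increment explains at least min_ratio of the
    current node's incoming increment; several candidates are discriminated by the
    matching degree of their average payload with the current node's."""
    cur = nodes[current]
    if cur.incoming_increment <= 0:
        return None
    candidates = [n for n in cur.upstream
                  if nodes[n].outgoing_increment / cur.incoming_increment >= min_ratio]
    if not candidates:
        return None
    return max(candidates, key=lambda n: matching_degree(cur.avg_payload, nodes[n].avg_payload))


def trace_attack_source(nodes: Dict[str, Node], start: str, min_ratio: float = 0.5) -> Tuple[str, List[str]]:
    """Walk the attack link upward until no higher-level node qualifies; the last node
    reached is reported as the final attack source. Returns (source, path)."""
    path, current = [start], start
    while True:
        nxt = next_start_point(nodes, current, min_ratio)
        if nxt is None or nxt in path:  # quantity of higher-level nodes is 0 (or a loop)
            return current, path
        path.append(nxt)
        current = nxt


def build_sample_topology() -> Dict[str, Node]:
    """Constructed attack link: V (attacked target) <- R1 <- A; R2 and B carry normal traffic."""
    nodes = [
        Node("V", 1200.0, incoming_increment=1000.0, outgoing_increment=0.0, upstream=["R1", "R2"]),
        Node("R1", 1180.0, incoming_increment=880.0, outgoing_increment=900.0, upstream=["A", "B"]),
        Node("R2", 600.0, incoming_increment=90.0, outgoing_increment=100.0),
        Node("A", 1190.0, incoming_increment=0.0, outgoing_increment=850.0),
        Node("B", 400.0, incoming_increment=0.0, outgoing_increment=20.0),
    ]
    return {n.name: n for n in nodes}


SAMPLE_PERIODS: Dict[str, PeriodSamples] = {  # constructed port measurements
    "V": ((12_000_000, 10_000), (8_000_000, 10_000), (8_100_000, 10_000), (8_000_000, 10_000)),
    "R2": ((6_000_000, 10_000), (5_900_000, 10_000), (6_050_000, 10_000), (5_950_000, 10_000)),
}

if __name__ == "__main__":
    for s in select_start_points(SAMPLE_PERIODS, threshold=-500.0):
        source, path = trace_attack_source(build_sample_topology(), s)
        print(f"start {s}: path {' -> '.join(path)}, final attack source {source}")
```

With the constructed figures, V's average payload jumps from 800 to 1200 bytes today while yesterday it moved only from 800 to 810, giving a fingerprint of −3900 % and making V the tracing start point; R2's fingerprint is 0 % and it is ignored. From V, R1 is the only upstream node whose outgoing increment covers at least half of V's incoming increment, and from R1 the same test selects A over B; A has no higher-level node, so it is reported as the final attack source. In a real deployment the increments and payload averages would come from per-port counters sampled at the preset period, and the ratio and fingerprint thresholds would be tuned against the network's normal daily variation.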
