CN113055405B - DNS bypass answering device identification and tracing method - Google Patents

Publication number: CN113055405B
Authority: CN (China)
Legal status: Active
Application number: CN202110382941.6A
Other languages: Chinese (zh)
Other versions: CN113055405A (en)
Inventors: 张兆心, 赵东, 谢远成, 李宁
Current Assignee: Harbin Institute of Technology Weihai
Original Assignee: Harbin Institute of Technology Weihai
Prior art keywords: dns, dns server, bypass, response message, terminal host

Classifications

    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1433 Vulnerability analysis
    • H04L2463/146 Tracing the source of attacks


Abstract

The invention provides a method for identifying and tracing DNS bypass answering devices, comprising: monitoring the DNS server configuration of a terminal host and performing low-frequency persistent measurement on the DNS server to learn its routing characteristics; and performing a TTL length check on the DNS server messages received by the terminal host and processing abnormal replies. The method addresses the technical problems that existing protection against DNS preemptive answering is passive and leaves significant security risks, and that existing active protection techniques cannot recognize an operator's friendly DNS answering device, cannot identify long-term penetration attacks by hackers, cannot trace the point at which the attack occurs, and make it difficult to repair the router vulnerability. The invention can be widely applied to defense against DNS preemptive answering.

Description

DNS bypass answering device identification and tracing method
Technical Field
The invention relates to network security technology, and in particular to a method, based on distance measurement and suitable for the client side (C end), for identifying and tracing DNS bypass answering devices.
Background
DNS is the entry point to the Internet, and DNS requests occur in the first stage of a user's access to the Internet. Under normal conditions, a user terminal should use the official DNS provided by its ISP (Internet service provider): the official DNS server performs domain name resolution and sends the result to the user, who accesses network resources according to that result. Under special conditions, however, a hacker can use technical means to gain illegal access to the routing link over which the user reaches the DNS, obtain the user's traffic through a mirror port, extract the user's DNS request message, and forge a DNS reply that arrives ahead of the genuine one (DNS preemptive answering). This induces the user to access the wrong network resources, and can further lead the user to a phishing website for fraud or to implant Trojan files, achieving a penetration attack on the user's host.
DNS preemptive answering is mainly implemented in two ways, serial (in-line) answering and bypass answering, which obtain the user's DNS request traffic by accessing the routing link and by mirror-port forwarding respectively, extract information such as the DNS server IP and the domain name to be resolved, and forge a DNS reply to answer first. Because serial access to a routing link is difficult and the protection of public DNS servers keeps improving, hackers more often choose the bypass mode: they monitor the user's DNS requests over the long term through traffic analysis and forge reply messages in a targeted manner.
Most existing protection mechanisms against DNS preemptive answering are passive: an alarm is raised only after the user has accessed the wrong resources, by which time the attack has usually already been completed, so a security risk remains. Existing active defense methods have several problems: if the operator's friendly DNS cannot be recognized, the user's network access quality is greatly affected; long-term penetration attacks by hackers cannot be identified; and the existing protection mechanisms cannot trace the point at which the attack occurs, which makes it difficult to repair the router vulnerability.
Disclosure of Invention
The invention provides a method for identifying and tracing DNS bypass answering devices that is suitable for the client side (C end): based on distance measurement, it identifies illegal bypass devices that preemptively answer DNS, traces the path to the bypass device, and finds the route with abnormal traffic.
To this end, the technical solution of the invention is a method for identifying and tracing DNS bypass answering devices, with the following specific steps:
1.1) monitoring the DNS server configuration of the terminal host, performing low-frequency persistent measurement on the DNS server, and learning the routing characteristics of the DNS server;
1.2) performing a TTL length check on the DNS server messages received by the terminal host, and rejecting out-of-specification replies.
Preferably, the specific implementation steps are as follows:
2.1) taking the default DNS server configured on the terminal host as the target DNS server and obtaining the IP address of the target DNS server;
2.2) obtaining the path length between the third-party trusted source and the target DNS server;
2.3) querying the response TTL value by sending a DNS request message from the third-party trusted source to the target DNS server and, after the response message of the target DNS server is received, extracting the response TTL value from it;
2.4) obtaining the system default response message TTL value of the target DNS server;
2.5) measuring the distance from the terminal host to the target DNS server to obtain the actual distance s;
2.6) sending the same DNS request message from the terminal host to the target DNS server and, after the DNS response message is obtained, extracting the TTL' value from it;
2.7) subtracting the TTL' value of the response message from the system default response message TTL value of the DNS server to obtain the theoretical distance s' between the terminal host and the target DNS server;
2.8) comparing the DNS response messages sent by the target DNS server to the third-party trusted source library and to the terminal host: if the reply contents of the response messages differ, DNS hijacking may exist; the terminal host intercepts the untrusted DNS reply message and sends an anomaly report to the client;
2.9) judging whether a bypass answering device exists by calculating the difference between the actual distance s from the terminal host to the DNS server and the theoretical distance s';
2.10) when a bypass answering device exists, judging whether it is an official answering device or an illegal answering device: if it is an official answering device, going to step 2.11); if it is an illegal answering device, going to step 2.12);
2.11) giving a trust evaluation to the bypass answering device;
2.12) intercepting the DNS response message sent by the bypass answering device, and tracing the bypass answering device;
2.13) flagging the traced illegal bypass answering device as an abnormal traffic-hijacking router, and sending an anomaly report to the client.
Preferably, traceroute active probing is performed from the third-party trusted source towards the target DNS server to obtain the path length between the third-party trusted source and the target DNS server.
Preferably, the obtained response TTL value is summed with the path length obtained by active probing to obtain the system default response message TTL value of the target DNS server.
Preferably, when the distance between the terminal host and the target DNS server is measured, ICMP messages are used for the actual measurement to obtain the actual distance s.
Preferably, the specific method for judging whether a bypass answering device exists is as follows:
6.1) calculating the difference ΔS between the actual distance s from the terminal host to the DNS server and the theoretical distance s';
6.2) when ΔS is less than or equal to two hops, judging that the DNS server's answer has not been preempted and the DNS service is normal; when ΔS is more than two hops, judging that a bypass device is preemptively answering DNS.
Preferably, the method for judging whether the bypass answering device is an official answering device or an illegal answering device is: comparing the DNS response message received by the terminal host with the DNS response message received by the third-party trusted source; if the contents are the same, the bypass device is an official answering device set up by the operator; if the message contents differ, the bypass device is judged to be an illegal answering device.
Preferably, tracing the illegal bypass answering device comprises the following specific steps: sending request messages from the terminal host to the target DNS server with the TTL value increased hop by hop, starting from TTL = 1; when a DNS response message is received, recording the TTL value and flagging the router at that hop as an abnormal traffic-hijacking router; and sending the received DNS response message together with the recorded TTL value to the client as the content of the anomaly report for further processing.
The invention has the beneficial effects that:
(1) low-frequency persistent measurement of the DNS server can effectively defend against long-term penetration attacks by hackers and prevent events such as cache pollution;
(2) traceroute active probing is performed from the third-party trusted source towards the target DNS server to obtain the path length between them, which avoids the mechanisms by which some DNS servers shield or mislead ICMP messages and makes the obtained path distance more reliable;
(3) active defense at the client side (C end) effectively addresses the security risk of passive defense methods, where the attack still succeeds even though an alarm is raised; at the same time, the method can distinguish in a friendly manner whether a bypass answering device belongs to the operator or is an illegal answering device, reducing the impact on the user's network access quality;
(4) when a device is judged to be an illegal answering device, the protection mechanism of the invention can trace the point at which the hacker's attack occurs and remind the user to repair the router vulnerability in time.
Drawings
FIG. 1 is a schematic flow chart of an embodiment of the present invention.
Detailed Description
The present invention will be further described with reference to the following examples.
As shown in FIG. 1, the method for identifying and tracing DNS bypass answering devices mainly consists of monitoring the DNS server configuration of the terminal machine, performing low-frequency persistent measurement on the DNS server so that the routing characteristics of the DNS are known, performing a TTL length check on the DNS messages the machine receives, and removing out-of-specification replies, thereby ensuring the security of the terminal host. The specific implementation steps are as follows:
(1) Take the default DNS server configured on the terminal host as the target DNS server and obtain the IP address of the target DNS server.
(2) Perform traceroute active probing from the third-party trusted source towards the target DNS server to obtain the path length between the third-party trusted source and the target DNS server.
Some DNS servers shield or mislead ICMP messages; for example, the TTL of returned PING reply messages is inconsistent. To ensure that the obtained path distance is reliable, a DNS request message is sent to perform the path trace, giving the path length between the third-party trusted source and the target DNS server.
(3) Query the response TTL value by sending a DNS request message from the third-party trusted source to the target DNS server. After the response message of the target DNS is received, extract the response TTL value from it.
(4) Sum the obtained response TTL value and the path length obtained by active probing to obtain the system default response message TTL value of the target DNS server.
(5) After the system default response message TTL value of the target DNS server has been obtained, measure the distance from the terminal host to the target DNS server to obtain the actual distance s.
To guard against a bypass answering device in the path, no DNS request message is sent when the distance between the terminal host and the target DNS server is actively probed; ICMP and other messages are used for the actual measurement to obtain the actual distance s. Because the active probe runs from the terminal host to the target DNS server, and that path may not be the same as the reverse path from the target DNS server to the terminal host, the measured path length may differ from the actual return path length by one to two hops.
(6) Send the same DNS request message from the terminal host to the target DNS server and, after the DNS response message is obtained, extract the TTL' value from it.
(7) Subtract the TTL' value of the response message from the system default response message TTL value of the DNS server to obtain the theoretical distance s' between the terminal host and the target DNS server.
(8) Compare the DNS response messages sent by the target DNS server to the third-party trusted source library and to the terminal host. If the reply contents of the response messages differ, DNS hijacking may exist; the terminal host intercepts the untrusted DNS reply message and sends an anomaly report to the client.
(9) Identify whether a bypass device is present:
The actual distance s from the terminal host to the DNS server is compared with the theoretical distance s'. To ensure that its preemptive answer succeeds, a bypass answering device usually attaches at a point close to the user's machine, so the difference between the actual distance s and the theoretical distance s' is large, typically several hops or even more than ten. The difference between s and s' is therefore calculated: if it is within a given trusted range, the DNS server's answer has not been preempted and the DNS service is normal. If the difference is not within the trusted range, a bypass device is preemptively answering DNS.
(10) In that case, the DNS response message received by the terminal host is compared with the DNS response message received by the third-party trusted source. If the contents are the same, the bypass device is an official answering device set up by the operator, and it is given a trust evaluation. If the message contents differ, the bypass device is judged to be a possibly malicious answering device and the response message it sent is untrusted; the DNS response message sent by the bypass device must be intercepted, and the bypass answering device is traced.
(11) Send request messages from the terminal host to the target DNS server with the TTL value increased hop by hop, starting from TTL = 1; when a DNS response message is received, record the TTL value and flag the router at that hop as an abnormal traffic-hijacking router. The received DNS response message and the recorded TTL value are sent together to the client as the content of the anomaly report for further processing.
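The decision logic of steps (2) to (11), worked through on sample measurements, as an added example that is not part of the patent text. The hop counts, TTLs and addresses are constructed, the function names and verdict labels are hypothetical, the probe is a simulation standing in for live measurement, and taking the absolute value of the distance difference is an assumption (the text says only "difference").

```python
from dataclasses import dataclass, replace
from typing import Callable, FrozenSet, Optional, Tuple

HOP_TOLERANCE = 2  # the page's threshold: a difference of up to two hops is normal


@dataclass(frozen=True)
class Measurements:
    trusted_path_len: int            # step (2): hops, trusted source -> DNS server
    trusted_reply_ttl: int           # step (3): IP TTL of the reply at the trusted source
    trusted_answers: FrozenSet[str]  # records in the reply the trusted source received
    actual_distance: int             # step (5): s, hops measured from the host with ICMP
    host_reply_ttl: int              # step (6): TTL' of the reply the host received
    host_answers: FrozenSet[str]     # records in the reply the host received


def server_default_ttl(m: Measurements) -> int:
    """Step (4): reply TTL seen at the trusted source plus the hops it travelled."""
    return m.trusted_reply_ttl + m.trusted_path_len


def theoretical_distance(m: Measurements) -> int:
    """Step (7): s' = server default TTL minus TTL' seen at the terminal host."""
    return server_default_ttl(m) - m.host_reply_ttl


def classify(m: Measurements) -> str:
    """Steps (8)-(10). Verdict labels are hypothetical names for the page's outcomes."""
    # Assumption: absolute difference; the page says only "difference".
    delta = abs(m.actual_distance - theoretical_distance(m))
    same_content = m.host_answers == m.trusted_answers
    if delta <= HOP_TOLERANCE:
        return "normal" if same_content else "possible-hijack"
    return "operator-bypass" if same_content else "illegal-bypass"


Probe = Callable[[int], Optional[str]]  # request TTL -> reply content, or None


def trace_answering_hop(probe: Probe, max_ttl: int = 30) -> Optional[Tuple[int, str]]:
    """Step (11): raise the request TTL from 1 and stop at the first DNS reply."""
    for ttl in range(1, max_ttl + 1):
        reply = probe(ttl)
        if reply is not None:
            return ttl, reply
    return None


def simulated_path(server_hop: int, genuine: str,
                   injector_hop: Optional[int] = None, forged: str = "") -> Probe:
    """Constructed stand-in for live probing: a request is answered once its TTL
    reaches the injector's hop (if any), otherwise once it reaches the server."""
    def probe(ttl: int) -> Optional[str]:
        if injector_hop is not None and ttl >= injector_hop:
            return forged
        return genuine if ttl >= server_hop else None
    return probe


def evaluate(m: Measurements, probe: Probe) -> dict:
    """Build the anomaly report; trace only when the verdict is illegal-bypass."""
    report = {"verdict": classify(m), "s": m.actual_distance,
              "s_theoretical": theoretical_distance(m)}
    if report["verdict"] == "illegal-bypass":
        hit = trace_answering_hop(probe)
        if hit is not None:
            report["suspect_hop"], report["reply"] = hit
    return report


# Constructed sample data (documentation addresses, hypothetical hop counts).
GENUINE = frozenset({"example.com A 192.0.2.10"})
FORGED = frozenset({"example.com A 203.0.113.66"})
CLEAN = Measurements(trusted_path_len=9, trusted_reply_ttl=55, trusted_answers=GENUINE,
                     actual_distance=12, host_reply_ttl=53, host_answers=GENUINE)
# A reply injected 3 hops from the host (assumed to start at TTL 64 as well)
# arrives with TTL' = 61, so s' = 3 while s = 12.
INJECTED = replace(CLEAN, host_reply_ttl=61, host_answers=FORGED)
OPERATOR = replace(CLEAN, host_reply_ttl=61)  # same distance gap, same content

if __name__ == "__main__":
    path = simulated_path(12, "192.0.2.10", injector_hop=3, forged="203.0.113.66")
    for name, m in (("clean", CLEAN), ("injected", INJECTED), ("operator", OPERATOR)):
        print(name, evaluate(m, path))
```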
Active defense at the client side (C end) effectively addresses the security risk of passive defense methods, where the attack still succeeds even though an alarm is raised. At the same time, the invention can distinguish in a friendly manner whether a bypass answering device belongs to the operator or is a malicious answering device, reducing the impact on the user's network access quality. Low-frequency persistent measurement of the DNS server can also effectively defend against long-term penetration attacks by hackers and prevent events such as cache pollution. When a device is judged to be a malicious answering device, the protection mechanism can also trace the point at which the hacker's attack occurs and remind the user to repair the router vulnerability in time.
The above description is only an exemplary embodiment of the present invention and does not limit its scope; replacement with equivalent components, and equivalent changes and modifications made within the scope of protection of the present invention, are covered by the claims of the present invention.

Claims (6)

1. A method for identifying and tracing DNS bypass answering devices, in which the DNS server configuration of a terminal host is monitored, low-frequency persistent measurement is performed on the DNS server to obtain the routing characteristics of the DNS server, a TTL length check is performed on the DNS server messages received by the terminal host, and non-standard replies are processed, the method comprising the following specific steps:
1.1) identifying the DNS bypass answering device:
1.1.1) taking the default DNS server configured on the terminal host as the target DNS server and obtaining the IP address of the target DNS server;
1.1.2) obtaining the path length between a third-party trusted source and the target DNS server;
1.1.3) querying the response TTL value by sending a DNS request message from the third-party trusted source to the target DNS server and, after the response message of the target DNS server is received, extracting the response TTL value from it;
1.1.4) obtaining the system default response message TTL value of the target DNS server;
1.1.5) measuring the distance from the terminal host to the target DNS server to obtain the actual distance s;
1.1.6) sending the same DNS request message from the terminal host to the target DNS server and, after the DNS response message is obtained, extracting the TTL' value from it;
1.1.7) subtracting the TTL' value of the response message from the system default response message TTL value of the DNS server to obtain the theoretical distance s' between the terminal host and the target DNS server;
1.1.8) comparing the DNS response messages sent by the target DNS server to the third-party trusted source library and to the terminal host: if the reply contents of the response messages differ, DNS hijacking may exist; the terminal host intercepts the untrusted DNS reply message and sends an anomaly report to the client;
1.1.9) judging whether a bypass answering device exists by calculating the difference between the actual distance s from the terminal host to the DNS server and the theoretical distance s';
1.1.10) when a bypass answering device exists, judging whether it is an official answering device or an illegal answering device: if it is an official answering device, going to step 1.1.11); if it is an illegal answering device, going to step 1.1.12);
1.1.11) giving a trust evaluation to the bypass answering device;
1.1.12) intercepting the DNS response message sent by the bypass answering device, and tracing the bypass answering device;
1.1.13) flagging the traced illegal bypass answering device as an abnormal traffic-hijacking router and sending an anomaly report to the client;
1.2) tracing the illegal bypass answering device, with the following specific steps: sending request messages from the terminal host to the target DNS server with the TTL value increased hop by hop, starting from TTL = 1; when a DNS response message is received, recording the TTL value and flagging the router at that hop as an abnormal traffic-hijacking router; and sending the received DNS response message together with the recorded TTL value to the client as the content of the anomaly report for further processing.
2. The method for identifying and tracing DNS bypass answering devices according to claim 1, wherein traceroute active probing is performed from the third-party trusted source towards the target DNS server to obtain the path length between the third-party trusted source and the target DNS server.
3. The method for identifying and tracing DNS bypass answering devices according to claim 2, wherein the obtained response TTL value is summed with the path length obtained by active probing to obtain the system default response message TTL value of the target DNS server.
4. The method for identifying and tracing DNS bypass answering devices according to claim 1, wherein, when the distance between the terminal host and the target DNS server is measured, ICMP messages are used for the actual measurement to obtain the actual distance s.
5. The method for identifying and tracing DNS bypass answering devices according to claim 1, wherein the specific method for judging whether a bypass answering device exists is as follows:
5.1) calculating the difference ΔS between the actual distance s from the terminal host to the DNS server and the theoretical distance s';
5.2) when ΔS is less than or equal to two hops, judging that the DNS server's answer has not been preempted and the DNS service is normal; when ΔS is more than two hops, judging that a bypass device is preemptively answering DNS.
6. The method for identifying and tracing DNS bypass answering devices according to claim 1, wherein the method for judging whether the bypass answering device is an official answering device or an illegal answering device is: comparing the DNS response message received by the terminal host with the DNS response message received by the third-party trusted source; if the contents are the same, the bypass device is an official answering device set up by the operator; if the message contents differ, the bypass device is judged to be an illegal answering device.

Priority Applications (1)

Application Number    Priority Date    Filing Date    Title
CN202110382941.6A     2021-04-09       2021-04-09     DNS bypass answering device identification and tracing method

Publications (2)

Publication Number    Publication Date
CN113055405A          2021-06-29
CN113055405B          2022-03-08

Family ID: 76519384


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant