KR101250899B1 - Apparatus for detecting and preventing application layer distribute denial of service attack and method - Google Patents

Abstract

The present invention relates to an application layer distributed denial of service attack detection and blocking technology, and does not detect various DDoS attacks that are attempted at the application layer of all programs based on the amount of traffic, but compares them with a predefined normal traffic model. By determining whether an attack is performed, even if the amount of attack traffic is not as large as that under normal conditions, the attack is detected and the IP address of a specific attacker is derived as a result of the detection, and only the attack traffic delivered from the attacker is detected. Characterized in that it can be implemented to block for a desired period. According to the present invention, it is possible to protect the traffic of the normal user and to ensure the continuity of the service.

Application Layer, Distributed Service Denial (DDoS) Attack, Attack Traffic Modeling

Description

Apparatus for detecting and preventing application layer distribute denial of service attack and method}

The present invention relates to a technology for performing detection and blocking of threats that threaten network networks, and particularly, attacks on services of an application layer, which is a main target of a distributed denial of service (DDoS) attack. Apparatus and method for detecting and blocking distributed application denial of service attacks suitable for effective detection and blocking thereof.

The present invention is derived from a study conducted as part of the IT growth engine technology development project of the Ministry of Knowledge Economy [Task management number: 2009-S-038-01, Task name: Development of a response service for distributed service rejection (DDoS) attack].

In general, a DDoS attack is an attack in which multiple computers are operated simultaneously to cause excessive load on a specific site. In order to attack a specific site, a hacker has installed DDoS attack programs on several computers and sends a huge amount of packets to the target site that cannot be processed by the system at the target site simultaneously. It may cause paralysis of certain services or paralysis of the system itself. This DDoS attack prevents normal users from accessing the site to a specific site and, in severe cases, may damage the network equipment or server hardware.

Also, computer systems with DDoS attack tools installed in any path can be used as DDoS attack systems without their knowledge. Popular DDoS attack tools include Trinooo, Tribal Flood Network, and Stacheldraht. Recently, NetBot, a botnet, BlackEnergy, etc. DDoS attack tools invade the public's computer systems through various routes in the form of worms and viruses.

Conventional DDoS attack detection and blocking technology used a method of detecting and blocking DDoS-specific attack patterns, or by limiting the traffic on the network or server side to ensure the validity of the server. The unique attack pattern refers to excessive generation of packets modulated in a specific form for each DDoS in order to put a load on the server. Typical examples include TCP SYN Flood, TCP Flag Flood, HTTP Flood, UDP Flood, ICMP Flood. Etc.

Most DDoS attack detection techniques use this method to determine if network traffic suddenly occurs more frequently than usual. In other words, the criterion for attack is simply how much traffic is transmitted compared to the past.

This type of attack detection is very inadequate for detecting DDoS attacks at the application layer. This is because the recent DDoS attack on the application layer is not so large that the amount of traffic is out of the normal range, so it is very difficult to detect the amount of traffic. For example, some DDoS attacks against an HTTP server can disrupt the server's behavior with only a few hundred Kbps to several Mbps of attack traffic. This is less than 1% of the normal traffic of a large portal site. In general, when the attack is judged by the total traffic volume, it is determined whether the attack is made by analyzing the amount of traffic delivered to a specific server, which can only determine whether an attack has occurred that a DDoS attack has occurred. It's not a way to know who it is. Recently, technical proposals for detecting and blocking DDoS attacks on web services using the HTTP protocol have been made, but DDoS attack detection techniques that can be applied to all application layer services in common have not been developed.

In the attack detection and blocking method according to the prior art operating as described above, it is not a detection method capable of accurately selecting and blocking only the traffic transmitted from the attacker since the attack is detected by detecting a sudden change in the traffic amount. . For this reason, in the past, the attack detection techniques used a bandwidth limit method in order to keep the total amount of traffic below a certain level when a large amount of traffic occurred, but even in this case, the normal normal user to the blocked traffic There was a problem that could also include traffic. In addition, the proposed DDoS attack detection technology for the application layer can detect only DDoS attacks for web services using the HTTP protocol, and is not a method that can be applied to all application services in common.

Accordingly, the present invention can accurately detect DDoS attack traffic for the service of the application layer by modeling network traffic of the application layer service, block only the detected attack traffic, and apply the application layer to all services of the application layer. A distributed denial of service attack detection and blocking device and a method thereof are provided.

In addition, the present invention does not detect various DDoS attacks that are attempted at the application layer of all programs based on the amount of traffic, but determines whether the attack is compared to a predefined normal traffic model, even though the amount of attack traffic is increased. Although it is not much compared with the traffic volume under this normal situation, it detects an attack that occurs, derives the IP address of a specific attacker as a result of the detection, and blocks only the attack traffic delivered from the attacker for a desired period of time. It provides an application layer distributed denial-of-service detection and blocking device and method for protecting the service and securing service continuity.

The first thing to do in order to apply the present invention to any application layer service is to define a "service request" from that service. In other words, the general user makes a request for using a different type of service defined for each application service in order to use the corresponding service. In this case, the user defines what action is referred to as a "service request."

For example, in the HTTP protocol, an HTTP GET Request packet may be defined as a "service request", and in the case of an FTP service, a network packet requesting connection to an FTP server may be defined as a "service request". If only "service request" is defined in this manner, the present invention can be applied to all application layer services.

In the present invention, in addition to the "service request" for DDoS attack detection, information available for attack detection specific to a specific application layer service may be used together.

Here, an embodiment of the present invention will be described by applying a web service using the HTTP protocol.

Applied layer distributed denial of service attack detection and blocking device according to an embodiment of the present invention, the data transmitted to the application layer by monitoring the plurality of servers and clients for a predetermined monitoring period through a network connected to a plurality of servers and clients An information collecting unit for collecting information, a monitoring unit for setting the monitoring period, deriving traffic information from data information collected during the set monitoring period, and comparing the derived traffic information with a previously learned traffic model Includes an analysis section to determine whether or not.

The preset monitoring period may include a plurality of unit times.

In addition, the data information collected by the information collection unit is a "service request" requested during a unit time in the monitoring period when the destination (DST) port included in the service request packet is a hypertext transfer protocol (HTTP). In the example, the amount of change in the number of GET request packets and the number of packets, the amount of change in the cache control packet count and the number of packets among the GET Request packets requested during the unit time as information specific to the HTTP service, At least one of the byte distribution information for the Uniform Resource Identifier (URI) of the GET Request requested for a unit time, and the entropy value of the byte distribution for the URI of the GET Request requested for the unit time.

In addition, the traffic information derived from the monitoring unit is based on the data information collected by the information collecting unit, the number of unit times that the GET Request packet is present and non-existing during the entire monitoring period, and the GET Request packet during the entire monitoring period. The maximum number of consecutive time units that existed and did not exist, the number of unit time cache units existed and did not exist during the entire monitoring period, and the presence or absence of cache control packets consecutively during the whole monitoring period. A variance value of the maximum number of unit times, the sum of the number of GET Request packets and CC packets extracted in unit time during the entire monitoring period, the amount of change in the number of GET Request packet extracted in unit time during the whole monitoring period, At least one of the variance values of the entropy values extracted in units of time during the entire monitoring period It is characterized by one.

As described above, the application layer distributed denial of service attack detection and blocking device, when it is determined that the traffic information derived from the data information collected during the monitoring period as the attack traffic information through the analysis unit, the IP address transmitting the traffic information It characterized in that it further comprises a blocking unit for blocking.

The application layer distributed denial of service attack detection and blocking device expresses traffic information of a plurality of monitoring period samples previously transmitted from the monitoring unit in a vector form, and uses a pattern classification algorithm on the extracted information of the vector form. The apparatus may further include a learning unit configured to form a normal traffic model and an attack traffic model in which the critical sections of the normal traffic and the attack traffic are set.

In this case, the learning unit updates the attack traffic model by transmitting the traffic information determined as the attack traffic to the traffic model through the analysis unit, and delivers the traffic information determined as the normal traffic to the traffic model. It is characterized by updating the normal traffic model.

The analyzing unit may classify the derived traffic information using a pattern classification algorithm and compare the classified traffic information with the attack traffic model.

Here, the pattern classification algorithm is characterized in that any one of Support Vector Machine, K-Means algorithm, KNN algorithm, Euclidean Distance algorithm, Bayes' Theorem.

When the set monitoring period ends, the monitoring unit includes session termination information in a preset queue and transmits the information to the information collection unit to notify the monitoring end of the plurality of servers and clients.

The traffic information derived from the monitoring unit is characterized in that the destination (DST) port of the data packet is a hypertext transfer protocol (HTTP).

Application layer distributed denial of service attack detection and blocking method according to an embodiment of the present invention, by monitoring the service request packets requested by the plurality of servers and clients through a network connected to a plurality of servers and clients Collecting data information transmitted to an application layer, setting the monitoring period, deriving traffic information from the data information collected during the set monitoring period, and comparing the derived traffic information with previously learned traffic models. And determining the attack traffic.

The preset monitoring period may include a plurality of unit times.

In the collecting of the data information, when the destination (DST) port included in the service request packet is a hypertext transfer protocol (HTTP), the number of GET request packets requested for a unit time within the monitoring period. And a change amount of the packet number, a change amount of a cache control packet and a packet number of the GET Request packets requested during the unit time, and a byte for a Uniform Resource Identifier (URI) of the GET Request requested during the unit time. At least one of the distribution information and the entropy value of the byte distribution for the URI of the GET Request requested during the unit time is collected.

In addition, the derivation of the traffic information includes the number of unit times during which the GET Request packet is present and nonexistent during the entire monitoring period from the collected data information, and the GET Request packet is continuously present and present during the entire monitoring period. The maximum number of unit times that did not exist, the number of unit times during which the cache control packets existed and did not exist during the entire monitoring period, and the maximum number of unit times during which the cache control packets continued and existed during the entire monitoring period. And a sum of the number of GET Request packets and cache control packets extracted in unit time during the entire monitoring period, the variance value of the amount of change in the number of GET Request packets extracted in unit time during the entire monitoring period, and the total monitoring period. At least one of the variance values of the entropy values extracted in units of And it characterized in that.

As described above, the application layer distributed denial of service attack detection and blocking method further includes the step of blocking the IP address transmitting the attack traffic information when it is determined that the attack traffic information is the result of the determination of the attack traffic. It is done.

In the distributed application denial of service attack detection and blocking method, the sample traffic information previously obtained during a plurality of monitoring periods is represented in a vector form, and the information is extracted through a pattern classification algorithm on the extracted information of the vector form. The method may further include forming a normal traffic model and an attack traffic model in which the critical sections of the traffic and the attack traffic are set.

The application layer distributed denial of service attack detection and blocking method may further include: updating the attack traffic model by transmitting traffic information determined as the attack traffic to the traffic model through determining whether the attack traffic is present; And transmitting the traffic information determined as the normal traffic to the traffic model to update the normal traffic model.

On the other hand, the process of determining whether the attack traffic, characterized in that it comprises the step of classifying the derived traffic information by using a pattern classification algorithm, and comparing the classified traffic information with the attack traffic model .

Here, the pattern classification algorithm is characterized in that any one of Support Vector Machine, K-Means algorithm, KNN algorithm, Euclidean Distance algorithm, Bayes' Theorem.

On the other hand, in the derivation process, when the set monitoring period ends, the session termination information is included in a preset queue, and the monitoring is terminated by transferring it to an information collection unit that monitors the plurality of servers and clients. It is characterized by.

The deriving of the traffic information is characterized in that the application layer service, that is, the destination (DST) port of the data packet is designated, that is, the hypertext transfer protocol (HTTP, 80) in this example.

According to the application layer distributed denial of service attack detection and blocking apparatus and method thereof according to an embodiment of the present invention as described above, there are one or more of the following effects.

Applied layer distributed denial of service attack detection and blocking apparatus and method according to an embodiment of the present invention, conventionally detects an attack based on the amount of traffic or detects the characteristics of a specific application layer when detecting a DDoS attack on the application layer Local detection methods that can be used only for the application layer have been proposed.

In particular, when detecting an attack based on the amount of change in traffic amount, it is possible to determine whether an attack has occurred, but it does not know which traffic is sent by the attacker.

Therefore, in the present invention, when a DDoS attack occurs, the attack is detected within a short monitoring period, and based on the detected information, the attacker's IP address is accurately extracted to remove only the attacker's traffic. In addition, since detection is implemented based on previously-trained learning information, it is possible to accurately determine whether the attack is performed in a very short time when the actual attack is detected.

In addition, it is possible to apply not only to a specific application but also to the application layer of all applications in a networked device. The present invention provides an attacker's IP address extracted from attack traffic to existing information security equipment. By doing so, it is possible to prevent DDoS attacks by actively utilizing the currently operated information security equipment.

Advantages and features of the present invention and methods for achieving them will be apparent with reference to the embodiments described below in detail with the accompanying drawings. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. To fully disclose the scope of the invention to those skilled in the art, and the invention is only defined by the scope of the claims. Like reference numerals refer to like elements throughout.

In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear. The following terms are defined in consideration of the functions in the embodiments of the present invention, which may vary depending on the intention of the user, the intention or the custom of the operator. Therefore, the definition should be based on the contents throughout this specification.

Each block of the accompanying block diagrams and combinations of steps of the flowchart may be performed by computer program instructions. These computer program instructions may be mounted on a processor of a general purpose computer, special purpose computer, or other programmable data processing equipment such that instructions executed through the processor of the computer or other programmable data processing equipment may not be included in each block or flowchart of the block diagram. It will create means for performing the functions described in each step. These computer program instructions may be stored in a computer usable or computer readable memory that can be directed to a computer or other programmable data processing equipment to implement functionality in a particular manner, and thus the computer usable or computer readable memory. It is also possible for the instructions stored in to produce an article of manufacture containing instruction means for performing the functions described in each block or flowchart of each step of the block diagram. Computer program instructions may also be mounted on a computer or other programmable data processing equipment, such that a series of operating steps may be performed on the computer or other programmable data processing equipment to create a computer-implemented process to create a computer or other programmable data. Instructions that perform processing equipment may also provide steps for performing the functions described in each block of the block diagram and in each step of the flowchart.

In addition, each block or step may represent a portion of a module, segment or code that includes one or more executable instructions for executing a specified logical function (s). It should also be noted that in some alternative embodiments, the functions noted in the blocks or steps may occur out of order. For example, the two blocks or steps shown in succession may in fact be executed substantially concurrently or the blocks or steps may sometimes be performed in the reverse order, depending on the functionality involved.

In the embodiment of the present invention, the DDoS attack effectively detects and blocks an attack on a service of an application layer, which is a main target of a DDoS attack, and performs various DDoS attacks based on the amount of traffic to the application layer of all programs. By detecting whether the attack is compared with the predefined normal traffic model, the attack is detected even if the amount of attack traffic is not large compared to the amount of traffic under normal conditions. By deriving an IP address, it is possible to block only the attack traffic delivered from the attacker for a desired period, thereby protecting the traffic of the normal user and ensuring the continuity of the service.

Accordingly, the following embodiment defines a new traffic model to overcome the attack detection method according to the change of traffic amount used in the existing DDoS attack detection technology, and based on this, before defining the traffic model to perform the attack detection, HTTP Taking the traffic as an example, the operation of the traffic of the general application layer will be described.

When normal users access a specific web server by using a web browser and look at the operation when receiving data, generally, the procedure is as follows.

(1) First, the user requests a web page (eg index.html) from a specific server,

(2) After that, if the server delivers the contents of the web page to the user,

(3) The user recognizes the delivered web page, selects a desired hyperlinked URL to move to another page he / she wants, and requests the web page secondly from the server.

(4) The user repeats (2) to (3) until the desired information is obtained.

In general, normal users request a web page until they obtain the desired information in the order of (1) to (4). At this time, the data transferred from the user to the server will be a GET request requesting a specific web page.

An important feature of this is that there is typically a waiting time between these GET requests. That is, it takes a long time (for example, several seconds to several tens) to recognize the content of the web page requested by the user first, determine what additional data the user wants, and request additional data.

In other words, when looking at the type of traffic that a user sends to the server during a specific time period, generally, a small amount of traffic is used to convey information of a desired destination, and all responses to the request are sent to the user. It will wait until it is delivered.

This feature occurs equally in most applications that users use. That is, when a situation occurs in humans, it takes time to analyze and judge for a certain period of time to cope with it. However, since a large amount of traffic is generated between DDoS attacks in a very short period of time, it can be accurately distinguished from the type of traffic generated by a user, that is, a person.

Using these characteristics, we can model the network traffic type of normal traffic and classify DDoS attacks based on this. Although the embodiment of the present invention uses the HTTP protocol as an example, it can be applied to the DDoS attack on all application layers accessed and used by the user in the same manner.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.

1 is a block diagram showing the structure of a DDoS attack detection and blocking device according to an embodiment of the present invention.

Referring to FIG. 1, the DDoS attack detection and blocking apparatus 100 is installed and implemented at a position capable of monitoring and blocking a network packet transmitted from a client to a server, and a predefined "service request" from the transmitted network packet. Check whether the packet (eg GET request packet in HTTP) is transmitted on the network, analyze the request type of the GET request packet, and compare it with the attack and normal GET request traffic pattern model generated through learning Determining whether or not an attack, and if the attack is determined to block the attack, the network connection unit 102, information collection unit 104, monitoring unit 106, analysis unit 108, traffic model 110, blocking The unit 112, the learning unit 114 and the like.

In this case, the client (not shown) may be a variety of computing devices that request services through a network such as a personal computer, a laptop, a portable user device, and the like, and are used as a computer for DDoS attack through pre-installed malware. An attack is performed by a server or another system that is targeted by a server, where a server (not shown) refers to a system that is attacked by clients.

Referring to the DDoS attack detection and blocking device 100 in detail, the network connection unit 102 monitors the transmission and reception of data between the server and the plurality of clients to collect a "service request" packet delivered to a predefined application layer service Transfer to the information collecting unit 104. Accordingly, the information collecting unit 104 collects various information based on data transmission / reception information for each client by monitoring a “service request” between the plurality of clients and the server during the monitoring period set by the monitoring unit 106. .

The monitoring unit 106 sets the monitoring period and transmits the information to the information collecting unit 104, and receives the information collected during the monitoring period from the information collecting unit 104 to extract necessary traffic pattern information from the collected information. . At this time, the monitoring period is set by the user or a constant monitoring time.

On the other hand, when the set monitoring period is over, the session termination information is inserted into a preset queue, and the session termination information is transmitted to the information collection unit 104 to transmit information about the communication between the plurality of clients and the server. Recognizes the end of monitoring and ends the collection of information.

On the other hand, the monitoring unit 106 delivers the traffic information extracted during the monitoring time to the analysis unit 108, the analysis unit 108 is derived during the monitoring period in conjunction with the information collection unit 104 and the monitoring unit 106 The classified traffic information is classified using a pattern classification algorithm, and the classified traffic information is compared with the previously learned traffic model 110 to determine whether the classified traffic information, that is, whether the traffic information monitored during the monitoring period is the attack traffic. You will be judged.

At this time, the traffic model 110 is basically formed through learning prior to the start of DDoS attack detection, and includes an attack traffic model and a normal traffic model.

The learning unit 114 may transmit the information used in the analysis result to the traffic model 110 based on the analysis result of the analysis unit 108 and use it to update the existing attack traffic and the normal traffic model. That is, receiving traffic information derived through monitoring during the plurality of monitoring periods transmitted from the monitoring unit 106 and further learning about the attack traffic and the normal traffic based on the traffic information derived during the plurality of monitoring periods. will be.

The learning unit 114 expresses the extracted information in a vector form, and then performs traffic modeling to determine a critical section of the learned data using a pattern classification algorithm, thereby classifying attack traffic and normal traffic. Do. As described above, the attack traffic and the normal traffic modeling information in which the critical sections of the public traffic and the normal traffic are determined through the pattern classification are transmitted to the traffic model 110.

The analysis unit 108 refers to the predefined traffic model 110 or the traffic model 110 learned through the learning unit 114 as described above, and determines whether the traffic monitored during the monitoring period is attack traffic. do. As a result, when it is determined that the attack traffic is included in the traffic during the monitoring period, the analysis unit 108 delivers the IP address corresponding to the attack traffic to the blocking unit 112, and the blocking unit 112 transmits the corresponding traffic. By blocking communication and data transmission and reception only for IP addresses, it is possible to block only attack traffic.

Hereinafter, the DDoS attack detection and blocking apparatus 100 will be described in detail with reference to FIGS. 2 to 7.

2 is a diagram illustrating a monitoring period and a unit time description method according to an embodiment of the present invention.

Referring to FIG. 2, the monitoring unit 106 sets a monitoring period (MP) 200 in order to model the operation of users, that is, the network traffic type of normal traffic. The monitoring period 200 is composed of a total of N unit time slots (TS) 202. In this case, the unit time 202 may be heuristically defined in accordance with the type of traffic in a normal situation. For a typical HTTP server, about 100ms may be appropriate.

Based on the monitoring period 200 and the unit time 202 defined as above, the information collecting unit 104 collects various information generated in the unit time 202. The information collected at this time is calculated by pairing the source IP address and the destination IP address. The collected information is explained using the HTTP protocol as an example.

First, the information collected during the unit time is as follows.

(1-1) Number of GET Request packets requested during unit time

(1-2) The amount of change in the number of GET Request packets requested during the unit time

(1-3) Number of Cache Control (CC) Packets among GET Request Packets Requested during Unit Time

(1-4) Change in Cache Control Packet Count among GET Request Packets Requested during Unit Time

(1-5) Byte Distribution of URI (Uniform Resource Identifier) of GET Request requested for unit time

(1-6) Entropy value of byte distribution for URI of GET Request requested during unit time

Information extracted during the monitoring period using the above information is as follows.

(2-1) Number of unit times that GET Request packet existed during the entire monitoring period

(2-2) Number of unit times during which the GET Request packet did not exist for the entire monitoring period

(2-3) The maximum number of unit times that GET Request packets existed continuously during the entire monitoring period.

(2-4) The maximum number of unit times during which the GET Request packet did not exist continuously during the entire monitoring period.

(2-5) Number of unit times that cache control packets existed during the entire monitoring period

(2-6) Number of unit times when cache control packet did not exist for all monitoring periods

(2-7) Maximum number of unit times of continuous cache control packets during the entire monitoring period

(2-8) The maximum number of unit times during which no cache control packets existed continuously for the entire monitoring period.

(2-9) Total number of GET Request packets extracted per unit time during the entire monitoring period

(2-10) The total number of cache control packets extracted in unit time unit during the entire monitoring period

(2-11) Variance value of the amount of change in the number of GET Request packets extracted in unit time during the entire monitoring period

(2-12) The variance of entropy values extracted in units of time during the entire monitoring period

The extracted values may be used to form the traffic model 110, and the process of generating the traffic model 110 is as follows. First, the DDoS attack traffic and normal traffic for the application service to be protected in advance are collected through the information collecting unit 104. From the collected traffic, the information of (1-1) to (1-6) is extracted for the defined monitoring period, and based on this, the monitoring unit 106 collects the information of (2-1) to (2-12). Create

At this time, since the monitoring period is very small compared to the total traffic collected, the monitoring period defined for the collected traffic is repeatedly (1-1) to (1-6), (2-1) to ( 2-12) Extract information. Thereafter, the learning unit 114 expresses a series of information about the extracted traffic in a vector form and uses it to generate the traffic model 110 using a pattern classification algorithm. At this time, the information extracted from the attack traffic is used to generate the attack traffic model, and the information extracted from the normal traffic is used to generate the normal traffic model.

On the other hand, with respect to the extracted values as described above, the partial extraction value for the normal traffic and the partial extraction value for the attack traffic is compared with each other as shown in Figs.

3 is a graph of the number of unit times of a GET Request packet during the entire monitoring period according to an embodiment of the present invention.

As can be seen in the graph of FIG. 3, although the traffic of 77DDoS 300 and the BlackEnergy 302, which are the attack traffic, a large number of unit times in which a GET Request packet existed existed, in general normal traffic 304, a relatively small amount of unit time was present. It can be seen that there is a unit time number.

4 is a graph showing the maximum number of TSs in which GET Requests of attack traffic and normal traffic are continuously present according to an embodiment of the present invention.

Referring to the graph of FIG. 4, 77DDoS (400) of attack traffic, which represents the maximum number of unit times in which GET Request packets existed continuously during the entire monitoring period of attack traffic and normal traffic (2-3). ) And BlackEnergy 402 can be easily distinguished since the maximum number per unit time is greater than that of normal traffic 404.

5 is a graph showing the total number of GET Request packets in unit time units of attack traffic and normal traffic according to an embodiment of the present invention.

Referring to the graph of FIG. 5, (2-9) represents the total number of GET Request packets extracted in unit time units during the entire monitoring period. As shown in FIGS. 3 to 4, 77DDoS 500 and BlackEnergy ( Since 502 has more GET Request packets per unit time than normal traffic 504, it is easily distinguishable.

As such, the traffic information extracted by the monitoring unit 106 through the information collected by the information collecting unit 104 are information that may be usefully used to distinguish the attack traffic from the normal traffic.

Therefore, the monitoring unit 106 derives the corresponding information based on the monitoring period and the unit time for the normal traffic and the attack traffic by using such information, and delivers the corresponding information to the analyzing unit 108, so that the analyzing unit 108 Pattern classification for attack traffic and normal traffic is performed based on traffic information derived based on monitoring period and unit time.

On the other hand, the learning unit 114 represents the traffic information extracted based on the previous monitoring time in a vector form, and then determines the critical section of the learned data using various machine learning and pattern classification algorithms widely used in ICT research. . Therefore, the attack traffic model 110 is formed on the basis of the result of the learning that has been performed in advance, and the analysis unit 108 classifies the traffic information derived from the monitoring unit 106 by using the pattern classification algorithm. The attack traffic model 110 is referred to the pattern classified traffic information to determine whether the attack traffic is received in the traffic during the monitoring period or the unit time.

The pattern classification algorithm that can be used can be applied to all classification techniques that can classify patterns such as Support Vector Machine, K-Means Algorithm, KNN Algorithm, Euclidean Distance Algorithm, Bayes'Theorem.

The result of this type of attack traffic detection is a specific source IP address and a destination IP address as mentioned above. Therefore, if the traffic is determined to be an attack, the source IP address derived from the analysis means the attacker's IP address.

In some DDoS attacks, an IP spoofing technique is applied that attempts to attack by manipulating an IP address. However, IP Spoofing cannot be applied to DDoS attacks at the application layer. Because in order to deliver the data the attacker wants to the application layer, the network layer must go through the 3-way handshake process. If the IP address is manipulated, the 3-way handshake process cannot be established. Passing data to the layer itself becomes impossible.

Therefore, since all source IP addresses used in DDoS attacks on the application layer can be said to be unmanipulated pure IP addresses, the source IP address resulting from the traffic analysis is the attacker's IP address.

Accordingly, the analysis unit 108 may directly detect whether or not the attack traffic and a specific attacker IP address transmitting the attack traffic, and transfers the found information to the blocking unit 112, the blocking unit 112 from the attacker IP address Only traffic transmission can be selectively blocked. Of course, by providing a list of target systems to be blocked by interlocking with the existing general network security equipment (IPS, IDS, Firewall, etc.) as well as the blocker 112 may maximize the effect. Therefore, the blocking unit 112 and the network security equipment to block the attack traffic and provide a normal user can continuously receive data transmission and reception services.

Therefore, the operation flow of the blocking process for the DDoS attack of the application layer will be described in detail with reference to FIGS. 6A to 6B.

6A is a flowchart illustrating an operation procedure for extracting traffic information in a DDoS attack detection and blocking device according to an embodiment of the present invention.

Referring to FIG. 6A, in step 600, the monitoring unit 106 sets a monitoring time including N unit times, and then transmits and receives a plurality of clients transmitted and received on a network connected to the network connection unit 102 through the information collection unit 104. Monitors the service request packet for all sessions created to communicate with the server.

In step 602, the information collecting unit 104 collects "service request" data information transmitted by the plurality of clients to the server through all communication sessions, and transmits the collected information to the monitoring unit 106. Accordingly, the monitoring unit 106 extracts the necessary traffic information from the data packet received for each unit time within the monitoring period.

First, in step 604, if the destination (DST) port of the data packet of the data packet received in step 604 is Hyper Text Transport Protocol (HTTP), it is checked and proceeds to step 606 in the case of HTTP. The process returns to step 604 to extract information about another packet.

In step 606, the presence of the GET packet and the CC packet among the GETs is checked to determine whether the packet belongs to a different unit time in step 608.

If the packet belongs to the same unit time, the process proceeds to step 610 to update the count value of the GET packet and the number of CC packets in the unit time, update the URI byte distribution information of the GET packet, and update the count of the GET packet and the CC packet number. After performing the sum update or the like, the process returns to step 602 to extract and confirm information of another packet within the same unit time.

However, if the packet belongs to a different unit time in step 608, the flow proceeds to step 612, where the packet checking of the unit time is terminated, the total number of GET packets and CC packets are calculated, and the entropy value of the byte distribution for the URI. Will yield

If the packet check for all the unit time constituting the monitoring period is completed in step 614, after the packet check is completed, proceed to step 618 of Figure 6b, if not completed in step 616 proceeds to the next unit time In step 604, information is extracted from the received data packet.

6B is a flowchart illustrating an attack traffic modeling and an attack traffic blocking procedure in a DDoS attack detection and blocking device according to an embodiment of the present invention.

In step 618 of FIG. 6B, when the checking of all packets in the monitoring period is completed, all unit time-specific information for the monitoring period is added, and in step 620, the dispersion value of the GET packet and the CC packet and the variance of entropy values are calculated. The traffic information derived through the extraction of information is transferred to the analysis unit 108.

In step 622, the analysis unit 108 analyzes whether the corresponding traffic is the attack traffic by comparing the derived information with the predetermined normal traffic and the attack traffic pattern and comparing the traffic model 110 with a threshold value. If attack traffic exists in the traffic information in step 624, the corresponding IP address transmitting the attack traffic is forwarded to the blocking unit 112 in step 626, so that the blocking unit 112 performs a data transmission or communication session for the IP. Will be blocked.

Thereafter, the traffic information determined as an attack in step 630 is transmitted to the traffic model 110 through the learning unit 114 to update the attack traffic model.

In addition, if it is determined in step 624 that the normal traffic does not exist in the traffic information in the traffic information, in step 630, the corresponding traffic information is transferred to the traffic model 110 through the learning unit 114 to update to the normal traffic model. do.

As described above, the application layer distributed denial of service attack detection and blocking apparatus and method thereof according to an embodiment of the present invention effectively detect and block an attack on a service of an application layer which is a main target of a DDoS attack. Instead of detecting various DDoS attacks targeted to the application layer of all programs based on the amount of traffic, it is determined whether the attack is compared with a predefined normal traffic model, even if the amount of attack traffic is normal. It protects the traffic of normal users by detecting the attack that occurs even if it is not much compared to the traffic volume, and by extracting the IP address of a specific attacker as a result of the detection, and blocking only the attack traffic from the attacker for a desired period. To ensure continuity of service The.

Meanwhile, in the detailed description of the present invention, specific embodiments have been described, but various modifications are possible without departing from the scope of the present invention. Therefore, the scope of the present invention should not be limited to the described embodiments, but should be determined by the scope of the appended claims, and equivalents thereof.

1 is a block diagram showing the structure of a DDoS attack detection and blocking device according to an embodiment of the present invention;

2 is a diagram illustrating a monitoring period and a unit time description method according to an embodiment of the present invention;

3 is a graph of the number of unit times of a GET Request packet during the entire monitoring period according to an embodiment of the present invention;

4 is a graph showing the maximum number of TSs in which GET Requests of attack traffic and normal traffic are continuously present according to an embodiment of the present invention;

5 is a graph showing the total number of GET Request packets in unit time units of attack traffic and normal traffic according to an embodiment of the present invention;

6A is a flowchart illustrating an operation procedure for extracting traffic information in a DDoS attack detection and blocking device according to an embodiment of the present invention;

6B is a flowchart illustrating an attack traffic modeling and blocking procedure of an attack traffic in a DDoS attack detection and blocking device according to an embodiment of the present invention.

<Description of Signs of Major Parts of Drawings>

100: DDoS attack detection and blocking device 102: network connection

104: information collecting unit 106: monitoring unit

108: analysis unit 110: traffic model

 112: blocking unit 114: learning unit

Claims (20)

Collecting information collecting data information transmitted to an application layer by monitoring service request packets requested by the plurality of servers and clients during a preset monitoring period through a network capable of monitoring network traffic transmitted by the plurality of servers and clients Wealth, A monitoring unit for setting the monitoring period and deriving traffic information from data information collected during the set monitoring period; Analysis unit for determining the attack traffic by comparing the derived traffic information with the previously learned traffic model App layer distributed denial of service attack detection and blocking device comprising a. The method of claim 1, The preset monitoring period is App layer distributed denial of service attack detection and blocking device comprising a plurality of unit times. The method of claim 1, Data information collected by the information collecting unit, If the destination (DST) port included in the service request packet is a hypertext transfer protocol (HTTP), the number of changes and the number of packet requests requested during the unit time within the monitoring period and the number of packets, A change amount of the cache control packet and the number of packets among the GET request packets requested during the unit time; Byte distribution information on a Uniform Resource Identifier (URI) of a GET Request requested during the unit time; Applied layer distributed denial of service attack detection and blocking device, characterized in that at least one of the entropy value of the byte distribution for the URI of the GET Request requested during the unit time. The method of claim 3, Traffic information derived from the monitoring unit based on the data information collected by the information collecting unit, The number of unit times the GET Request packet was present and nonexistent during the entire monitoring period, The maximum number of unit times of continuous and non-existent GET Request packets during the entire monitoring period. The number of unit times during which the cache control packet existed and did not exist during the entire monitoring period; The maximum number of unit times during which the cache control packet was continuously present and nonexistent during the entire monitoring period; The total number of GET Request packets and CC packets extracted in unit time units during the entire monitoring period; A variance value of the amount of change in the number of GET Request packets extracted in unit time units during the entire monitoring period; Applied layer distributed denial of service attack detection and blocking device, characterized in that at least one of the variance of the entropy values extracted in units of time during the entire monitoring period. The method of claim 1, The application layer distributed denial of service attack detection and blocking device, Blocking unit for blocking the IP address that transmitted the traffic information, if the traffic information derived from the data information collected during the monitoring period through the analysis unit is determined as attack traffic information App layer distributed denial of service attack detection and blocking device further comprising. The method of claim 1, The application layer distributed denial of service attack detection and blocking device, A normal traffic model in which traffic information of a plurality of monitoring period samples previously transmitted from the monitoring unit is expressed in a vector form, and a critical section of normal traffic and attack traffic is set using a pattern classification algorithm in the extracted information of the vector form; Application layer distributed denial of service attack detection and blocking device further comprising a learning unit for forming an attack traffic model. The method according to claim 6, The learning unit, Update the attack traffic model by transmitting traffic information determined as the attack traffic to the traffic model through the analysis unit; Applied layer distributed denial of service attack detection and blocking device, characterized in that for updating the normal traffic model by passing the traffic information determined as the normal traffic to the traffic model. The method of claim 1, The analysis unit, Classify the derived traffic information using a pattern classification algorithm, Applied layer distributed denial of service attack detection and blocking device, characterized in that for comparing the classified traffic information with the attack traffic model. 9. The method of claim 8, The pattern classification algorithm, Application layer distributed denial of service attack detection and blocking device, characterized in that any one of Support Vector Machine, K-Means algorithm, KNN algorithm, Euclidean Distance algorithm, Bayes'Theorem. The method of claim 1, The monitoring unit, When the set monitoring period is over, the application layer distributed denial of service attack detection including session termination information in a predetermined queue and transmitting the information to the information collection unit to notify the termination of monitoring of the plurality of servers and clients. And blocking device. Collecting data information transmitted to an application layer by monitoring service request packets requested by the plurality of servers and clients during a preset monitoring period through a network connected to a plurality of servers and clients; Setting the monitoring period and deriving traffic information from the data information collected during the set monitoring period; The process of determining whether the attack traffic is compared by comparing the derived traffic information with the previously learned traffic model Application layer distributed denial of service attack detection and blocking method comprising a. 12. The method of claim 11, The preset monitoring period is Application layer distributed denial of service attack detection and blocking method comprising a plurality of unit times. 12. The method of claim 11, The process of collecting the data information, If the destination (DST) port included in the service request packet is a hypertext transfer protocol (HTTP), the number of changes and the number of packet requests requested during the unit time within the monitoring period and the number of packets, A change amount of the cache control packet and the number of packets among the GET request packets requested during the unit time; Byte distribution information on a Uniform Resource Identifier (URI) of a GET Request requested during the unit time; Application layer distributed denial of service attack detection and blocking method characterized in that for collecting at least one of the entropy value of the byte distribution for the URI of the GET Request requested during the unit time. 14. The method of claim 13, Deriving the traffic information, The number of unit times during which the GET Request packet was present or absent during the entire monitoring period from the collected data information, The maximum number of unit times of continuous and non-existent GET Request packets during the entire monitoring period. The number of unit times during which the cache control packet existed and did not exist during the entire monitoring period; The maximum number of unit times during which the cache control packet was continuously present and nonexistent during the entire monitoring period; The total number of GET Request packets and cache control packets extracted in unit time units during the entire monitoring period; A variance value of the amount of change in the number of GET Request packets extracted in unit time units during the entire monitoring period; Application layer distributed denial of service attack detection and blocking method, characterized in that for deriving at least one of the variance value of the entropy values extracted in units of time during the entire monitoring period. 12. The method of claim 11, The application layer distributed denial of service attack detection and blocking method, Blocking the IP address that transmitted the attack traffic information when it is determined as the attack traffic information as a result of the determination of the attack traffic; Application layer distributed denial of service attack detection and blocking method further comprising. 12. The method of claim 11, The application layer distributed denial of service attack detection and blocking method, The normal traffic model and the attack where the critical sections of the normal traffic and the attack traffic are set by learning the sample traffic information previously derived during the plurality of monitoring periods in vector form and using a pattern classification algorithm on the extracted information of the vector form. The process of forming a traffic model Application layer distributed denial of service attack detection and blocking method further comprising. 17. The method of claim 16, The application layer distributed denial of service attack detection and blocking method, Updating the attack traffic model by transmitting traffic information determined as the attack traffic to the traffic model through determining the attack traffic; Updating the normal traffic model by transmitting traffic information determined as the normal traffic to the traffic model; Application layer distributed denial of service attack detection and blocking method further comprising. 12. The method of claim 11, The process of determining whether the attack traffic, Classifying the derived traffic information using a pattern classification algorithm; And comparing the classified traffic information with the attack traffic model. 19. The method of claim 18, The pattern classification algorithm, Application layer distributed denial of service attack detection and blocking method comprising any one of Support Vector Machine, K-Means Algorithm, KNN Algorithm, Euclidean Distance Algorithm, Bayes'Theorem. 12. The method of claim 11, The derivation process, When the set monitoring period ends, the application layer distributed service service comprises including session termination information in a preset queue and transferring the information to the information collection unit that monitors the plurality of clients to terminate the monitoring. How to detect and block secondary attacks.

Images