KR20040027705A - SVM Based Advanced Packet Marking Mechanism for Traceback AND Router - Google Patents

Abstract

PURPOSE: A method and a router for tracing back by applying SVM based packet marking technique are provided to reduce the number of packets required for reconstructing the traceback path to reach the damaged system. CONSTITUTION: A method for tracing back by applying SVM based packet marking technique includes the steps of: a first step of inspecting the bandwidth of the traffic for the packet inputted to the router; a second step(S4) of determining whether the packets is a congested signature or not; a third step(S6) of analyzing the SVM based traffic pattern through the SVM module when a large number of packets are generated during a short time period; a fourth step(S10) of marking the pushback field for the corresponding packet when the packet is aggressive; a fifth step(S12) of marking the packets; a seventh step of transmitting the made packets to the front end router; and a seventh step(S20) of determining whether the pushback field is marked or not when a large number of packets are not generated. The method for tracing back is characterized in that the packet marking step of the fifth step(S12) is performed when the pushback field is marked at the seventh step(S20) and the sixth step is performed when the pushback field is not marked.

Description

SVM Based Advanced Packet Marking Mechanism for Traceback AND Router

The present invention relates to a source traceback method and a router using an SMB-based packet marking technique, and spoofed a DDoS spoofed by using a pushback scheme based on SVM and providing a control function for an existing DDoS attack. The present invention relates to a source backtracking method and a router using an SMB-based denial of service attack packet marking technique that traces back an IP source to a packet.

Various techniques for tracking or blocking packets transmitted between networked attackers and victims have been disclosed.

Denial of service (Dos) denials such as the current TCP SYN flooding [Computer Emergency Response Team, "TCP SYN flooding and IP Spoofing attackts," CERT Advisory CA-1996-21, Sept, 1996.] attacks [L. Garber. "Denial-of-service attacks trip the Internet". Computer, pages 12, Apr. Since the vulnerability of TCP / IP system is exposed through 2000., researches are being conducted to cope with hacking attacks in network and Internet. As a countermeasure technology, the firewall system is applied with access control technology and shows passive characteristics in hacking attacks, and the countermeasure technology through the intrusion detection system (IDS) detects abnormal traffic arriving at the victim system. And a passive hacking countermeasure that provides only a blocking function.

Therefore, the technologies proposed to date do not provide hacking countermeasures in active aspects such as identification and tracking of DoS hacking attack sources. The reason for this is that most hacking attacks are carried out by IP spoofing the source IP address. Therefore, an active response technology must be developed. Even if the source address is determined by using Traceroute technology, the address contained in the Distributed Denial of Service (DDos) packet is spoofed. I can't.

Countermeasures against hacking attacks, such as DDoS attacks, are largely divided into passive countermeasures such as vaccines, intrusion detection and invasion techniques, and active countermeasures such as traceback techniques. Can be. Active countermeasures can be divided into proactive backtracking and reactive backtracking depending on how the hacking attack origin is detected.

A technique related to an attacker blocking method of a conventional router is shown in FIG. 1 (Korean Patent Publication No. 2003-42318, published May 28, 2003). As shown in FIG. 1, when the attacker attacks the victim in the global network environment with reference to FIG. 1, the attacker 10 generates illegal traffic and passes through his domain border router 20 to the border of the ISP. After passing through the router 30, the border router 40 of the domain to which the victim belongs is finally delivered to the victim 50. That is, the prior art relates to a technique for detecting illegal traffic and blocking the traffic at the first border router 30 that is passed through the ISP. In the packet transmission structure of the router, a packet discrimination function exists but does not provide a marking scheme for the packet. That is, when a hacking attack occurs, there is a problem that the corresponding technology is passive.

When a DDoS hacking attack occurs, a method of dropping malicious packets that are deemed malicious information by a router or the like on the network is described in ingress filtering [P. Ferguson and D. Senie. Such as "Network ingress Filtering: Defeating denial of service attacks which employ IP source address spoofing", May 2000. RFC 2827.], etc., is passive in DDoS attack. Therefore, as an effective solution, when a DDoS attack occurs, the victim system traces back the actual address of the source of the spoofed DDoS attack.

The backtracking method is a method in which a router generates backtrace path information in advance in a process of transmitting a packet on a network, inserts it into a packet, or delivers the packet to a destination IP address of a packet periodically. If a hacking attack occurs in the damage system, the spoofed hacking attack origin is determined by using the generated and collected traceback path information. Probabilistic packet marking (PPM) [K. Park and H. Lee. On the effectiveness of probabilistic packet marking for IP traceback under denial of service attack. In Proc. IEEE INFOCOM '01, pages 338 {347, 2001., D. X. Song, A. Perrig, "Advanced and Authenticated Marking Scheme for IP Traceback," Proc, Infocom, vol. 2, pp. 878-886, 2001.] iTrace (ICMP traceback), a variation of the technique and ICMP messages [Steve Bellovin, Tom Taylor, "ICMP Traceback Messages", RFC 2026, Internet Engineering Task Force, February 2003.] This includes techniques.

In addition, recently presented pushback [S. Floyd, S. Bellovin, J. Ioannidis, K. Kompella, R. Mahajan, V. Paxson, "Pushback Message for Controlling Aggregates in the Network," Internet Draft, 2001]. It provides the function and the transmission control function for the packet along the packet forwarding path. This technique provides the control of DDoS attack traffic, but does not provide the ability to trace back the origin of DDoS hacking attacks, but improves the overall network performance by providing the transmission control function for packets along the packet forwarding path.

On the other hand, Figure 2 is a description of the attacker backtracking method using the log information of the conventional edge router (published May 22, 2003, Republic of Korea Patent Publication No. 2003-39732). As shown in FIG. 1, according to the network configuration of FIG. 1, an attacker's local Internet and an Internet service provider network are connected by edge routers 102 and 103, and an intruder's local Internet and Internet service are connected by edge routers 105 and 106. The provider network is configured to be connected. There are management servers 109, 110, and 111 for tracking attackers in the attacker's local Internet, the Internet service provider network, and the attacker's local Internet, respectively. In addition, a plurality of hosts and specific intrusion detection systems (IDS) are configured in the intruder local internet, the internet service provider network, and the attacker local internet, respectively. In the figure, an external hacker cheats an IP address from his attacking host 101, and edge routers 103 and 105 of his edge router 102 and an ISP domain (Internet Service Provider network). And then attack the intrusion host 107 via the edge router 106 of the intrusion domain (intruder local internet). In this process, the edge routers 103 and 106 of each domain record log information about packets that are accessed from an external domain. The intrusion detection system 108 reports the intrusion information to the management server 109 when detecting the intrusion of the attacker. The management server 109 receives the intrusion information from the intrusion detection system 108 and tracks the attacking host 101 of the attacker domain where the hacker is located based on the log information of the edge router 106. However, the backtracking method using this log information requires a large number of intrusion detection systems and management servers, which causes the system to grow, and has a problem in that it cannot effectively track intrusions due to its large dependence on log information. . In other words, the method of managing log information about packet information in the router requires a lot of memory for the router and provides some backtracking functions, but there is a problem of low security structure and DDoS vulnerability in general.

Conventional DDoS hacking attack response technology

In order to trace back the spoofed DDoS packet, research is being actively conducted to provide a traceback function in the IP layer related to the network transmission process of the packet itself rather than a service-oriented traceback method centering on the TCP layer. If we classify the backtracking technology proposed so far based on the IP layer, it can be divided into proactive backtracking and reactive backtracking according to the hacking response method. Can be classified into traceback technology, management system implementation technology for packet information, special network-oriented technology, and management technology-oriented traceback method.

Proactive traceback technology uses the information already generated and collected when a hacking attack occurs, while generating the traceback path information in advance and inserting it into the packet or forwarding it to the destination in the process of transmitting the packet on the network. It is a technique to determine the origin of hacking attack. It can be divided into probabilistic packet marking (PPM) and iTrace (ICMP traceback), which provides a traceback function by transforming a traditional ICMP message.

PPM technique

In order to identify the original packet transmission path for spoofed packets, a method of inserting information that a packet is transmitted through the router itself into an IP packet by a router, which is a main element of the network, is configured for the packet transmitted on the network around the IP layer. to be. That is, the router checks the packet header information based on the IP layer and routes the packet transmitted through the Internet. At this time, the address information corresponding to the router is marked for the transformable field in the IP header and forwarded to the next router. Technique. As shown in FIG. 3, the router's own IP information is inserted into the 16-bit ID field in the IP header.

In FIG. 3, an IP datagram input to a router includes a source IP address, a destination IP address, a protocol, and a service type. In addition, version, header length, total length, identification, flag, fragmentation offset, time to live, There are items such as header checksums and options.

The information inserted at each router is passed back to the next router and finally to the victim victim system. As shown in FIG. 4, when the marked information is delivered from each router, when the hacking attack occurs later, the router information recorded in the packet corresponding to the hacking attack is reconstructed to reconstruct the actual packet transmission path.

In the process of marking the information transmitted from each router, if all the packets are marked, there is a delay for the entire network. Therefore, in general, routers sample and mark packets with a probability ρ. At this time, node sampling, edge sampling, and improved packet marking schemes are proposed according to the configuration of information marked by a router. As shown in FIG. 5, the node sampling scheme shows a process of sampling path information on which a packet is transmitted with a probability ρ and transmitting the packet to a destination.

6 is a method of not only marking its own IP address information in the packet header by the edge sampling method, but also marking and forwarding the router IP address of the front end where the packet is delivered. In the edge sampling technique, the process of reconstructing the hacking attack path is superior to the node sampling technique. The modified PPM technique includes a technique for providing a security function in the marking process by providing an authentication function for a packet marked by a router.

Problems of Existing PPM Technology

In the case of the PPM scheme, the packet information of the router is sampled with probability ρ, and the router's own IP address information is marked in the message header and transmitted to the packet destination. In other words, the router selects and transmits packets with probability ρ, and a large number of marked packets are required to reconstruct the source path for the DDoS attack. If the edge information or node information in a specific router is delivered without being marked, it may be found that a complete attack path cannot be reconstructed with the remaining marked information. An algorithm is used to mark at least one node or edge information. At least 8 packets must be selected and marked, which is inefficient in terms of overall efficiency.

In addition, in the case of the conventional PPM scheme, when a certain probability ρ is satisfied for a packet, hacking traffic is sent without being marked in the process of using a sampling and transmission technique. In this case, since the traceback path information is marked for general packets, a spoofed attack source cannot be reconstructed when a hacking attack such as DDoS occurs. Therefore, if the probability ρ can be actively adjusted according to the traffic characteristics of the entire network without sampling depending on the fixed type of probability ρ in the process of performing the PPM method in the router, the network load, memory, and traceback functions are compared with the conventional scheme. Better techniques can be provided.

In the conventional hash-based traceback scheme, the hash value for a packet is managed and transmitted at regular intervals. However, when the network is large in size, many problems occur in overall performance. In addition, if a hack is found through the IDS system, etc., a backtracking process is performed. Therefore, if an attack is performed on the network itself, this technique also does not work. As a result, a new method of marking the traceback information by applying the integrity / authentication function with the hash function to the packet through the router and selecting only the DDoS traffic according to the characteristics of the traffic should be presented.

In other words, the packet marking technique and iTrace technique using the existing node and edge sampling require a lot of load when the traceback reconstruction is performed in the damaged system while the management system and network load are small, and they are vulnerable to DDoS attacks. In the case of examining the IP traceback schemes presented to date, most of them have a problem of modification and additional network / system load on existing routers.

Hereinafter, the SVM will be described as a theory of the SVM module.

SVM Research

While traditional techniques are based on minimizing empirical risk, SupportVector Machine (SVM) is based on minimizing structural risk. Empirical risk minimization here refers to efforts to optimize the performance of the training group, while minimizing structural risk refers to minimizing the probability of misclassifying data with fixed but unknown probability distributions [A.C. Snoeren, C. Partridge, L.A. Sanchez, W.T. Strayer, C.E. Jones, F. Tchakountio, and S.T. Kent, "Hash-Based IP Traceback", BBN Technical Memorandum No. 1284, February 7, 2001.].

Consider the problem of linearly separable sets of learning vectors belonging to two classes. Consisting of and bias b Training data set to have a hyperplane of Represents learning to, where Is the input pattern, Becomes the target value. Transcendence Satisfies the condition of Equation (4).

Among the input patterns satisfying the condition of the equal sign in Equation (4), the patterns located closest to the decision surface are called support vectors. Conceptually, these vectors are located closest to the transcendental surface and are difficult to classify. . Thus, learning for classification is to find the optimal transcendental plane that satisfies the constraint (5). This is an optimization problem with constraints. Given the optimal parameters for the optimal transcendental plane Quadratic problem to find and b.

Here, the optimal is to have the maximum margin, and the maximum margin transcendental plane is the transcendental plane that can optimally separate the two classes. Eventually, the optimal linear separation boundary To the support vector The distance The transcendental plane that classifies the input pattern optimally can be expressed as Minimize.

The cost function in equation (6) is Is the block function of, and the constraint (5) is You can see that it is linear to. Summarizing the SVMs for the classifications described so far, the weight vector satisfying the constraint equation (5) given the learning pattern Think of it as an optimization problem that finds and bias b, where To minimize the separation gap to find the best separation surface. In order to solve this optimization problem, using the Lagrange coefficient method, the Lagrange function such as (7) Can be obtained.

At the ceremony Are Lagrangian coefficients, and the solution to the optimization problem is Are minimized for and b, Should be maximized. therefore For b The minimum of can be obtained as the derivative for each of them.

In equation (8) Lagrange function on the basic problem to find Is the objective function Q of the dual problem. ) Is expressed as in Equation (9).

The objective function of equation (9) is generally composed of terms of learning patterns in the form of quadratic programming problems. It is expressed as Therefore, considering the classification problem as the binary problem of equation (9). This is a learning pattern Given this, constraint Wow Lagrangian coefficients that maximize the objective function (9) To find. Therefore, the optimal Lagrangian coefficient maximizing the objective function equation (9) in the constraint equation (5) according to the Quadratic Programming algorithm. Find the best weight vector Can be calculated by equation (8), and the optimal bias b can be calculated from the support vector. The equation for the weight vector and the bias is shown in equation (10).

here and Are the support vectors that satisfy the condition of equation (11).

At this time, it can be seen that the equation (12) has a linear crystal plane by arranging the classification formula by the SVM.

here of If it is positive, it is +1, otherwise it is -1. However, a nonnegative scalar variable can be used to construct a generalized transcendental surface that can classify problems that are not linearly classifiable. You will have Is a slack variable as a measure of error associated with the wrong classification. Thus slack variables for cases that cannot be classified Constraints, including, can be obtained by changing Eq. (5) to Eq. (13) [Tatsuya Baba, Shigeyuki Matsuda, "Tracing Network Attacks to Their Sources," IEEE Internet Computing, pp. 20-26, March, 2002.]

Weight vector that satisfies the constraint And slack variables Cost function including Can be expressed as Equation (14).

C is a parameter having a positive value that controls the correlation between the learning error and generalization. By testing various variables with the parameter C value used to test the method proposed in this paper, we set the value with the optimal learning error. The kernel functions of SVM are dot, polynomial and RBF kernel functions.

Support Vector Machine Overview

Existing traditional techniques for pattern recognition are based on minimizing empirical risk, while SVM is based on minimizing structural risk. Here, minimizing empirical risk refers to efforts to optimize the performance of the training group, while minimizing structural risk refers to minimizing the probability of misclassifying data with fixed but unknown probability distributions.

The advantage of SVM is that it first has the ability to collect the information contained in the training group and uses a relatively low spatial decision plane group. In the case where the pattern group is linear and separable, SVM classifies the input patterns into two classes, +1 and -1, through teacher learning. When the training group S is divided into two classes, a hyperplane that separates training patterns included in each class is determined. Transcendence refers to a cutting plane that separates each group. In this case, the input patterns for determining the transcendental plane are called support vectors.

When the pattern group is separable, the distance (margin) from the transcendental plane to the Support Vector is maximized, and all Support Vectors are located at the same minimum distance from the transcendental plane. In practice, however, pattern groups are rarely separated linearly, so the two classes will often be impossible to separate linearly. The transcendental plane and the support vector at this time are obtained from the solution of the optimal problem with constraints.

The optimal solution has a trade-off between maximizing the margin (the distance between each class's Support Vector) and minimizing the number of errors, which is adjusted by normalized parameters.

Support Vector Machine for Classification

Learn the basic concepts for classification through SVM. If training data Given is, Belongs to one of two classes, Acts as a label that represents the class. SVM maximizes the distance between the separation boundary and the point closest to the separation boundary to find the optimal separation boundary that separates each class. The optimal linear separation boundary To the Support Vector, The distance It can be represented by. SVM Find the optimal separation surface by minimizing the maximum separation interval. This problem becomes the following block optimization problem.

Dual problem with this Lagendra multiple becomes the Quadratic problem below.

For overlapping patterns that cannot be completely distinguished by linear dividing boundaries, the slack variable ( ). Equation (15) is expressed as the following model.

Of the above formula (17) in This means that all patterns can be completely separated. However, most patterns are not linearly separable. Therefore, in order to separate the nonlinear pattern, the input space of the nonlinear pattern is converted into the feature space of the linear pattern.

In other words, Kernel function If we define, the model for separating the nonlinear patterns is expressed as follows from equations (15), (16) and (17).

Where C is the Penalty parameter in equation (17). In the model above, the Lagrange multiple i can be found below (19), which is the flattest function in the feature space.

Support Vector Machine (SVM) is a learning algorithm developed and proposed by Vapnik in 1995. It was originally developed for binary classification and is now successfully applied in various fields such as bioinformatics, character recognition, handwriting recognition, face and object recognition.

The binary classification problem is a process of estimating the target function for classifying two classes using the collected training data. The classifier thus estimated must have good generalization performance to produce correct results even for new data samples not used in the training process.

As shown in FIG. 7, the SVM prevents overfitting by selecting a specific hyperplane among a hyperplane capable of dividing data in a feature space. SVM finds the hyperplane, or maximum margin hyperplane, that maximizes the minimum distance from the hyperplane to the nearest training point. Only the training sample lying close to the decision boundary between the two classes, called the support vector, has a non-zero weight. The larger the margin, the distance between the hyperplanes containing the support vector, the better the classification performance. Based on the hyperplanes found, tests are performed to obtain classification results. That is, in the case of binary classification, SVM is explained by the following equation.

The example of FIG. 7 is a case of linearly separable data sets, which can be classified very easily. However, since most classification problems have a non-linear distribution, a serious problem arises in generalization. To solve this problem, some non-linearly separable classification problems can be solved through the soft margin classifier which introduces the concept of slack variable and penalty function. C is a trade off for model complexity as a variable that penalizes non-separable data. That is, as C increases, the learned machine tends to provide a solution that constitutes the optimal hyperplane, and when C converges to zero, it provides the effect of optimizing the margin maximization term, resulting in a term that minimizes misclassification errors. Doesn't put too much emphasis on this, which creates an SVM classifier with a very large margin width.

In general, the linear boundary used previously is not suitable for classifying input vectors. In this case, the SVM transforms the input vector x into a vector in a higher dimensional feature space and transforms the SVM into a problem of finding a linear boundary. The conversion from input space to feature space generally uses non-linear mapping. In this case, when some conditions are satisfied by Cover's Theorem, there is a high probability that non-linearly separable problems will be converted into linear problems in feature space. High is known. Non-linear mapping functions used to transform into high dimensional feature spaces are generally known to be possible for functions that satisfy Mercer's theorem.These functions include degree q polynomials, radial basis functions, and two-layer perceptrons. have. SVM supports kernels of linear, polynomial and radial based functions to support this. The selection of the most appropriate kernel and its parameters among these kernels has a very important effect on the performance of classification using SVM.

Pros and cons of applying SVM for DDoS attack detection

In the existing technique, the learning machine method is to learn by the given training data and to derive the correct answer when new data is used as input. Machine learning based on an empirical data set has a problem that it may not effectively reflect the distribution of the objective function to be estimated due to the limitation of finite data.

Therefore, the typical neural network technique among machine learning shows many problems in generalization process, and the process of setting various parameters that have a significant effect on the performance of the system does not go through an analytical process. The problem arises because it uses a method that depends on the problem, and in some cases presents a different solution depending on the problem environment.

An object of the present invention is to provide a method for detecting hidden channels present in a TCP / IP header field through an SVM and marking a packet.

According to an embodiment of the present invention for achieving the above object, in a communication system that is selectively connected to a plurality of partner networks and a plurality of routers, respectively, a first for inspecting the bandwidth of the traffic for the packets entering the router step; A second step of determining whether it is a congestion signature corresponding to an attack type, that is, whether a large amount of packets are generated in a short time when it arrives more than a predetermined time; If it is determined that a large amount of packets are generated in a short time, a third step of analyzing the SVM-based traffic pattern through the SVM module; Determining, by the SVM module, whether the attack packet is an attack packet and, if the attack packet is an attack packet, marking a pushback field for the packet; A fifth step of marking the packet; A sixth step of transmitting the marked packet to the router of the previous unit by the output queue of the router; in the second step, if the bandwidth condition is not satisfied, that is, if a large amount of packets are not generated, the pushback field is generated. Determining a seventh step; When the pushback field is marked in the seventh step, the packet marking step of the fifth step is performed, and when the pushback field is not marked, the sixth step is performed. Source traceback methods applied are provided.

Preferably, in the marking step, the IP datagram of the packet input to the router is marked by defining a pushback flag (PF) and a congestion flag (CF) for two bits that are not currently used in the packet TOS field. In the case of RFC2474, when congestion occurs in a network, it is characterized by setting to 1 and marking.

According to another aspect of the present invention, a communication system selectively connected to a plurality of partner networks and a plurality of routers, respectively, comprising: a preprocessing module for preprocessing individual TCP / IP packets input through an input port; In addition to performing SVM learning on preprocessed data, it checks the bandwidth of traffic for incoming packets, and if it arrives above a certain amount, it determines whether it is a congestion signature corresponding to the attack type, that is, whether a large amount of packets occurred in a short time. The SVM module analyzes an SVM-based traffic pattern when it is determined that a large amount of packets are generated in a short time, and determines whether the packet is an attack packet; And a marking module for marking a pushback field for the corresponding packet and transmitting the marked packet to the forwarding unit of the router when the packet is determined to be an attack packet by the SVM module. The router which applied this is provided.

Preferably, the marking module determines whether the pushback field is marked when a large amount of packets are not generated, and marks the packet when the pushback field is marked, and marks the packet when the pushback field is not marked. It is characterized by transmitting as a packet.

Preferably, the preprocessing module is characterized by using only one packet.

Also preferably, the preprocessing module may preprocess the time delay between packets by sliding a plurality of TCP / IP packets one by one in a detection scheme considering a correlation with the packets.

1 is a network diagram illustrating a method for blocking an attacker of a router according to the prior art.

2 is a block diagram of an attacker traceback method using the log information of the ground router according to the prior art.

3 is a diagram illustrating an IP header form in a conventional PPM.

4 is a diagram illustrating a technique structure of a conventional PPM.

5 illustrates a conventional node sampling based PPM technique.

6 illustrates a conventional edge sampling based PPM technique.

7 is a diagram illustrating a classification using a conventionally known SVM.

8 is a diagram illustrating a detection method 1 through SVM learning according to the present invention.

9 is a diagram illustrating a detection method 2 through SVM learning according to the present invention.

10 is a diagram illustrating a router-based DDoS source backtracking flowchart according to the present invention.

FIG. 11 is a diagram illustrating a packet marking field in a source traceback method using an SMB based packet marking technique according to the present invention.

12 is a diagram illustrating a packet marking structure in a source traceback method using an SMB-based packet marking technique.

FIG. 13 is a diagram illustrating a router and an attack path in a source traceback method using an SMB-based packet marking technique.

FIG. 14 is a diagram illustrating an ns-2 based experimental environment construction network of a source backtracking method using an SMB based packet marking technique according to the present invention.

FIG. 15 is a diagram illustrating ns-2 based DDoS simulation in a source traceback method using an SMB based packet marking technique according to the present invention.

16 is a diagram illustrating traffic in a conventional PPM scheme.

FIG. 17 is a diagram illustrating traffic in a source backtracking method using an SMB-based packet marking scheme according to the present invention.

* Explanation of symbols for main parts of the drawing

1001: preprocessing module 1002: SVM module

1004: marking module

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings.

The present invention proposes two methods of learning SVM to detect hidden channel or attack packet present in TCP / IP header field. First, as a general learning method, an SVM module which preprocesses individual TCP / IP packets inputted through an input port at an arbitrary router R through the preprocessing module 1001 and performs SVM learning on the preprocessed data, 1002) is shown as shown in FIG. 8 (a hidden channel or attack packet detection method 1 through SVM learning). This method considers a single packet as input data of the SVM.

Reference numeral 1004 denotes a marking module which is one feature of the present invention. The function of the marking module 1004 will be described later.

However, since this method is trained using the characteristics of a single packet without considering the correlation between packets, the detection result is expected to be closely influenced only by the features used in the preprocessing. Therefore, instead of using only one packet, SVM learning is performed after preprocessing the time delay between the preprocessing module 1001 by sliding several TCP / IP packets one by one in succession. An SVM module 1002 that performs and processes it is shown in FIG. 9.

This packet sliding technique is due to the fact that the data hidden in the hidden channel and the inherent characteristics of the packet carrying the data are different from the ordinary packet. That is, data concealed and delivered in the hidden channel can be assumed to have correlations between data. Therefore, if several consecutive packets are considered as a learning input unit, it is expected to have higher performance in concealment channel detection.

The SVM learning scheme considering the time correlation between packets may be proposed (detection scheme 2 through SVM learning) as shown in FIG. 9.

Reference numeral 1004 denotes a marking module which is one feature of the present invention. The function of the marking module 1004 will be described later.

Packet Marking-based Traceback for DDoS Attacks

Traceback Structure with Puchback

The network can be defined by a graph G = (V, E) consisting of node set V and edge set E. Again, the network node set V can be divided into routers corresponding to end systems and internal nodes. An edge corresponds to a physical connection to nodes in the V set. We define S SUBSET V as an attacker and t IN V / S as a victim system.

if In this case, it means a hacking attack by a single attacker and the attack path information. In this case, it means the attack path transmitted through d routers from the attack system s to the damage system t. Let N be the number of packets delivered. Link information for the router in the packet If there is a field that can mark, the probability ρ is sampled and passed. With respect to the packet, the router can select the packet with a certain probability and transmit the information about the edge and the distance information about the router in the packet.

In the conventional scheme, a packet is selected with a random probability ρ and marked with the link information of the router. If nodes on the network If it is marked at, the probability that it will be delivered without being remarked by another router. The calculation is as follows.

Thus the probability Means the probability that the packet information corresponding to the attacker is delivered to the victim system without being remarked by another router. Eventually in the damage system In order to increase the value, the value of ρ must be increased, which means that the marking process must be frequently performed at the router, and thus, the conventional technique degrades the network performance.

The technique proposed in the present invention performs a marking process for packets when abnormal traffic is found by the SVM module 1002 without sampling and marking packets with a random probability ρ at the router R. Of course, unlike the conventional ACC method, if an abnormal traffic is found, the packet is processed while the pushback message is not recursively delivered to the upper router. After receiving the pushback message, the upper router recognizes the hacking traffic characteristics included in the message and similarly performs the marking process with two router addresses in its own router and delivers it to the destination. The packet determination and marking processing method according to the router structure of the present invention is shown in FIG.

According to FIG. 10, when the bandwidth of the traffic is checked for a packet entering the router R (S2), when the packet arrives at a predetermined level or more, it is determined whether the signature corresponds to a congestion signature (S4). That is, when it is determined that a large amount of packets occurred in a short time in step S2, the SVM-based traffic pattern is analyzed through the SVM module 1002 (S6). Thereafter, the SVM module determines whether the attack packet is present (S8), and then, generates a pushback message for the corresponding packet (S10). This process may be referred to as a pushback field marking process (see FIG. 11). The pushback message for that packet generated in this step is updated or added as a parameter in the SVM module 1002. After the step S10, a process of marking a packet is performed (S12). Thereafter, this causes the output queue of the router to be transmitted to the previous unit router (S14).

If the bandwidth condition is not satisfied in the step S4, the process of checking whether there is information previously transmitted from the neighbor routers through the pushback message, that is, the process of determining whether the pushback field is marked (S20). If the pushback field is marked, the marking process for the packet is performed as in step S12. If the pushback field in step S20 is not marked, S14 is performed, which is regarded as general traffic and forwarded to the next router. The step S20 is performed again even when it is determined in step S8 that the packet is not an attack packet by the SVM module.

Hereinafter, a backtracking marking technique using pushback will be described in more detail.

Traceback Marking Technique with Pushback

(1) packet header marking field

router IP address Let's say And IP packets arriving at When I say 24 bits to store the marking information in the header Let's say

- router : Router's IP address:

- router Packets arrived at: Modifiable header 24 bits in the packet: packet in 11 is composed of 8 bits of the type of service (TOS) field and 16 bits of the ID field. In case of TOS field, only the current field is defined and not actually used. Therefore, using the TOS field value does not affect the entire network.

In the current TOS field, the upper 3 bits are set as priority bits, and the next 3 bits are defined as the minimum delay, maximum performance, and reliability fields, but are not currently used. Recently, however, according to RFC2474, it is redefined as a differential service field (DS field). Only the upper 6 bits of the 8 bits of the TOS are used and the lower 2 bits are not used. Therefore, in the present invention, two bits not currently used in the TOS field are defined as a pushback flag (PF) and a congestion flag (CF). Especially in case of CF, RFC2474 is defined to be set to 1 when congestion occurs in the network.

(2) Marking structure using TTL information

24-bit About information router IP address for The process of marking a value in a packet header is as follows.

Router for marking 24bit information that can be marked in packet when abnormal traffic occurs through pushback process Your IP address Level router by push and pushback IP address Mark the packet. In order to mark two router address values within 24 bits, a hash value for the router is applied to mark an address value that also provides authentication.

The TTL (time to live) field of every packet is composed of 8-bit information and is generally set to 255 when the packet is transmitted. In the process transmitted by the router, the TTL value is decremented by 1 and finally delivered to the destination.

The current TTL value is used for the purpose of securing the bandwidth in packet transmission on the network and controlling packets not arriving at the destination. Existing researches do not use TTL values, but have a separate hop counter field to calculate the distance information of a packet. However, in the present invention the router Some information is used in the TTL value of the packet arriving at the packet marking process.

Specifically, because routers typically have a network hop distance of up to 32 in 8-bit TTL fields, routers Arrived at The distance information over which a packet is transmitted can be calculated using only 6 bits of lower TTL field. Ie packet Extracts the lower 6 bit information from the TTL field and TOS 6-bit field of the packet Store in

The value indicates the distance information that the current packet was delivered from the attacking system. Compare the value of the packet to the router Distance information transmitted from can also be calculated.

(3) Marking Traceback Paths in Routers

If you are notified that the abnormal traffic has occurred through the SVM module 1002, the router Is a packet corresponding to a congestion signature contained in a pushback message. Perform the marking process for.

First, since we received a pushback message, set the PF field in the TOS field to 1. And the current packet For TTL field 8 bits in Compute the value and store it in 6 bits of the TOS field. And router Address And calculated before Hash Function on Value To compute an 8-bit hash value and replace it with the first 8 bits of the ID field. Mark on The marked packet is the next router in the routing path that corresponds to the packet's destination address. Is passed to.

Now router Is the PF field value of the packet. Is set to 1, it corresponds to the 6 bits of the TOS field in the packet. Minus 1 and router IP address Likewise, by applying a hash function Mark on

After the marking process, the CF field value is set to 1 and transmitted to the next router. If the PF field value and CF field value are set to 1, the next router is marked by the previous router. Do not carry out the process.

Traceback Reconstruction

(1) DDoS attack packet traceback

The victim system V reconfigures the DDoS attack path for the packets transmitted through the network. Suppose that the DDoS attack was performed in S1, S2, and S3 as shown in FIG. Router against attack packets , And Marked the router's own IP information in the packet header 24-bit information and the TTL field 6-bit information in the packet. In case of a DDoS attack, the victim system performs the path traceback process on the packets that arrive.

First, the packet that arrived at the victim system V Define it as a set. A value is a set of packets corresponding to a DDoS attack, and represents a set of packets marked and forwarded by a router in the set. Let's say

Set of packets arriving at the victim system in The way to distinguish the values is to use any packet among the TOS field values in the packet as shown below. Corresponds to the packet PF field in And CF fields The process of selecting a packet in which a part is set is performed.

That is, packets marked in the victim system Any packet corresponding to an element of 8-bit TTL value for Information packetized in the TOS field. Packet against the value Hop distance transmitted after traffic has been marked from the router Can be calculated as

if If it is, it is marked by the router right in front of the victim. However, since the technique proposed in the present invention is associated with the pushback technique, The traceback reconstruction process can be performed directly on the incoming packet.

(2) DDoS attack path reconstruction

Packet that satisfies Is a router that is within two hops distance from the front of the victim. And This means that the packet is marked by. Ie packet Is a router directly connected to the victim system. Any router that is 2 hops away Because it was marked by The value is 2. Thus packet Router with 2 hop distance first Can be determined as follows.

Of course packet Is the router corresponding to the damage system and hop distance 1 Marked by can also be verified in the following manner.

now To satisfy Repeating the above process for DDoS attack packet set Can reconstruct the actual attack path through which the packet was delivered.

Applying the technique proposed in the present invention to the network structure as shown in Figure 13 can be obtained as follows DDoS attack path AP for the damage system.

Through this process, the router can perform network control by applying modified pushback technology while monitoring and determining traffic on the network through the ACC module, and improved to trace back the DDoS hacking path. Packet marking techniques can also be used to provide backtracking for spoofed packets to reconfigure the origin for attackers. Also, by applying hash method, we provided the verification structure of marking information by attacker.

Performance analysis of the proposed technique

1. Experiment Results

In order to evaluate the performance of the proposed technique, we analyzed the performance using ns-2 simulator in Linux environment. The network as shown in FIG. 14 was configured and simulated to perform a DDoS attack on nodes 0, 1 and 2 as shown in FIG. 15.

As a result of the experiment, the conventional packet marking technique is a method of sampling and marking the probability ρ at each router for a DDoS attack as shown in FIG. 16, so that the total number of marked packets (blue line: v1.tr) is marked by DDoS traffic (red line: r0. You can see that it is generated in proportion to tr). In the case of the scheme proposed by the present invention, as shown in FIG. 17, the number of marked packets is reduced by about 25% because the marking process for the DDoS traffic is performed by applying the pushback technique.

Since the scheme proposed in the present invention operates in a manner similar to the conventional PPM scheme, the management load is small, and since the router's identification and control function is applied to the router, the load of the entire network is generated when a hacking attack such as DDoS occurs. It offers the advantage of reducing the cost. In addition, in the conventional PPM scheme, a marking process is performed by selecting a packet with a random probability p. However, the scheme proposed in the present invention uses the TTL field value to mark the route information. This can reduce the number of packets.

Therefore, the bandwidth of the entire network can be improved and the path to the source of the DDoS attack can be reconfigured even with a small number of marking packets. Path reconfiguration has the effect of reconfiguring the source path with only n traceback messages when passing through n routers in the network.

Claims (6)

In a communication system selectively connected to a plurality of partner networks and a plurality of routers, respectively, Checking the bandwidth of the traffic against the packet entering the router; A second step of determining whether it is a congestion signature corresponding to an attack type, that is, whether a large amount of packets are generated in a short time when it arrives more than a predetermined time; If it is determined that a large amount of packets are generated in a short time, a third step of analyzing the SVM-based traffic pattern through the SVM module; Determining, by the SVM module, whether the attack packet is an attack packet and, if the attack packet is an attack packet, marking a pushback field for the packet; A fifth step of marking the packet; A sixth step of causing the router to output the marked packet to the previous unit router; Determining whether the pushback field is marked if the bandwidth condition is not satisfied in the second step, that is, if a large amount of packets are not generated; When the pushback field is marked in the seventh step, the packet marking step of the fifth step is performed, and when the pushback field is not marked, the sixth step is performed. Source traceback method applied. The method of claim 1, wherein the marking is performed by marking an IP datagram of a packet input to a router by defining a pushback flag (PF) and a congestion flag (CF) for two bits that are not currently used in the packet TOS field. In case of CF, the origin traceback method using SVM-based packet marking technique, which is set to 1 when congestion occurs in the network even in RFC2474. In a communication system selectively connected to a plurality of partner networks and a plurality of routers, respectively, A preprocessing module for preprocessing individual TCP / IP packets input through an input port; In addition to performing SVM learning on preprocessed data, it checks the bandwidth of traffic for incoming packets, and if it arrives above a certain amount, it determines whether it is a congestion signature corresponding to the attack type, that is, whether a large amount of packets occurred in a short time. The SVM module analyzes an SVM-based traffic pattern when it is determined that a large amount of packets are generated in a short time, and determines whether the packet is an attack packet; If the SVM module is determined to be an attack packet, the SVM-based packet marking scheme comprises a marking module for marking a pushback field for the corresponding packet and transmitting the marked packet to the router of an output unit of the router. Router applied. 4. The method of claim 3, wherein the marking module determines whether the pushback field is marked when a large amount of packets are not generated, and marks the packet when the pushback field is marked, and the corresponding packet when the pushback field is not marked. Router applying SVM-based packet marking scheme, characterized in that the packet is transmitted as a normal packet. 4. The router according to claim 3, wherein the preprocessing module uses only one packet. The method of claim 3, wherein the preprocessing module applies a SVM-based packet marking technique to preprocess the time delay between packets by sliding a plurality of TCP / IP packets one by one in a detection scheme considering a correlation with packets. router.