KR20150088047A - METHOD FOR GENERATING REPUTATION BASED ON CONNECTION TIME FOR DDoS DEFENSE - Google Patents


Info

Publication number: KR20150088047A
Application number: KR1020140008396A
Authority: KR (South Korea)
Other languages: Korean (ko)
Inventor: 김혁준
Original Assignee: (주)나루씨큐리티
Prior art keywords: reputation, visitor, ddos, present, web
Priority date: 2014-01-23
Filing date: 2014-01-23
Publication date: 2015-07-31

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L 63/00
    • H04L 2463/144 Detection or countermeasures against botnets

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a method for generating a reputation based on connection time, and to a DDoS defense method and system using it. The system analyzes the web access behaviour of each website visitor over a certain period, calculates a reputation value for each visitor, and either distributes resources to visitors according to their reputation values or detects a DDoS attacker from them. According to an embodiment of the present invention, a DDoS attack can be blocked on the basis of a reputation built from web connection profiling, even when the attack does not use malicious code.

Description

TECHNICAL FIELD [0001] The present invention relates to a method for generating a reputation based on access time, and to a DDoS protection method and system using the same.

More specifically, the present invention relates to a DDoS protection method and system.

Recent DDoS attacks differ greatly from earlier ones. Earlier attacks created zombie PCs by infecting them with malicious code, and the attacker then launched a denial-of-service attack using malicious code written for that purpose. A recent attack, by contrast, installs no attacking agent: instead, the attacker compromises a web site visited by a large number of ordinary users and inserts an attack script into it. The browsers of ordinary users, who have no intention of attacking, then carry out a denial-of-service attack against the target site while those users browse the web.

Because these attacks use no malicious code, no signature exists for them. And because the attack is carried out through a service used by many users, it cannot be blocked by existing defense methods.

A problem to be solved by the present invention is to provide a method for generating a connection-time-based reputation for DDoS response, and a DDoS protection method and system using the same.

The system according to an embodiment of the present invention analyzes the web access behaviour of each web site visitor for a predetermined time, calculates the reputation value of each visitor, and distributes resources to the visitor based on that reputation value, or detects a DDoS attacker based on the reputation value of each visitor.

According to the embodiment of the present invention, a DDoS attack can be blocked on the basis of a reputation built from web connection profiling, even when the attack uses no malicious code, has no signature, and is carried out through a service used by many users.

FIG. 1 is a graph showing the web visitor status of the A site, and FIG. 2 is a graph showing the web visitor status of the B site.
FIG. 3 is a view for explaining a method of generating a reputation according to an embodiment of the present invention.
FIG. 4 is a diagram illustrating a time-based reputation algorithm verification program according to an embodiment of the present invention.
FIGS. 5 to 8 illustrate graphical representations of reputation by web connection behaviour according to an embodiment of the present invention.
FIG. 9 is a view showing a reputation graph for each visitor according to an embodiment of the present invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art can easily carry out the present invention. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. In order to clearly illustrate the present invention, parts not related to the description are omitted, and similar parts are denoted by like reference characters throughout the specification.

Throughout the specification, when an element is referred to as "comprising" another element, it means that it can include other elements as well, without excluding them, unless specifically stated otherwise.

The method and system of the present invention convert the response paradigm for denial-of-service attacks from the viewpoint of "blocking" to the viewpoint of "guaranteeing connection" for normal users, treating service priority as a matter of customer "loyalty": a customer with high loyalty is served before a customer with low loyalty.

When an IP accesses the site it acquires credits exponentially; during a period without visits its credits are deducted arithmetically, and the IP is given priority in using the service until the credits it has acquired are exhausted.

In this way, if an attack occurs against a web server that can provide N services per second, priority is given to users who have an existing relationship with it. If the maximum connection resources are exhausted by existing, transaction-related users alone, priority among them is given according to reputation value.
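The admission rule described above, written out as an added example (not code from the patent): a server with capacity N per interval ranks the interval's connection requests by the reputation of the source's C-class band, serves known bands first, and only then hands remaining slots to unknown sources in arrival order. The reputation table, the "loyal" addresses and the flood addresses below are constructed sample data; the per-band keying follows the description's later statement that reputation is kept per C-class band.

```python
from typing import Dict, List, Tuple


def band(ip: str) -> str:
    """C-class (/24) band of an IPv4 address; the description keeps reputation per band."""
    return ip.rsplit(".", 1)[0]


def admit(requests: List[str], reputation: Dict[str, float],
          capacity: int) -> Tuple[List[str], List[str]]:
    """Split one interval's connection requests into (admitted, deferred).

    requests:   source IPs of the requests that arrived in the interval, in arrival order
    reputation: band -> reputation value; bands with no entry count as 0
    capacity:   N, the number of connections the server can serve in the interval

    Sources with an existing relationship (reputation > 0) are served first, highest
    reputation first; whatever capacity remains goes to unknown sources in arrival order.
    Nobody is blocked outright: deferred requests simply wait for the next interval.
    """
    ranked = sorted(range(len(requests)),
                    key=lambda i: (-reputation.get(band(requests[i]), 0.0), i))
    admitted = [requests[i] for i in ranked[:capacity]]
    deferred = [requests[i] for i in ranked[capacity:]]
    return admitted, deferred


# Constructed reputation table: two bands with an established relationship to the site.
REPUTATION = {"203.0.113": 60.0, "198.51.100": 3.0}
LOYAL = ["203.0.113.5", "198.51.100.7", "203.0.113.8"]
# Constructed flood: 20 requests from previously unseen hosts in one /24.
FLOOD = [f"192.0.2.{i}" for i in range(1, 21)]


def normal_interval() -> Tuple[List[str], List[str]]:
    """Quiet period: capacity exceeds demand, so everyone, known or not, is admitted."""
    return admit(LOYAL + FLOOD[:1], REPUTATION, capacity=100)


def attack_interval() -> Tuple[List[str], List[str]]:
    """Flood period: the three known sources are served before any of the 20 newcomers."""
    return admit(FLOOD[:10] + LOYAL + FLOOD[10:], REPUTATION, capacity=5)


if __name__ == "__main__":
    print("normal:", normal_interval())
    print("attack:", attack_interval())
```

Note that the rule degrades gracefully: during the attack interval the known bands are served regardless of where in the arrival order they landed, and the two spare slots still go to newcomers, which is what the "guarantee of connection" paradigm in the text asks for.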

The purpose of a DDoS attack against an HTTP service is to make access difficult or impossible for normal users by violating the availability of the corresponding web server. The purpose of DDoS defense is therefore to secure the availability of the web server at the time of the attack so that normal users can still connect. To do this, it is necessary to move away from a blocking policy centred on aggressive defense and shift to a defense based on availability.

Reputation-based DDoS response is composed of behaviour-based reputation and time-based reputation, so that normal users can be distinguished from abnormal users whose behaviour does not fit the pattern over time, and the access of normal users can be guaranteed in case of a DDoS attack. For sites with a constant customer base of access IPs, an effective DDoS defense system can be built by constructing a time-based reputation; the structural design for building such a defense system is specified below.

FIG. 1 is a graph showing the web visitor status of the A site, and FIG. 2 is a graph showing the web visitor status of the B site.

Referring to FIGS. 1 and 2, web connection behavior profiling is described.

Web access behaviour profiling analyzes the web logs collected over a certain period and obtains the IP distribution of the users of the defended web sites.

For example, with a sample analyzer, the logs of two organizations whose log collection periods were 74 days and 144 days (differing by about a factor of two) can be analyzed to characterize the connection behaviour of the respective institution.

Referring to FIGS. 1 and 2, of the IPs analyzed for sessions that returned a 200 OK code, that is, HTTP connections that normally reached the corresponding web server during the analysis period, only 3% or less appear more than 10 times. For example, counting IPs by number of consecutive access days on the A site, the figure is 10.64% or more of all visitors; on the B site, counting IPs by number of consecutive accesses, the figure is 10.78 or more, which is 2.78%.

In this way, if web access behaviour profiling shows that the number of accesses to the web site is relatively constant, the DDoS defense system can judge the web site to be suitable for detecting DDoS attacks by applying time-based reputation (Temporal Reputation).
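The profiling step just described, as an added example that is not part of the patent: it parses web server access lines in the common "combined" format, keeps for each IP the calendar days on which it received a 200 OK response, and produces the distribution the text talks about (how many IPs visited on how many distinct days, and how long their longest run of consecutive days was). The log lines are constructed sample data using documentation address ranges; the "returning share" statistic and its name are this example's own choice of summary, not a metric the page defines.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample of Apache/nginx "combined" access log lines (not a real log).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Oct/2014:09:12:01 +0900] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Oct/2014:09:15:44 +0900] "GET /news HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Oct/2014:08:59:10 +0900] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Oct/2014:17:01:10 +0900] "GET /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Oct/2014:11:00:00 +0900] "GET / HTTP/1.1" 200 512 "-" "curl/7.35"
198.51.100.7 - - [05/Oct/2014:11:00:00 +0900] "GET / HTTP/1.1" 200 512 "-" "curl/7.35"
198.51.100.9 - - [04/Oct/2014:22:10:00 +0900] "GET /missing HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.0.2.33 - - [04/Oct/2014:22:11:00 +0900] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# client IP, identd, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]*\] "[^"]*" (?P<status>\d{3})')


def parse_line(line: str) -> Optional[Tuple[str, datetime.date, int]]:
    """Return (ip, calendar day, status) for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    day = datetime.strptime(m.group("day"), "%d/%b/%Y").date()
    return m.group("ip"), day, int(m.group("status"))


def profile_log(lines: List[str]) -> Dict[str, list]:
    """Map each IP to the sorted list of days on which it received at least one 200 OK.

    Only successful sessions count, mirroring the text's use of the 200 OK return code;
    an IP that only ever produced errors is not a visitor for profiling purposes.
    """
    days_by_ip: Dict[str, set] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, day, status = parsed
        if status == 200:
            days_by_ip.setdefault(ip, set()).add(day)
    return {ip: sorted(days) for ip, days in days_by_ip.items()}


def longest_consecutive_run(days: list) -> int:
    """Length of the longest run of consecutive calendar days in a sorted day list."""
    best = run = 1 if days else 0
    for prev, cur in zip(days, days[1:]):
        run = run + 1 if cur - prev == timedelta(days=1) else 1
        best = max(best, run)
    return best


def summarize(profiles: Dict[str, list]) -> dict:
    """The distribution the profiling step produces for one site."""
    visitors = len(profiles)
    returning = sum(1 for days in profiles.values() if len(days) >= 2)
    return {
        "visitors": visitors,
        "days_histogram": Counter(len(days) for days in profiles.values()),
        "run_histogram": Counter(longest_consecutive_run(d) for d in profiles.values()),
        "returning_share": returning / visitors if visitors else 0.0,
    }


if __name__ == "__main__":
    print(summarize(profile_log(SAMPLE_LOG.splitlines())))
```

Run over real logs, the two histograms are what FIG. 1 and FIG. 2 plot: a site whose visitors cluster at high day counts and long runs has the stable IP-based customer base the text requires before time-based reputation is worth applying.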

If the analysis judges the web site to be one on which DDoS detection based on time-based reputation can be performed, the DDoS defense system derives optimal parameters through simulations using the reputation generation algorithm.

The purpose of the reputation configuration algorithm is to generate a list that minimizes user intervention. To this end, an exponential incentive is given to a continuous user and the reputation value of a visitor who stops visiting is reduced, yielding an effective structure for generating and managing the list.

FIG. 3 is a view for explaining a method of generating a reputation according to an embodiment of the present invention.

Referring to FIG. 3, the Level 2 Data Flow Diagram (DFD) for reputation generation proceeds as follows.

The system collects the access logs of each institution web server.

The system converts the logs collected by the ESM collector into records of the form {institution code | date | IP | form} and sends them to the reputation creation server.

The system uses the reputation generation algorithm to generate information of the form {institution code | date | access IP | reputation value}. Alternatively, the system can generate reputation values through database operations.

The system transmits visualization information and web menu information.

The reputation generation method can be performed as follows. The weights, such as the time, the number of times and the score, may be varied in the design.

The system can generate the reputation of each institution collectively through a nightly batch job once a day.

The system can save the last 90 days of reputation in the history management database.

The system may grant an exponential incentive to a consecutive visitor, identified by the C-class band of the connecting IP.

The system can treat an IP that connects more than once in a day as a single continuous visit for that day.

The system can deduct a certain number of points from a user who has not connected for more than 5 days, for example one point per day.

The system sets a reputation maximum, for example 60 (at most about 2 months of visitor memory). The deduction value of 1, the maximum value of 60, the 90-day history and the 5-day grace period can all be reflected in the policy settings as variables.

The reputation can be calculated as shown in Equation (1).

[Equation (1): image pat00001, not reproduced]

Here Vr' is the updated reputation value of the particular IP, Vr is the existing reputation value, and x is the continuous connection value (5 for 5 consecutive visits).

Values such as 0.5 and 0.6 are used in the reputation configuration to control how quickly reputation is acquired through continuous connection. For example, Equation (1) can be set up so that the maximum reputation value is received after 7 consecutive days of connection.

Equation (1) is a formula for reaching the maximum reputation value after 7 consecutive days of connection; its variable is chosen so that one IP reaches the maximum value over 7 consecutive visits within the 5-day continuity period, and the rate of incentive can be adjusted by controlling the exponent constant according to the site's policy.

FIG. 4 is a diagram illustrating a time-based reputation algorithm verification program according to an embodiment of the present invention.

FIGS. 5 to 8 illustrate graphical representations of reputation by web connection behavior according to an embodiment of the present invention.

FIG. 5 shows the reputation value of an IP showing continuous connection behaviour. The bar graph shows the visitor's number of consecutive visits, and the green line graph indicates the reputation value. The graph of FIG. 5 is the reputation of a persistent visitor.

FIG. 6 shows that when connections gradually decrease after an initially continuous period, the number of connection days falls while still within the range the reputation remembers, and the reputation value tends to decrease gradually. The graph of FIG. 6 is the reputation of a diminishing visitor.

FIG. 7 shows a case of intensive connection behaviour over a certain period. The maximum reputation value of 60 is obtained even though no reconnection is attempted for a long period afterwards; during the period in which no connection is made, however, the reputation value gradually decreases. The graph of FIG. 7 is the reputation of a short-term intensive visitor.

FIG. 8 shows that when continuous connection exceeds the continuous connection allowance period (set to 5 days in this program) and continues further, the reputation value is added to the list (when it is greater than 1) and is not divided according to the connection frequency. The graph of FIG. 8 is the reputation of a consecutive visitor who has exceeded the allowed consecutive connection period.
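The following is an added example, not the patent's own code, covering three passages above: the reputation generation steps (nightly batch, per-C-class-band continuity, one visit per day, deduction of one point per day after 5 absent days, maximum 60, 90-day history), the Equation (1) discussion, and the visitor patterns of FIGS. 5 to 8. Because the page does not reproduce Equation (1) itself, the exponential incentive used here is an assumption: 0.5 × 2^(x−1) per consecutive day x, chosen so that the 0.5 constant the text mentions appears and the cap of 60 is reached on the seventh consecutive day (0.5+1+2+4+8+16+32 = 63.5 > 60). The `simulate` helper, the `ReputationStore` class and the visit patterns are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

MAX_REPUTATION = 60      # cap from the description (about two months of visitor memory)
GRACE_DAYS = 5           # absence tolerated before deduction starts
DAILY_DEDUCTION = 1      # points removed for each further absent day (arithmetic decay)
HISTORY_DAYS = 90        # reputation history retained per band
MAX_STREAK = 7           # the cap is reached after seven consecutive visit days
BASE_INCENTIVE = 0.5     # the 0.5 constant the text mentions; its exact role here is assumed
EXPONENT_BASE = 2.0      # assumed exponent constant; the patent's Equation (1) is not on the page


def band(ip: str) -> str:
    """C-class (/24) band an IP belongs to; reputation is kept per band, not per host."""
    return ip.rsplit(".", 1)[0]


def incentive(streak: int) -> float:
    """Assumed exponential incentive: 0.5, 1, 2, 4, 8, 16, 32 for streaks 1..7 (then flat)."""
    return BASE_INCENTIVE * EXPONENT_BASE ** (min(streak, MAX_STREAK) - 1)


@dataclass
class Record:
    value: float = 0.0
    streak: int = 0
    last_seen: Optional[date] = None
    history: Dict[date, float] = field(default_factory=dict)   # date -> value after batch


class ReputationStore:
    """In-memory stand-in for the reputation server and its history database."""

    def __init__(self) -> None:
        self.records: Dict[str, Record] = {}

    def nightly_batch(self, day: date, visitors: List[str]) -> None:
        """One nightly run over the access IPs logged on `day`.

        Several hits from one band in a day count as a single visit; a band seen on
        consecutive days gains the exponential incentive, an absent band decays once
        it has been away for more than GRACE_DAYS, and history older than
        HISTORY_DAYS is dropped.
        """
        seen = {band(ip) for ip in visitors}
        for b in seen:
            rec = self.records.setdefault(b, Record())
            rec.streak = rec.streak + 1 if rec.last_seen == day - timedelta(days=1) else 1
            rec.value = min(MAX_REPUTATION, rec.value + incentive(rec.streak))
            rec.last_seen = day
        for b, rec in self.records.items():
            if b not in seen and (day - rec.last_seen).days > GRACE_DAYS:
                rec.value = max(0.0, rec.value - DAILY_DEDUCTION)
            rec.history[day] = rec.value
            cutoff = day - timedelta(days=HISTORY_DAYS)
            for old in [d for d in rec.history if d <= cutoff]:
                del rec.history[old]

    def reputation(self, ip: str) -> float:
        rec = self.records.get(band(ip))
        return rec.value if rec else 0.0


def simulate(visits: List[bool], ip: str = "203.0.113.5",
             start: date = date(2014, 1, 1)) -> List[float]:
    """Run the nightly batch over a constructed daily visit pattern; return reputation per day."""
    store = ReputationStore()
    values = []
    for i, visited in enumerate(visits):
        # two hits on a visit day show that repeat hits within a day count once
        store.nightly_batch(start + timedelta(days=i), [ip, ip] if visited else [])
        values.append(store.reputation(ip))
    return values


if __name__ == "__main__":
    patterns = {
        "persistent visitor (FIG. 5)": [True] * 30,
        "intermittent visitor, every other day": [i % 2 == 0 for i in range(20)],
        "short-term intensive visitor (FIG. 7)": [True] * 10 + [False] * 40,
    }
    for name, visits in patterns.items():
        print(name, simulate(visits))
```

Two properties worth noticing in the output: the every-other-day visitor never builds a streak, so it only ever collects the base 0.5 per visit and stays near zero, which is the "effective list" behaviour the text wants; and the short-term intensive visitor keeps its 60 through the 5-day grace period and then loses one point per absent day, so after 40 absent days it still holds 25.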

FIG. 9 is a view showing a reputation graph for each visitor according to an embodiment of the present invention.

Referring to FIG. 9, the apparatus of the present invention monitors the reputation of each visitor (access IP) based on connection time, as shown in the figure. Accordingly, the apparatus can analyze web connection behaviour and thereby detect a visitor who shows abnormal web connection behaviour.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments, and that variations and modifications of them also belong to the scope of rights of the invention.

Claims (1)

1. A system that analyzes the web access behaviour of each website visitor for a certain period of time, calculates the reputation value of each visitor, and distributes resources to the visitor based on the reputation value of each visitor, or detects a DDoS attacker based on the reputation value of each visitor.

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020140008396A KR20150088047A (en) 2014-01-23 2014-01-23 METHOD FOR GENERATING REPUTATION BASED ON CONNECTION TIME FOR DDoS DEFENSE

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020140008396A KR20150088047A (en) 2014-01-23 2014-01-23 METHOD FOR GENERATING REPUTATION BASED ON CONNECTION TIME FOR DDoS DEFENSE

Publications (1)

Publication Number Publication Date
KR20150088047A true KR20150088047A (en) 2015-07-31

Family

ID=53877188

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020140008396A KR20150088047A (en) 2014-01-23 2014-01-23 METHOD FOR GENERATING REPUTATION BASED ON CONNECTION TIME FOR DDoS DEFENSE

Country Status (1)

Country Link
KR (1) KR20150088047A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10447715B2 (en) 2016-03-02 2019-10-15 Electronics And Telecommunications Research Institute Apparatus and method of detecting distributed reflection denial of service attack based on flow information
US10693908B2 (en) 2016-11-10 2020-06-23 Electronics And Telecommunications Research Institute Apparatus and method for detecting distributed reflection denial of service attack

Legal Events

Date Code Title Description
WITN Withdrawal due to no request for examination