N grouping of traffic and pattern-free Internet worm response system and method using N grouping of traffic

Information

  • Patent Application
  • 20070150958
  • Publication Number
    20070150958
  • Date Filed
    October 02, 2006
  • Date Published
    June 28, 2007
Abstract
Provided are an N grouping of traffic and a pattern-free Internet worm response system and method. According to the method, traffic factors generated by respective worms are grouped into N groups so that a great quantity of information can be understood effectively, and a worm that appears afterward is associated with the characteristics of the relevant group. Damage to a network or system that is predictable from the already classified N traffic characteristics is defined so that corresponding step-by-step measures can be taken. The characteristics of the grouped worms are quantitatively analyzed so that the danger degree of a new worm is predicted when it appears, and a forecast and alarm are issued on the basis of that prediction. A visualization method with an approximately real-time characteristic makes it easier for a controlling operator to understand an incident immediately, so that detection efficiency is increased for most worms not detected by a conventional rule.
Description

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are included to provide a further understanding of the invention, are incorporated in and constitute a part of this application, illustrate embodiments of the invention and together with the description serve to explain the principle of the invention. In the drawings:

FIG. 1 is a view illustrating an entire structure of N grouping of traffic and a pattern-free Internet worm response system using the N grouping of traffic according to an embodiment of the present invention;

FIG. 2 is a flowchart of a grouping process by a traffic classifier used for N grouping of traffic and a pattern-free Internet worm response method using the N grouping of traffic according to an embodiment of the present invention; and

FIG. 3 is a flowchart of N grouping of traffic and a pattern-free Internet worm response method using the N grouping of traffic according to an embodiment of the present invention.


Claims
  • 1. N grouping of traffic and a pattern-free Internet worm response method using the N grouping of traffic, the method comprising: grouping various worms into N groups where similar traffic factors generated by the worms are grouped; and involving a worm appearing afterward with a traffic characteristic of a corresponding group defined in advance to allow a network or a system to control forecast/alarm and a countermeasure for a danger of the network or system (here, N is a natural number equal to or greater than 2).
  • 2. The method of claim 1, wherein determining of the traffic characteristic of the corresponding group defined in advance comprises: executing various worms and collecting generated traffic data to perform grouping on traffic factors that generate similar results; creating N groups using the grouping results; inserting data of a real network as noises with consideration of a circumstance where noises and worms of various communication networks are generated simultaneously in a bundle; quantitatively analyzing the groups; dividing a damage influence of the quantitatively analyzed group into a plurality of hierarchies; and matching a countermeasure with each hierarchy.
  • 3. The method of claim 1 or 2, further comprising, after the inserting of data of the real network, applying a nerve network algorithm to the inserted data and performing the grouping of various worms to allow the group to converge.
  • 4. The method of claim 3, wherein the controlling of the forecast/alarm and the countermeasure of the danger comprises: collecting newly generated worm traffic using the traffic characteristic of the corresponding group defined in advance; comparing similarity of each grouped pattern with that of the newly generated worm traffic on the basis of the traffic characteristic of the corresponding group; selecting a group most similar to the grouped pattern; and performing forecast/alarming and countermeasure according to a countermeasure scheme that corresponds to the hierarchy of the group.
  • 5. The method of claim 4, wherein the comparing of similarity is performed using a data mining technique.
  • 6. The method of claim 5, wherein visualization of all operations is performed to allow a controlling operator to easily make an immediate judgment of a correlation between the grouped pattern and a newly generated worm traffic.
  • 7. N grouping of traffic and a pattern-free Internet worm response system using the N grouping of traffic, the system comprising: a traffic classification unit executing various worms, collecting generated traffic data to put together the worms having the same traffic data as collected, creating N groups where traffic factors that generate similar results are grouped, dividing a damage influence of the group into a plurality of hierarchies, and matching a countermeasure with each hierarchy and thus defining a traffic characteristic; a traffic collection unit collecting newly generated worm traffic using the traffic characteristic of a relevant group that is defined by the traffic classification unit; and a forecast/alarming and countermeasure unit comparing similarity of each group with that of the newly generated worm traffic with reference to the traffic classification unit and making a forecast/alarming and a countermeasure according to a countermeasure scheme for each hierarchy of a most similar group (here, N is a natural number equal to or greater than 2).
  • 8. The system of claim 7, wherein the traffic classification unit comprises: a primitive grouping element executing various worms, collecting generated traffic data, and creating N groups using a nerve network for final classification of a worm that generates a similar result; a processing grouping element inserting data of a real network as noises with consideration of a circumstance where noises and worms of various communication networks are generated simultaneously in a bundle, and applying a new nerve network algorithm to allow the worms to converge to N groups; a group quantitative analysis element quantitatively analyzing the groups; a hierarchy dividing element dividing a damage influence of the quantitatively analyzed group into a plurality of hierarchies; and a countermeasure matching element matching a countermeasure for a damage for each hierarchy.
  • 9. The system of claim 8, wherein the forecast/alarming and countermeasure unit comprises: a detector/comparator calculating similarities of the worm with respect to respective groups and outputting a group having greatest similarity among the calculated similarities; a seriousness judgment part monitoring a seriousness degree of the group output from the detector/comparator, calculating a degree of similarity of the relevant group, and mapping the group to a hierarchy defined in advance to output a corresponding countermeasure; and a countermeasure/alarming part providing forecast/alarming and countermeasure according to damage and countermeasure guides defined in advance with reference to the countermeasure output from the seriousness judgment part.
  • 10. The system of one of claims 7 to 9, further comprising a traffic integration unit collecting, from the traffic collection unit connected to an end of a network, traffic data including an IP (Internet protocol), a source port number, a destination IP address, a destination port number, a size of a protocol packet, a time stamp, and a flag, and integrating all traffic data every predetermined period.
  • 11. The system of claim 10, further comprising an attack visualization unit visualizing a circumstance in order to deliver the similarity of each group to a controlling operator in real time with reference to the detector/comparator and countermeasure/alarming part, and thus help the controlling operator flexibly take a countermeasure for an attack, and showing alarm delivery of the countermeasure/alarming part and a countermeasure scheme.
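The detection path of claims 4, 7, 9 and 10 (aggregate one period of the collected traffic fields, compare the result against the N pre-defined groups, select the most similar group, map it to a damage hierarchy and emit the matching countermeasure), written as an added Python example; this is not the patent's own code, and the feature scaling, the three group centroids, the similarity threshold and the countermeasure table are constructed assumptions.

```python
"""Added example (not the patent's code): classify one source's traffic
against N constructed worm-traffic groups and map the winner to a damage
hierarchy and countermeasure, as claims 4, 7 and 9 describe."""
from math import sqrt

# Hypothetical feature vector built from the claim-10 fields:
# (distinct dst IPs, distinct dst ports, mean packet size, SYN-flag ratio),
# each scaled to 0..1. Centroids below are constructed for N = 3 groups.
GROUPS = {
    "host_sweep": (1.0, 0.05, 0.05, 1.0),   # many hosts, one port, small SYNs
    "port_sweep": (0.05, 1.0, 0.05, 1.0),   # one host, many ports
    "flooder":    (0.05, 0.05, 1.0, 0.2),   # few peers, large payloads
}
HIERARCHY = {"host_sweep": 3, "port_sweep": 2, "flooder": 3}  # 1 = low, 3 = high
COUNTERMEASURE = {1: "log only", 2: "alert operator", 3: "alert and rate-limit source"}
MIN_SIMILARITY = 0.8   # constructed threshold: below it, no group fits

def features(records, max_hosts=20, max_ports=20, mtu=1500):
    """Collapse one source's records for one period into a scaled vector."""
    n = len(records)
    return (min(len({r["dst_ip"] for r in records}) / max_hosts, 1.0),
            min(len({r["dst_port"] for r in records}) / max_ports, 1.0),
            min(sum(r["size"] for r in records) / n / mtu, 1.0),
            sum(r["flag"] == "S" for r in records) / n)

def cosine(a, b):
    """Cosine similarity between two equal-length vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (sqrt(sum(x * x for x in a)) * sqrt(sum(y * y for y in b)))

def classify(records):
    """Return (group, similarity, hierarchy, countermeasure) for one source."""
    vec = features(records)
    group, sim = max(((g, cosine(vec, c)) for g, c in GROUPS.items()),
                     key=lambda gs: gs[1])
    if sim < MIN_SIMILARITY:          # new traffic that matches no known group
        return ("unknown", sim, 0, "record for manual grouping")
    level = HIERARCHY[group]
    return (group, sim, level, COUNTERMEASURE[level])

# Constructed sample period: one source sends small SYNs to port 445 on 20 hosts.
SWEEP = [{"src_ip": "10.0.0.5", "src_port": 40000 + i, "dst_ip": f"10.0.1.{i}",
          "dst_port": 445, "size": 60, "ts": 1000 + i, "flag": "S"}
         for i in range(20)]
# Constructed benign period: five ACKs to a single web server.
BENIGN = [{"src_ip": "10.0.0.9", "src_port": 50000, "dst_ip": "10.0.1.1",
           "dst_port": 443, "size": 60, "ts": 2000 + i, "flag": "A"} for i in range(5)]

if __name__ == "__main__":
    print(classify(SWEEP))   # host_sweep, similarity ~1.0, hierarchy 3
    print(classify(BENIGN))  # unknown: no group is similar enough
```

The "unknown" branch is where the patent's classifier would feed a newly observed pattern back into the grouping step; here it is only recorded so that low-similarity traffic is never forced into an existing group.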
Priority Claims (2)
  Number       Date      Country  Kind
  2005-127695  Dec 2005  KR       national
  2006-46245   May 2006  KR       national