System and method for detecting internet worm traffics through classification of traffic characteristics by types

Information

  • Patent Application
  • Publication Number
    20070226803
  • Date Filed
    June 15, 2006
  • Date Published
    September 27, 2007
Abstract
A system and method for detecting Internet worm traffic through classification of traffic characteristics by type is disclosed. The system and method define an Internet worm as a characteristic profile classified into diverse traffic characteristics, detect worm traffic by comparing the similarity of collected traffic with that of the defined traffic, classify the type of the Internet worm, and perform severity judgment and alarming. The detection rate for the many worms that cannot be detected by existing rule-based methods can be increased. Also, the risk grade of the corresponding worm traffic can be provided quantitatively by judging severity according to the similarity scores and a predefined severity grade. Accordingly, the survivability of the entire communication network can be heightened through stepwise countermeasures and forecasts/alarms, and large volumes of traffic information can be grasped effectively.
Description

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the principle of the invention. In the drawings:

FIG. 1 is a view illustrating the entire construction of a system for detecting Internet worm traffic through classification of traffic characteristics by type according to an embodiment of the present invention;

FIG. 2 is a flowchart illustrating a process of initially adjusting the characteristic profile of predefined Internet worm traffic to match the means or position in which the system is installed according to an embodiment of the present invention; and

FIG. 3 is a flowchart illustrating the operation of a system for detecting Internet worm traffic through classification of traffic characteristics by type according to an embodiment of the present invention.


Claims
  • 1. A system for detecting Internet worm traffics through classification of traffic characteristics by types, the system comprising: a traffic collection and integration unit for collecting, analyzing, and storing network traffics for a predetermined time; a traffic characteristic vector generation unit for generating traffic characteristic vectors using characteristic filters from the traffics collected for the predetermined time; a similarity analysis unit for generating similarity scores between the generated traffic characteristic vectors and respective types in a predefined worm traffic characteristic profile; a traffic type decision unit for deciding the traffic types using the similarity scores generated for the type in the predefined worm traffic characteristic profile; a severity judgment unit for judging a severity grade by comparing the similarity scores of the decided traffic type with a predefined severity judgment score range; and a countermeasuring and alarming unit for performing a countermeasure and an alarming according to the result of judgment.
  • 2. The system as claimed in claim 1, wherein the traffic collection and integration unit collects diverse basic information of the network traffics such as a source IP, a destination IP, a source port, a destination port, a packet length, a protocol, and flag information, and stores the basic information in a database, so that the traffic characteristic vector generation unit uses them for an analysis purpose.
  • 3. The system as claimed in claim 1, wherein the traffic characteristic vector generation unit applies characteristic filters that can be added or deleted, and generates simple statistical values that include a source IP address, a destination IP address, a source port number, a destination port number, a packet length, a protocol, a packet flag, and a source IP address—destination IP address pair, and entropies for the simple statistical items, as the characteristic values, using the traffic information collected for the predetermined time.
  • 4. The system as claimed in claim 1, wherein the similarity analysis unit calculates the similarity by diverse similarity analysis methods, including a cosine similarity analysis method and a Jaccard similarity analysis method.
  • 5. The system as claimed in claim 1, wherein the countermeasuring and alarming unit performs a countermeasure corresponding to the similarity grade decided by the similarity judgment unit by types of worm traffics decided by the traffic type decision unit, and gives an alarm to a manager through a screen popup, an email, and an SMS message.
  • 6. A method for detecting Internet worm traffics through classification of traffic characteristics by types, performing type classification, performing severity judgment, and giving an alarm, the method comprising the steps of: constituting a worm traffic characteristic profile in which traffic characteristic vectors by groups are defined by grouping Internet worms in advance; generating characteristic vectors for traffics collected for a predetermined time, performing a similarity comparison of the generated characteristic vectors with traffic characteristic vectors predefined by groups, and deciding a worm traffic type having the highest similarity scores; judging a severity grade by comparing similarity scores of the decided traffic type with reference scores by severity judgment grades predefined from “normal” to “severe”; providing a countermeasure on the severity grade of the decided traffic type, and judging whether a user alarm exists; and if the user alarm is required as a result of judging whether the user alarm exists, performing a countermeasure by predefined traffic types and risk grades, and giving an alarm to a manager through an alarm means.
  • 7. The method as claimed in claim 6, wherein if the user alarm is required as a result of judgment of whether the user information exists, the traffic is considered as a normal traffic.
  • 8. The method as claimed in claim 6, further comprising the step of initially adjusting a predefined worm traffic characteristic profile by adjusting characteristic vectors by types of the predefined worm traffic characteristic profile to match an installation time.
  • 9. The method as claimed in claim 8, wherein the step of initially adjusting the worm traffic characteristic profile comprises the steps of: collecting packets, and generating traffic basic information by analyzing a header of the collected packet; storing the generated traffic basic information in a traffic basic information database; generating traffic characteristic values by types using the collected traffic basic information, and storing the generated traffic characteristic values in a characteristic value database; judging whether a period for generating the worm traffic characteristic profile is completed, and if the period for generating the worm traffic characteristic profile is completed as a result of judgment, generating a characteristic value profile for a normal-time traffic of an installation means, using the characteristic value database; and constituting the worm traffic characteristic profile by adjusting the stored traffic characteristic values by types by using the characteristic value of the normal-time traffic of the installation means.
  • 10. The method as claimed in claim 9, wherein if the period for generating the worm traffic characteristic profile is not completed as a result of judgment, returning to the packet collection step, and repeatedly performing the process until the generation of the worm traffic characteristic profile is completed.
  • 11. The method as claimed in claim 9, wherein the normal-time characteristic indicates the traffic characteristic as a result of operating the traffic characteristics of an installation means.
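The detection pipeline the claims describe (characteristic vector generation from collected flow records, similarity scoring against a per-type worm profile with cosine or Jaccard similarity, type decision by highest score, severity grading by score band, and the normal-time baseline adjustment of claims 8 and 9), as an added Python example; it is not code from the patent or from its applicant. The field set, the use of normalised Shannon entropy as the characteristic filter, the profile vectors, the severity bands, the treatment of the site baseline as a "normal" type, and the sample flow records are all constructed assumptions, since the patent fixes none of them.

```python
"""Added example (not the patent's code): typing worm traffic by similarity of
traffic characteristic vectors, following the structure of claims 1 to 9.

Assumed here: the field set, normalised Shannon entropy per field as the
characteristic filter, the worm profile vectors, the severity bands, and the
constructed sample flows. The patent does not specify any of these values.
"""
import math
from collections import Counter

# A flow record is (src_ip, dst_ip, src_port, dst_port, length, proto, flags),
# the basic information the collection unit of claim 2 stores.
FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "length", "proto", "flags")


def entropy_bits(values):
    """Shannon entropy of the value distribution, in bits."""
    n = len(values)
    if n == 0:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(values).values())
    return 0.0 if h == 0 else h  # avoid returning -0.0 for a constant field


def characteristic_vector(flows):
    """Characteristic filter (assumed): entropy of each field plus entropy of the
    (src_ip, dst_ip) pair, each divided by log2(n) so every component lies in
    [0, 1] whatever the size of the collection window."""
    n = len(flows)
    if n < 2:
        return [0.0] * (len(FIELDS) + 1)
    scale = math.log2(n)
    vec = [entropy_bits([f[i] for f in flows]) / scale for i in range(len(FIELDS))]
    vec.append(entropy_bits([(f[0], f[1]) for f in flows]) / scale)
    return vec


def cosine_similarity(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def jaccard_similarity(a, b):
    """Weighted Jaccard, sum(min)/sum(max): the alternative named in claim 4."""
    num = sum(min(x, y) for x, y in zip(a, b))
    den = sum(max(x, y) for x, y in zip(a, b))
    return num / den if den else 0.0


# Constructed worm profile: one reference vector per worm type. Illustrative
# placeholders, not values taken from the patent.
WORM_PROFILE = {
    "scanning_worm": [0.10, 0.95, 0.90, 0.05, 0.10, 0.00, 0.05, 0.95],
    "mail_worm":     [0.80, 0.90, 0.90, 0.00, 0.30, 0.00, 0.10, 0.95],
}

# Constructed severity bands (claim 6: grades from "normal" to "severe"),
# ordered from the highest score floor down so the first match wins.
SEVERITY_BANDS = ((0.90, "severe"), (0.75, "high"), (0.60, "medium"), (0.0, "low"))


def build_profile(worm_profile, baseline_flows):
    """Initial adjustment (claims 8 and 9), interpreted here as adding the site's
    normal-time vector as a 'normal' type, so ordinary traffic for this site
    scores closest to it rather than to any worm type."""
    profile = dict(worm_profile)
    profile["normal"] = characteristic_vector(baseline_flows)
    return profile


def decide(flows, profile, similarity=cosine_similarity):
    """Type decision and severity judgment: the highest-scoring type wins and
    its score is mapped onto the severity bands."""
    vec = characteristic_vector(flows)
    scores = {name: similarity(vec, ref) for name, ref in profile.items()}
    worm_type = max(scores, key=scores.get)
    if worm_type == "normal":
        severity = "normal"
    else:
        severity = next(g for floor, g in SEVERITY_BANDS if scores[worm_type] >= floor)
    return worm_type, severity, scores


def make_normal_flows(n):
    """Constructed mixed client traffic: several clients talking to several servers."""
    return [(f"10.0.1.{i % 8}", f"203.0.113.{i % 16}", 50000 + i,
             (80, 443, 53, 22)[i % 4], (60, 512, 1500, 120)[i % 4],
             "udp" if i % 4 == 2 else "tcp", "S" if i % 2 == 0 else "A")
            for i in range(n)]


def make_scan_flows(n):
    """Constructed address sweep: one source, one destination port, many hosts."""
    return [("10.0.0.5", f"192.168.1.{i}", 40000 + i, 445, 60, "tcp", "S")
            for i in range(n)]


if __name__ == "__main__":
    site_profile = build_profile(WORM_PROFILE, make_normal_flows(32))
    for label, flows in (("normal", make_normal_flows(24)), ("sweep", make_scan_flows(32))):
        kind, grade, scores = decide(flows, site_profile)
        print(f"{label}: type={kind} severity={grade} "
              + " ".join(f"{k}={v:.3f}" for k, v in sorted(scores.items())))
```

The sweep window scores near 1.0 against the scanning profile because its source address, destination port, length, protocol and flags carry no entropy while its destination addresses and source ports carry the maximum, which is exactly the shape the constructed profile encodes; the mixed window scores highest against the site's own baseline and is graded "normal". Because the vectors are normalised by log2(n), a profile learned over one window size still compares sensibly with windows of a different size, which is the property the initial-adjustment step of claims 8 and 9 needs.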
Priority Claims (1)
  • Number: 2006-26267
  • Date: Mar 2006
  • Country: KR
  • Kind: national