Apparatus and method of detecting network attack situation
Abstract
Provided is an apparatus for detecting a network attack situation. The apparatus includes an alarm receiver receiving a plurality of alarms raised in a network to which the alarm receiver is connected, converting the alarms into predetermined alarm data, and outputting the alarm data; an alarm processor analyzing an attack situation in the network based on attributes of the alarm data and a number of times that the alarm data is generated; a memory storing basic data needed to analyze the state of the network and providing the basic data to the alarm processor; and an interface transmitting the result of the analysis by the alarm processor to an external device, receiving a predetermined critical value from the external device, which is a basis for determining the occurrence of the attack situation, and outputting the critical value to the alarm processor such that the alarm processor can store the critical value in the memory. Equal numbers of hash engines and detection engines for processing the alarms in the network to the number of data groups classified as network attack situations are formed in a line. Therefore, a network attack situation can be detected in real time based on a great number of alarms indicating intrusion detection.
Claims
exact text as granted — not AI-modified1 . An apparatus for detecting a network attack situation comprising:
an alarm receiver receiving a plurality of alarms raised in a network to which the alarm receiver is connected, converting the alarms into predetermined alarm data, and outputting the alarm data; an alarm processor analyzing an attack situation in the network based on attributes of the alarm data and a number of times that the alarm data is generated; a memory storing basic data needed to analyze the state of the network and providing the basic data to the alarm processor; and an interface transmitting the result of the analysis by the alarm processor to an external device, receiving a predetermined critical value from the external device, which is a basis for determining the occurrence of the attack situation, and outputting the critical value to the alarm processor such that the alarm processor can store the critical value in the memory.
2 . The apparatus of claim 1 , wherein the alarm processor comprises:
an alarm parsing unit extracting attributes of the alarms based on the alarm data and generating at least one first data characterized by the attributes; a hash engine unit being equal to the number of the first data and generating a hash key based on the first data, and generating a plurality of hash entries having identical attributes or generating a new hash entry if a lookup fails; a detection engine unit receiving the hash entries, determining whether the critical value is exceeded based on the hash entries, and corresponding to the hash engine unit one to one; and an interface control unit transmitting/receiving information regarding whether the critical value is exceeded to/from the external device.
3 . The apparatus of claim 2 , wherein the alarm parsing unit extracts such attributes as an attack type, an attacker IP address, a target IP address, and a service type from the alarm data and generates the first data characterized by a combination of the extracted attributes.
4 . The apparatus of claim 1 , wherein the memory comprises:
a hash memory unit storing the hash entries; and a control memory unit storing control data including the critical value.
5 . The apparatus of claim 4 , wherein the hash memory unit comprises an index memory accessed by the hash key and storing k (k is a positive integer) indexes having m (m is a positive integer) index entries and a data memory addressed by the m index entries and storing n (n is a positive integer) entries containing predetermined attribute information and counter information, and is operated by the hash engine unit.
6 . The apparatus of claim 5 , wherein the attribute information comprises the attack type, the attacker IP address, the target IP address, and the service type.
7 . The apparatus of claim 2 , wherein the detection engine unit counts the number of alarms having identical attributes based on the hash entries received from the hash engine unit, calculates the number of times that the alarms have been raised within a valid time, and determines whether the number of alarms exceeds the critical value.
8 - 12 . (canceled)Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.