1. Field of the Invention
The present invention relates to a network, and more particularly, to a method and apparatus for controlling abnormal traffic input to a network.
2. Description of the Related Art
Recent cyber attacks seem to aim at disrupting certain services rather than attacking at the system level, as they often used to do. For example, an Internet worm launched on 25 Jan. 2003 was one of the fastest-spreading denial of service (DoS) attacks ever, causing massive disruption on the Internet. Nowadays, cyber attacks have become a serious threat to national security, social cohesion, and the economy, more than a threat to personal privacy.
However, conventional Internet security technologies require a considerable amount of time to recover systems damaged by various Internet errors because, once an Internet worm is launched upon a system, a considerable number of packets are eliminated regardless of their types. Therefore, systems using conventional Internet security technologies take a considerable amount of time to resume normal provision of Internet services after they are damaged by Internet errors.
Techniques for monitoring and controlling traffic at Internet service provider (ISP) network access points (APs) have drawn public attention as a viable way to enhance the reliability and survivability of networks. Such techniques safely transmit user services from a subscriber network to a backbone network without disconnection, and respond quickly and appropriately to outbreaks of Internet viruses or cyber attacks, for example by preventing Internet viruses from spreading widely.
Examples of Internet security solutions for providing stable Internet services include Fault Tolerant Networks (FTN) developed by the Defense Advanced Research Projects Agency (DARPA) and Peakflow developed by Arbor Inc.
Peakflow measures, collects, and analyzes security-related data based on traffic analysis results provided by Cisco NetFlow. In other words, Peakflow can be applied only to an environment where Cisco routers exist.
It is difficult to thoroughly examine traffic input to a network at a network node because the network line speed is high at a network node. The level of security at a network node near an Internet access point (AP) is lower than the level of security provided by security equipment located in a subscriber network.
Unknown attacks launched upon networks have become a trend in a global network environment. When an unknown attack occurs, a network node is highly likely to determine traffic currently input to a network as being abnormal instead of as being malicious. If all abnormal traffic is determined as being caused by malicious attacks, it must not be served.
However, not all abnormal traffic is malicious traffic, and thus minimal services need to be performed on abnormal traffic. A network device that controls abnormal traffic is more likely to disallow transmission of normal traffic than a network device that prevents transmission of abnormal traffic. In an Internet environment, abnormal traffic may be generated as a result of a malicious attack. However, there is always a possibility that part of the abnormal traffic is normal traffic. Thus, a network device must allocate part of its available system resources to abnormal traffic, so the amount of system resources available to normal traffic decreases.
In other words, services are provided even to abnormal traffic, which may include normal traffic, by using part of the system resources reserved for normal traffic, in which case normal traffic may not be served sufficiently. Therefore, how to efficiently serve abnormal traffic without indiscriminately preventing its transmission remains a major problem to be tackled.