1. Field of the Invention
The present invention relates to an apparatus and method for quickly and accurately detecting an unknown network attack, the apparatus being connected between two networks or connected by port mirroring of an Ethernet switch so as to monitor in real time all packets flowing through the networks.
This work was supported by the IT R&D program of MIC/IITA. [2006-S-024-01, “Development of Signature Generation and Management Technology against Zero-day Attack”]
2. Description of the Related Art
Currently, the methods used for detecting an attack in intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are a method using abnormal traffic detection and a method of detecting an attack by using a unique signature included in an attack packet.
In the method using abnormal traffic detection, the characteristics of the traffic caused by an attack are analyzed to detect the attack regardless of the vulnerability used for the attack. This method can be applied generally to network attacks but has a high false positive rate. Accordingly, in most current commercial IDSs and IPSs, the abnormal traffic detection function is left disabled.
On the other hand, the method using a unique signature included in an attack packet is currently used in most integrated firewalls, IDSs and IPSs. It can quickly and accurately detect and prevent an attack by comparing a packet on a network with a unique signature extracted from an attack packet. However, because there has so far been no technology for generating a detection signature, attack signatures are generated by hand, and the resulting delay in generating a detection signature means that an effective defense system against variant worms and unknown attacks has not yet been formed.
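To make the signature-based method concrete, the following added example (not part of the patent text) extracts a byte signature shared by captured attack packets and then compares monitored packets against it. The packet contents, the marker string and the minimum signature length are constructed for illustration only.

```python
"""Added example: signature extraction from captured attack packets and
signature matching on monitored packets. All packet data below is constructed."""
from typing import List, Optional

def longest_common_substring(a: bytes, b: bytes) -> bytes:
    # Standard dynamic-programming search for the longest byte string
    # that appears contiguously in both a and b.
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]

def extract_signature(samples: List[bytes], min_len: int = 8) -> Optional[bytes]:
    # Greedily narrow the candidate to a byte string common to every sample.
    # A signature shorter than min_len is rejected: very short strings such
    # as b"\r\n" occur in benign traffic and would cause false positives.
    sig = samples[0]
    for s in samples[1:]:
        sig = longest_common_substring(sig, s)
    return sig if len(sig) >= min_len else None

def match_packets(packets: List[bytes], signature: bytes) -> List[int]:
    # Return the indices of monitored packets that contain the signature.
    return [i for i, p in enumerate(packets) if signature in p]

# Constructed attack samples: different headers, same malicious payload marker.
ATTACK_SAMPLES = [
    b"GET /index.html HTTP/1.0\r\nHost: a\r\n\r\nEXAMPLE-EXPLOIT-MARKER-0001\x90\x90",
    b"POST /upload HTTP/1.1\r\nHost: b\r\n\r\nEXAMPLE-EXPLOIT-MARKER-0001\x41\x41",
]
# Constructed monitored traffic: benign request, a variant of the attack, a near miss.
MONITORED = [
    b"GET /index.html HTTP/1.1\r\nHost: c\r\n\r\n",
    b"GET /x HTTP/1.0\r\nHost: d\r\n\r\nEXAMPLE-EXPLOIT-MARKER-0001\xcc",
    b"GET /y HTTP/1.0\r\nHost: e\r\n\r\nEXAMPLE-EXPLOIT-MARKER-0002",
]

def detect() -> List[int]:
    sig = extract_signature(ATTACK_SAMPLES)
    return match_packets(MONITORED, sig) if sig else []
```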
Accordingly, a new technology capable of detecting unknown network attacks is required.
In particular, a function for detecting unknown attacks is not only important in itself but is even more significant as the basis for generating a new detection signature. Accordingly, for continued progress in the information protection field, it is necessary to automatically detect unknown attacks in real time and to apply the result.