As hacking and cyber crime over the Internet have rapidly increased, traceback systems that trace the real location of a hacker have been developed as a means of providing stronger security to protect systems and networks.
In conventional traceback technologies, when an attacker attacks a certain system via several systems, the Internet Protocol (IP) address of the system the intruder last passed through is obtained by analyzing the system where the intrusion was detected, and the IP address of the system passed through before that is obtained by installing a traceback agent in the system at that IP address. The intrusion path is thereby traced back sequentially to find the source of the intruder.
However, in this case, when the intruder passes through many systems, the load on the traceback system may be heavy, the traceback agents become difficult to manage as their number increases, and a large amount of time and resources is required to trace the source of the attacker.
Another method is the agent transfer traceback method, which installs an agent in the attacked system and obtains attack packet information by analyzing the log data of that system.
According to this method, when the attacking system is one on n paths, the intrusion paths of a network attacker may be traced by repeatedly performing a process of installing an agent in an attacked system and obtaining attack packet information by analyzing log data. Accordingly, this method also requires a large amount of time for the traceback process.
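The hop-by-hop process described in the two methods above can be sketched as follows. This is an added example, not part of the original text: the `Session` record, the per-host logs, the documentation-range IP addresses and the rule of matching a relayed session to the tightest inbound session that encloses it in time are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    src: str    # peer that opened the session
    dst: str    # host whose agent logged it
    start: int  # seconds on a constructed clock
    end: int

# Constructed inbound-session logs, one per intermediate host an agent can reach.
HOST_LOGS = {
    "192.0.2.30": [Session("198.51.100.7", "192.0.2.30", 50, 400),
                   Session("192.0.2.20", "192.0.2.30", 120, 200)],
    "192.0.2.20": [Session("192.0.2.10", "192.0.2.20", 110, 210),
                   Session("198.51.100.8", "192.0.2.20", 300, 320)],
    "192.0.2.10": [Session("203.0.113.5", "192.0.2.10", 100, 220)],
}

# Constructed session found by analyzing the system where the intrusion was detected.
DETECTED = Session("192.0.2.30", "192.0.2.40", 130, 190)

def trace_back(detected, host_logs):
    """Walk back one hop at a time; return (path, agents_installed, records_scanned)."""
    path, agents, scanned = [detected.dst], 0, 0
    current = detected
    while current.src not in path:        # guard against a looping chain
        path.append(current.src)
        log = host_logs.get(current.src)
        if log is None:                   # no agent or log on this host: trace ends
            break
        agents += 1                       # one more agent to install and manage
        scanned += len(log)               # every record on the hop is examined
        # Assumed correlation rule: a relay's inbound session encloses the outbound one.
        enclosing = [s for s in log
                     if s.start <= current.start and s.end >= current.end]
        if not enclosing:                 # this host is the source as far as logs show
            break
        current = min(enclosing, key=lambda s: s.end - s.start)
    return path, agents, scanned

if __name__ == "__main__":
    path, agents, scanned = trace_back(DETECTED, HOST_LOGS)
    print(" <- ".join(path))
    print(f"agents installed: {agents}, log records scanned: {scanned}")
```

Each additional intermediate system adds one agent installation and one full log analysis, which is the cost in time and resources that the passage attributes to these methods.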
As another method, Korean Patent Application No. 10-2001-0070766 (entitled ATTACKER TRACEBACK METHOD BY USING EDGE ROUTER'S LOG INFORMATION IN THE INTERNET) discloses a method in which log information on all accessing packets is recorded in an edge router of each network, thereby enabling traceback of a packet regardless of a change in the IP address of the attacker. Because the log information recorded in a plurality of the edge routers must be analyzed, this method also requires a large amount of time for the traceback process.