1. Field of the Invention
The present invention relates to a technology for tracking a cyber hacking attack, and more specifically, to a system and method for generating a fingerprint of a connection and tracing back the origin of an attack using network flow (NetFlow) data.
2. Discussion of Related Art
A technology for tracing back a cyber hacking attack locates the hacker's real location, i.e., the origin of the attack, even when the location of the attack system differs from the real location of the hacker who actually attempts to hack a system.
Technologies suggested in the related arts for tracing back a cyber hacking attack include host-based TCP connection traceback, network IP packet-based traceback, and a traceback method that finds the original transmitter of packets with respect to IP spoofing.
The host-based TCP connection traceback method uses traceback modules installed in all systems to locate the real location of a hacker that has passed through other multiple systems.
The network IP packet-based traceback method uses a traceback module installed at a location where it is possible to observe network packets to locate the real location of a hacker that has passed through other multiple systems.
All of the above-described related arts share the problem that they incur Internet service provider (ISP) overhead.
In addition, a honeypot decoy server that serves as bait for a hacker and automatic hacker tracing software have been developed, but they can only operate in certain environments of a virtual network.
According to the related arts, all network traffic packets and communication connections must be monitored, so the resulting overhead is significant. In particular, when an attack passes through a network device (router) or an ISP that does not support a traceback function, traceback is not possible.
That is, the related arts require either that dedicated monitoring devices be installed in a distributed manner over the network or that Internet protocols be altered, and hence it is practically impossible to apply them to a real network.