The invention relates to a security system against unlawful access on a network, and more particularly to an intrusion detection and prevention system having a function of detecting and preventing a DoS (Denial of Service) attack at an early stage.
One threat on the network is unlawful access such as a DoS attack. A DoS attack is an attacking action that disables the service for terminals other than the attacker terminal by placing a high load on the server, for instance by issuing consecutive service requests from the attacker terminal on the network. DoS attacks are classified into a DoS attack from a single attacker (single DoS attack) and a DDoS attack (Distributed DoS attack) from a plurality of attackers.
A DDoS attack takes a method of, for example, seizing a multiplicity of terminals unrelated to the attack target and attacking the target server from the respective terminals. If this attack succeeds, the server cannot provide its service. On the network, a measure against the DDoS attack in particular is highly desired.
The prior art is exemplified by security measures on each terminal and server. Specifically, these measures are patching (applying mending programs to) an OS (Operating System) and applications (software) and updating the definition file of virus countermeasure software, which are executed on a terminal-by-terminal or server-by-server basis. This method depends on the operation of the administrator of each terminal, and there is a possibility that a hole (security hole) is left open intentionally or by mistake.
Another prior art is a method of installing a device (intrusion detection and prevention device) called an IDP (Intrusion Detection and Prevention) (registered trademark). The intrusion detection and prevention device has a function of detecting and preventing (screening or blocking) various types of attacks. The intrusion detection and prevention device is installed in-line in front of a server, so that once an attack is detected its flow can be blocked from then onwards, which enables the server to be safeguarded from the attack.
The intrusion detection and prevention device, however, detects that a massive attack is under way only after the fact. The reason is that, in order to prevent misdetection, it cannot screen (block the attack) until the traffic quantity exceeds a judging criterion (threshold value) based on a quantitative or qualitative parameter to some extent. Therefore, even when the traffic quantity does exceed the threshold value, the problem remains that the attacker can access the server until the attack is blocked just in front of the server.
It might be thought a better scheme to decrease the threshold value for detecting the attack; however, more misdetections might then occur, and therefore this is not a solution. Further, if the attack takes place with a traffic quantity that does not exceed the threshold value, it is inevitable that the attacker can still access the server.
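The after-the-fact behaviour of threshold-based screening described above, and the trade-off of lowering the threshold, modelled as an added example that is not part of the patent text. The sliding-window detector, the source addresses and the traffic samples are all constructed for illustration; the counts show how many attacker requests reach the server before the device blocks the flow, and which legitimate clients are misdetected when the threshold is lowered.

```python
from collections import defaultdict, deque


class ThresholdDetector:
    """Constructed model of an in-line screening device: a source is blocked
    once its request count within the last `window` seconds exceeds
    `threshold`. Not the patent's device."""

    def __init__(self, threshold, window):
        self.threshold = threshold
        self.window = window
        self.history = defaultdict(deque)  # src -> recent timestamps
        self.blocked = set()

    def admit(self, src, t):
        """Return True if the request from `src` at time `t` reaches the server."""
        if src in self.blocked:
            return False
        q = self.history[src]
        q.append(t)
        while q and t - q[0] > self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) > self.threshold:  # criterion exceeded: screen from now on
            self.blocked.add(src)
            return False
        return True


def replay(requests, threshold, window):
    """Run the detector over (src, t) tuples, in time order. Returns the number
    of requests per source that reached the server and the blocked sources."""
    det = ThresholdDetector(threshold, window)
    reached = defaultdict(int)
    for src, t in sorted(requests, key=lambda r: r[1]):
        if det.admit(src, t):
            reached[src] += 1
    return dict(reached), det.blocked


# Constructed traffic (addresses are documentation/private ranges):
FLOOD = [("10.0.0.9", i * 0.01) for i in range(500)]       # 100 req/s for 5 s
SLOW = [("10.0.0.7", i * 0.2) for i in range(25)]          # 5 req/s, under threshold
LEGIT = [("192.0.2.10", 10 + i * 0.01) for i in range(8)]  # one page load, 8 assets
TRAFFIC = FLOOD + SLOW + LEGIT

if __name__ == "__main__":
    # threshold 50/s: flood blocked only after 50 requests got through, slow never
    print(replay(TRAFFIC, 50, 1.0))
    # threshold 5/s: slow attacker caught, but the legitimate page load is blocked too
    print(replay(TRAFFIC, 5, 1.0))
```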
Moreover, even if the attack is blocked in front of the attack target server, problems still remain: the attacker can attack a different server, and the attacking traffic continues to wastefully consume resources of the network, which is insufficient as a countermeasure.
Still another prior art is a method by which the intrusion detection and prevention device is installed not just in front of the server but at a boundary between networks, and, when the intrusion detection and prevention device in front of a certain server detects an attack, it notifies the intrusion detection and prevention device on the ingress side of the network that the attack has been detected, thereby logically moving the screening execution point.
Although this method has an effect of restraining the traffic within the network by distributing the processing load, the detection itself is essentially the same as in the other prior art described above. Hence, until the screening is completed by the intrusion detection and prevention device located at the ingress position of the network, the system still has the same problem: the attacker can access the server until the screening is done, and also whenever the attacking traffic quantity is equal to or smaller than the threshold value.
As discussed above, in each of the prior arts the detection and the screening are conducted after the attack target site has already suffered the massive attack, and it is impossible to prevent at an early stage the massive attacking traffic from flowing into the relay network within the site where the attacker exists by effectively detecting a DDoS attack (an attacking action taking a specified method aimed at an unspecified majority of users) etc.
The following are related arts to the present invention. [Patent document 1] Japanese Patent Application Laid-Open Publication No. 2004-320636