1. Field of the Invention
The present invention relates to a real-time network attack pattern detection system and method for unknown network attacks, and more particularly, to a system and method that detect, in real time, a pattern common to packets suspected of belonging to a network attack such as a worm, so that the attack can be blocked effectively.
2. Description of the Related Art
Generally, the main approach to protecting a network from an attack has been to identify the attacker's internet protocol (IP) address in the network traffic and to control the amount of traffic from that IP address. However, this method has the drawback that normal traffic cannot be distinguished from attack traffic. Accordingly, a method of finding a character pattern common to the various packets suspected of being attack traffic has been suggested. However, to detect an unknown attack pattern and block the intrusion, this method must perform pattern detection on the attack traffic in real time. Such an algorithm exists in methods for detecting patterns in gene base sequences, but in most cases its poor performance makes real-time application difficult.

Much effort is being made to detect and block new worms and Distributed Denial of Service (DDoS) attacks on networks, but most of this effort relies on anomaly detection to find the unknown attack. However, anomaly detection has difficulty detecting attacks accurately because it produces many false alarms. Accordingly, research has begun on methods that first detect an abnormal traffic symptom or the like and then extract an attack signature directly from the packets shown to be abnormal, so as to block the intrusion. This research extracts the packets of the traffic recognized as the attack and then detects a pattern common to those packets. However, because neither the starting position of the common pattern nor its length is known in advance across the packets, considerable effort is required to detect it. As an effort to detect an unknown fixed pattern in pieces of data, research on detecting a specific alignment within gene base sequences is being carried out.
However, these technologies have the disadvantage of taking a long time. It has been reported that, with current technology, a new worm can paralyze all network services within three minutes. Accordingly, methods for rapidly and easily extracting the common pattern from suspicious packets are required so that worm traffic can be blocked before the worm proliferates and paralyzes network services.
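The common-pattern extraction problem described in the related-art section above, as an added illustration that is not part of the patent text and is not the invention's own algorithm: a brute-force longest-common-substring search over a set of constructed packets that carry the same payload at different offsets, with neither the start position nor the length of the pattern known in advance. The function name find_common_pattern, the sample payload bytes and the packet contents are assumptions made here for illustration, not a real worm signature.

```python
"""Added example: extracting a common byte pattern from suspicious packets.

This illustrates the problem described in the background section, not the
patent's own algorithm: several packets are suspected to carry the same
worm payload, but where the shared pattern starts and how long it is are
unknown, so the pattern has to be located by comparing the packets
themselves. The approach below is a straightforward longest-common-
substring search (brute force, not a sequence-alignment library), which
is simple but slow, matching the performance concern raised above.
"""
from typing import List, Optional, Tuple


def find_common_pattern(packets: List[bytes], min_len: int = 4) -> Optional[Tuple[bytes, List[int]]]:
    """Return the longest byte string present in every packet, plus its
    offset within each packet, or None if no common pattern of at least
    min_len bytes exists.

    min_len filters out trivially short coincidences (a single shared
    byte is not a usable signature).
    """
    if not packets:
        return None
    # The common pattern can be no longer than the shortest packet, so
    # candidate substrings are taken from that packet only.
    shortest = min(packets, key=len)
    # Try the longest candidates first; the first hit is the longest match.
    for length in range(len(shortest), min_len - 1, -1):
        for start in range(len(shortest) - length + 1):
            candidate = shortest[start:start + length]
            if all(candidate in pkt for pkt in packets):
                # The start position differs per packet; record each one.
                offsets = [pkt.find(candidate) for pkt in packets]
                return candidate, offsets
    return None


# Constructed sample data (assumption: a hypothetical payload, not a real
# worm signature). The same bytes appear at different offsets, surrounded
# by unrelated data, in every suspicious packet.
PAYLOAD = b"\x90\x90\x90\xeb\x10\x5e\x31\xc9\xb1\x40"
SUSPECT_PACKETS = [
    b"\x00\x01" + PAYLOAD + b"\x7f\x7f",
    b"AAAAAAAA" + PAYLOAD + b"\x13\x37\x42",
    PAYLOAD + b"\xff",
]
# A constructed benign request: adding it to the set leaves no shared
# substring of useful length, so no pattern is reported.
NORMAL_PACKET = b"GET / HTTP/1.1\r\n"


if __name__ == "__main__":
    result = find_common_pattern(SUSPECT_PACKETS)
    if result is not None:
        pattern, offsets = result
        print("common pattern:", pattern.hex(), "at offsets", offsets)
    print("with benign packet:", find_common_pattern(SUSPECT_PACKETS + [NORMAL_PACKET]))
```

The search enumerates every substring of the shortest packet, longest first, and tests each against all packets, so its cost grows roughly with the square of the packet length times the number of packets; on real traffic volumes this is exactly the performance problem the section attributes to alignment-based approaches. The min_len threshold matters in practice: without it, a single byte such as an ASCII "1" shared by the payload and an ordinary HTTP request would be reported as a "common pattern".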