A conventional network security system protects only its own domain: it detects a sign of intrusion and blocks the traffic coming from an external intruder. Even after failing to break into a first target domain, however, the intruder remains free to roam the network and attempt another attack on other domains.
Further, the conventional security system has the following drawbacks. It is very difficult to build a cooperation system between the many domains on a network. Even for the same attack, data recognized at one domain cannot be shared with another domain on the same network. The conventional security system also lacks the capability of integrating related data from the different domains at the network level. Thus, it has been difficult to expect the domains to cooperate in defending against an attacker.
Therefore, an increasing amount of research has been conducted with the aim of developing a system capable of tracing the attacker, intercepting the traffic generated at the source of the attack and, further, isolating the attacker from the entire network through integration of data and cooperation between the domains that constitute the network.
One representative research effort of this kind is AN-IDR (Active Network-Intrusion Detection and Response), conducted as a DARPA (Defense Advanced Research Projects Agency) project to overcome the shortcomings of the conventional network security system and to complement IDIP (Intruder Detection and Isolation Protocol), which was instituted as one of the SLSS (Survivability of Large Scale Systems) programs.
The AN-IDR provides a mechanism for effectively tracking and defending against the attacker through a series of steps: detecting an attack carried over TCP, UDP or the like, backtracking the attack based on the data monitored by each router, and isolating the attacker from the entire network by means of the IDIP system and a security management domain with a hierarchical structure.
In coping with a distributed denial-of-service attack, however, the AN-IDR offers a defense that is effective only against the attacker's agents. Its defense mechanism operates as follows: first, the traffic from the distributed attacker agents is blocked; next, the agent serving as the source of the attacker agents is removed; finally, the traffic interception is released. In other words, because the AN-IDR removes only the agents used in the distributed denial-of-service attack, it cannot isolate the attacker from the entire network, and so a second or third attack by the same attacker cannot be prevented in advance.
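The trace-and-respond cycle described above, reduced to a small simulation so that the two responses can be compared side by side. This is an added example and not code from the page or from the AN-IDR or IDIP projects; the four domains, the router names, the host addresses and the three-tier attacker/handler/agent chain are all constructed for illustration. Each router records, per flow, the hop the flow arrived from; the victim domain backtracks the flood hop by hop to its ingress router, and the ingress domain's own records are then used to climb from the agents to the handler and from the handler to the attacker, which is exactly the cross-domain data integration the text says a conventional system lacks.

```python
"""Constructed simulation: per-router backtracking, agent-only clean-up versus
network-wide isolation of the attacker. Not AN-IDR or IDIP code."""
from collections import defaultdict

class Network:
    def __init__(self):
        self.records = defaultdict(dict)  # router -> {(src, dst): previous hop}
        self.blocked = defaultdict(set)   # domain -> source addresses refused
        self.routers = set()
        self.domain_of = {}               # host address -> domain
        self.edge_router = {}             # domain -> its edge router

    def add_domain(self, domain, edge_router, hosts):
        self.edge_router[domain] = edge_router
        for h in hosts:
            self.domain_of[h] = domain

    def send(self, src, dst, path):
        """Forward one flow along `path` (source side first). Every router
        notes the hop it came from; the destination domain's firewall decides."""
        prev = src
        for router in path:
            self.routers.add(router)
            self.records[router][(src, dst)] = prev
            prev = router
        return "blocked" if src in self.blocked[self.domain_of[dst]] else "delivered"

    def backtrack(self, src, dst):
        """Follow the records from the victim's edge router toward the source.
        Returns (router chain, originating host or None if the trail ends)."""
        router = self.edge_router[self.domain_of[dst]]
        chain = [router]
        while True:
            prev = self.records[router].get((src, dst))
            if prev is None:
                return chain, None
            if prev not in self.routers:      # reached a host, not a router
                return chain, prev
            router = prev
            chain.append(router)

    def isolate(self, addr):
        """Cooperative response: every domain refuses traffic from addr."""
        for domain in self.edge_router:
            self.blocked[domain].add(addr)

def trace_controllers(net, router, hosts):
    """Climb one router's records from the flooding hosts to whoever sent
    traffic to them, until no further sender is recorded."""
    frontier, seen = set(hosts), set(hosts)
    while True:
        senders = {s for (s, d) in net.records[router] if d in frontier and s not in seen}
        if not senders:
            return frontier
        seen |= senders
        frontier = senders

# Constructed addresses (hypothetical): attacker in D, handler and agents in C.
ATTACKER, HANDLER, AGENTS = "10.0.9.9", "10.0.3.1", ["10.0.3.2", "10.0.3.3"]
VICTIM1, VICTIM2, NEW_HANDLER = "10.0.1.5", "10.0.2.7", "10.0.3.4"

def build_network():
    net = Network()
    net.add_domain("A", "rA", [VICTIM1])
    net.add_domain("B", "rB", [VICTIM2])
    net.add_domain("C", "rC", [HANDLER, NEW_HANDLER] + AGENTS)
    net.add_domain("D", "rD", [ATTACKER])
    return net

def ddos_round(net, victim, handler):
    """Attacker instructs the handler, the handler drives the agents, the
    agents flood the victim. Returns the outcome seen at the victim."""
    if net.send(ATTACKER, handler, ["rD", "core", "rC"]) == "blocked":
        return "blocked"                      # attacker never reaches a handler
    for agent in AGENTS:
        net.send(handler, agent, ["rC"])     # command traffic inside domain C
    edge = net.edge_router[net.domain_of[victim]]
    results = [net.send(agent, victim, ["rC", "core", edge]) for agent in AGENTS]
    return "delivered" if "delivered" in results else "blocked"

def respond_agents_only(net, victim):
    """The agent-only sequence the text describes: block the agents' traffic,
    remove the handler, then release the interception."""
    dom = net.domain_of[victim]
    net.blocked[dom].update(AGENTS)
    net.isolate(HANDLER)                      # handler "removed" from the network
    net.blocked[dom].difference_update(AGENTS)

def run(isolate_attacker):
    """One attack, a trace, a response, then a second attack on another domain."""
    net = build_network()
    first = ddos_round(net, VICTIM1, HANDLER)
    chain, _ = net.backtrack(AGENTS[0], VICTIM1)
    controllers = trace_controllers(net, chain[-1], AGENTS)   # via domain C's data
    if isolate_attacker:
        for addr in controllers:
            net.isolate(addr)
    respond_agents_only(net, VICTIM1)
    second = ddos_round(net, VICTIM2, NEW_HANDLER)            # attacker re-arms
    return {"first": first, "chain": chain, "controllers": controllers, "second": second}
```

With `run(False)` the trace finds the attacker, but only the agents and handler are dealt with, so the attacker recruits a new handler and the second attack on domain B is delivered; with `run(True)` the address found by the trace is refused by every domain, so the attacker cannot even reach a new handler and the second attack is blocked before it starts.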