Since Denial of Service (DoS) attacks emerged in the late 1990s, networks have served not only as the foundation of cyber attacks but also as the medium through which cyber attacks propagate. As a result, security attacks have increased significantly, and their complexity continues to grow.
The DoS attack, one of the most widely used hacking techniques, transmits a large volume of data in order to obstruct the normal services of a target network or system; this rapidly degrades the performance of the target network or system, thereby preventing use of the services it provides. At the initial stage of DoS attacks, when there were few Internet users, the mainstream was a one-to-one attack in which a single attacker targets a single system or a single service of one victim.
However, the current mainstream attack is an N-to-one attack called Distributed Denial of Service (DDoS), in which N unspecified systems target a single network. In such an attack, a large number of unspecified systems are first compromised through preparatory work such as a port scan, and the compromised systems are then directed to attack simultaneously. The DDoS attack is therefore destructive enough to knock out not only a single system but an entire network.
In preparation for a DDoS attack, the port scan is a process of sequentially connecting to a server over the network in order to detect a security vulnerability, i.e. a security hole. A server-grade computer exposed on the Internet operates on the TCP/IP protocol suite, provides a number of access windows called “ports”, and waits on those ports for access requests from users. The port scan connects to the ports of the server-grade computer in sequence and identifies the application software and Operating System (OS) running on the server, in order to find any vulnerable port that may serve as an intrusion path. When the port scan detects a security hole, an unauthorized intrusion is carried out using an intrusion program.
With the recent gradual increase in the port scan attacks described above, an Intrusion Detection System (IDS), which detects abnormal harmful traffic, and an Intrusion Prevention System (IPS), which detects and blocks abnormal harmful traffic, have been proposed in order to protect important systems, and they have been effective in blocking the port scan attacks described above.
However, it is difficult for conventional IDSs and IPSs to detect and block slow port scan attacks, which are a kind of stealth scan attack. That is, conventional IDSs and IPSs can detect a general scan attack through log file or packet analysis, because its probes of many ports arrive within a short time and stand out from normal traffic; a slow port scan spreads the same probes over a long period, so that its traffic is difficult to discriminate from normal traffic. Furthermore, if the detection pattern is applied strictly enough to catch such a scan, conventional IDSs and IPSs may cause the serious side effect of misjudging normal traffic as abnormal traffic and blocking the normal traffic.
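As an added example, not code from the original text or from any particular IDS product, the following Python script models the threshold rule ("N distinct ports from one source within T seconds") that conventional IDSs apply to the sequential port access described above. It runs the rule over a constructed connection log containing a fast scanner, a slow scanner and a normal client, and shows both why the slow scan slips past a loose rule and why tightening the rule produces the false positive the text warns about. The log format, the source addresses, the timestamps and the two threshold settings are assumptions chosen for illustration.

```python
"""Sliding-window port-scan detection over a constructed connection log.

Added example, not code from the original text: it models the kind of
threshold rule ("N distinct ports from one source within T seconds") that
conventional IDS/IPS products apply, to show the slow-scan blind spot and
the false-positive cost of tightening the rule. All addresses, timestamps
and thresholds below are assumptions chosen for illustration.
"""
from collections import defaultdict, deque


def build_sample_log():
    """Return a constructed log: one "<epoch_seconds> <src_ip> <dst_port>" per line."""
    lines = []
    # Fast scanner (assumed 10.0.0.5): ports 1..20 at ten connections per second.
    for i in range(20):
        lines.append(f"{1000 + i // 10} 10.0.0.5 {1 + i}")
    # Slow scanner (assumed 10.0.0.6): the same ports, one every ten minutes.
    for i in range(20):
        lines.append(f"{2000 + i * 600} 10.0.0.6 {1 + i}")
    # Normal client (assumed 10.0.0.7): repeated HTTPS, then one HTTP, one SSH
    # and one DNS connection, all within an hour.
    for ts, port in [(3000, 443), (3010, 443), (3020, 443), (3030, 80),
                     (3500, 22), (3600, 53)]:
        lines.append(f"{ts} 10.0.0.7 {port}")
    return "\n".join(lines)


def parse_log(text):
    """Parse the constructed log into (timestamp, source, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port = line.split()
        events.append((int(ts), src, int(port)))
    return events


def detect_scans(events, threshold, window):
    """Flag each source that touches >= `threshold` distinct ports within
    any `window` seconds. Returns {source: timestamp_of_first_alert}.

    Events are processed in time order; per source we keep only the
    attempts that fall inside the trailing window, which is exactly why a
    scan spread out over a long period never accumulates enough ports.
    """
    recent = defaultdict(deque)  # source -> deque of (ts, port), oldest first
    flagged = {}
    for ts, src, port in sorted(events):
        queue = recent[src]
        queue.append((ts, port))
        while queue and ts - queue[0][0] > window:
            queue.popleft()
        distinct_ports = {p for _, p in queue}
        if len(distinct_ports) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged


def compare_policies(log_text):
    """Run a loose rule and a strict rule over the same log."""
    events = parse_log(log_text)
    return {
        # Loose rule: 10 distinct ports within 60 s. Catches the fast scanner only;
        # the slow scanner never has more than one port inside any 60 s window.
        "loose": detect_scans(events, threshold=10, window=60),
        # Strict rule: 3 distinct ports within 3600 s. Also catches the slow
        # scanner, but the normal client is flagged too (a false positive).
        "strict": detect_scans(events, threshold=3, window=3600),
    }


if __name__ == "__main__":
    for name, result in compare_policies(build_sample_log()).items():
        print(f"{name:6s} rule flagged: {result}")
```

Under the loose rule only the fast scanner is flagged; under the strict rule the slow scanner is caught as well, but so is the normal client, whose ordinary mix of HTTPS, HTTP, SSH and DNS connections now looks like a scan. Widening the window or lowering the threshold therefore trades the slow-scan blind spot for the false positives described above, which is the gap the conventional approach leaves open.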