The present invention relates to a device and method for detecting a command and control channel.
Recently, various sorts of targeted attacks such as denial of service (DoS) attacks, personal information hacking, attacks on financial institutions, and cyber terrorism have been increasing, beginning with the distributed denial of service (DDoS) attack. There are various kinds of attackers and attacking methods, and what they have in common is that a host outside the network to be attacked is connected to a host inside that network by a command and control channel, over which the attack is performed.
The attack through the command and control channel represents an advanced persistent attack. An attacker stays within the network to be attacked for several months, collecting information, attacking the internal network, destroying systems, and stealing information. The network to be attacked is generally protected by a firewall or an intrusion detecting device, so the attacker transmits emails with malware attached to the system to be attacked, or installs malicious code on the system to be attacked while its user is browsing the Internet, to obtain an initial intrusion route into the system to be attacked.
In particular, recently, the command and control channel is not kept open persistently; instead, the internal network device compromised by the attacker periodically attempts to connect to the attacker's host located outside the network in order to generate a command and control channel.
Intrusion detecting devices up to now detect the command and control channel based on a technical characteristic of the channel. That is, the intrusion detecting device uses known information such as a specific signature or a malicious Internet address to detect the command and control channel. However, such a detecting method only detects known malicious behavior, so it catches only low-level attacks that copy previously used attacking methods and has difficulty detecting attacks that use new command and control channels. Therefore, new detecting methods capable of handling recent attacking methods are required.
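As an added illustration, not part of the patent text, the following Python contrasts the prior-art blocklist check with a check on the periodic connection attempts described above, run over constructed flow records. The host addresses, the FLOWS list and the KNOWN_BAD set are constructed assumptions, not data from the document.

```python
"""Periodicity-based detection of command and control beaconing.

Added example, not part of the patent text. The flow records are
constructed; KNOWN_BAD is a placeholder signature/blocklist.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (seconds since start, source host, destination host).
FLOWS = [
    # a compromised internal host re-attempting its C2 connection about every 300 s
    (0, "10.0.0.5", "203.0.113.7"), (301, "10.0.0.5", "203.0.113.7"),
    (599, "10.0.0.5", "203.0.113.7"), (902, "10.0.0.5", "203.0.113.7"),
    (1198, "10.0.0.5", "203.0.113.7"), (1501, "10.0.0.5", "203.0.113.7"),
    # a user browsing the same site at irregular intervals
    (10, "10.0.0.8", "198.51.100.2"), (47, "10.0.0.8", "198.51.100.2"),
    (400, "10.0.0.8", "198.51.100.2"), (410, "10.0.0.8", "198.51.100.2"),
    (1300, "10.0.0.8", "198.51.100.2"), (1305, "10.0.0.8", "198.51.100.2"),
]
# Placeholder blocklist: the new C2 host is deliberately not in it.
KNOWN_BAD = {"192.0.2.66"}


def signature_hits(flows, blocklist=KNOWN_BAD):
    """Prior-art style check: flag only destinations already known to be malicious."""
    return sorted({(src, dst) for _, src, dst in flows if dst in blocklist})


def periodicity(times):
    """Coefficient of variation of inter-arrival gaps; near 0 means regular beaconing."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if not gaps:
        return float("inf")
    m = mean(gaps)
    return pstdev(gaps) / m if m else float("inf")


def beacon_candidates(flows, min_connections=5, max_cv=0.1):
    """Flag (src, dst) pairs whose connection attempts recur at near-constant intervals."""
    by_pair = defaultdict(list)
    for t, src, dst in flows:
        by_pair[(src, dst)].append(t)
    hits = []
    for pair, times in by_pair.items():
        times.sort()
        if len(times) >= min_connections and periodicity(times) <= max_cv:
            hits.append(pair)
    return sorted(hits)
```

The blocklist check returns nothing for this data, while the periodicity check flags the regularly re-connecting internal host; in practice the thresholds need tuning against legitimate periodic traffic such as software update checks.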