USRE45381E1 - Network correction security system and method - Google Patents

Network correction security system and method

Info

Publication number
USRE45381E1
Authority
US
United States
Prior art keywords
network node
fault
security
router
network
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related, expires
Application number
US12/954,373
Inventor
Seung-Min Lee
Taek-Yong Nam
Sung-won Sohn
Chee-Hang Park
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Electronics and Telecommunications Research Institute ETRI
Original Assignee
Electronics and Telecommunications Research Institute ETRI


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00: Data switching networks
    • H04L12/02: Details
    • H04L12/22: Arrangements for preventing the taking of data from a data transmission channel without authorisation
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1458: Denial of Service

Definitions

  • the present invention relates to a network correction security system and method, and more particularly, to a network correction security system and method for preventing network attacks and correcting attacks that occur to carry out security performance.
  • an intrusion detection system one of security systems, has been proposed in order to cope with attacks from hackers.
  • the intrusion detection system requires an improved structure in terms of software and hardware since the attacks from the hackers become more sophisticated and a network bandwidth is rapidly increasing.
  • a conventional IDS is classified into a host IDS and a network IDS.
  • the host IDS protects a single terminal system such as a server or a personal computer and a network application using an auditing system or even logs.
  • the network IDS monitors network traffic to detect attacks or intrusions of hackers and blocks the attacks or intrusions.
  • the development of the network IDS is concentrated on signature detection, anomaly detection, and detection of denial of service.
  • a conventional security system such as a Firewall and an intrusion prevention system as well as the host IDS and network IDS requires a considerably long period of time to recover a fault generated in a system and normally operate the system. This is because the conventional security system lacks a technique of continuing services the system has been providing by utilizing restricted resources while the system is having a fault or recovering functions of the system.
  • the conventional security system needs a technique that dynamically improves the system having a fault in cooperation with an external system to prevent the generation of the fault in advance and prevent the same failure from being repeated.
  • the present invention provides a network correction security system and method for preventing the same failure from being repeatedly generated through a function of continuously improving the performance of the system.
  • a network correction security system that is connected between a network node and a security-related external system, detects an external attack on the network node, and corrects a weak part of the performance of the network node, comprises a correction agent that removes a fault generated in the network node according to a measure corresponding to a level of the fault to correct the fault, and when it is confirmed that the fault has not been completely corrected, repeats a recovery process of reallocating and dividing resources of the network node; and a correction manager that continuously collects information required for improving the security performance of the network node from the security-related external system and analyzes the collected information to control the improvement of the security performance of the network node.
  • the correction manager recovers functions of the network node according to a mechanism that recovers a part of the network node or the entire network node when it is confirmed that the fault has not been completely corrected even after the recovery process has been carried out.
  • a recording medium including a network correction security method that detects an external attack on a network node and corrects a weak part of the performance of the network node comprises a function of removing a fault generated in the network node according to a measure corresponding to a grade of the fault to correct the fault; a function of repeating a recovery process that reallocates and divides resources of the network node when the fault has not been completely corrected; a function of recovering functions of the network node according to a mechanism of recovering a part or the entirety of the security performance of the network node when the fault has not been completely corrected even after the recovery process; and a function of continuously collecting information required for improving the security performance of the network node from a security-related external system and analyzing the collected information to improve the security performance of the network node.
  • FIG. 1 shows a detailed construction of a network correction security system according to an embodiment of the present invention;
  • FIG. 2 is a flow chart showing the operation procedure of the network correction security system shown in FIG. 1;
  • FIG. 3 shows the construction of an ISP network to which the network correction security system of FIG. 1 is applied.
  • FIG. 4 is a graph showing the result of execution of the security performance of the network correction security system of FIG. 1.
  • FIG. 1 shows the construction of a network correction security system according to an embodiment of the present invention.
  • the network correction security system 100 includes a single correction manager 110 and at least one correction agent 120.
  • the network correction security system 100 includes a recovery region and an improvement region in terms of function.
  • the correction agent 120 recovers and improves principal functions of a network node 200, such as a router, a security system, and various security servers, through data transmission/reception to/from the network node 200.
  • the correction agent 120 can be included in a specific device of the network node 200. Otherwise, the correction agent 120 can be constructed as a separate system.
  • the correction manager 110 includes a network resource controller 111, a recovery data manager 112, an improvement manager 113, and a function creator 114.
  • the correction agent 120 includes a resource/fault monitor 121, a resource controller 122, a fault assessor 123, a fault remover 124, a dynamic updater 125, and a dynamic platform 126.
  • the correction manager 110 has both the recovery and improvement functions.
  • the correction manager 110 manages at least one correction agent 120 and controls the entire correction operation.
  • the network resource manager 111 of the correction manager 110 manages resources of a corresponding system (hereinafter referred to as “security system”).
  • the network resource manager 111 reallocates the resources of the security system when normal services cannot be provided according to resource allocation in the security system.
  • the network resource manager 111 grasps the state of resources of another correction agent 120 and performs a secondary fault removal measure (for example, additional resource allocation) according to the grasped state of the resources.
  • the recovery data manager 112 carries out rapid function recovery through a recovery mechanism (for example, rebooting the security system using stored data or resetting functions of the security system) for a part of the security system or the entire security system when the secondary fault removal measure has not been successfully performed.
  • the improvement manager 113 receives information about the improvement of the performance of a network from an external system 300 (a network resource system), and executes data mining and correlation analysis for the received information (for example, information about vulnerability of the network) to decide whether the security system needs to be improved.
  • when the improvement manager 113 judges that the security system requires improvement, the improvement manager 113 provides items to be improved to the correction agent 120 in real time in order to remove causes of a fault before the fault is generated in the security system to prevent the generation of the fault in advance or to prevent the fault from being repeatedly generated.
  • the function creator 114 creates a new function when it judges that the new function is needed for improving the performance of the security system and provides the created new function to the correction agent 120 which dynamically executes the new function.
  • the correction agent 120 recovers and improves principal functions of the security system.
  • the resource/fault monitor 121 of the correction agent 120 monitors faults in the security system and availability of principal resources in close relation to the functions of the security system. When a fault is generated in the security system, the resource/fault monitor 121 informs the fault assessor 123 of the generation of the fault.
  • the resource controller 122 carries out a recovery process including reallocation or division of remaining resources, to secure availability of main components of the security system when the generated fault has not been completely removed though the first recovery measure has been executed after confirmation of the fault.
  • the fault assessor 123 assesses a grade of the generated fault.
  • the fault remover 124 removes the fault according to a measure corresponding to the assessed grade. In addition, the fault remover 124 prevents the fault from being repeatedly generated.
  • the fault assessor 123 can request the function creator 114 of the correction manager 110 to create a new function corresponding to the generated fault.
  • the dynamic updater 125 improves a weak part of the performance of the security system in real time according to the information about the improvement of the performance of the security system, received from the improvement manager 113 of the correction manager 110.
  • the dynamic platform 126 supports the correction agent 120 to smoothly perform the recovery and improvement functions using at least one new function received from the function creator 114 of the correction manager 110.
  • FIG. 2 is a flow chart showing the operation procedure of the network correction security system shown in FIG. 1.
  • the network correction security system 100 executes network correction security of the security system through a fault prevention step, a fault permission step, a function recovery step, and a fault recurrence prevention step.
  • the improvement manager 113 of the correction manager 110 receives information required for improving the performance of the security system from the external system 300 in step 210. Then, the improvement manager 113 carries out data mining and correlation analysis for the received information (such as information about vulnerability of a network) in step S211, and then decides whether the performance of the security system needs improvement in step S212.
  • the improvement manager 113 transmits the information required for improving the performance of the security system to the dynamic updater 125.
  • the dynamic updater 125 improves a weak part of the performance of the security system in real time as instructed by the improvement manager 113 in step S213.
  • the resource/fault monitor 121 of the correction agent 120 monitors the performance of the security system when there is a problem in the performance of the security system due to a fault that was not removed in advance, in step S220, and confirms whether the performance of the security system is deteriorated in step S221.
  • the resource/fault monitor 121 immediately informs the fault assessor 123 thereof.
  • the fault assessor 123 assesses a grade of the fault in step S223
  • the fault remover 124 removes the fault in step S224.
  • step S225 the resource controller 122 reallocates and divides internal resources of the security system in step S226, thereby maintaining the normal performance of the security system.
  • the network resource manager 111 grasps the state of the resources of the correction agent 120 and performs a third network-based fault removing measure (for example, additional resource allocation) according to the grasped resources, in step S228.
  • the recovery data manager 112 rapidly recovers functions of the security system by executing a recovery algorithm (for example, rebooting the system or storing data required for resetting the functions of the system) in step S230.
  • the improvement manager 113 of the correction manager 110 analyzes at least one fault that was generated in the security system, in step S240.
  • the improvement manager 113 transmits information about the improvement of the security system to the dynamic updater 125 to improve a weak part of the performance of the security system in real time, in step S242.
  • the network correction security system and method of the present invention prevents the generation of a fault due to an external attack on or intrusion to the security system, or a vulnerability of the security system, in advance. Furthermore, the present invention continuously maintains the performance of the security system using restricted resources while the fault generated in the security system is being recovered.
  • the present invention prevents the same fault from being repeatedly generated in the security system through a function of continuously improving the performance of the security system.
  • FIG. 3 shows the construction of the ISP network to which the network correction security system shown in FIG. 1 is applied.
  • the correction manager 110 is located on a management/control network and cooperates with a vulnerability analysis system, a network management system, and an integrated security system. At least one correction agent 120 is located in each router, or if required, exists in the form of a dedicated agent.
  • the improvement manager 113 of the correction manager 110 receives an indication of the DDoS attack from the vulnerability analysis system, network management system, and integrated security management system, and then transmits the information about the indication to the dynamic updater 125 of the correction agent 120. Then, the dynamic updater 125 dynamically operates a function of discarding a DDoS packet to prevent the generation of a fault in advance.
  • DDoS: Distributed Denial of Service
  • the resource/fault monitor 121 informs the fault assessor 123 of information about a generated fault.
  • the fault assessor 123 assesses a grade of the fault, and the fault remover 124 carries out the fault permission step through a fault removal function of discarding the DDoS packet that is a cause of the fault.
  • the resource controller 122 reallocates a memory capacity required for executing the processing in the router. Furthermore, the network resource manager 111 changes a path of some packets to a neighboring router to control a router processing load.
  • the recovery data manager 112 executes a recovery mechanism (for example, rebooting the system or storing data required for resetting functions of the system) using optimum setting information of the router to rapidly recover functions of the system.
  • the improvement manager 113 transmits information about the improvement of the system to the dynamic updater 125 to improve a weak part of the performance of the system in real time.
  • FIG. 4 is a graph showing the correction result of the network correction security system shown in FIG. 1.
  • the network correction security system of the present invention (indicated by a solid line) has performed function recovery within a short period of time, compared to a conventional security system (represented by a dotted line).
  • the present invention can continuously provide normal services through networks even in unfavorable conditions having external attacks or intrusions.
  • the network correction security system and method according to the present invention can prevent the generation of a fault due to an external attack or intrusion, or a vulnerability of a corresponding system. Furthermore, the present invention can continuously maintain the performance of the corresponding system using restricted resources while the fault generated in the system is being recovered. Moreover, the present invention prevents the same fault from being repeatedly generated through a function of continuously improving the performance of the system.
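
The escalation order described for FIG. 2 and the ISP router case (grade-based fault removal, local resource reallocation, network-level rerouting, recovery from stored settings, then recurrence prevention) can be traced with a small simulation. This is an added example, not code from the patent: the class names, the grade thresholds, the `PPS_PER_MB` capacity model and all traffic figures are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass, field

PPS_PER_MB = 1000  # assumed: packets/s of forwarding capacity per MB of buffer


@dataclass
class Node:
    """Constructed stand-in for network node 200 (a router)."""
    name: str
    buffer_mb: int                 # memory given to packet processing
    spare_mb: int                  # memory the resource controller may move
    legit_pps: int
    attack: dict = field(default_factory=dict)    # signature -> packets/s
    drop_rules: set = field(default_factory=set)  # signatures being discarded
    rerouted_pps: int = 0

    def demand(self):
        hostile = sum(p for s, p in self.attack.items() if s not in self.drop_rules)
        return self.legit_pps - self.rerouted_pps + hostile

    def load(self):
        return self.demand() / (self.buffer_mb * PPS_PER_MB)


def grade(load):
    """Fault assessor 123. Thresholds are assumed; the patent gives none."""
    if load <= 1.0:
        return 0
    return 1 if load <= 1.5 else 2


class CorrectionManager:
    def __init__(self, neighbours=()):
        self.neighbours = list(neighbours)  # nodes whose resource state is known
        self.known_bad = set()   # improvement manager 113: items to improve
        self.saved = {}          # recovery data manager 112: stored settings

    def snapshot(self, node):
        self.saved[node.name] = (node.buffer_mb, node.spare_mb)

    def handle(self, node, flagged):
        """Return the stages attempted for one monitoring pass over `node`."""
        # Fault prevention: dynamic updater 125 applies known items first.
        node.drop_rules |= self.known_bad
        g = grade(node.load())
        if g == 0:
            return ["prevented"] if node.attack else ["normal"]
        stages = []
        for stage in (self._remove, self._reallocate, self._reroute, self._recover):
            stages.append(stage.__name__.lstrip("_"))
            stage(node, flagged, g)
            if grade(node.load()) == 0:   # fault corrected, stop escalating
                break
        # Fault recurrence prevention: keep what this fault taught us.
        self.known_bad |= set(flagged) & set(node.attack)
        stages.append("improve")
        return stages

    def _remove(self, node, flagged, g):
        # Fault remover 124: the measure scales with the assessed grade.
        hits = sorted((s for s in node.attack if s in flagged),
                      key=node.attack.get, reverse=True)
        node.drop_rules |= set(hits if g >= 2 else hits[:1])

    def _reallocate(self, node, flagged, g):
        # Resource controller 122: move spare memory into packet processing.
        need = math.ceil(node.demand() / PPS_PER_MB) - node.buffer_mb
        moved = max(0, min(need, node.spare_mb))
        node.buffer_mb += moved
        node.spare_mb -= moved

    def _reroute(self, node, flagged, g):
        # Network resource manager 111: shift some packets to a neighbour.
        for n in self.neighbours:
            excess = node.demand() - node.buffer_mb * PPS_PER_MB
            room = n.buffer_mb * PPS_PER_MB - n.demand()
            shift = max(0, min(excess, room, node.legit_pps - node.rerouted_pps))
            node.rerouted_pps += shift
            n.legit_pps += shift

    def _recover(self, node, flagged, g):
        # Recovery data manager 112: reset to the stored settings.
        if node.name in self.saved:
            node.buffer_mb, node.spare_mb = self.saved[node.name]


if __name__ == "__main__":
    mgr = CorrectionManager()
    r1 = Node("r1", buffer_mb=4, spare_mb=2, legit_pps=3000,
              attack={"syn-flood": 5000, "unknown": 2000})  # constructed traffic
    print(mgr.handle(r1, flagged={"syn-flood"}))
    r2 = Node("r2", 4, 0, 3000, attack={"syn-flood": 5000})
    print(mgr.handle(r2, flagged=set()))  # same flood, now stopped in advance
```

Each stage runs only if the previous one left the node overloaded, which is the property that lets the node keep serving on restricted resources before a full reset is attempted.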

Abstract

A network correction security system. The network correction security system connected between a network node and a security-related external system, detects attacks on the network node, corrects weak parts of the performance of the network node, collects information for improving the security performance of the network node from a security-related external system, analyzes the information, monitors principal resources of the network node to detect a fault, and removes the fault according to a measure corresponding to a grade of the fault. The network correction security system carries out a recovery process when the fault has not been corrected, and recovers the functions of the network node according to a recovery mechanism when the fault has not been removed after the recovery process.

Description

CROSS REFERENCE TO RELATED APPLICATIONS
The present patent application is a Reissue of U.S. Pat. No. 7,457,949, issued on Nov. 25, 2008, which claims priority to and the benefit of Korean Patent Application No. 2003-70398 filed on Oct. 9, 2003 in the Korean Intellectual Property Office, the entire content of each of which are incorporated herein by reference.
BACKGROUND OF THE INVENTION
(a) Field of the Invention
The present invention relates to a network correction security system and method, and more particularly, to a network correction security system and method for preventing network attacks and correcting attacks that occur to carry out security performance.
(b) Description of the Related Art
Recently, intrusions to or attacks on networks have rapidly evolved with the popularization of computers and the Internet. The attacks paralyze the networks and result in severe economic loss caused by, for instance, suspension of electronic commercial transactions, and in social chaos due to the interruption of Internet service.
Accordingly, an intrusion detection system (IDS), one of security systems, has been proposed in order to cope with attacks from hackers. The intrusion detection system requires an improved structure in terms of software and hardware since the attacks from the hackers become more sophisticated and a network bandwidth is rapidly increasing.
A conventional IDS is classified into a host IDS and a network IDS. The host IDS protects a single terminal system such as a server or a personal computer and a network application using an auditing system or even logs. The network IDS monitors network traffic to detect attacks or intrusions of hackers and blocks the attacks or intrusions. The development of the network IDS is concentrated on signature detection, anomaly detection, and detection of denial of service.
However, a conventional security system such as a Firewall and an intrusion prevention system as well as the host IDS and network IDS requires a considerably long period of time to recover a fault generated in a system and normally operate the system. This is because the conventional security system lacks a technique of continuing services the system has been providing by utilizing restricted resources while the system is having a fault or recovering functions of the system.
Furthermore, the conventional security system needs a technique that dynamically improves the system having a fault in cooperation with an external system to prevent the generation of the fault in advance and prevent the same failure from being repeated.
Therefore, a system and method are required for correctly detecting the type of a network intrusion, which varies rapidly, to recover the performance of a corresponding system having a fault within a short period of time and to prevent the same failure from being repeated in the system.
SUMMARY OF THE INVENTION
It is an advantage of the present invention to provide a network correction security system and method for preventing a fault from being generated in a system due to an external attack or intrusion, or a vulnerability of the corresponding system in advance, and when a fault is generated in the system, continuously maintaining the performance of the system using restricted resources while the failure is being recovered.
Furthermore, the present invention provides a network correction security system and method for preventing the same failure from being repeatedly generated through a function of continuously improving the performance of the system.
In one aspect of the present invention, a network correction security system that is connected between a network node and a security-related external system, detects an external attack on the network node, and corrects a weak part of the performance of the network node, comprises a correction agent that removes a fault generated in the network node according to a measure corresponding to a level of the fault to correct the fault, and when it is confirmed that the fault has not been completely corrected, repeats a recovery process of reallocating and dividing resources of the network node; and a correction manager that continuously collects information required for improving the security performance of the network node from the security-related external system and analyzes the collected information to control the improvement of the security performance of the network node.
The correction manager recovers functions of the network node according to a mechanism that recovers a part of the network node or the entire network node when it is confirmed that the fault has not been completely corrected even after the recovery process has been carried out.
In another aspect of the present invention, a network correction security method that detects an external attack on a network node and corrects a weak part of the performance of the network node comprises a step (a) of removing a fault generated in the network node according to a measure corresponding to a grade of the fault to correct the fault; a step (b) of repeating a recovery process that reallocates and divides resources of the network node when the fault has not been completely corrected in the step (a); a step (c) of recovering functions of the network node according to a mechanism of recovering a part or the entirety of the security performance of the network node when the fault has not been completely corrected even after the recovery process of the step (b); and a step (d) of continuously collecting information required for improving the security performance of the network node from a security-related external system and analyzing the collected information to improve the security performance of the network node.
In another aspect of the present invention, a recording medium including a network correction security method that detects an external attack on a network node and corrects a weak part of the performance of the network node comprises a function of removing a fault generated in the network node according to a measure corresponding to a grade of the fault to correct the fault; a function of repeating a recovery process that reallocates and divides resources of the network node when the fault has not been completely corrected; a function of recovering functions of the network node according to a mechanism of recovering a part or the entirety of the security performance of the network node when the fault has not been completely corrected even after the recovery process; and a function of continuously collecting information required for improving the security performance of the network node from a security-related external system and analyzing the collected information to improve the security performance of the network node.
BRIEF DESCRIPTION OF THE DRAWINGS
The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate an embodiment of the invention, and, together with the description, serve to explain the principles of the invention:
FIG. 1 shows a detailed construction of a network correction security system according to an embodiment of the present invention;
FIG. 2 is a flow chart showing the operation procedure of the network correction security system shown in FIG. 1;
FIG. 3 shows the construction of an ISP network to which the network correction security system of FIG. 1 is applied; and
FIG. 4 is a graph showing the result of execution of the security performance of the network correction security system of FIG. 1.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
The present invention will now be described more fully with reference to the accompanying drawings, in which exemplary embodiments of the invention are shown. The invention may, however, be embodied in many different forms and should not be construed as being limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the invention to those skilled in the art. Throughout the drawings, like reference numerals refer to like elements.
FIG. 1 shows the construction of a network correction security system according to an embodiment of the present invention. Referring to FIG. 1, the network correction security system 100 includes a single correction manager 110 and at least one correction agent 120. The network correction security system 100 includes a recovery region and an improvement region in terms of function.
The correction agent 120 recovers and improves principal functions of a network node 200, such as a router, a security system, and various security servers, through data transmission/reception to/from the network node 200. The correction agent 120 can be included in a specific device of the network node 200. Otherwise, the correction agent 120 can be constructed as a separate system.
The correction manager 110 includes a network resource controller 111, a recovery data manager 112, an improvement manager 113, and a function creator 114. The correction agent 120 includes a resource/fault monitor 121, a resource controller 122, a fault assessor 123, a fault remover 124, a dynamic updater 125, and a dynamic platform 126.
The components of the network correction system 100 and network recovery and improvement functions thereof will now be explained.
The correction manager 110 has both the recovery and improvement functions. The correction manager 110 manages at least one correction agent 120 and controls the entire correction operation.
The network resource manager 111 of the correction manager 110 manages resources of a corresponding system (hereinafter referred to as “security system”). The network resource manager 111 reallocates the resources of the security system when normal services cannot be provided according to resource allocation in the security system.
Specifically, when it is confirmed that a fault in the security system has not been completely eliminated though the fault has been removed when it was first generated in the security system, the network resource manager 111 grasps the state of resources of another correction agent 120 and performs a secondary fault removal measure (for example, additional resource allocation) according to the grasped state of the resources.
The recovery data manager 112 carries out rapid function recovery through a recovery mechanism (for example, rebooting the security system using stored data or resetting functions of the security system) for a part of the security system or the entire security system when the secondary fault removal measure has not been successfully performed.
The improvement manager 113 receives information about the improvement of the performance of a network from an external system 300 (a network resource system), and executes data mining and correlation analysis for the received information (for example, information about vulnerability of the network) to decide whether the security system needs to be improved.
When the improvement manager 113 judges that the security system requires improvement, the improvement manager 113 provides items to be improved to the correction agent 120 in real time in order to remove causes of a fault before the fault is generated in the security system to prevent the generation of the fault in advance or to prevent the fault from being repeatedly generated.
The function creator 114 creates a new function when it judges that the new function is needed for improving the performance of the security system and provides the created new function to the correction agent 120 which dynamically executes the new function.
The correction agent 120 recovers and improves principal functions of the security system. The resource/fault monitor 121 of the correction agent 120 monitors faults in the security system and availability of principal resources in close relation to the functions of the security system. When a fault is generated in the security system, the resource/fault monitor 121 informs the fault assessor 123 of the generation of the fault.
The resource controller 122 carries out a recovery process including reallocation or division of remaining resources, to secure availability of main components of the security system when the generated fault has not been completely removed though the first recovery measure has been executed after confirmation of the fault.
The fault assessor 123 assesses a grade of the generated fault. The fault remover 124 removes the fault according to a measure corresponding to the assessed grade. In addition, the fault remover 124 prevents the fault from being repeatedly generated.
The fault assessor 123 can request the function creator 114 of the correction manager 110 to create a new function corresponding to the generated fault.
The dynamic updater 125 improves a weak part of the performance of the security system in real time according to the information about the improvement of the performance of the security system, received from the improvement manager 113 of the correction manager 110.
The dynamic platform 126 enables the correction agent 120 to smoothly perform the recovery and improvement functions using at least one new function received from the function creator 114 of the correction manager 110.
The operation of the network correction security system having the aforementioned construction will now be explained with reference to FIG. 2.
FIG. 2 is a flow chart showing the operation procedure of the network correction security system shown in FIG. 1. Referring to FIG. 2, the network correction security system 100 executes network correction security of the security system through a fault prevention step, a fault permission step, a function recovery step, and a fault recurrence prevention step.
First, in the fault prevention step, the improvement manager 113 of the correction manager 110 receives information required for improving the performance of the security system from the external system 300 in step S210. Then, the improvement manager 113 carries out data mining and correlation analysis for the received information (such as information about vulnerability of a network) in step S211, and then decides whether the performance of the security system needs improvement in step S212.
When it is decided that the performance of the security system needs improvement, the improvement manager 113 transmits the information required for improving the performance of the security system to the dynamic updater 125. The dynamic updater 125 improves a weak part of the performance of the security system in real time as instructed by the improvement manager 113 in step S213.
Meanwhile, when a fault that was not removed in advance causes a problem in the performance of the security system, the resource/fault monitor 121 of the correction agent 120 monitors the performance of the security system in step S220 and confirms whether the performance has deteriorated in step S221. When deterioration is confirmed, the resource/fault monitor 121 immediately informs the fault assessor 123. The fault assessor 123 then assesses a grade of the fault in step S223, and the fault remover 124 removes the fault in step S224.
When it is confirmed that the fault has not been completely removed after the aforementioned first fault removal measure, in step S225, the resource controller 122 reallocates and divides internal resources of the security system in step S226, thereby maintaining the normal performance of the security system.
When the performance of the security system is determined not to be recovered even after the secondary measure, in step S227, the network resource manager 111 determines the state of the resources of the correction agent 120 and performs a third network-based fault removing measure (for example, additional resource allocation) according to the determined state of the resources, in step S228.
In the function recovery step, when the security system does not operate properly even after the aforementioned measures have been executed, the recovery data manager 112 rapidly recovers functions of the security system by executing a recovery algorithm (for example, rebooting the system or storing data required for resetting the functions of the system) in step S230.
Next, in the fault recurrence prevention step, the improvement manager 113 of the correction manager 110 analyzes at least one fault that was generated in the security system, in step S240. When it is judged that the security system requires improvement from the analysis result, the improvement manager 113 transmits information about the improvement of the security system to the dynamic updater 125 to improve a weak part of the performance of the security system in real time, in step S242.
As described above, the network correction security system and method of the present invention prevents the generation of a fault due to an external attack on or intrusion to the security system, or a vulnerability of the security system, in advance. Furthermore, the present invention continuously maintains the performance of the security system using restricted resources while the fault generated in the security system is being recovered.
Moreover, the present invention prevents the same fault from being repeatedly generated in the security system through a function of continuously improving the performance of the security system.
Next, an Internet service provider (ISP) network, one of communication networks to which the network correction security system is applied, is explained with reference to FIG. 3. FIG. 3 shows the construction of the ISP network to which the network correction security system shown in FIG. 1 is applied.
Referring to FIG. 3, the correction manager 110 is located on a management/control network and cooperates with a vulnerability analysis system, a network management system, and an integrated security system. At least one correction agent 120 is located in each router, or if required, exists in the form of a dedicated agent.
If a DDoS (Distributed Denial of Service) attack that threatens to paralyze the network occurs, the improvement manager 113 of the correction manager 110 receives an indication of the DDoS attack from the vulnerability analysis system, network management system, and integrated security management system, and then transmits the information about the indication to the dynamic updater 125 of the correction agent 120. Then, the dynamic updater 125 dynamically operates a function of discarding a DDoS packet to prevent the generation of a fault in advance.
However, when a router passes the fault prevention step and is exposed to causes of a fault, the capacity of a memory that is an important resource required for processing of the router is consumed so that the processing performance of the router may be deteriorated. The resource/fault monitor 121 informs the fault assessor 123 of information about a generated fault. The fault assessor 123 assesses a grade of the fault, and the fault remover 124 carries out the fault permission step through a fault removal function of discarding the DDoS packet that is a cause of the fault.
When the router does not normally operate although the aforementioned fault removal process has been carried out, the resource controller 122 reallocates a memory capacity required for executing the processing in the router. Furthermore, the network resource manager 111 changes a path of some packets to a neighboring router to control a router processing load.
When a fault is generated in the router so that the router does not normally operate although the above-described fault permission step has been executed, the recovery data manager 112 executes a recovery mechanism (for example, rebooting the system or storing data required for resetting functions of the system) using optimum setting information of the router to rapidly recover functions of the system.
The improvement manager 113 transmits information about the improvement of the system to the dynamic updater 125 to improve a weak part of the performance of the system in real time.
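The escalation order of FIG. 2, applied to the router scenario of FIG. 3, can be followed in the Python example below. It is an added illustration and not part of the patent: the `Router` model, the memory units, the grade thresholds and the filter-coverage percentages are all assumptions constructed for the example.

```python
"""Added illustration of the FIG. 2 escalation order on the FIG. 3 router.
Not from the patent: the Router model, units and thresholds are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Router:
    fwd_mem: int      # memory assigned to packet processing (constructed units)
    spare_mem: int    # memory held by non-critical functions
    legit: int        # memory demand of legitimate traffic
    known_pct: int    # share of attack traffic the current filters match (0-100)
    attack: int = 0   # memory demand of DDoS traffic
    saved: tuple = field(init=False, default=())  # settings restored in S230

    def __post_init__(self):
        self.saved = (self.fwd_mem, self.spare_mem)

    def overloaded(self) -> bool:
        return self.legit + self.attack > self.fwd_mem


def assess_grade(r: Router) -> int:
    """Fault assessor 123 (S223): grade from the overload ratio (assumed scale)."""
    ratio_pct = 100 * (r.legit + r.attack) // r.fwd_mem
    if ratio_pct <= 120:
        return 1
    return 2 if ratio_pct <= 200 else 3


def handle_attack(r: Router, attack: int, neighbour_headroom: int) -> list:
    """Run the ladder and return the steps taken; stop as soon as load fits."""
    r.attack = attack
    trail = []
    if not r.overloaded():                      # S221: no deterioration seen
        return trail
    trail.append(f"S223:grade{assess_grade(r)}")
    # S224, fault remover 124: discard the DDoS packets the filters recognise.
    r.attack -= r.attack * r.known_pct // 100
    trail.append("S224:discard")
    if not r.overloaded():
        return trail
    # S226, resource controller 122: hand spare memory to packet processing.
    r.fwd_mem, r.spare_mem = r.fwd_mem + r.spare_mem, 0
    trail.append("S226:reallocate")
    if not r.overloaded():
        return trail
    # S228, network resource manager 111: move some packets to a neighbour,
    # limited by how much headroom that neighbouring router has.
    excess = r.legit + r.attack - r.fwd_mem
    r.legit -= min(excess, neighbour_headroom, r.legit)
    trail.append("S228:reroute")
    if not r.overloaded():
        return trail
    # S230, recovery data manager 112: reboot with the stored settings.
    # Simplification: the reboot is assumed to flush all attack state.
    r.fwd_mem, r.spare_mem = r.saved
    r.attack = 0
    trail.append("S230:reboot")
    return trail


def prevent_recurrence(r: Router, trail: list, learned_pct: int) -> bool:
    """S240-S242: if the first measure was not enough, push improved filters
    to the dynamic updater 125 (modelled as higher filter coverage)."""
    escalated = any(not s.startswith(("S223", "S224")) for s in trail)
    if escalated:
        r.known_pct = max(r.known_pct, learned_pct)
    return escalated


if __name__ == "__main__":
    router = Router(fwd_mem=500, spare_mem=200, legit=300, known_pct=50)
    first = handle_attack(router, attack=1000, neighbour_headroom=50)
    print("first attack :", first)
    prevent_recurrence(router, first, learned_pct=90)
    print("second attack:", handle_attack(router, 1000, 50))
```

The recorded trail doubles as an audit log: how far each incident climbed the ladder is the signal that decides whether the filters need improving.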
FIG. 4 is a graph showing the correction result of the network correction security system shown in FIG. 1.
From FIG. 4, it can be seen that the network correction security system of the present invention (indicated by a solid line) has performed function recovery within a short period of time, compared to a conventional security system (represented by a dotted line).
Moreover, the present invention can continuously provide normal services through networks even in unfavorable conditions having external attacks or intrusions.
While this invention has been described in connection with what is presently considered to be the most practical and preferred embodiment, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.
The network correction security system and method according to the present invention can prevent the generation of a fault due to an external attack or intrusion, or a vulnerability of a corresponding system. Furthermore, the present invention can continuously maintain the performance of the corresponding system using restricted resources while the fault generated in the system is being recovered. Moreover, the present invention prevents the same fault from being repeatedly generated through a function of continuously improving the performance of the system.

Claims (17)

What is claimed is:
1. A network correction security system that is connected between a network node router and a security-related external system, detects an external attack on the network node router, and corrects a weak part of the performance vulnerability of the network node router, comprising:
a correction agent that removes processor connected to the router, wherein the correction agent processor is configured to remove a fault generated in the network node router according to a measure corresponding to a level of the fault to correct the fault, and when it is confirmed that the fault has not been completely corrected, repeats repeat a recovery process of reallocating and dividing resources of the network node router; and
a correction manager that processor connected to the correction agent processor and the security-related external system, wherein the correction manager processor is configured to continuously collects collect information for improving the a security performance of the network node router from the security-related external system and analyzes, analyze the collected information to control the improvement of the security performance of the network node router, and in response to the analyzing of the collected information, allocate additional resources from another network excluding the router to improve the security of the router while the fault is being recovered, wherein
the correction manager processor recovers functions of the router and corrects the vulnerability of the router, which vulnerability is subject to an external attack, based on the information for improving the security performance of the router that is received from the security-related external system.
2. The network correction security system as claimed in claim 1, wherein the correction manager processor recovers functions of the network node router according to a mechanism that recovers a part of the network node router or the entire network node router when it is confirmed that the fault has not been completely corrected after the recovery process has been carried out.
3. The network correction security system as claimed in claim 2, wherein the correction manager improves a weak part of the performance of the network node, which is vulnerable to an external attack and is detected when the functions of the network node are recovered, based on the information for improving the security performance of the network node that is received from the security-related external system.
4. The network correction security system as claimed in claim 1, wherein the correction agent processor comprises:
a resource/fault monitor that monitors availability of principal resources of the network node router to detect whether a fault is generated in the network node router;
a fault assessor that assesses a grade of a fault detected by the resource/fault monitor; and
a fault remover that removes the fault according to a measure corresponding to the assessed grade to correct the fault.
5. The network correction security system as claimed in claim 4, wherein the correction agent processor further comprises a resource controller that carries out a recovery process of reallocating and dividing the resources of the network node router when it is confirmed that the corrected fault has not been completely removed.
6. The network correction security system as claimed in claim 5, wherein the correction manager processor comprises:
a network resource manager that grasps the state of the resources of the network node router when it is confirmed that the generated fault has not been completely removed after the resource controller has carried out the recovery process; and
a recovery data manager that carries out a recovery process including additionally allocating and dividing the resources of the network according to the grasped state of the resources.
7. The network correction security system as claimed in claim 6, wherein the recovery data manager recovers the functions of the network node router according to a recovery mechanism including reconstructing, resetting, and rebooting a specific system of the network node router when it is confirmed that the fault has not been completely removed through the recovery process of the resource controller.
8. The network correction security system as claimed in claim 6, wherein the correction manager processor further comprises a function creator that creates at least one new function that improves a part or the entirety of the security performance of the network node router and provides the new function to the correction agent processor.
9. A network correction security method that detects an external attack on a network node router and corrects a weak part of the performance vulnerability of the network node router, comprising:
(a) removing a fault generated in the network node router according to a measure corresponding to a grade of the fault to correct the fault;
(b) repeating a recovery process that reallocates and divides resources of the network node router when the fault has not been completely corrected in (a);
(c) recovering functions of the network node router according to a mechanism of recovering a part or the entirety of the a security performance of the network node router when the fault has not been completely corrected after the recovery process of (b); and
(d) continuously collecting information for improving the security performance of the network node router from a security-related external system and, analyzing the collected information to improve the security performance of the network node router, and in response to the analyzing of the collected information, allocating additional resources from another network excluding the router to improve the security of the router while the fault is being recovered, wherein
(d) includes recovering functions of the router and correcting the vulnerability of the router, which vulnerability is subject to an external attack, based on the information for improving the security performance of the router received from the security-related external system.
10. The network correction security method as claimed in claim 9, wherein (d) includes improving a weak part of the performance of the network node, which is vulnerable to an external attack and is detected when the functions of the network node are recovered, based on the information for improving the security performance of the network node received from the security-related external system.
11. The network correction security method as claimed in claim 9, wherein (a) comprises:
monitoring availability of principal resources of the network node router;
detecting whether a fault is generated in the network node router according to the result of the monitoring step;
assessing a grade of at least one fault detected; and
removing the fault according to a measure corresponding to the assessed grade.
12. The network correction security method as claimed in claim 9, wherein (b) comprises:
confirming whether the fault has been completely removed;
grasping the state of the resources of the network node router when it is confirmed that the fault has not been completely removed; and
carrying out a recovery process including additionally allocating and dividing the resources of the network node router according to the grasped state of the resources.
13. The network correction security method as claimed in claim 9, wherein (c) comprises:
confirming whether the fault has been completely corrected after the security performance of the network node router has been recovered;
grasping the state of the resources of the network node router again when the fault has not been completely corrected;
carrying out a recovery process including additionally allocating and dividing the resources of the network node router according to the grasped state of the resources; and
recovering the functions of the network node router according to a recovery mechanism of rebooting a specific system of the network node router when the fault has not been completely corrected even after the recovery process.
14. The network correction security method as claimed in claim 9, wherein (d) comprises:
analyzing data mining and correlation of the collected information for improving the security performance of the network node router; and
determining whether the performance of the network node router is improved according to the result of the analysis.
15. A non-transitory computer-readable recording medium including a network correction security method that detects instructions that when executed by a computer detect an external attack on a network node router and corrects a weak part of the performance correct a vulnerability of the network node router, the network correction security method instructions comprising:
removing a fault generated in the network node router according to a measure corresponding to a grade of the fault to correct the fault;
repeating a recovery process that reallocates and divides resources of the network node router when the fault has not been completely corrected;
recovering functions of the network node router according to a mechanism of recovering a part or the entirety of the a security performance of the network node router when the fault has not been completely corrected even after the recovery process; and
continuously collecting information required for improving the security performance of the network node router from a security-related external system and, analyzing the collected information to improve the security performance of the network node router and, in response to the analyzing of the collected information, allocating additional resources from another network excluding the router to improve the security of the router while the fault is being recovered, wherein the recording medium is readable by a computer having a program installed therein, wherein
improving the security performance of the router includes recovering functions of the router and correcting the vulnerability of the router, which vulnerability is subject to an external attack, based on the information for improving the security performance of the router received from the security-related external system.
16. The network correction security system of claim 1, wherein the correction manager processor is configured to allocate other routers excluding the router connected to the correction agent process to provide additional resources.
17. The network correction security system of claim 1, wherein the correction manager processor is configured to allocate additional resources through a network monitoring system (NMS) or an external security manager (ESM).
US12/954,373 2003-10-09 2010-11-24 Network correction security system and method Expired - Fee Related USRE45381E1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US12/954,373 USRE45381E1 (en) 2003-10-09 2010-11-24 Network correction security system and method

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
KR1020030070398A KR100544900B1 (en) 2003-10-09 2003-10-09 System and method for providing network correction security
KR10-2003-0070398 2003-10-09
US10/882,749 US7457949B2 (en) 2003-10-09 2004-06-30 Network correction security system and method
US12/954,373 USRE45381E1 (en) 2003-10-09 2010-11-24 Network correction security system and method

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US10/882,749 Reissue US7457949B2 (en) 2003-10-09 2004-06-30 Network correction security system and method

Publications (1)

Publication Number Publication Date
USRE45381E1 true USRE45381E1 (en) 2015-02-17

Family

ID=34420589

Family Applications (2)

Application Number Title Priority Date Filing Date
US10/882,749 Ceased US7457949B2 (en) 2003-10-09 2004-06-30 Network correction security system and method
US12/954,373 Expired - Fee Related USRE45381E1 (en) 2003-10-09 2010-11-24 Network correction security system and method

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US10/882,749 Ceased US7457949B2 (en) 2003-10-09 2004-06-30 Network correction security system and method

Country Status (2)

Country Link
US (2) US7457949B2 (en)
KR (1) KR100544900B1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100805820B1 (en) * 2006-09-29 2008-02-21 한국전자통신연구원 Method and apparatus for sensor network node fault management
US20120265872A1 (en) * 2011-04-18 2012-10-18 Cox Communications, Inc. Systems and Methods of Automatically Remediating Fault Conditions
KR102157711B1 (en) * 2013-06-28 2020-09-18 주식회사 케이티 Methods for recovering failure in communication networks

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5493689A (en) * 1993-03-01 1996-02-20 International Business Machines Corporation System for configuring an event driven interface including control blocks defining good loop locations in a memory which represent detection of a characteristic pattern
US5781716A (en) 1995-05-19 1998-07-14 Compaq Computer Corporation Fault tolerant multiple network servers
US20030033542A1 (en) * 2001-06-11 2003-02-13 Mcnc Intrusion tolerant communication networks and associated methods
KR20030035181A (en) 2001-10-30 2003-05-09 한국전자통신연구원 Apparatus and method for managing network faults by multi-agent communication
US6574605B1 (en) * 1998-11-17 2003-06-03 Citibank, N.A. Method and system for strategic services enterprise workload management
KR20030056652A (en) 2001-12-28 2003-07-04 한국전자통신연구원 Blacklist management apparatus in a policy-based network security management system and its proceeding method
US20040093512A1 (en) * 2002-11-08 2004-05-13 Char Sample Server resource management, analysis, and intrusion negation
US20040117658A1 (en) * 2002-09-27 2004-06-17 Andrea Klaes Security monitoring and intrusion detection system
US20040148520A1 (en) * 2003-01-29 2004-07-29 Rajesh Talpade Mitigating denial of service attacks
US7492713B1 (en) * 2002-08-26 2009-02-17 Juniper Networks, Inc. Adaptive network router
US7986625B2 (en) * 2002-12-10 2011-07-26 International Business Machines Corporation Resource-aware system, method and program product for managing request traffic based on a management policy

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Intrusion Tolerance Via Network Layer Controls" by Dick O'Brien, et al., DARPA Information Survivability Conference and Exposition, vol. 1, p. 90-96 (2003).

Also Published As

Publication number Publication date
KR20050034478A (en) 2005-04-14
KR100544900B1 (en) 2006-01-24
US20050081046A1 (en) 2005-04-14
US7457949B2 (en) 2008-11-25

Legal Events

Date Code Title Description
FEPP Fee payment procedure

Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

FPAY Fee payment

Year of fee payment: 8

FEPP Fee payment procedure

Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

LAPS Lapse for failure to pay maintenance fees

Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY