CPC H04L 43/16 (2013.01) [H04L 43/04 (2013.01); H04L 43/06 (2013.01); H04L 43/0817 (2013.01); H04L 43/0876 (2013.01); H04L 49/9042 (2013.01); H04L 63/12 (2013.01); H04L 63/1416 (2013.01); H04L 63/1466 (2013.01); H04L 67/1097 (2013.01); H04L 69/22 (2013.01); G06F 12/0866 (2013.01)]. 15 Claims.
1. A scenario-based real-time attack detection method comprising:
(a) forming a first attack scenario, a second attack scenario, and a combined attack scenario to be applied to indexed metadata;
(b) extracting metadata from packet data and indexing the metadata from both a first source and a second source;
(c) detecting a first indexed metadata corresponding to the first attack scenario;
(d) detecting a second indexed metadata corresponding to the second attack scenario;
(e) determining the combined attack scenario is established by:
(i) detecting both the first attack scenario and the second attack scenario; and
(ii) detecting that the first indexed metadata and the second indexed metadata share a common condition;
(f) reassembling the packet data;
(g) performing application analysis on the reassembled packet data;
(h) collecting the packet data from data traffic transmitted over a network, wherein additional memory is secured prior to a step (i) for an exceeded amount of collected packet data when an amount of the collected packet data exceeds a collection setting value for a memory of a device;
(j) writing the collected packet data in the memory;
(k) storing, in a storage unit, the collected packet data and the metadata from the memory without intervention of an operating system; and
(l) excluding exception information from a memory writing target by filtering out the exception information from the collected packet data.
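The following is an added illustration, not code from the patent or its assignee, of how steps (b), (e), (h)-(j) and (l) of claim 1 fit together: metadata is extracted from constructed packet records captured by two sources and indexed, two scenarios are evaluated over the index, and the combined scenario is reported only when both scenarios fire and their hits share a common condition (here, the same source address). The scenario definitions, thresholds, the allow-list used as "exception information", and the buffer-growth policy are all assumptions chosen for the example.

```python
# Added example (not the patent's code): a toy model of scenario-based detection
# over indexed packet metadata. All traffic below is constructed sample data.
from collections import defaultdict

# Constructed records as already parsed from two capture sources.
SAMPLE_PACKETS = [
    {"source": "sensor1", "src": "10.0.0.5",  "dst": "10.0.1.10",   "dport": 22,  "bytes": 100},
    {"source": "sensor1", "src": "10.0.0.5",  "dst": "10.0.1.10",   "dport": 80,  "bytes": 100},
    {"source": "sensor1", "src": "10.0.0.5",  "dst": "10.0.1.10",   "dport": 443, "bytes": 100},
    {"source": "sensor1", "src": "10.0.0.5",  "dst": "10.0.1.10",   "dport": 445, "bytes": 100},
    {"source": "sensor2", "src": "10.0.0.5",  "dst": "203.0.113.7", "dport": 443, "bytes": 900_000},
    {"source": "sensor2", "src": "10.0.0.9",  "dst": "203.0.113.8", "dport": 443, "bytes": 950_000},
    {"source": "sensor2", "src": "10.0.0.42", "dst": "10.0.1.10",   "dport": 22,  "bytes": 50},
]

# Assumed "exception information" (step (l)): an allow-listed vulnerability
# scanner whose traffic is filtered out before anything is written to memory.
EXCEPTIONS = {"10.0.0.42"}


def filter_exceptions(packets, exceptions=EXCEPTIONS):
    """Step (l): drop packets from allow-listed hosts before they reach the buffer."""
    return [p for p in packets if p["src"] not in exceptions]


def extract_metadata(packet):
    """Step (b): keep only the fields the scenarios need, never the payload."""
    return {k: packet[k] for k in ("source", "src", "dst", "dport", "bytes")}


def build_index(packets):
    """Step (b): index metadata by capture source and by source address."""
    index = {"by_source": defaultdict(list), "by_src": defaultdict(list)}
    for p in packets:
        m = extract_metadata(p)
        index["by_source"][m["source"]].append(m)
        index["by_src"][m["src"]].append(m)
    return index


def scenario_port_scan(index, min_ports=4):
    """First scenario (assumed): one src address probing >= min_ports distinct ports."""
    hits = {}
    for src, metas in index["by_src"].items():
        if len({m["dport"] for m in metas}) >= min_ports:
            hits[src] = metas
    return hits


def scenario_large_egress(index, min_bytes=500_000, internal_prefix="10."):
    """Second scenario (assumed): a large transfer from an internal src to an external dst."""
    hits = defaultdict(list)
    for src, metas in index["by_src"].items():
        for m in metas:
            if m["bytes"] >= min_bytes and not m["dst"].startswith(internal_prefix):
                hits[src].append(m)
    return dict(hits)


def combined_scenario(first_hits, second_hits):
    """Step (e): both scenarios must fire AND share a common condition (same src)."""
    if not first_hits or not second_hits:
        return set()
    return set(first_hits) & set(second_hits)


class CaptureBuffer:
    """Steps (h)-(j): a bounded memory area whose capacity is grown, in whole
    blocks, before a write that would exceed the collection setting value."""

    def __init__(self, collection_setting, block):
        self.capacity = collection_setting
        self.block = block
        self.used = 0
        self.grow_events = 0

    def write(self, packet):
        overflow = self.used + packet["bytes"] - self.capacity
        if overflow > 0:
            # Secure additional memory first (step (h)), then write (step (j)).
            self.capacity += -(-overflow // self.block) * self.block
            self.grow_events += 1
        self.used += packet["bytes"]


def run_detection(packets=SAMPLE_PACKETS):
    """End-to-end: filter, index, evaluate both scenarios, then the combined one."""
    kept = filter_exceptions(packets)
    index = build_index(kept)
    first = scenario_port_scan(index)
    second = scenario_large_egress(index)
    return {
        "first": sorted(first),
        "second": sorted(second),
        "combined": sorted(combined_scenario(first, second)),
    }


if __name__ == "__main__":
    print(run_detection())
```

On the sample data the port-scan scenario fires for 10.0.0.5 only, the large-egress scenario fires for both 10.0.0.5 and 10.0.0.9, and the combined scenario is established for 10.0.0.5 alone, because it is the only source address present in both hit sets; 10.0.0.9 sends a large transfer but never scanned, so the "common condition" of step (e)(ii) is not met. The allow-listed scanner 10.0.0.42 never enters the index at all.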