KR-102963629-B1 - DDoS attack simulation training system and method using a feedback loop-based intelligent automatic attack agent

Abstract

According to an embodiment of the present invention, a feedback loop-based intelligent automatic attack agent system is provided, comprising: a metric collection module that collects metrics including response time, packet loss rate, and blocking status in real time from an attack target server and a defense device; a feedback analysis module that analyzes the collected metrics to determine the attack effect and the response status of the defense device; an attack type change module that automatically switches to one or more of a plurality of attack types according to the analysis result of the feedback analysis module; an integrated intensity control module that dynamically changes PPS (Packets Per Second), BPS (Bits Per Second), and the number of concurrent sessions for each attack vector; an adaptive attack agent that automatically adjusts the attack intensity up to just before the threshold of the defense device and dynamically generates a bypassable modified payload when a blocking pattern is detected; and a composite score calculation module that calculates a composite score by integrating response delay, packet loss rate, and attack success rate, and automatically decides an attack strategy based on the composite score.

Inventors

  • 최현정

Assignees

  • 주식회사 시큐랩

Dates

Publication Date: 20260513
Application Date: 20260226

Claims (3)

  1. A feedback loop-based intelligent automatic attack agent system comprising: a metric collection module that collects metrics in real time, including response time, packet loss rate, and blocking status, from an attack target server and a defense device; a feedback analysis module that analyzes the collected metrics to determine the attack effect and the response status of the defense device; an attack type change module that automatically switches to one or more of a plurality of attack types based on the analysis result of the feedback analysis module; an integrated intensity control module that dynamically changes PPS (Packets Per Second), BPS (Bits Per Second), and the number of concurrent sessions for each attack vector; an adaptive attack agent that automatically adjusts the attack intensity up to just before the threshold of the defense device and dynamically generates a bypassable variant payload when a blocking pattern is detected; and a composite score calculation module that calculates a composite score by integrating response delay, packet loss rate, and attack success rate, and automatically determines an attack strategy based on said composite score.
  2. The feedback loop-based intelligent automatic attack agent system of claim 1, further comprising an adaptive logic module that performs an evasion technique that switches protocols upon detection of blocking, a throttling technique that automatically reduces attack intensity when packet loss is excessive, and a target change technique that automatically switches the attack target to an open port, bypassing a blocked port.
  3. The feedback loop-based intelligent automatic attack agent system of claim 2, wherein the metric collection module, feedback analysis module, attack type change module, integrated intensity control module, adaptive attack agent, composite score calculation module, and adaptive logic module form a feedback loop to adjust the attack vector and intensity in real time during the execution of an attack.

Description

DDoS attack simulation training system and method using a feedback loop-based intelligent automatic attack agent

The present invention relates to a simulation training technique for verifying defense capabilities against Distributed Denial of Service (DDoS) attacks, and more specifically, to an intelligent automated attack agent system and method that configures a feedback loop based on response metrics collected in real time from an attack target and uses it to automatically change the type, intensity, and payload of an attack vector.

DDoS attacks are continuously increasing in frequency and scale globally and are evolving into various forms, ranging from bandwidth-exhausting attacks at the L3/L4 layer to session exhaustion attacks at the L7 application layer. In particular, complex attacks combining multiple attack techniques have recently become commonplace, moving beyond single-vector attacks, and actual attackers utilize automated tools that change attack strategies in real time based on the response of defense equipment. To counter this, it has become important to verify the performance of defense solutions such as Anti-DDoS equipment, IPS, and WAF in advance, and to precisely identify thresholds and breaking points.

However, existing DDoS simulation solutions are limited to simply reproducing predefined fixed scenarios such as TCP Flooding, UDP Flooding, and HTTP GET Flooding, and thus cannot reproduce the dynamic and adaptive behavioral patterns of actual attackers. Specifically, existing solutions lack the capability to automatically switch to other attack types even if defense equipment blocks a specific type while attack traffic is being sent. Furthermore, they are deficient in the ability to finely control attack intensity just before the defense equipment's threshold or to dynamically generate modified payloads that bypass blocking patterns. Additionally, they lack a comprehensive evaluation framework that quantitatively measures attack effectiveness for decision-making, preventing them from moving beyond the level of fixed-scenario-based performance measurement (BMT).

FIG. 1 is an overall configuration diagram of a feedback loop-based intelligent automatic attack agent system according to one embodiment of the present invention.

FIG. 2 is an operation flowchart of an adaptive logic algorithm according to one embodiment of the present invention.

The following detailed description of the invention refers to the accompanying drawings, which illustrate specific embodiments in which the invention may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention. It should be understood that various embodiments of the invention are different but need not be mutually exclusive. For example, specific shapes, structures, and characteristics described herein with respect to one embodiment may be implemented in other embodiments without departing from the spirit and scope of the invention. It should also be understood that the location or arrangement of individual components within each disclosed embodiment may be changed without departing from the spirit and scope of the invention. Accordingly, the following detailed description is not intended to be limiting, and the scope of the invention, if properly described, is limited only by the appended claims, including all equivalents to those claimed therein. Similar reference numerals in the drawings refer to the same or similar functions across various aspects.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the attached drawings in order to enable a person skilled in the art to easily practice the present invention.

FIG. 1 shows an overall configuration diagram of a feedback loop-based intelligent automatic attack agent (100) according to an embodiment of the present invention. The intelligent automatic attack agent (100) includes a metric collection module (110), a feedback analysis module (120), an attack type change module (130), an integrated intensity control module (140), an adaptive attack agent (150), a composite score calculation module (160), and an adaptive logic module (170), and interacts in real time with a target server/network (200) and a defense device (300).

The defense device (300) includes an Intrusion Prevention System (IPS), a Web Application Firewall (WAF), an Anti-DDoS device, etc., and protects the target server (200). Attack traffic is transmitted from the intelligent automatic attack agent (100) to the target server (200) via the defense device (300), and the blocking response of the defense device (300) and the response status of the target server (200) are fed back in real time to the metric collection module (110).

The metric collection module (110) performs the role of collecting various network response indicators in real time from the target server