RU2644537C2 - Method of determination of type of network traffic for filtration and controlling network connections - Google Patents

Abstract

FIELD: radio engineering, communication.

SUBSTANCE: method of determination of type of network traffic through the use of at least one computer connected to the network and has installed operating system and application software, including the traffic analysis system, is that the analysis of network packets received from the network leads by consistently carrying out first a signature analysis of each incoming network packet stream, then a behavioural analysis of the streams of network packets that did not pass the classification in the signature base, and all those analysed streams of network packets are checked on the 7th level headers of the seven-level OSI model. Encrypted incoming streams of network packets before the signature analysis are pre-decrypted by substitution of certificates.

EFFECT: method of determination of type of network traffic for filtration and controlling network connections.

6 cl, 4 dwg

Description

The invention relates to hardware and software complexes of network communication, and in particular to methods for determining the type of passing network traffic of the seven-level OSI model for filtering and controlling the speed of network connections.

The OSI model was known back in the 1970s [Zimmermann H. OSI reference model – The ISO model of architecture for open systems interconnection // Communications, IEEE Transactions on. - 1980. - T. 28. - No. 4, 425-432 pp.] And is a classic in the field of construction of the Internet. The OSI network model is also described in detail in GOST R ISO / IEC 7498-1-99.

In the simplest case, traffic type analysis can be performed by parsing TCP, UDP, and other layer 4 protocols. However, at this point, the problem of tracking the connection occurs. Some protocols use random ports. For example, FTP control commands can go through the ports described in the specification, and data will be transmitted over randomly selected ports. Obviously, it makes sense to limit the traffic for the transmitted data - there is more of it than the manager, it affects the operation of another type of traffic using the same Internet channel more. This case can also be handled by regular means, for example, GNU / Linux OS - through the connection tracking mechanism, which depends on the GNU / Linux platform used.

 Using the above technologies, it is impossible to track the type of traffic in the following cases:

1. If the traffic, which according to the specification should use a specific port, but client and server applications are configured to use a different port. For example, an HTTP server can be raised on port 8080, which will be displayed in the link for clients. Then the expected port (80) will not correspond to the real one (8080), which will lead to an incorrect determination of the type of traffic.

2. If the type of traffic is not described by official specifications. For example, applications using closed (commercial) implementations of various algorithms cannot be recognized based on the TCP / IP stack protocol headers.

3. If traffic uses data encryption, then filtering by encrypted data is also impossible (computationally complex).

When considering solutions that provide the ability to determine the type of traffic using non-standard ports, the most common are systems using signature bases [Dreger H. et al. Dynamic Application-Layer Protocol Analysis for Network Intrusion Detection // USENIX Security. - 2006. - S. 257-272; Sen S., Spatscheck O., Wang D. Accurate, scalable in-network identification of p2p traffic using application signatures // Proceedings of the 13th international conference on World Wide Web. - ACM, 2004. - S. 512-521]. The known method allows you to successfully find streams to servers even when changing ports. However, the known method is not valid when trying to analyze encrypted traffic.

 A known system and method for reducing false positives when determining a network attack, which contains the following modules: a control module designed to store statistics of previous network attacks to adjust filtering rules for cleaning centers; collectors designed to draw up filtering rules based on traffic information from treatment centers and sensors; cleaning centers designed to filter traffic based on filtering rules; sensors designed to aggregate traffic information for further transmission to the collectors [patent for invention RU No. 2480937, 2012].

The known method provides the ability to essentially determine the type of traffic ("network attack"), using information not from the data itself that makes up network traffic, but information about the nature of the traffic passing through. However, the known method has a narrow scope, because can be used to search the database of already known attacks, i.e. in fact, only signature analysis tools were used.

Closest to the proposed is a method of detecting computer attacks on a network computer system, including at least one computer connected to the network and having an installed operating system and installed application software, including a traffic analysis system, in which for analyzing packets received from the network certain parameters are selected and their values are calculated, which are then compared with the reference values, and the fact of the presence of a single or combined simultaneous attack and the definition of attack types is determined by a combination of established conditions for the parameters. To process the data packets received from the network, a traffic analysis system is used, which allows calculating traffic parameters in real time [patent for the invention RU No. 2538292, 2015].

The known method allows you to detect computer attacks of various types, including combined ones and allows you to determine the types of attacks using an approach similar to the one described above: to analyze the nature of the traffic, information is not used from the network traffic packets themselves, but information that describes the nature of the traffic — the volume of a certain type of traffic in a certain period. As practice shows, this approach is effective in the field of security. However, in the known method, the data are considered regardless of their intensity and the method does not allow to allocate a certain type of network traffic, which should have a higher priority, for example, during video conferencing, telephony, and also increase the connection speed of the priority type of network traffic.

The technical task is to expand the operational capabilities of applications that manage network connections by setting priorities for network traffic in real time, and increasing the speed of connections.

EFFECT: determination of the type of network traffic for effective filtering and management of network connections.

The problem is solved in that a method for determining the type of network traffic for filtering and managing network connections by using at least one computer connected to a network and having an installed operating system and application software including a traffic analysis system, while analyzing received from a network of network packet streams are carried out by sequentially first conducting a signature analysis of each incoming network packet stream by comparing the packet part and with the base of known packet types for the matching of the packet parts related to the transmission protocol with the construction of the initial hypothesis about the packet type, then they conduct a behavioral analysis of network packet flows that did not pass classification according to the signature database, using the statistical information of all packets of this connection with By obtaining a hypothesis about the type of traffic, all analyzed network packet flows are checked according to the headers of the 7th level of the seven-level OSI model as follows: a comparative analysis is carried out on the subject whether this header is suitable for the selected traffic type, if a traffic type does not match the header of the 7th level of the seven-level OSI model, it is saved in a log for subsequent manual analysis without assigning a specific type of traffic, while the encrypted incoming network packet streams are preliminarily decrypt by substituting certificates.

In the claimed method, instead of detecting attacks, the type of traffic is determined, which allows not only to provide network security, but also allows you to set priorities for a certain type of traffic, which gives additional opportunities for video conferencing and telephony in real time.

In particular, the claimed method allows to obtain data on traffic intensity, which allows to obtain a more rigorous description of each specific traffic stream, to compare different traffic flows and determine their similarity, allowing to determine not only the type of attacks, but also the type of traffic passing in general.

Comparison of the proposed method with the known allows us to conclude that it meets the criteria of "novelty" and "inventive step", because a new set of essential features has been announced, which allows to obtain a new technical result, expressed in determining the type of traffic passing through to filter and manage network connections.

The inventive method is applicable in the seven-level OSI (deep analysis) model, requires a computer containing at least one network card for receiving and transmitting data, network interfaces (physical ports). Network interfaces provide the ability to read, write, transfer and delete data from the memory card. The inventive method is implemented using a computer (computer) connected to the network, namely to break the network, forming two transmission media interacting with each other through a connected computer (computer). A computer (computer) has a Linux, FreeBSD or Windows operating system and application software (applications). An application receives network packets from one transmission medium and sends network packets to another transmission medium. Network interfaces have a device for encoding / decoding a signal transmitted over a transmission medium by means of radio signals, or electrical signals for transmission, for example, in an Ethernet environment (via a conductor), Wi-Fi.

The sequence of network packets transmitted over the network by the application can be considered as a pseudo-random sequence. Among the statistics related to a pseudo-random sequence of this nature, one should consider:

- The size of packets transmitted over the network.

- Frequency of sending packets.

- OSI level 7 packet headers.

Then the set of network packets is a set of ordered triples <S, F, Н> - size, frequency, headers of the OSI level 7 packet.

- The size of the transmitted packets over the network - the size of the network packet in bytes.

- Frequency - time from the previous packet sent by the application.

- Level 7 packet headers - a string of the first N bytes of a level 7 packet.

In FIG. 1 shows a logical diagram of the proposed method for determining the type of network traffic.

In FIG. Figure 2 shows a comparison of the data stream with the reference (function S (t)) for VoIP streams. Sampling "Stream 1" - 50 packets.

In FIG. 3 shows a diagram of parallel processing of data streams.

In FIG. 4 shows a computer installation diagram with a program for determining the type of network traffic.

Many packets related to one data stream from one application are represented as a set of points in a two-dimensional orthonormal space.

Coordinates of points are represented as:

• The S axis (size of transmitted bytes) 1 in 1 is mapped to coordinates.

• The t axis (time) consists of the “frequency” indicators of packets.

Thus, for any data stream, it is possible to construct a graph of the function S (t) - the dependence of the transmitted data on time. Even if at the beginning of the data transfer there was an additional data transfer, then at a distance of 40-50 packets, using the approximation of the function, you can analyze the graph of the received function.

This approach demonstrates visually the "similarity" of threads. However, correlation was used to automatically determine “similarity”.

Since it is impossible to determine the exact nature of the data stream sent by the application, we will consider it as a system of n random variables with a discrete uniform distribution. Then the mathematical expectation is calculated as:

where: M [X] is the mathematical expectation of a random variable X (functions S (t) for a particular data stream).

n is the number of elements in the sample (number of packets).

x _i is the value of the element in the sample (packet length).

and dispersion as:

where: D [X] is the variance of the random variable X (functions S (t) for a particular data stream).

M [X] is the mathematical expectation of a random variable X (function S (t) for a particular data stream).

X is a random variable X (function S (t) for a particular data stream).

then covariance:

where: cov _xy is the covariance of a random variable X (function S (t) for a particular data stream) and a random variable Y (function S (t) for a reference data stream).

M [Y] is the mathematical expectation of the random variable Y (function S (t) for the reference data stream).

M [X] is the mathematical expectation of a random variable X (function S (t) for a particular data stream).

X is a random variable X (function S (t) for a particular data stream).

Y is a random variable Y (function S (t) for the reference data stream).

and the linear correlation coefficient:

where: r_xy- linear correlation coefficient of a random variable X (function S (t) for a particular data stream) and a random variable Y (function S (t) for a reference data stream).

cov _xy - covariance of the random variable X (function S (t) for a particular data stream) and the random variable Y (function S (t) for a reference data stream).

σ is the square root of the variance.

Thus, using this statistical relationship between two random variables - the analyzed packet flows, we can make a reasonable assumption about the correspondence of the studied traffic type to the standard one (if r (x, y) is close to 1). A comparison of the data stream with the reference stream (function S (t)) for VoIP streams is shown in FIG. 2.

Considering that there are also many reference streams (for each type of traffic sought for one reference), a performance problem may arise. However, this potential problem is resolved by parallel traffic processing.

So, for example, checking one type of traffic for compliance with one reference does not affect another. Also, the analysis time for compliance with one reference type of traffic does not depend on its complexity. Scheme of parallel behavioral analysis of the type of network traffic of each stream implemented in the claimed method is shown in FIG. 3.

The inventive method implements the following logic, which is shown in Fig.1. The computer is connected to the network, namely, “to break the network” (shown in the diagram of Fig. 4). Incoming streams of network packets are transmitted to the connection tracking module, in which packets are aggregated into many network connections so that it is possible to operate not with separate packets, but with streams. If the data is encrypted, the “man in the middle” approach is used to decrypt the passing encrypted traffic. The indicated approach is known as a method of certificate substitution and is based on the interception and substitution of network packets exchanged by correspondents, and none of the latter is aware of its presence in a computer channel that performs network packet substitution. After decryption, encrypted traffic data is processed similarly to unencrypted traffic. The data is transmitted to the signature search module, which compares the parts of the packet with the database of known packet types for the matching portions of the packet related to the transmission protocol, and not its content part. As a result of comparative analysis of the signatures, the primary hypothesis about the type of packet is built. If it was not possible to determine the type of packet from the signature database, then the packet is transferred to the behavioral analysis module, where information about the entire connection (statistical information of all packets of this connection) is used, as a result we get a hypothesis about the type of traffic. In the level 7 header module of the OSI seven-level model, the previously analyzed network packet flows are compared as follows: does this header fit the selected traffic type. If the type of traffic does not pass the check according to the headers of the 7th level of the seven-level OSI model, i.e. Since it is not assigned a specific type of traffic, such packets are stored in a log for subsequent manual analysis.

Thus, in the claimed method, the signature analysis, which is implemented by the signature search module and the signature database classification module, is not ignored, but a behavioral analysis module is additionally introduced, in which data that does not pass classification according to the signature database is processed. In this case, the signature analysis module works with static data (package contents), while the behavioral analysis module allows you to analyze the dynamics (signal size and time).

The inventive method provides high quality determination of the type of network traffic when parsing streams having 40 or more packets. However, with the number of packets less than 40, the effectiveness of the proposed method is somewhat reduced, because rare few packets are poorly recognized. Also, the effectiveness of the method is reduced when analyzing streams having an unstable connection. The practical use of the proposed method allowed with a high degree of probability (more than 90%) to determine the type of network traffic for traffic related to real-time traffic, including encrypted network traffic. Also, the claimed method shows high accuracy in determining the type of traffic when analyzing many common protocols, such as HTTP, FTP, SSH.

Claims (6)

1. The method of determining the type of network traffic for filtering and managing network connections by using at least one computer connected to the network and having an installed operating system and application software, including a traffic analysis system, characterized in that the analysis of the streams received from the network network packets are conducted by sequentially first conducting a signature analysis of each incoming stream of network packets by comparing a portion of the packet with a database of known packet types on and the subject of the match of the packet parts related to the transmission protocol with the construction of the initial hypothesis about the type of packet, then they conduct a behavioral analysis of the flows of network packets that did not pass classification on the basis of signatures, using the statistical information of all packets of this connection with obtaining a hypothesis about the type of traffic, all analyzed network packet streams are checked according to the headers of the 7th level of the seven-level OSI model as follows: a comparative analysis is carried out to determine whether it is suitable for the selected type traffic, this header, if it detects traffic type inconsistency with the header of the 7th level of the seven-level OSI model, saves it in the log for subsequent manual analysis without assigning a specific type of traffic, while the encrypted incoming network packet streams are pre-decrypted before performing signature analysis by substituting certificates. 2. A method for determining the type of network traffic for filtering and managing network connections according to claim 1, characterized in that Linux or FreeBSD or Windows is chosen as the operating system. 3. A method for determining the type of network traffic for filtering and managing network connections according to claim 1, characterized in that the computer is connected to the network gap, forming two transmission media interacting with each other. 4. A method for determining the type of network traffic for filtering and managing network connections according to claim 1, characterized in that the network packet stream contains at least 40 packets. 5. A method for determining the type of network traffic for filtering and managing network connections according to claim 1, characterized in that the behavioral analysis is carried out by parallel processing of each stream of network packets. 6. A method for determining the type of network traffic for filtering and managing network connections according to claim 1, characterized in that the incoming streams of network packets are passed through a connection tracking module and converted into multiple network connections before performing signature analysis.

Images