CZ2013663A3 - Method of and device for detection of information and communication network attack - Google Patents

Abstract

The method of detecting infiltration of information and communication networks by advanced network attacks and malware is performed by analyzing the patterns of data flow passing through. Analysis of the traffic flow of network traffic determines the behavior metrics that represent the behavior of network data flow from static, dynamic, distribution, and behavioral behaviors, which distinguishes legitimate data flows from malicious data flows. The method for performing the method in a network infrastructure (20, 30) includes at least one network probe (200) with a connected behavioral signature generator (300), a classifier (400), and a virtual machine.

Description

Method and apparatus for detecting infections of information and communication networks

Technical field

The invention relates to a method for detecting information network communications attacks by advanced network attacks and malware, and to devices for performing it.

BACKGROUND OF THE INVENTION

Currently, there is a large increase in network infections showing high self-resilience to prevent detection by current antimalware tools. Trends in malware development are moving towards unpredictable morphing software, capable of changing the methods and methods of attack.

The goal of most current malware is to create live or hidden botnet networks — infected computers — capable of generating high economic potential - according to most analyzes conducted in 2011-2013, about a third of all computers are infected. Thus, the existence and distribution of these malware is starting to pose a significant risk not only from the economic point of view, but also from the position of breach of security of critical infrastructure.

Current detection methods of the NIDS -Network Intrusion Detection System, including the ADS -Amonaly Detection System, are based on a comparison mechanism based only on the equality (and inequality) of data obtained from network communication. In the case of IDS / IPS, this is a strict comparison of binary-packet data. In the case of ADS, detection is based on exceeding defined statistical boundaries and deviations, such as over-use of statistically less used services.

The collection of data for their analysis through honeypots and other active network elements is a relatively common practice for security professionals and network administrators. In the case of backbone networks with heavy traffic, it is not possible to store traffic in a form suitable for further detailed analysis. The data must be reduced in such a way that information important for further safety analysis is not lost from it, which is considered a difficult task in the available literature.

Current state of the art literature can be presented by the articles of the authors of the Behavioral Signature Generation Using Shadow Honeypot 2012 and Automated Malware Detection Based on Novel Network Behavioral Signatures 2013, which deal with the possibilities of detection of buffer overflow attacks via interactive honeypots and detection network behavior metrics that cannot be generated in principle in real time. This also applies to the equivalent metrics (discriminators) of A. Moore's 2005 Discriminators for Use in Flow-based Classification.

In 2012, Microsoft was granted the "Real-time network malware protection" patent -US 8256003 B2-, describing the Network Status Database, which contains information about networked devices that can be used to manage network risks in in case of malware spreading over this network (blocking).

To protect an individual computer from malware behavior, in 2009 Symantec granted the patent "Using Machine Infection Characteristics for Behavior-Based Detection of Malware", -US 8266698 B1-. In the case of protection of mobile networks and devices without classical operating and antivirus systems, Openet was granted in 2011 patent "Methods, Systems and Devices for Detection and Prevention of Malware Within a Network" -US 20120233656 Al- or "Detection and filtering of malware" based on traffic observations made in a distributed mobile traffic management system ”(US 20120278886 Al) in 2012.

The European patent (EP 2326057 A1) "Detecting malicious behavior on a network" granted in 2011 deals with the detection of malware (Intrusion Detection System, IDS) on a Proxy server. Several European patents further deal with packet content analysis (IDS), such as another British Telecomunications patent of 2010 "Detecting malicious behavior on acomputer network" (EP 2222048 A1).

SUMMARY OF THE INVENTION

SUMMARY OF THE INVENTION It is an object of the present invention to provide a method for identifying unwanted behavior of data flow and malware in a network without analyzing communication content or automatically verifying these findings to enable them to learn and recognize new variants of known and previously unknown attacks. It is also an object of the invention to provide an apparatus for carrying out this method.

• • •

This is largely achieved by the method of detecting information and communication network attacks by advanced network attacks and malware, according to the invention, which consists in analyzing the behavior of the passing data flow and analyzing the passing traffic flow of network traffic to determine behavior metrics representing data flow from static, dynamic, distribution and behavioral behavior, which separates legitimate data streams from dangerous data streams.

With a view to improving detection, it is advantageous to evaluate the harmfulness of the data stream, to create its signature on the basis of content and behavior, and then to update the detection module.

An apparatus for carrying out a method advantageous for high throughput, simple paralizability suitable for large network configurations is in particular comprising a router to which at least one network probe with a behavioral signature generator is connected in parallel to the network infrastructure.

With respect to the connectivity, it is preferred that the probe with the connected behavioral signature generator be connected directly to the router and is connected to the classifier and the vitrualized computer and the control and learning module arranged in the network infrastructure.

With respect to data flow blocking capabilities, it is advantageous to include a probe serially connected to a network infrastructure to which a block containing a behavioral signature generator, a classifier and temporary memory is connected via a system interface, and a virtualized virtualized network computer is connected through the network interface.

It appears advantageous if temporary memory is arranged in block 345.

Ob clarification of drawings

BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a schematic diagram of a device with a probe in parallel connection, FIG. 2 is a schematic diagram of a device with a probe in series connection, and FIG. Figure 4 is a schematic diagram of the active probe device, Figure 5 is a probe diagram, and Figure 6 is a highly monitored virtualized computer 600.

EXAMPLE IV Embodiments of the invention

The invention will be described by way of example of two different connections according to Figures 1 and 2, which can be used optionally, as indicated below. In the basic embodiment of FIG. 1, the redirected network traffic 10 (in promiscuous mode) is processed in parallel from the router 40 by the parallel network probe 200 in passive mode interconnected therewith, characterized in that the network traffic 10 is not routed over it. non-blocking. The location of the router 40 in the network infrastructure 20, 30 may be arbitrary, as well as a portion of the network traffic cloned onto another network probe 200. A network hub hub of appropriate speed may also be used for saving. The data preprocessed by the network probe 200, or the parallel probes 200, is further processed using a real-time behavioral signature generator 300 coupled to the network probe 200.

Due to the non-blocking nature of the engagement, it is not necessary for the behavioral signatures to be further processed in real time with the router 40 connected by the classifier 400. The positioning of the classifier 400 in the demilitarized zone of the network infrastructure 20 is as desired. computers 600 connected to the router 40 as well as the control and learning module 700. The control and learning module 700 may optionally be located centrally (in the cloud).

Advantage of the device according to Scheme 1 is its high throughput, currently tens of Gbps, and simple parallelization, therefore it is suitable for very large network infrastructures 20, 30 and provides information about infected computers 70 in environments such as Internet providers and the like Active threat protection is a matter of service, or it is possible to send information from the classifier 400 to a blocking device that is a network router 40 or firewall 50 to prevent the attack from continuing.

The device according to Scheme 2 has a probe 200 connected in series with the network infrastructure 20, 30, to which a block 345 containing a behavioral signature generator 300, a classifier 400, a temporary memory 500, or a learning module 700 is connected via a system interface 190. Performing the advantage in series connection of the probe 200 and the real-time run of the classifier 400, allowing blocking of communication, thus preventing the ongoing 911 attack, as shown in Schemes 3 and 4. In case of suspicion Ongoing attack 941 redirects ongoing communications to a highly monitored virtualized computer 600 shadow honeypot, which has seemingly the same software as a network device 70, such as a PC, server, etc., to which is or has been, with some degree of probability, an attack. This virtualized computer 600 has apparently the same and other network identification data, such as IP or MAC addresses, which is made possible by the way in which virtual network 60 is created, as shown in Figure 2. Virtual network 60 can only be accessed via network interface 100 via a network probe 200 having a mirroring function.

Network traffic data 910 is, according to Schemes 3 and 4, recorded by a probe 200 in the temporary memory 500 in the event that there are indications indicating its harmfulness during it. In this temporary memory 500, network traffic data 910 is retained for a period of time until it is apparent from the intermediate result of class 940 in classifier 400 that it is either a legitimate 942 communication or low probability and the memory 500 becomes full. Conversely, if it is likely to be malicious traffic 941, where the flow is processed using virtualized computer 600, as described above, where the final decision is made about the harmfulness of the data flow and where its signature is created based on the content of the communication and behavior (using metrics ASNM). These are further sent to the control and learning module 700 for subsequent update of the detection model 970.

Together with storing the network traffic data 910 in the temporary memory 500, the network traffic data 910 is processed by the behavioral signature generator 300 in real time in the same way as in passive mode. Moreover, in the active mode, the classification in the unit 400 is carried out in real time, which is achieved through the classification of calculations and, in particular, the current ASNM signature intermediate calculations, which are able to determine the degree of harmfulness of the data stream on an ongoing basis. Active threat protection is performed by blocking other malicious communication 941 in the serial connected probe 200, or it is possible to send classifier information 400 to the blocking device network router 40 or firewall 50, as in the case of passive connection.

Network Probe 200 is a (hardware) component typically based on FPGA circuitry technology, including several network interfaces 100 (typically one to four), capable of processing, filtering, blocking, routing and temporarily storing real-time traffic within one network interface 100 A diagram of the network probe 200 is shown in Scheme 5. The network probe 200 is essentially a network card modified to have high processing power. It includes an FPGA 120 processor and a memory of a much larger and faster memory 140 than conventional. This network card is programmable and sends network data directly via network interface 100 via bus 190, without the need for prior processing by the CPU 110 and main memory 150 of the highly monitored virtualized computer 600.

Within the network probe 200, a portion of the signature generator may be implemented, in particular data preprocessing and statistics. The data of the selected network traffic may be sent to the temporary memory 500. This information is typically conveyed over the system bus 190.

Network data provided by network probe 200 is typically stored in temporary memory 500 over system bus 190 typically due to possible later analysis by a highly monitored virtualized computer 600. If it is shown that the data does not pose a security risk, it is deleted as in the case of limited hardware resources - we assume the duration of the attack is only in minutes. Temporary memory 500 is an optional part of the system.

Signatures to be created (Behavior Signature Generator 300) are number vectors, each corresponding to a specific metric value. Each metric is a characterization of the network flow behavior and can be defined as an extension to the NetFlow protocol describing not only the statistical properties of the network flow, but also includes dynamic, localization, and behavioral specifics.

Signatures are defined by the Advanced Security Network Metrics (ASNM) metric file. This file includes up to 300 metrics for each bitrate that is generated from source data that is extracted from network traffic. These metrics do not use packet content, which in most cases can be encrypted. Metrics are divided into 5 logical groups according to their purpose - statistical, dynamic, localization, distribution and behavioral.

Statistical metrics define flow characteristics in terms of properties such as their quantity, number of packets, their size and duration, relevant services in a given flow, and so on, their limit values, median, mean, standard deviation and entropy, and other statistical variables.

Dynamic metrics represent dynamic flow characteristics, such as speed - the number of bytes / packets of the data link and flow (the amount of outgoing and incoming data) per unit of time, its error rate, and the like that change over time.

• · · · · · · · · · · · · · · · · · · · · ·

Localization metrics use static flow characteristics to refine the location of resources, and to trace and geolocate the attack. Their aim is to provide arguments in the decision-making process of artificial intelligence.

Distribution metrics divide stream packets and their context, if any, into specified equidistant groups (similar to histograms) by delivery time, accumulated size of received or sent data, or other properties.

Behavioral metrics are created based on an analysis of properties directly associated with attack behavior. Examples include legitimate or illegitimate connection closure, number of flows at a specified time, their intervals, frequency properties and polynomial approximations of packet size, their sum and similar information directly related to exploitation of a vulnerable service.

The input of the behavioral signature classifier 400 is network data in the form of previously defined signatures (ASNM metrics). The data is supplemented with data from the knowledge base, including for example DNS information, Whois, whether it is a known botnet address (blacklisting) and so on. In addition, statistics - such as the number and duration of connections, the number of packets, their size and entropy (historical statistical data) are different for each monitored network node (subnet, computer, mobile device) and each service provided. Integrated data sets enter the classification process where statistical models and artificial intelligence detection algorithms (classification, clustering and outliers analysis) are applied. The results of the sub-methods are input to the summary classifier, which determines the degree of harmfulness of the classified flow and creates a description of incident 940.

The output of the process is furthermore a set of reports 980, GUI, Syslog, SIEM, and a decision whether to block the ongoing network communication in case of a probe in active mode or the presence of a similar device with the ability to block selected traffic.

The control and learning module 700 creates a detection model for the classifier 400 and is responsible for learning new signatures of detected attacks. In case of its absence in the network, it is possible to use a central module (located in the cloud), which centralizes and distributes models of detected attacks.

The attack processor input is data from the virtualized computer 600's systems when a new attack is detected. Data from the virtualized computer 600 (exploit packages, traffic data, attack time, etc.) is used to extract the values defined by the behavior metrics to create their signature.

• 9 · 9 · 9 · 9 · 9

The learning process uses a dataset integrated from historical data containing random legitimate traffic, which is marked as valid, and malicious traffic that is captured and extracted from honeypot systems after the attack. The training set data in the form of ASNM metrics is supplemented with data from the knowledge base similar to the classifier, as well as information typical for individual nodes and network services (statistics).

The control and learning module 700 is trained on a certain data set, and the detection model 970, the learning output, is sent to the classifier 400. Training can be performed by various methods - Bayesian classification, GMM / EMM Gaussian Mixture Model / Expectation Maximization, SVM (Support Vector Machines) and their (probabilistic) combination in different configurations and with different metrics.

All learned data models and statistics are stored in a database that is part of module 700. Learning is performed with every new attack detected on the virtualized computer 600 or with an exposed attack that was false positive as shown in the diagram

4.

The previously described system modules pre-process known attacks by analyzing traffic. The analysis is carried out either by comparing the operation parameters with behavioral signatures with an expert database of identified malware with a reasonable degree of certainty (eg exceeding the threshold of malicious decision) or knowledge provided by a highly monitored virtualized computer 600 - honeypot.

Virtualized computer 600 is able to determine the harmfulness of, for example, attacks that exploit buffer overflow vulnerabilities based on a taint analysis technique once a process executes instructions from memory that should not normally be executed. Above all it concerns data coming from network communication. Virtualized computer 600 marks the process as malicious and stops execution. After the attack is reported, all traffic from the network interface 100 of the virtualized computer 600, operating system processes, and memory status, registers, including malicious data flow, are recorded, sent to the control and learning module 700 for

further analyzing and learning the process and subsequently updating the detection model as illustrated in the schematic diagram of the invention No. 4.

The highly monitored virtualized computer 600 is capable of software emulation of 610 Windows, Linux, and POSIX-based operating systems on x86 and x86_64 architectures, PowerPC and ARM. A schematic of the virtualized computer 600 is shown in FIG. 6, including the emulator inputs and outputs, and a schematic of internal components including a flow of information about the origin of the data being executed and recording. For simplicity, the upload phase for further analysis to the learning and control module 700 is not shown here. A highly monitored virtualized computer 600 is a conventional computer within which at least one other virtual computer 610 is software-modified, with its network interface hardware resources 100, processor 110, memory. 150 and 160 - the disk is virtualized and simulated by software so that all data and operations performed can be monitored to identify commonly unrecognizable instructions and their parameters.

Internet ilitarized zone of DMZ uLAN reference numbers

100 ALIGN!

110

120

140

Reticular

Reticular

Virtual network

Network device (

Network Interface (a

Processor (standard), any other device or subnet)

FPGA (programmable hardware)

High-speed RAM (eg cache)

Steam / RAM type (standard) HDD type (magnetic or electronic) ystem interface (bus)

Network probe (active mode, blocking, forward direction)

Mains probe (passive mode, non-blocking)

150

160

190

Generator of behavioral signatures

Device (computer) including modules 300,400, 500 and volley 700.

Classifier • Temporary memory

500

600

610

690

700

900

Virtualized operating system (OS, possibly Firmware) in the computer interface (collector etc.)

Highly monitored virtualized computer (hpneypot)

Virtuali

Control and training module

The general signal \ pa of the diagram will show unlabeled arrows, depending on the context) Normal TCP / IP traffic (usually unmarked lines in schema / hata)

Statistics, preprocessed ^ traffic (of 200)

ASNM signatures (ž 300)

Class / e classes (all zNOQ classes) Positive

910

911

912

920

930

940

941 communication

942

960

961

962

Report set (GUI, Syslog, SIEM) assignment (probably unwanted or malicious traffic), malicious

Negative classification (probably legitimate traffic), legitimate communication and attack (positive and negative, out of 600 Information, attack proved Information, attack not proved Detection model

Industrial applicability

The present invention is essentially applicable to any network infrastructure, but is targeted to medium to large enterprise networks, telecommunications operators and critical infrastructure, due to its ability to protect a large number of devices from various targeted attacks and unknown vulnerability or signature-resistant malware 30.

List of reference marks

Internet

Demilitarized zone of the DMZ network

LAN

Network router

Network fírewall

Virtual network (LAN or DMZ)

Network device (PC, server, any other device or subnet)

100 Network interface (adapter)

110 Processor (Standard)

120 FPGA (Programmable Hardware) Processor

140 RAM (for example, cache)

150 RAM (standard)

160 'HDD (magnetic or electronic)

190 System interface (bus)

200 Network probe (active mode, blocking or routing)

200n Mains Probe (Passive, Non-Blocking) • ·

300 Behavioral Signature Generator

345 Device (computer) including modules 300,400, 500 and optionally 700.

400 Classifier

500 Temporary memory

600 Highly monitored virtualized computer (honeypot)

610 Virtualized Operating System (OS or Firmware)

690 Virtualized computer interface (bus, etc.)

700 Control and learning module

900 General signal (usually unmarked arrows in the diagram, depending on context)

910 Normal TCP / IP traffic (lines not marked on the scheme)

911 Blocked traffic (unwanted communication)

912 Legitimate traffic

920 Statistics, preprocessed operation (of 200)

930 ASNM signatures (of 300)

940 Classification classes (all classes out of 400)

941 Positive classification (probably unwanted or harmful traffic), harmful communication

942 Negative classification (probably legitimate traffic), legitimate communication

960 Infestation report (positive and negative, out of 600)

961 Information, assault has been proven

962 Information, assault has not been proven

970 Detection model

980 Report Set (GUI, Syslog, SIEM)

Claims (6)

PATENT CLAIMS 1. A method of detecting information and communication network attacks by advanced network attacks and malware, characterized in particular by analyzing the behavior of the passing data flow and analyzing the passing traffic flow of network traffic to determine behavior metrics representing the behavior of the network data flow from static, dynamic, distributional and behavioral behavior, which distinguishes legitimate data streams from dangerous data streams. Method according to claim 1, characterized in that the harmfulness of the data flow is evaluated, its signatures are created based on the content and behavior, and are then updated by the detection module. An apparatus for carrying out the method according to claim 1, characterized in that it comprises a router (40) to which at least one network probe (200) is connected in parallel to the network infrastructure (20, 30) with the behavioral signature generator (300) connected. Device for carrying out the method according to claim 3, characterized in that the probe (200) with the associated behavioral signature generator (300) is connected directly to the router (40) and is connected to the classifier (400) and the vitrualized computer (600) and a control and learning module (700) arranged in the network infrastructure (20, 30). Device for carrying out the method according to claims 1 and 2, characterized in that it comprises a probe (200) serially connected to a network infrastructure (20, 30) to which a block (345) containing a behavioral generator is connected via a system interface (190). signatures (300), classifier (400), and temporary memory (500), the virtualized computer (600) of the virtualized network (60) being connected via a network interface. Device according to claim 5, characterized in that a temporary memory (500) is arranged in the block (345).