DE102015004402A1 - host system - Google Patents

Abstract

The present invention relates to a host system for offering Internet content in which a plurality of host computers cooperate and a security computer is provided. In particular, it is a host system (10) for offering Internet content in a network, the host system comprising at least a first host (12), a second host (14), and a third host (16), the first host (12). stores a plurality of Internet content in content files and uses a plurality of URIs, wherein the URIs are arranged in a hierarchical system comprising at least one major URI and at least one sub-URI, and wherein each content file is associated with a URI and wherein the second Host (14) is connected to the first host (12) to allow traffic and the second host (14) as outgoing traffic content files due to a content file related query to another host, at least the third host (16), or a Client (22) and the third host (16) comprises a data exchange unit (18) which can pass files to another host or a client (22), and de r third host (16) further comprises a security computer (20) which can control the data switching unit (18) and which can create a log record (42), wherein the log record (42) at least a first information unit, a second information unit and a third information unit, wherein the first information unit comprises an identification feature of a client or host computer, and the second information unit comprises an inquiry time and the third information unit comprises an identification attribute of a content file or the associated URI to which the query relates; and wherein the security computer (20) further manages a reference file (50, 52) which is created on the basis of log data sets (42) and comprises reference values for at least the first information unit, the second information unit and the third information unit and on the third Host (16) or the security computer (20) g is stored. The invention also relates to a method for operating a host system.

Description

Field of the invention

The present invention relates to a host system for offering Internet content in which a plurality of host computers cooperate and a security computer is provided.

Background of the invention

US patent application US 2006/0039540 A1 discloses a method to fend off attacks on telephone connections. This concerns in particular the prevention of so-called DDoS attacks on telephone systems, namely with regard to the possible disruption of emergency numbers ("911 Emergency" numbers).

US patent application US 2009/0282478 A1 relates to a method and a computer system which are intended to provide protection against attacks by external computers. The patent application describes an approach in which an attack is to detect both the controlled server / host and the controlling server / host in a network.

US Patent Application US 2013/0104230 A1 discloses a system and method for detecting attacks on a network. Two analysis systems are used, one of which can be operated in a particularly fast time cycle. The analysis systems can evaluate data such as Get and Post Requests and SIP Sessions (SIP for Session Initiation Protocol). When analyzing the data, relatively sophisticated statistical methods can be used by at least one analysis system

The present invention desirably seeks to provide a host system that ensures efficient data provision of users, particularly Internet data. The host system should also be able to block attacks by interfering computers efficiently and be inexpensive and reliable to operate.

These advantages are achieved by a host system according to claim 1 and by methods for operating a host system according to claim 10.

The present invention thus relates to a host system for offering Internet content. Although the usual form of transferring data on the Internet, in particular for display by Internet browsers, is a particularly expedient field of application of the host system, the term "transmission of Internet content" should generally be understood to mean the transmission of data via transmission lines. In particular, the invention can be used to offer or manage content that can be transmitted over the HTTP protocol,

A host system is a network of host computers. The term "host" is based on the fact that in the host system physically separate components are provided and the host system often consists of several physically separate and usually spatially separated computer.

A host within the meaning of this invention is understood to mean a computer which can pass on data to another computer. As a rule, the host will have at least one input / output unit, a central processing unit (CPU), a memory and an operating system which allows the aforementioned three units to work together. A host in the sense of this invention can serve in particular as an Internet server. He can be conveniently configured as a Windows, Linux server.

A host system according to the invention comprises a first host, a second host and a third host. The host system of the present invention has also proved to be particularly useful because these three hosts can operate completely or at least partially independently of each other and can be independently configured. They can each be adapted to their preferred task. Therefore, all hosts of the host system can be operated with different operating systems. They can also include various CPUs, memory, data and input / output system.

The hosts may be located in different locations, and the choice of location may in turn have advantages such as data input or output speed or economic benefits.

The first host in the context of the present invention is primarily for storing content files, in particular content files which are useful as Internet content. The first host should be able to map the content files to URI addresses. The first host is therefore typically used by an Internet content provider. This could be a private or a commercial provider. The first host can be configured as a web server. An example of a provider, is a newspaper publisher who wants to make the online pages of his newspaper available on the Internet.

In the example, content files are text files containing the text corresponding to newspaper articles included, and are image file containing related images. These files are collectively called content files. These content files should be assigned URI addresses. Content files can also include text files and image files in combination. They can also be dynamic, ie they can be time-varying or they can be variable depending on the type of request (eg country-specific). In this respect, a content file here also denotes all electronically generated and stored contents.

In the context of this invention, a URI address is understood in the broadest sense to mean a unique identifier, that is to say a unique name, of such a content file. As a rule, this should be done using the URI system (URI stands for Uniform Resource Identifier). This system is an international standard system, usually defined in RFC 3986. The URI name of a file consists of five parts. Here, a first part stands for a schema or protocol, a second part for a provider or server, a third part for a path, a fourth part for a query and a fifth part for a fragment. The common English terms of these five parts are called Scheme, Authority, Path, Query, Fragment. Not all parts must always be included.

The first part of the URI defines its type, for example, known types are defined by the abbreviation Http or the abbreviation Ftp. At this point, the abbreviation File can also be used to create a reference to a local file. Ftp stands for File Transfer Protocol and Http stands for Hypertext Transfer Protocol, the protocol used to display data in a web browser.

The second part of a URI, the authority part, for example, consist of an Internet address. The structure of the second part of the URI designation is determined by a particular institution. For example, the second part may take the form of common Internet addresses. These Internet addresses are determined by the Domain Name System (DNS). An essential part of the Internet address is a country code, for example .de, and an identifier of the page, for example zeitungsverlag.de. The other parts of the URI allow it to specify more accurate files within such an Internet address, for example, to call certain newspaper articles and the like.

The system recognizes a hierarchy. Subsequent parts of a URI specify a file more and more accurately. This results in a hierarchical structure of a URI identifier.

In the context of the present invention, it often happens that files are determined by URL tags. The URL tags are a subform of the URI tag. URL stands for Uniform Resource Locator. When accessing a content file, such as through the ftp or the widely used https protocol, the URL tag associates the file with a unique location. In this place you can always find the same file or variable files. Based on the example of a newspaper's website, the daily weather forecast can be found at a fixed URL address. The file stored there changes from day to day, but can be called up using the same URL label. URL tags also follow the hierarchical system described above.

This system will be briefly explained again for Internet addresses. The names of Internet addresses are determined by the DNS method. According to the DNS system, such websites contain country identifiers and associated freely identifiable identifiers. An exemplary address can be called zeitung.de. At this address you can call up a website. This page typically has linked subpages, such as wetterbericht.zeitung.de and wirtschaft.zeitung.de, etc. The latter two pages are arranged hierarchically below the zeitung.de page, as they have a further part of the name. Other branches are conceivable, for example, a page today.wetter.zeitung.de conceivable. At this level, a further sub-branching would be possible, but the address may alternatively designate a unique file location that is at least temporarily uniquely associated with a file.

For the purposes of the present invention, a main URI is thus to be understood to mean a URI identifier which is at least one hierarchical level higher than a sub-hierarchy. A major URI can match multiple sub-URI tags. Sub-URI tags can have another hierarchy in them. Likewise, a higher level may be provided above the main URI tag. In general, the main level describes the highest level of an Internet offer, in the above example about newspaper.de.

The second host has the primary task of forwarding traffic on the Internet. For example, such a host could be operated by an internet service provider and configured as a router.

The third host has, in the context of the present invention, similar to the second host, among others, the task of forwarding data. For this purpose, the third host comprises a data exchange unit. The data forwarding can take place between the second host and a user. The user would usually query the data from a client machine. In this case, the required data transfer capacity would have to be adapted to the number of client computers and the volume of data probably required. Often, the third host will be switched between the second host and a fourth host. The fourth host can again be the host of an Internet service provider. In this case, the data exchange unit of the third host should have such a high data capacity that the data flow between the second host and the fourth host is not limited or disturbed.

The third host comprises a security computer in addition to the data exchange unit. This security computer should be able to control the data exchange unit. This means, for example, that he should be able to suppress the transfer of individual data or the transfer of data to certain computers. The control schemes may be even more complicated; for example, temporary suppression or volume limitation of the data flow may be considered.

The security computer can be separate from the data exchange unit. For this purpose, the security computer can be an independent computer. The security computer can also be operated in a physical computer together with the data exchange unit. However, at least in terms of its function, it is separate from the data exchange unit, thus allowing in particular other programs to run. If the security computer is separate from the data exchange unit, it may be located close to the location, for example in the same room, or even more remotely, for example in another room of the same building, in another building of the same city or the like. Preferably, however, the security computer is locally close to the data exchange unit, at least in the same city. The security computer is connected to the data exchange unit via a suitable data line.

The security computer and the data exchange unit may use the same or different operating system. For the security computer is often a Linux operating system appropriate. It is advantageous within the scope of the invention if the security computer is spatially located closer to the third host than to the first or second host.

The fourth host, which may be an optional part of a host system, is again a host of an internet service provider, and therefore, as mentioned, may have the properties of the second host.

The data, which are forwarded by the host system, ie in particular Internet content, which are offered, are finally queried by computers of users. These computers are referred to here as client computers. Such a client computer typically does not forward data, even if a data transfer takes place by the client computer, but the data is at least processed on the client computer. Typical client computers are personal computers.

The coupling of host computers can be carried out in the context of the present invention by various appropriate data lines. Often these are data transmission lines, for example fiber optic cables or occasionally copper cables. The data transport can be unidirectional or bidirectional. Mostly, the data lines allow bidirectional data transport, but not necessarily equal capacity in both directions. To overcome shorter distances, such as the connection of the security computer with the data exchange unit in the third host and wireless connections come into consideration, such as a wireless connection.

Within the scope of the present invention, the respective host computers of the host system may be physically separate computers. For the purposes of the present invention, a physically separate computer is a computer which has at least one independent component, preferably a separate CPU. As a rule, the computers are completely separate, so that they have only a few components in common (for example, a common rack or a common power supply) or have no part in common. Especially with physically completely independent host computers, it may be advantageous to set them up in different places. In this sense, they can stand in different places in the building of a data center. However, it is often advantageous to provide for greater geographical separation as well. The various host computers can be located in different cities. The geographical separation usually still allows a safe and fast Internet traffic. It is also quite possible to interconnect different geographically separated host computer to a host system. This can also offer economic benefits. For example, since the second host essentially has the functions of an Internet provider host computer, a suitable Internet provider can be selected for technical and economic considerations. In the context of this invention, it may be that the third host is a physically separate host and the first host and the second host are housed in one computer, so have the role of physically not separate first and second servers.

A host system according to the present invention allows the efficient and economical data supply of a plurality of client computers. In addition, however, an essential aspect of the host system is that increased security is provided. This means in particular the reliability of the supply of data even when attacking the system. It happens, for example, that individual interferers attack a data provider in order to suppress normal data or Internet operation. Such an attack may be for the purpose of causing economic damage or reputational damage. The damage is usually more likely to arise with the operator of a website than about the Internet provider.

One known form of such interference is DDoS attacks. DDoS stands for Distributed Denial of Service. Systematically selected providers should be disturbed in such a way that the customer service of data supply is no longer possible.

Such attacks can be performed, for example, by sending an enormous amount of requests that overload a conventional host system. This form of attack is commonly described as a capacity attack or a volume DDoS attack.

There are also some known smart attacks, which are usually called application DDoS attacks. It is not primarily trying to generate a high request volume, but complicated queries. For example, it would be possible to search for all articles in the color black in a mail-order company present on the Internet. It goes without saying that compiling these articles requires a very high level of computing power, which is then not available for dealing with serious customers.

However, the host system according to the invention should also ensure the reliable data supply in other security situations. The exploitation of external information is quite possible. In general, it should be possible to control the system by human intervention or to provide an automatic, usually controlled by algorithms control.

For these purposes, a primary log file and / or a reference file is managed by the security computer, which interacts with the data transfer unit in the third host. The reference file is usually created, modified and saved in the safety computer. But it is also possible that the file is created in another computer and stored in another computer. The management should comprise at least one modification. In this case, a file should also be understood to mean a complex form of data storage, for example also a database.

The primary log file captures traffic. This recording is typically not saved, so it is only a temporary recording, so the term "file" should not indicate a permanent storage of data. The primary log file contains a number of log entries, which are also referred to here as log data records. Each such data record, as conceivable, for example, as a table row, comprises a plurality of information units. Conveniently, at least a first, a second and a third information unit, as described below, comprises.

From such a primary log file reference files can be generated. Such reference files include reference entries. These reference entries, which can also be imagined as rows in a data table, in turn comprise information units. The information units of a reference file correspond to the information units of the primary log file. However, the information units of a reference file are preferably further processed or "secondary" to the information units of the primary log file, as will be explained below.

A reference file is thus to be understood as meaning a file with a multiplicity of data records, in which each data record contains a multiplicity of information units. At a minimum, two data sets are to be included in the file, each containing at least three information units. Typically, a file contains several thousand records, and each record contains at least a few, often more than a dozen pieces of information.

The reference file entries, or in short reference entries, usually comprise information units of the same type as the log data records. However, individual types of information units may also be omitted or added.

For example, if an information unit relates to a time indication, the sum or an average of such time information should be understood to mean an information unit of the same type.

Information units of the same type thus relate to the same information content to be measured. However, they may be further processed, for example, by averaging, and are then also referred to herein as "secondary" information units (to an associated information unit from the primary log file).

The log records are typically not saved. Therefore, for example, averaging in the reference file is appropriate. Parallel secondary information units are typically stored there.

In a reference file, most data is compressed so that the reference file contains fewer pieces of information than the corresponding log records or the primary log file.

The reference file can be a statistics reference file in which the statistical distribution of information units is stored over a longer time interval. For this purpose, for example, an average value and a standard deviation for an information unit can be stored.

The reference file can also be an acceptance interval reference file which already specifies acceptance intervals for individual information units. An acceptance interval is to be understood as meaning an interval for the respective information unit in which a positive characteristic value is set with reference to the information unit. The interval may in one case only include one value.

In particular, a main URI identifier can be assigned a reference file. A primary log file can be evaluated by human decision and input or by a mathematical algorithm. In the latter case, a human input can usually be dispensed with.

A log data record should contain a first information unit which includes an identification feature for the data-requesting computer. This can be the IP address of the client machine. It can also be an information unit that has been obtained on the basis of an IP address. It may be appropriate not to store this IP address as such, but to turn it into another identification feature. In this case, for example, a scatter value function can be helpful. In this way, the IP address may be assigned at least in a practically unique manner to another value (i.e., usually a different string). This string can be more easily stored, perhaps because it is shorter. This string can also be used to anonymize the IP address. In the context of the present invention, it has to be considered that an internet user, who as a rule acts as a client here, places a certain trust in the internet offer of a specific URL. As part of this trust, he is willing to submit his IP address to the URL provider. However, if the content is provided by multiple hosts and therefore potentially also the hosts of other providers, the user will not necessarily have the same confidence in these other providers. Therefore, it may be appropriate to store the IP addresses of a user on the third host only anonymized.

The log record comprises a second information unit, which includes time information. The second information unit may be the exact time of polling or receiving the data. Alternatively, a time interval could be stored, namely the interval between the last and the current query of data by a particular client computer or the interval of the current and the last query of a particular information, such as information associated with a URI. The corresponding time intervals can each be stored in separate additional information units.

A log record contains, as a third information unit, the identification of a mediated content file or the associated URI. The storage of the URI, in particular in Internet traffic with URL identification is a simple variant for the identification of a file or at least the file location (in connection with a time information information about the file usually gives a reliable information about the file). In some cases, a file can also be identified in another way; for example, a file can usually be identified with high reliability because of its exact specified size.

In an expedient embodiment of the invention, the security computer can block the transfer of data to another host or client on the basis of a comparison between at least one information unit of a log data record and a corresponding information unit of the reference file.

For this purpose, a comparison between at least one information unit of a log record ( 42 ), preferably an information unit related to the OSI level three or four of the network, of a corresponding information unit of an acceptance interval reference file. This comparison could also take the form of programmed query rules. Information units relating to OSI level three or four are handshaking, as will be explained in more detail below. In particular, however, comes the comparison with a Time-based information unit, ie in particular with an information unit, which is based on the time of a query into consideration. For example, high-frequency queries can be suppressed, especially if they refer to the same URI.

Furthermore, a first comparison and a second comparison can take place, wherein the first comparison between at least one information unit of a log data record and a corresponding information unit of a reference file takes place and an index is calculated on the basis of the first comparison, and in which in the second comparison Key figure is compared to a threshold and because of the second comparison, the transfer of data to another host or a client can be locked. So particularly useful is an analysis in two steps. In the first step, a key figure is calculated. This key figure can certainly be calculated from several information units, in individual cases also from more than five or ten information units. No matter how high this measure is, it does not automatically result in some sort of control, especially not automatically blocking the passing of data to another host or client. Rather, a second step compares the measure with a threshold. This threshold may be affected, for example by a host system operator.

Expediently, the first comparison between at least one information unit of a log data record and a corresponding information unit of a statistics reference file takes place.

Of interest here is a host system in which the threshold depends on a property of the second host or the data traffic leaving the second host. However, the threshold can be set not only by an operator but also by an algorithm. Here, an algorithm is useful in which the threshold depends on a property of the second host or the data traffic leaving the second host. For example, this may be the performance of the second host, or may be the frequency of requests to the second host.

In the following, the use of the log datasets for optimizing the security of the host system will be discussed in addition with some examples. It will also be clear that the operation of a third host separate from the second host, which is equipped with a security computer, offers advantages in ensuring safe and reliable operation.

Some attacks on a host system occur at the network communication level. The OSI model of networks is about levels three and four. Common Internet applications use the TCP / IP protocol at these levels.

The TCP / IP protocol uses a series of commands that allow different computers on a network to communicate with each other to connect. In the case of a regular connection establishment according to the TCP / IP protocol, a client computer sends a SYN request to a host computer with which a synchronization is requested. The host sends a SYN-ACK response, which confirms synchronization ("synchronization acknowledge"). Thereafter, the client computer returns to the host an information packet confirming the establishment of the connection, the ACK response.

This normal information structure can be suppressed in the event of a malicious attack on a host system. This type of attack is also known as SYN Flood. The malicious operator of a client computer would suppress the third message, so do not send an ACK message. However, the host is usually set to wait a few moments for the message to arrive. Now, if a host is faced with a very large number of such requests, it would wait for that large number of requests to send an ACK message. As a result, computing power is tied. This can lead to the complete shutdown of a host computer.

Thus, if an information unit is included in the log record, which records the packets which are exchanged between computers according to the TCP / IP protocol and records the corresponding times, then one can recognize corresponding attacks with these log data records.

Obviously, some computing power is required for this detection. Incidentally, the recognition is an analysis which must take place very quickly, for example in milliseconds. It is expedient to provide a specially optimized computing unit for this purpose. In this sense, the security computer may have an ideal algorithm in combination with an ideal operating system. Overall, the operating system of the third host can be adapted to these requirements, or the third host is designed to cooperate with such an optimized security computer. Often, Linux is a beneficial operating system for the third host.

It is also conceivable to optimize the third host in such a way that it uses several Security computers can work together. In each case, these security computers can be designed individually for the detection of certain attacks. For example, it may be expedient to maintain a security computer for a very rapid analysis basically simple attacks and vorzuhalten another security computer that can analyze with somewhat more complex algorithms and therefore usually slightly slower complex attacks.

More complex attacks are typically attacks at a higher OSI level, such as level seven, also known as the application level.

To detect such attacks at a higher level, it is useful if a log record can also record the types of HTTP requests, for example, if a Get or Post command was sent. It may also be useful to include the language setting or the type of browser in the log record. Furthermore, the country from which a request comes could be recorded in the log record, if possible also a more localized localization, such as a city or state.

For example, the evaluation of such data at the application level allows a consistency check of the request. Consistency criteria can be checked by humans. It is also possible to make specifications for consistency criteria, which are then automatically checked in a defined manner. For example, the combination of a mobile operating system on a mobile phone could be assumed to be consistent, but a different combination would not.

Also, a language setting on a browser that does not match the national language of the query country could already be considered inconsistent. In terms of language, however, it turns out that a very simple and rigid audit scheme will often be unsatisfactory. It may be an appropriate measure in case of acute overload of the host system, but in other situations, more detailed analysis is desirable.

With the host system of the present invention, it is possible to track the flow of data between a plurality of client machines and (initially) the second host computer over a period of time. This is possible while the data flow is routed via the data exchange unit of the third host. In this phase, the security computer can continuously generate a log file of the entire data flow (the primary log file). In the security computer or another computer, a static evaluation of this data flow can be made.

Due to the statistical evaluation, a reference file can be generated. Such a reference file may define typical reference values and acceptable intervals for all information units stored in the log records. For example, for the query from a mobile device, it could be determined which browsers are considered typical for the mobile device. For a data query with a different device-browser combination, the sending of data could be suppressed. Such deviant browser-device combinations can namely be understood as a sign of a query by at least one interferer computer and not by an actual and benevolent user. (Mostly such queries are made by multiple sturgeon computers that interact in a "botnet.")

Similarly, for certain country settings, typical query languages could be recognized. This revaluation can be a statistically reliable way of reproducing the full breadth of language attitudes in a country. It could be noted that some of the queries on a particular European website are made at a time interval by browsers using an Asian language as their default. If, however, the proportion of Asian-language browsers is significantly higher within a certain time interval, this could be interpreted as an indication of an attack on the host system. The generation and use of a reference file allows a much more meaningful and reliable analysis than a rigid evaluation based on general plausibility assumptions.

As mentioned, the log record also contains an information unit about the type of information files retrieved, in Internet applications usually the URL identifier of the page called. Each website has a specific usage behavior. For example, the user of a newspaper page on the Internet generally first calls up the main page. From this he jumps to a single article and then he jumps back to the main page. From the main page in turn he jumps to a next article, etc. The user of the Internet offer of a mail order company behaves differently in the rule. He will usually enter a search term after calling up the main page. He will then search systematically in the hit list returned based on the search word input. But he will not often jump back to the main page or constantly switch back and forth between products of very different categories.

Thus, by storing the timing of calling the URI or URL flags of certain subpages, the log record can record page usage behavior of the main URI tag to which these sub URI tags belong.

For this information, too, it is expedient if a reference file is generated by recording log data records in a sufficiently long time interval.

An interesting aspect of the present invention is that a reference URI tag can be assigned to a reference file. This can either be a statistics reference file in which raw data is recorded over a longer time interval and / or it can be an acceptance interval reference file which already specifies acceptance intervals for individual information units.

It can be assumed that, based on a main URI, user behavior remains relatively constant over a long time. Therefore, it is useful if reference files can be stored for a long time. It may well be that a safety test will not be carried out for a long time if the general safety situation, or rather the frequency of accidents, makes this appear appropriate. In such situations, it is then possible to run traffic through the third host without using the security machine. It would alternatively also be possible to no longer run the data traffic via the third host, but rather to lead it directly from the second host to a client or to a fourth host.

If the security situation makes it necessary again, the data traffic can be routed again via the third host and the security computer can become active again. This usually happens when there are concrete signs of the need for increased safety. In such a situation, it is highly desirable to very quickly maintain a secure, ie, in particular attack-protected, host mode. If necessary, this should be done within seconds.

As discussed, the reference file plays a significant role in countering attacks. Such a reference file requires longer monitoring of the traffic, for example for at least 24 hours. In addition, as a rule, it requires a mathematical evaluation of this data traffic, in particular if a statistics reference file is to be generated. However, by storing such a file on the security computer, for example, it can be called up within minutes and can be used again. An interesting feature is that this file is stored where it can work most efficiently, namely on the third host and / or the associated security machine, but describes properties of the first host. More specifically, it describes characteristics of the data stored on the first host, in particular a hierarchical URI structure of the data.

Because this file is stored outside the first host, it could also be used in the event of a failure of the first host, for example, when the data is read from a backup host for the first host instead of from the first host.

Even if the first host or the second host can become the subject of an attack, it is of considerable advantage to be able to store the corresponding files relevant to the security of operation on a computer different from the first host and the second host.

As mentioned, it is conceivable that the first host is replaced by another computer, for example a backup computer, which stores the corresponding content files. It is also conceivable in situations where it does not depend on the use of backup data to connect the third host to other hosts.

In particular, it may be considered to connect the third host in the manner described with a first host and a second and additionally connect the third host with a fifth host and a sixth host. The fifth host and the sixth host are switched in parallel to the first host and the second host. Accordingly, the fifth host may store content files and the sixth host may be optimized for the data forwarding. In this way, it would be possible with a single third host and connected security computer to handle the security requirements for multiple hosts and thus for multiple customers. It may be considered that a plurality of such host chains is connected to the third host. In this context, the third host can create a plurality of log files with a security computer, which are respectively matched to different URIs, in particular main URIs, on the various hosts which store corresponding content files. It would also be conceivable to connect a plurality of security computers to the third host, for example a security computer relating to the data on the first host and a second security computer relating to the data on the fifth host.

• – Anbieten eines Hostrechners, welcher sich als dritter Hostrechner (16) mit einem ersten Hostrechner (12) und mit einem zweiten Hostrechner (14) koppeln lässt
• – Kopplung des dritten Host (16) mit einem zweiten Host (14), wobei der zweite Host (14) mit einem ersten Host (12) gekoppelt ist
• – Anlegen einer Primär-Log-Datei und/oder Referenz-Datei auf den dritten Host (16) oder einem damit verbundenen Sicherheitsrechner (20)
• – Vermitteln von Datenverkehr von einem Client (22) oder Host über den dritten Host (16) und/oder über den zweiten Host (14) zum ersten Host (12)
• – Registrierung des Datenverkehrs, insbesondere durch Anlegen von Log-Einträgen, welche vorzugsweise jeweils mindestens drei Informationseinheiten umfassen
• – Anlegen einer Referenz-Datei
• – Aktualisieren der Referenz-Datei aufgrund der Log-Einträge

In addition to a host system for offering Internet content, a method for operating a host system is also an object of the present invention. In the context of this invention, a host system is generally operated for offering Internet content, so that the described methods are also the subject of the present invention as a method for offering Internet content. Thus, a method for offering Internet content and / or for operating a host system is part of the present invention, which preferably comprises the following steps in the order of listing:

• Offering a host computer which acts as the third host computer ( 16 ) with a first host computer ( 12 ) and with a second host computer ( 14 ) can be coupled
• - coupling of the third host ( 16 ) with a second host ( 14 ), where the second host ( 14 ) with a first host ( 12 ) is coupled
• - Create a primary log file and / or reference file on the third host ( 16 ) or an associated security computer ( 20 )
• - Transferring traffic from a client ( 22 ) or host over the third host ( 16 ) and / or via the second host ( 14 ) to the first host ( 12 )
• - Registration of data traffic, in particular by creating log entries, which preferably each comprise at least three information units
• - Create a reference file
• - Updating the reference file based on the log entries

• – Anbieten eines Hostrechners, welcher sich als dritter Host (16) mit einem ersten Host (12) und mit einem zweiten Host (14) koppeln lässt
• – Kopplung des dritten Host (16) mit einem zweiten Host (14), wobei der zweite Host (14) mit einem ersten Host (12) gekoppelt ist und wobei der erste Host (12) eine Vielzahl von Internetinhalten in Inhaltsdateien speichert und eine Vielzahl von URIs benutzt, wobei die URI in einem hierarischen System geordnet sind, welches mindestens eine Haupt-URI und mindestens eine Unter-URI umfasst, und wobei jeder Inhaltsdatei eine Unter-URI zugeordnet ist und wobei der zweite Host (14) mit dem ersten Host (12) zur Ermöglichung von Datenverkehr verbunden ist und der zweite Host (14) als abgehenden Datenverkehr Inhaltsdateien aufgrund einer auf eine Inhaltsdatei bezogenen Abfrage an einen anderen Host, zumindest den dritten Host (16), oder einen Client (22) weitergeben kann
• – Vermitteln von Datenverkehr von einem Client (22) oder Host über den dritten Host (16) und über den zweiten Host (14) zum ersten Host (12)
• – Registrierung des Datenverkehrs, insbesondere durch Anlegen von Log-Datensätzen zum Datenverkehr und Anlegen einer Referenz-Datei (50, 52) mit Informationseinheiten zum Datenverkehr auf den dritten Host (16) oder einem damit verbundenen Sicherheitsrechner (20)
• – Aktualisieren der Referenzdatei (50, 52) aufgrund von Log-Datensätzen
• – Steuerung des Datenverkehrs mit Hilfe der Referenzdatei (50, 52)

In particular, it concerns a method which comprises the following steps, again preferably in this order:

• Offering a host computer which acts as the third host ( 16 ) with a first host ( 12 ) and with a second host ( 14 ) can be coupled
• - coupling of the third host ( 16 ) with a second host ( 14 ), where the second host ( 14 ) with a first host ( 12 ) and wherein the first host ( 12 ) stores a plurality of Internet contents in content files and uses a plurality of URIs, wherein the URIs are arranged in a hierarchical system comprising at least one main URI and at least one sub-URI, and wherein each content file is assigned a sub-URI and where the second host ( 14 ) with the first host ( 12 ) is connected to allow traffic and the second host ( 14 ) as outbound traffic content files due to a content file related query to another host, at least the third host ( 16 ), or a client ( 22 ) can pass on
• - Transferring traffic from a client ( 22 ) or host over the third host ( 16 ) and the second host ( 14 ) to the first host ( 12 )
• - Registration of data traffic, in particular by creating log data records for data traffic and creating a reference file ( 50 . 52 ) with traffic information units on the third host ( 16 ) or an associated security computer ( 20 )
• - Update the reference file ( 50 . 52 ) due to log records
• - Control of the data traffic by means of the reference file ( 50 . 52 )

In each of the methods described herein, the described host system can be used, so that preferred features of the host system, in particular as shown in the claims related thereto (claims 1 to 9), can be used in the method.

An advantageous embodiment of the method results if additional connection to a fourth host is provided. The third host can be connected to a corresponding fourth host, with the fourth host again performing the data forwarding task. This fourth host can therefore be connected in the manner of the second host expediently with a client computer or with a multiplicity of client computers.

Within the meaning of the above explanations, it is also expedient in the context of this method if the log file is still stored on the third host or an associated security computer even after the interruption of the coupling of the third host to the second host. In particular, the interruption may involve traffic going directly from the second host to the fourth host. Accordingly, the security computer is not available. In a change in the security situation, however, it is a significant added value if the third host can be switched between the second host and the fourth host again and control of the data flow is possible again without significant start-up time.

Therefore, a method is expedient in which, after the restoration of the coupling of the third host with the second host, the data flow is directly controlled and the data from the log file is used. A control of the data flow is to be understood in particular as meaning that the security computer can block the data transmission on the basis of selection parameters.

Also in the context of this method of operating a host system, it may be advantageous if the third host is additionally coupled to a fifth and a sixth host, with the fifth host being coupled to the sixth host and the sixth host is paired to the third host. In this way, coupling of the sixth host to the third host can be established in parallel with the coupling of the second host to the third host.

A coupling of geographically separated servers can be achieved here as follows: By changing the entry in the DNS name server, a request is forwarded to the third host instead of the second host. A specific Internet address is therefore assigned a different IP address. In addition, it may be useful to prevent the possibility of direct addressing on an optionally provided firewall of a host, which should no longer be addressed directly.

Also useful is a method of also controlling traffic from the fifth host to the sixth host to the third host traffic using at least some of the data in the reference file. An advantage of such a method is that certain settings, which may be due to a learning process, can be transferred from the traffic with the first and second host to the traffic with the fourth and fifth host. For example, creating a reference file would allow you to detect an excessive number of attacks on a particular day from a particular country, and you can use that knowledge immediately with the help of the reference file for data connections to the fourth and fifth hosts.

Of interest is a method in which the security computer can block the transfer of data to another host or client based on a comparison between at least one information unit of a log record and a corresponding information unit of the reference file and in which a first comparison and a second comparison takes place and the first comparison between at least one information unit of a log data record and a corresponding information unit of a reference file takes place and a key figure is calculated on the basis of the first comparison, and in the second comparison the key number is compared with a threshold value and because of the second comparison, the passing of data to another host or client can be disabled, and a new threshold is calculated for the traffic between the fifth host and the sixth host. As discussed, it may be useful to include properties of a host or outbound traffic characteristics in the calculation of the threshold. The security computer can thus store a first threshold relative to the second host and store a second threshold in relation to the fifth host. In this case, the second threshold value can first be calculated on the basis of the first threshold value and be adapted to the data flow or properties of the fifth host if the data flow continues. Thus, in addition to the first threshold, at least a second threshold can be made available. In this way, the security computer can effectively manage the flow of data in a more complex host system.

Incidentally, expediently more accurate embodiments of the method result from the advantageous embodiments of the host system itself.

With particular regard to the description of the method, it has become clear that a host system may be appropriate, which may take various configurations by changing the data connection. The host system thus has, in a first configuration, a multiplicity of host computers, which are connected in a specific way by data lines. These host computers can be completely or partially converted into a second configuration, in which all or at least several host computers of the original configuration are linked by other data connections. It may be particularly interesting to temporarily remove the third host from the host system. It may also be possible to leave the data exchange unit of the third host computer in the system, but to remove the security computer from the system. Thus, in a first configuration of the host system, the second host may be connected to the fourth host via the third host, but in a second host system configuration, the second host may be directly connected to the fourth host. Alternatively, in the second configuration of the host system, the second host may be connected to the fourth host only via the data switch.

In this respect, in the context of the present invention, the following host system is expedient: A host system for offering Internet content, the host system comprising a storage system in which files for Internet content are stored, and a first host and a second host and a backup computer, and the storage system via a first data line is connected to the host computer of an Internet service provider, wherein this host computer may be the above first host or second host, and in a first system configuration an Internet user is assigned Internet content via a second data line by entering a first URI of the first URI in a second configuration, the host system comprises a third data connection between the first host and the security computer and a fourth data connection between the security computer and the second host, and an Internet user can query via a fifth data line by entering a first URI of the first URI associated Internet content, the Internet user in the second configuration over the second data line can not query the URI associated Internet content, wherein the security computer querying the query of the first URI associated with Internet content an algorithm, the algorithm being variable depending on the URI.

Other features, but also advantages of the invention will become apparent from the following drawings and the accompanying description. In the figures and in the accompanying descriptions, features of the invention are described in combination. However, these features may also be included in other combinations of an article of the invention. Each disclosed feature is thus also to be regarded as disclosed in technically meaningful combinations with other features. The illustrations are partly slightly simplified and schematic.

1 shows a schematic representation of a first host system according to the invention;

2 shows a schematic representation of a second host system according to the invention comprising a fourth host;

3 shows a schematic representation of a third host system according to the invention, which is connected to various client computers;

4 shows a schematic representation of a host;

5 shows a schematic representation of a host with connected security computer;

6 shows a schematic representation of a log file;

7 shows a schematic representation of a statistics reference file;

8th shows a schematic representation of an acceptance interval reference file;

9 shows a schematic representation of a fourth host system according to the invention, which is connected to different first and second hosts;

10 shows a schematic representation of a fourth host system according to the invention, which is connected to different first and second hosts and further comprises a plurality of security computers.

1 schematically shows the structure of a first host system 10 , This host system includes a first host 12 , which is suitable for storing content files. Over at least one data line is this host 12 with a second host 14 connected. This second host 14 is represented like a typical host (or server) as a multi-rack device. It may be appropriate to make this host computer so that it is easily removable in its capacity. In any case, it should allow a high data flow. It can be a host of an internet provider.

The second host 14 is with a third host 16 connected. This third host 16 comprises a data exchange unit 18 , The data exchange unit 18 can be similar in function to the second host 14 and therefore in its structure also the second host 14 correspond. The third host 16 but also includes a security calculator 20 , This can, as indicated in the sketch, be a physically separate unit. This unit can be in close proximity to the data exchange unit 18 be located or spatially separated from it.

The third host 16 is via a suitable data connection with a client 22 (here briefly for client computers) connected. This may already be the computer of a private user who queries Internet content. Typically, a large number of clients are connected to the third host.

2 shows in a corresponding schematic representation of a second inventive host system 10 , This host system again has a first host in an analogous manner to the presented host system 12 , a second host 14 and a third host 16 on. The third host 16 in turn comprises a data exchange unit 18 and a connected security computer 20 ,

The third host 16 is, typically via the data exchange unit 18 , in this embodiment via a suitable data line with a fourth host 24 connected. The fourth host 24 should in turn ensure a fast data transfer with sufficient volume. It is therefore the same as the second host 14 shown. In fact, the fourth host can 24 and the second host 14 be constructed identically. Also at the fourth host 24 it can be the host of an internet service provider. About the fourth host 24 then the data traffic is handled with client computers, for example with the client shown 22 ,

It should be noted that in this embodiment, the fast traffic is also through the use of the second host 14 and the fourth host 24 comes about. Both hosts can be understood as conventionally designed hosts of Internet providers. It is therefore possible to use the services of Internet providers in an economically advantageous manner. It is also easily possible within the framework of this host system, for example, to change the Internet provider. The specific advantages of the host system are retained.

3 shows a third host system according to the invention. This is similar in its basic structure to the second presented host system according to the invention. Again, it includes a first host 12 , a second host 14 , a third host 16 and a fourth host 24 , The fourth host 24 This time, however, it is connected to a multiplicity of client computers, namely with client 22 , Client 26 and client 28 ,

The host system is shown in a configuration where the traffic to the clients is controlled. Due to the controlling influence of the safety computer 20 , is the traffic with client 22 still possible. Despite the indirect connection of the clients 26 and 28 over the fourth host 24 however, traffic with these clients is not fully possible. Traffic with client 28 is temporarily blocked. Such a temporary suppression of data traffic is conceivable, for example, while it is not clear whether a client is a disturber.

client 26 is shown as a permanently blocked client machine. Such a computer may clearly be considered a computer from which malware is distributed or which regularly attacks the host system. (A persisted computer is usually blocked for the duration of an IP address assignment.)

4 shows a schematic representation of the typical structure of a host 30 , The host 30 includes an input and output unit 32 , This is suitably connected to data lines for incoming and outgoing data. The input / output unit is controlled by the operating system 34 controlled. This operating system 34 also controls the other units of the host 30 , in particular the central processing unit (CPU) and also the at least one intended memory 38 ,

A host computer with the structure of the host 30 may be used both as the first host in the context of the present invention 12 as well as second host 14 or as a third host 16 or fourth host 24 serve. As a rule, the individual components presented are adapted to the respective task.

5 shows a schematic view of the structure of a host computer, as he especially as a third host 16 suitable is. This calculator can comprise two units, namely a unit corresponding to the host presented 30 equivalent. This unit can be connected to another unit, which serves as a safety computer 20 serves. Both units may have the featured basic modules.

The host 30 has the already introduced units, namely an input / output unit 32A , about an operating system 34A , via a central processing unit (CPU) 36A and at least one memory 38A , The security computer 20 has an input / output unit 32B as well as an operating system 34B and via a central processing unit 36B as well as a memory 38B ,

6 schematically shows the structure of records and a primary log file. Such a primary log file 40 includes a variety of records 42 , The creation and storage of a primary log file 40 is possible, but often not desired and not required. Their representation, however, is to understand the structure of records 42 and the creation of reference files useful. Shown here are a first record 42a , a second record 42b and a third record 42c , Each of these records comprises a plurality of information units. At least three information units are provided here. Accordingly, the first record comprises 42a a first information unit 44a , a second information unit 46a and a third information unit 48a , In a corresponding manner, at least three information units are provided in the other data sets.

A typical data record is also comprised of further information units, wherein 5 to 20 information units can be considered appropriate. The number of records 42 per primary log file 40 is much higher and can exceed 1000, 10,000 or 100,000 records.

A primary log file 40 This form can serve various purposes. It may be at the primary log file 40 Initially, the (temporary) recording of data traffic act. Such a primary log file 40 can be further processed, typically in the security computer. As already explained, it is possible to generate a reference file. In such a file typical distributions for certain parameters could be recorded. In such a file in the form of a statistics reference file, a particular information unit would be assigned a frequency distribution. Therefore, the file would have one record per information unit. The record would be called a Information unit specify the nature of the information unit, for example, that it is a time information. After the time information, data for the statistical distribution of the time unit would then be recorded in further information units. For example, there could be an equal distribution around a certain mean. Such an equal distribution could be characterized by an average and the standard deviation. In this case, the record in question might not have to contain more than three pieces of information.

A corresponding file is in 7 shown. The file also contains a large number of data records, shown are three data records 42a . 42b and 42c , The number of records would typically be the number of pieces of information in 6 correspond. That is, the length of a line in 6 would be the number of columns in 7 determine.

Each data record contains a parameter as the first information unit. Such a parameter typically corresponds to the first information unit 6 So, was there in the field 44a . 44b or 44c stored. As I said it can be z. B. may be a time parameter. As a further information unit of the data set, an average value M is shown. As additional information unit, a standard deviation (represented as "a") is shown.

In 8th is an acceptance interval reference file 52 shown. Such a file may look similar to the file 7 in a first field, contain a parameter representing an information unit 6 equivalent. For the three datasets shown 42a . 42b and 42c Parameters P1, P2 and P3 are shown. A minimum value and a maximum value can then be defined in the data record for each such parameter, for example a value P1-min and a value P1-max for the parameter P1. For example, if P1 describes the acceptable time interval for two consecutive queries, then P1-min could be 5 ms, and P1-max could be 10 ms, as long as a query is for traffic at the TCP / IP level. For higher level traffic, such as the application level, which is commonly described as the seventh OSI level, typical times are significantly longer. For example, the time interval for accessing web pages to a particular primary URL could be between at least 2 seconds and at most 1800 seconds.

9 shows a schematic representation of a fourth inventive host system. In this host system, a plurality of hosts are connected in parallel. It is a first host 12A provided, which with a second host 14A connected is. There is also a fifth host 12B provided, which with a sixth host 14B connected is. Furthermore, a seventh 12C provided, which with an eighth host 14C connected is. As the terms suggest, and as the graph shows, three strands of parallel hosts are created, all with the third host 16 be coupled. Thus, the first host, the fifth host, and the seventh host have substantially similar functions as the second host, the sixth host, and the eighth host have substantially similar functions.

The third host 16 again comprises a data exchange unit 18 and a security calculator 20 , This security computer can execute algorithms that are specifically adapted to the content data residing on the host 12A . 12B and 12C are stored.

Incidentally, in the host system in a known manner, a fourth host 24 provided, which with at least one client 22 connected (typically with many clients).

10 shows a schematic overview of a host system, which from the 9 essentially corresponds. Deviating from 9 this is just the third host 16 designed. This in turn should be a data exchange unit 18 exhibit. This data exchange unit 18 However, it is connected to three different security computers, the security computers 20A . 20B and 20C , These security computers can execute algorithms related to different host chains. For example, in the safety calculator 20A a security algorithm is performed, which is on the host chain 12a and 14a is tuned. Accordingly, the security computer could 20B perform an algorithm which is on the host chain 12b and 14b is tuned. Accordingly, the security computer 20C perform a security algorithm which is on the host chain 12c and 14c is tuned.

Overall, it can be seen how expediently a host system can be designed for the secure handling of data traffic.

LIST OF REFERENCE NUMBERS

10

host system

12

first host / host or server

14

second host / host or server

16

third host

18

Data exchange unit

20

computer security

22

client

24

fourth host

26

blocked client

28

temporarily blocked client

30

host

32

Input / output unit

34

operating system

36

Central processing unit (CPU)

38

Storage

40

(Primary) log file

42

record

44

first information unit

46

second information unit

48

third information unit

50

Statistics reference file

52

Acceptance interval reference file

Claims (16)

Host system ( 10 ) for offering Internet content in a network, the host system having at least one first host ( 12 ), a second host ( 14 ) and a third host ( 16 ), the first host ( 12 ) stores a plurality of Internet contents in content files and uses a plurality of URIs, wherein the URIs are arranged in a hierarchical system comprising at least one main URI and at least one sub-URI, and wherein each content file is assigned a URI and wherein the second host ( 14 ) with the first host ( 12 ) is connected to allow traffic and the second host ( 14 ) as outbound traffic content files due to a content file related query to another host, at least the third host ( 16 ), or a client ( 22 ) and the third host ( 16 ) a data exchange unit ( 18 ) which files to another host or client ( 22 ) and the third host ( 16 ) a security computer ( 20 ), which connects the data exchange unit ( 18 ) and which a log record ( 42 ), whereby the log record ( 42 ) comprises at least a first information unit, a second information unit and a third information unit, wherein the first information unit comprises an identification feature of a client or host computer, and the second information unit comprises a time reference related to the query and the third information unit comprises an identification feature of a content file or the associated URI includes, to which the query relates, and wherein the security computer ( 20 ) a reference file ( 50 . 52 ), which due to log data records ( 42 ) and comprises reference values for at least the first information unit, the second information unit and the third information unit, and on the third host ( 16 ) or the security computer ( 20 ) is stored. Host system ( 10 ) according to one of the preceding claims, in which the security computer ( 20 ) the transfer of data to another host or a client based on a comparison between at least one information unit of a log record ( 42 ) and a corresponding information unit of the reference file ( 50 . 52 ) can lock. Host system ( 10 ) according to claim 2, wherein a comparison between at least one information unit of a log data record ( 42 ), preferably an information unit related to the OSI level three or four of the network, and a corresponding information unit of an acceptance interval reference file ( 52 ) takes place. Host system ( 10 ) according to claim 2 or 3, in which a first comparison and a second comparison takes place and the first comparison between at least one information unit of a log data set ( 42 ) and a corresponding information unit of a reference file ( 50 . 52 ) and, based on the first comparison, a measure is calculated, and in the second comparison, the measure is compared to a threshold and the passing of data to another host or client can be disabled based on the second comparison. Host system ( 10 ) according to claim 4 or 5, wherein the first comparison between at least one information unit of a log data set ( 42 ) and a corresponding information unit of a statistics reference file ( 50 ) takes place. Host system ( 10 ) according to claim 4 or 5, wherein the threshold depends on a property of the second host or the data traffic leaving the second host. Host system ( 10 ) according to one of the preceding claims, in which at least two, preferably all host computers are physically separated. Host system ( 10 ) according to one of the preceding claims, in which the third host ( 16 ) is further connected to a data store containing at least some of the content files of the first host ( 12 ) also saves. Host system ( 10 ) according to one of the preceding claims, wherein the first information unit comprises a value obtained from the IP address by a control value function. Method for operating a host system ( 10 ) for offering Internet content in a network, comprising the steps of: a. Provision of a host, which acts as a third host ( 16 ) with a first host ( 12 ) and with a second host ( 14 ) can be coupled b. Coupling the third host ( 16 ) with a second host ( 14 ), where the second host ( 14 ) with a first host ( 12 ) and wherein the first host ( 12 ) stores a plurality of Internet contents in content files and uses a plurality of URIs, wherein the URIs are arranged in a hierarchical system comprising at least one main URI and at least one sub-URI, and wherein each content file is assigned a sub-URI and where the second host ( 14 ) with the first host ( 12 ) is connected to allow traffic and the second host ( 14 ) as outbound traffic content files due to a content file related query to another host, at least the third host ( 16 ), or a client ( 22 ) c. Mediate traffic from a client ( 22 ) or host over the third host ( 16 ) and the second host ( 14 ) to the first host ( 12 d. Registration of data traffic, in particular by creating log data records for data traffic and creating a reference file ( 50 . 52 ) with traffic information units on the third host ( 16 ) or an associated security computer ( 20 e. Update the reference file ( 50 . 52 ) due to log records f. Traffic control using the reference file ( 50 . 52 ) Method according to the preceding claim, in which additionally a connection with a fourth host is provided and the fourth host with a client computer ( 22 ) connected is Method according to Claim 10 or 11, in which the data traffic between the third host ( 16 ) and the second host ( 14 ) and the reference file ( 50 . 52 continue on the third host ( 16 ) or an associated security computer ( 20 ) is stored. Method according to the preceding claim, in which the data traffic is transmitted to the third host ( 16 ) and the second host ( 14 ) is resumed and the transfer of files to another host or client ( 22 ) immediately after the resumption of data traffic using the data of the reference file ( 50 . 52 ) is controlled. Method according to one of the preceding claims, in which the third host ( 16 ) alternatively or additionally with a fifth host ( 12B ) and a sixth host ( 14B ), the sixth host ( 14B ) parallel to the second host ( 14 ) and the fifth host ( 12B ) to the sixth host ( 14B ) is coupled. The method of claim 14, wherein also the traffic from the fifth host via the sixth host to the third host using at least some information units of the reference file ( 50 . 52 ) is controlled. Method according to Claim 15, in which the security computer ( 20 ) the transfer of data to another host or a client based on a comparison between at least one information unit of a log record ( 42 ) and a corresponding information unit of the reference file ( 50 . 52 ) and in which a first comparison and a second comparison takes place and the first comparison between at least one information unit of a log data record ( 42 ) and a corresponding information unit of a reference file ( 50 . 52 ) and, based on the first comparison, a measure is calculated, and in the second comparison, the measure is compared to a threshold and the passing of data to another host or client can be disabled and, for the traffic between the fifth host calculates a new threshold over the sixth host.

Images