EA039876B1 - Method and system for sonification of cybersecurity events - Google Patents

Abstract

The invention relates to the field of computer technology, in particular to a method and system for sonification of cyber security events. The technical result is to increase the efficiency of response to emerging cyber security events in network zones through the use of an event sonification plan formed by the network protection tools based on the statistical characteristics of connections between corporate network nodes in a given time interval. The claimed result is achieved due to a computer-implemented method of sonification of cyber security events generated by network protection tools, implemented using a processor in which cyber security event data is collected, including IP addresses of network exchange nodes, network ports, time of connections between the nodes and reaction of network protection tools to the mentioned connections; the received cyber security events are aggregated by various criteria in accordance with the selected sonification model, and statistical characteristics of aggregated events are calculated in a given time interval; an event sonification plan is generated based on the mentioned statistical characteristics of connections between the network nodes, while the said plan is formed in accordance with one of the proposed sonification models: sound source - network zone, number of connections in the network zone - volume of the sound source, deviation from the average value in the time interval – frequency of repetition of the sound from the mentioned source in the time interval, ratio of blocked and allowed connections for each zone - timbre/pitch of the sound from the source; and then sound alerts are generated for incoming cyber security notifications in accordance with the mentioned sonification plan.

Description

Technical field

The proposed technical solution, in general, relates to the field of computer technology, and in particular to a method and system for the sonification of cybersecurity events.

State of the art

With the development of the technical level in the field of data processing, which require a prompt response to a transient change in their states, a new method has been formed that allows you to analyze various processes based on the use of auditory display of information, in which the data obtained during the measurement or control of various processes can be converted into sound vibrations, which makes it possible to register them through sound channels of perception.

This approach is called sonification and is currently used in many scientific fields as an alternative to the visual presentation of data, allowing you to generate sound alerts associated with a change in the state of controlled processes. At the same time, the main advantages are the ability to process and respond to a large number of parallel information flows in real time, as well as the rapid detection of changes in critical parameters, which is especially critical in processing cybersecurity event processes.

The most important criterion for sonification is the construction of an audio scheme for the specific task of identifying and notifying given types of events. As a rule, the sound scheme relies on a number of parameters to form the sonification of events, for example, the parameters of sounds, the amount of data, their connectivity, etc.

Information tends to grow. Each new virtual entity of an individual initializes new connections with other entities, receives and sends data, initializes various processes, that is, carries out information activity leading to data growth. An increase in the volume of data storages and a decrease in the cost of their storage leads to the fact that the general trend of interaction with information systems can be expressed as saving everything instead of saving this fragment. The thesis about informational saturation (saturation) of the visual channel of perception is indisputable. Whether it is a customer in a supermarket or an operator of a situational center, a person is forced to pay attention to more and more visually displayed data that falls into the field of view and / or separate their presentation in time, thereby increasing the processing time of this data. This leads to a number of well-known problems - from increased fatigue and a decrease in labor efficiency to the occurrence of critical errors in the decision-making process. Against this background, the problems associated with the combination of various data intensify.

Currently, sonification methods are widely used in various fields, including medicine, aviation and complex systems management, media art, business analytics, seismography, assistive technologies for the visually impaired, and astronomy [1].

From the existing prior art, various approaches are known for the sonification of observed data. For example, analysis of network activity using the SonSTAR software allows you to generate sound alerts based on the analysis of network activity streams by filtering the data of transmitted packets [2]. From patent US 7511213 B2 (Soft Sound Holdings LLC, 03/31/2009) the principle of sonification of these changes in the securities market is known by constructing a mapping scheme for sounds to generate alerts based on the parameters of dynamic market changes, for example, fluctuations in exchange rates, stock prices, etc. P. Existing approaches are not suitable for analyzing cybersecurity events in terms of detecting network anomalies and forming an audio environment based on statistical data of connections between nodes, aggregated according to certain characteristics.

Disclosure of invention

The present invention is aimed at solving a technical problem, which consists in creating a new principle of cybersecurity event sonification, which allows more efficient and timely identification of network anomalies in a corporate network.

The technical result is to increase the efficiency of response to emerging cybersecurity events in network zones through the use of an event sonification scheme generated by network protection tools based on the statistical characteristics of connections between corporate network nodes in a given time interval.

The claimed result is achieved due to a computer-implemented method for sonifying cybersecurity events generated by network protection tools, which is performed using a processor and contains the steps at which cybersecurity event data is collected, which include IP addresses of network exchange nodes, network ports, execution time connections between nodes and the reaction of network protection tools to the mentioned connections;

aggregate the received cybersecurity events by various criteria in accordance with the selected sonification model and calculate the statistical characteristics of the aggregated events in

- 1 039876 given time interval;

an event sonification scheme is generated based on the mentioned statistical characteristics of connections between network nodes, and the said scheme is formed in accordance with one of the proposed sonification models: sound source - network zone, number of connections in the network zone - volume of the sound source, deviation from the average value in the time interval - the frequency of repetition of the sound of the mentioned source in the time interval, the ratio of blocked and allowed connections for each zone - the timbre / pitch of the sound of the source;

generating sound alerts for incoming cybersecurity notifications in accordance with said sonification scheme.

In one of the particular embodiments of the method, the aggregated network connections are additionally visualized in real time.

In another particular embodiment of the method, visualization is performed synchronously with the formation of sound alerts.

In another particular embodiment of the method, an audio alert and/or visualization of network zones is transmitted to the user's mobile device.

In another particular embodiment of the method, the source is selected from the group: musical instrument, environmental sounds, animal sounds, nature sounds, synthesized sounds, or combinations thereof.

The claimed result is also achieved through a system for sonifying cybersecurity events generated by network protection tools, which contains at least one processor and at least one data storage medium containing machine-readable instructions that, when executed by the processor, perform the above described method.

Other, private aspects of the implementation of the claimed technical solution will be disclosed later in these application materials.

Brief description of the drawings

The features and advantages of the present invention will become apparent from the following detailed description of the invention and the accompanying drawings, in which:

fig. 1 illustrates the general scheme of the claimed solution;

fig. 2 illustrates a flowchart for processing cybersecurity events for their sonification;

fig. 3 illustrates the scheme of cybersecurity events sonification when divided into zones of network activity;

fig. 4 illustrates an example of the division of sound sources into zones of a corporate network;

fig. 5 and 6 illustrate variants of sonification models;

fig. 7 illustrates a view of the computing system.

Implementation of the invention

As shown in FIG. 1, the general scheme of the claimed solution includes a data transmission network (110), the connection between the sections of which is controlled by the network protection tool (120) of the corporate infrastructure. Network security tools (120) can be selected from various devices, for example, the NGFW PaloAlto firewall or any other suitable type of device that provides accounting for audit log events (130) related to the initiation of connections and network interaction of hosts on a corporate network with each other and with external hosts.

The firewall audit log (130) contains cybersecurity events that include data about network connections, such as the time of the event, the source IP address, the destination IP address, the action of the firewall (whether the connection was blocked or allowed by the firewall). Under the data transmission network, the Internet information network can be used, formed by various known protocols and principles of organizing communication, for example, WAN, PAN, WLAN, LAN, etc.

The cybersecurity event data from the audit log (130) is fed to a processing device (200) based on a personal computer, which provides data processing to carry out the information sonification process.

The device (200) contains a preprocessing module (210) that enriches the data received from network protection tools (120), a sonification module (220) that generates sound alerts according to the set sound scheme, a sound database (230) containing sound sources for generating sound alerts, a visualization module (240) that performs visualization of cybersecurity event data.

In FIG. 2 presents the method steps for sonifying cybersecurity events. The first step (301) collects audit log events (130) of the firewall (120). The received data using the preprocessing module (210) is aggregated taking into account the time stamp in accordance with the selected sonification scheme and enriched with additional information, for example, whether the IP address belongs to a certain network zone of the corporate network, the presence of the IP address and/or network port in the black list IP addresses and/or network ports. The preprocessing module (210) can be executed in Python and, in a particular variant, represent a module based on machine algorithms.

- 2 039876 training, for example, a neural network that overlays the sonification scheme on the generated set of statistical characteristics from network security tools (120) to generate sound alerts on network activity anomalies.

Depending on the data received from the network protection means (120), at step (301), the statistical characteristics of the connections (302) are calculated, on the basis of which a decision is then made to apply the selected data sonification and visualization scheme at step (303) for the subsequent formation of the sound environment in real time scale (304).

In FIG. 3 shows an example of the scheme of the claimed solution, in which the information to be sonified is distributed over the zones of the corporate network (400). As shown in FIG. 4 for each network zone (4001-4004) and a given time interval (which can be set as needed 1,3,5,10 sec, etc.) a unique sound source (I1-I4) is assigned, which allows identifying each of the zones (4001-4004).

In this sonification scheme, the statistical characteristics of connections are determined using the preprocessing module (210), which represent the total number of network connections in each of the zones (4001-4004) of the corporate network (400) in one time interval (in accordance with the selected aggregation interval ( 1, 3, 5, 10 s)), the ratio of blocked and allowed connections, the deviation of the current value of the number of connections from the average number of connections for the given network zone, the ratio of the number of connections from the given zone to the total number of connections, the number of zones with which connections are established from this zone.

These statistics are then passed to the sonification module (220) and the visualization module (240) to perform the step including data sonification and visualization (303). In the sonification step (303), the statistics obtained in step (302) for each network area (110) are processed with the generated audio schema. The sound scheme is built as follows: the sound source is the network zone, the number of connections in the network zone is the volume of the sound source, the deviation from the average value in the time interval is the repetition frequency of the sound of the mentioned source in the time interval, the ratio of blocked and allowed connections for each zone is timbre / source pitch.

The sound source is selected from various kinds of sound representations stored in the database (230) and assigned to each of the zones (4001-4004). Such representations can be, for example, a musical instrument, environmental sounds, animal sounds, nature sounds, synthesized sounds, or combinations thereof. The list of sound representations is not limited to the examples given and can be extended.

The sound source is superimposed on the generated sonification scheme to generate sound alerts (304) on recorded anomalies in the data network (110). Anomalies are understood as abrupt changes in observed statistical characteristics (a sharp change in the number of connections in a certain area, a change in the ratio of blocked and allowed connections, a strong deviation from the average value of the number of connections in a given area), which can signal a security incident or the functioning of IT systems. Anomaly sonification allows more explicit and/or earlier notification of the occurrence of such events and improves the efficiency and responsiveness of operators monitoring network activity.

For example, certain changes in network activity in the data network (110) can signal an incipient DDoS attack, a massive virus infection, malfunctioning protection tools, and so on. Taking into account the fact that in a large network infrastructure even one network protection tool (130) can generate tens of thousands of events per second, with the use of sonification, the operator is able to quickly identify an anomalous one subset of them, which requires more detailed study for threats. The visualization module (240) allows you to additionally generate images based on emerging anomalies in the network connections of the data network (110). Module (240) can be implemented, for example, on the Unity engine, which provides various types of generation of visually perceptible information on emerging cybersecurity events. Visualization of the statistical characteristics of data network connections (110) can be formed simultaneously with sound alerts.

The audible alerts generated by the sonification circuit in step (304) are output using standard means of the operator's workstation, such as headphones. Sound alerts can also be sent to operators on personal mobile devices or other types of wearable devices such as smart watches. The device (200) that provides data sonication can be implemented as a server and contain information with the assignment of observed anomalies to operator profiles, which allows generating sound alerts to the required employees. The transmission of such information is carried out by means of wireless communication, such as Bluetooth, Wi-Fi, etc. In another particular variant, the cybersecurity event sonification scheme can be formed on the basis of statistical characteristics determined based on the analysis of network connection transport protocol data. In FIG. 5 is a flowchart for executing a cybersecurity event sonification process using a network protocol analysis sonification model (500). At the first stage (501), data pre-processing is performed, in which events are aggregated according to the involved transport protocol (TCP / UDP / ICMP), and the presence of IP addresses and network ports is checked from security events in blacklists of IP addresses and ports. Blacklists contain malicious and dangerous IP addresses (as a rule, hosts on the Internet that are involved in malicious activity such as phishing, spam, malware distribution, etc.) and ports, the use of which may indicate infection of a corporate network host with malware.

At step (502) for each transport protocol, statistical characteristics are calculated: the number of connections per unit of time; deviation from the average value of the number of connections for a particular transport protocol.

For blacklisted IP addresses and ports, the presence of blacklisted IP addresses and ports in each time interval is calculated.

Generation of an audio environment using the sonification scheme at step (503), while if it is determined that the data received from the security tool (120) contains IP addresses and / or ports of network connections from the black list, then for such IP addresses or ports are assigned a separate audio source to identify them in the general data stream (504).

The sonification model in step (503) is performed as follows. For transport protocols:

transport protocol - separate instrument/sound source;

the relative number of connections using a particular transport protocol; the volume of the sound source;

deviation from the average value of the number of connections for a particular transport protocol - timbre/pitch of the sound source.

For blacklisted IP addresses and network ports:

the presence of an IP address / network port in the black list - instrument / sound source (a separate tool for IP addresses and for network ports);

number of blacklisted IP addresses/ports in one time interval - volume levels of the instrument/sound source (where zero volume means no blacklist entries in the given time interval).

Below is an example of the formation of a sound environment using the above sonification model (500):

TCP protocol - tree leaves rustling in the wind (left);

protocol UDP - noise waves (right);

ICMP protocol - wind whistle (left);

IP address from the black list - overflows / chimes in the style of a wind catcher (left);

blacklisted network port - ship horn (right).

Also, another example of a sonification model as shown in FIG. 6 may be an aggregation analysis by the action of the protection agent (600). The pre-processing step (601) performs event aggregation by firewall action type (allow/deny/alert/drop/reset) and checks for the presence of IP addresses and network ports from security events in the blacklists of IP addresses and ports. Blacklists contain malicious and dangerous IP addresses (as a rule, hosts on the Internet that are involved in malicious activity such as phishing, spam, malware distribution, etc.) and ports, the use of which may indicate infection of a corporate network host with malware.

For each transport protocol, statistics are calculated (602): the number of connection attempts with a given security action per unit of time; deviation from the average value of the number of connections for a specific action of the protection tool.

For blacklisted IP addresses and ports, the presence of blacklisted IP addresses and ports in each given time interval is calculated.

Generation of sound environment using the sonification scheme at step (603), while if it is determined that the data received from the protection tool (120) contains IP addresses and / or ports of network connections from the black list, then for such IP addresses or ports are assigned a separate audio source to identify them in the general data stream (604). The sonification model in step (603) is performed as follows:

type of action of the network tool - a separate instrument / sound source;

the relative number of connection attempts with the given action of the firewall; the volume of the sound source;

deviation from the average value of the number of connections for a specific action of the protective equipment - timbre/pitch of the sound source.

For blacklisted IP addresses and network ports:

the presence of an IP address/network port in the black list - instrument/sound source (separate tool for IP addresses and network ports);

number of blacklisted IP addresses/ports in one time interval - volume levels of the instrument/sound source (where zero volume means no blacklist entries in the given time interval).

The following is an example of the formation of a sound environment using the above sonification model (600):

action allow (allow) - the rustle of the leaves of the trees from the wind (right);

action deny (reject) - the sound of burning fireworks (left);

action alert (alarm) - crickets, rarely bird (left) action drop (dropping) - sparrows and other birds (right) action reset (reset) - eagle owl (right) action undefined - (left) wind whistle;

ip-address from the black list - overflows, wind catcher (center);

blacklisted network port - bells (center).

The diagrams and examples of distribution of sound sources shown are only for the purpose of showing one of the examples of sound environment formation.

In FIG. 7 shows an example of a general view of a computing system (700) based on a computing device that provides the implementation of the claimed method. The computing device may be a computing device capable of executing sonication and data processing functionality, such as a personal computer, laptop, smartphone, tablet, server, or the like. The device (200) may be a particular embodiment of the computing system (700). In the general case, the system (700) contains one or more processors (701), memory devices such as RAM (702) and ROM (703), input / output interfaces (704), input / output devices connected by a common information exchange bus (710), output (705) and a device for networking (706).

The processor (701) (or multiple processors, multi-core processor) may be selected from a variety of devices currently widely used, such as Intel™, AMD™, Apple™, Samsung Exynos™, MediaTEK™, Qualcomm Snapdragon™, etc. . Under the processor, it is also necessary to take into account a graphic processor, for example, an NVIDIA or ATI GPU, which is also suitable for the complete or partial execution of the data processing and sonification method. In this case, the memory means can be the available memory capacity of the graphics card or graphics processor.

RAM (702) is a random access memory and is designed to store machine-readable instructions executable by the processor (701) to perform the necessary data logical processing operations. The RAM (702) typically contains the executable instructions of the operating system and associated software components (applications, program modules, and the like).

ROM (703) is one or more persistent storage devices such as a hard disk drive (HDD), a solid state drive (SSD), flash memory (EEPROM, NAND, etc.), optical storage media (CD-R /RW, DVD-R/RW, BlueRay Disc, MD), etc.

Various types of I/O interfaces (704) are used to organize the work of the components of the computing system (700) and organize the work of external connected devices. The choice of appropriate interfaces depends on the particular design of the computing device, which can be, but not limited to: PCI, AGP, PS/2, IrDa, FireWire, LPT, COM, SATA, IDE, Lightning, USB (2.0, 3.0, 3.1, micro, mini, Type C), TRS/Audio jack (2.5, 3.5, 6.35), HDMI, DVI, VGA, Display Port, RJ45, RS232, etc.

To ensure user interaction with the computing system (300), various means (705) of I/O information are used, for example, a keyboard, a display (monitor), a touch screen, a touchpad, a joystick, a mouse, a light pen, a stylus, a touchpad, trackball, speakers, microphone, augmented reality tools, optical sensors, tablet, indicator lights, projector, camera, biometric identification tools (retinal scanner, fingerprint scanner, voice recognition module), etc.

The networking means (706) enables the communication of data by the system (300) via an internal or external computer network, such as an Intranet, Internet, LAN, or the like. As one or more means (706) can be used, but not limited to: Ethernet card, GSM modem, GPRS modem, LTE modem, 5G modem, satellite communication module, NFC module, Bluetooth and / or BLE module, Wi-Fi module and others

Additionally, satellite navigation tools as part of the system (400) can also be used, for example, GPS, GLONASS, BeiDou, Galileo.

Modifications and improvements to the above described embodiments of the present technical solution will be clear to experts in this field of technology.

The foregoing description is provided by way of example only and is not intended to be limiting in any way. Thus, the scope of the present technical solution is limited only by the scope of the appended claims.

Sources of information:

1. Rogozinsky G.G. Models and methods of sonification of cyber-physical systems / Dissertation, St. Petersburg, St. Petersburg State University of Telecommunications. prof. M.A. BonchBruevich, 2019

2. Debashi M, Vickers P (2018) Sonification of network traffic flow for monitoring and situational awareness. PLoS ONE 13(4): e0195948. https://doi.org/10.1371/journal.pone.0195948.

Claims (6)

1. A computer-implemented method for sonifying cybersecurity events generated by network protection tools, performed using a processor and containing the steps at which cybersecurity event data is collected, which include IP addresses of network exchange nodes, connection time between nodes and the reaction of means network protection on the mentioned connections; aggregate received IP addresses according to belonging to data network zones and calculate statistical characteristics of connections between nodes of each aggregated network zone in a given time interval; an event sonification scheme is generated based on the mentioned statistical characteristics of connections between network nodes, and the mentioned scheme is formed as: sound source - network zone, number of connections in the network zone - volume of the sound source, deviation from the average value in the time interval - sound repetition frequency of the mentioned source in the time interval, the ratio of blocked and allowed connections for each zone - timbre/pitch of the sound of the source; generating sound alerts for incoming cybersecurity notifications in accordance with said sonification scheme. 2. The method according to claim 1, characterized in that the network zones and connections between them are additionally visualized in real time. 3. The method according to claim 2, characterized in that the visualization is performed synchronously with the formation of sound alerts. 4. The method according to any one of claims 1 to 3, characterized in that the sound notification and/or visualization of the network zones is transmitted to the user's mobile device. 5. The method according to claim 1, characterized in that the source is selected from the group: musical instrument, environmental sounds, animal sounds, nature sounds, synthesized sounds, or combinations thereof. 6. A system for sonicating cybersecurity events generated by network protection tools, comprising at least one processor and at least one data storage medium containing machine-readable instructions that, when executed by the processor, perform the method according to any one of paragraphs. 1-5.