EP3055975A1 - Method and devices for detecting autonomous self-propagating software - Google Patents
Method and devices for detecting autonomous self-propagating software
- Publication number
- EP3055975A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- indicator
- network
- unit
- behavior
- arithmetic unit
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/18—Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
Definitions
- Known types of malware include viruses, worms, Trojan horses, rootkits and spyware.
- Malicious code can be distributed via e-mail, web sites, file downloads and file sharing, as well as via peer-to-peer software, instant messaging and direct manual manipulation of computer systems.
- Protected special networks are computer networks that are separated from other networks, such as office networks and the Internet, by suitable technical measures such as a firewall or an air gap. Examples of the systems considered are industrial control systems, e.g. in critical infrastructures, or systems for processing sensitive data.
- An example of a special network is the automation network of a production line, in which the manufacturing robots are the security-critical systems.
- Decoupling from the public network protects the special network against a malware attack launched from the public network; in addition, traditional security mechanisms such as anti-virus software are also used on the security-critical systems within the special network.
- The invention relates to a method for detecting autonomous, self-propagating malware in at least one first computing unit in a first network, the first network being coupled to a second network via a first connection, comprising the following method steps: a) generating at least one first indicator that specifies a first behavior of the at least one first computing unit;
- The method can be applied universally to any type of autonomous, self-propagating malware, so that a high detection rate can be achieved even for previously unknown malware of this type.
- The term behavior is understood to mean one or more activities that the respective first or second computing unit performs, such as writing or reading data or specific file names to or from a memory unit assigned to that computing unit, or starting, pausing, stopping or terminating processes, e.g. processes with specific names or identifiers.
- The behavior can describe a state of the respective computing unit at a specific point in time, or the associated activities and/or changes in those activities over a period of time.
- The invention also relates to a device for detecting autonomous, self-propagating malware in at least one first computing unit in a first network, the first network being couplable to a second network via a first connection, comprising the following units:
- first unit for generating at least one first indicator that specifies a first behavior of the at least one first computing unit
- fourth unit for generating at least one correlation result by correlating the at least one first indicator with the at least one second indicator
- fifth unit for outputting a notification signal if the comparison of the correlation result with the definable threshold value shows that the threshold is exceeded.
- The first unit and the second unit generate the at least one first indicator and the at least one second indicator at regular time intervals.
- The at least one first indicator represents a first type of behavior in a first time interval, and the at least one second indicator represents the first or another type of behavior in a second time interval, the second time interval lying before the first time interval.
- The office network NET2 is also referred to as the second network NET2.
- The second network is connected to the Internet INT via a second connection V2 by means of a DSL (Digital Subscriber Line) modem.
- The respective second computing units in this example are networked together by means of a LAN.
- The service employee wants to load new welding software into the control unit RE1.
- A mobile storage medium V1, e.g. a USB stick, is used for this.
- The USB stick is used for data transmission from the second computing unit of the second network to the first computing unit in the first network.
- The mobile storage medium V1 thus provides a first connection V1 between the first network and the second network.
- Alternatively, the first connection may be a wired medium, e.g. a LAN connection.
- Transferring the new welding software to the control unit also copies the malware BD into the control unit of the welding robot RE1.
- The work PC RE2 and the welding robot RE1 are monitored.
- The first indicator I1 includes, for example, the following file names:
- Those file names or items of information which, according to prior knowledge, belong to the operating system used on the respective computing unit and/or to non-malicious software programs installed on it are removed from the first and/or second indicator I1, I2 by the first or second computing unit or by the correlation component.
- After their initial installation, the first and second computing units are free of autonomous, self-propagating malware.
- The lists for the first and second indicator are generated over 2 days.
- Base lists are generated in the respective computing unit and/or in the correlation component from at least part of the information contained in the respective indicator.
- The first exclusion list for the first indicator includes the file names "D1519.exe" and "G011A.exe";
- the second exclusion list for the second indicator includes the file name "N4711.exe". After these are removed, "XXXX.exe" remains for the first indicator I1, and "MCHP.exe", "DD22DD0a.exe", "XXXX.exe" and "D55.exe" remain for the second indicator I2.
- The checking of the information in this indicator takes place analogously to the embodiment above.
- The respective indicators show which file names have been newly written to the respective computing unit, rewritten and/or changed within a considered period, e.g. one minute.
- The malware is detected if identical file names appear in both indicators.
- The frequency of occurrence of specific processes can be monitored in the respective computing units RE1 and RE2 and transmitted as information, in the form of the first and second indicators I1, I2, to the correlation component KK.
- The first indicator I1 includes, for example, the following process names and their frequencies:
- In step S3 the first indicator and the second indicator are transmitted to a correlation component.
- In step S4 the correlation result is generated by correlating the first indicator with the second indicator.
- In step S5 the correlation result is compared with a definable threshold. If the threshold is not exceeded, the method proceeds to step S7. If the
- In step S7 it is checked whether a predetermined time interval has expired. If it has, step S8 takes place; if not, step S2 takes place. This loop X is run through until the predetermined time interval, e.g. 1 minute, has expired.
- third unit E3 for transmitting the at least one first indicator and the at least one second indicator to a correlation component
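The indicator generation, exclusion lists, correlation and threshold comparison described in the definitions above (file names written per interval and process-name frequencies on RE1 and RE2, base lists built during a clean period, a second indicator that may lie in an earlier interval, a notification when the correlation result exceeds a definable threshold), as an added Python example. This is illustration code written for this page, not code from the patent or from Siemens. The sample file names are the ones quoted in the patent's example; the scoring metric (number of shared names), the lookback window, the threshold value, the process counts and the interval numbers are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Indicator:
    """Behaviour of one computing unit during one time interval."""
    unit: str                                  # "RE1" (robot controller, NET1) or "RE2" (work PC, NET2)
    interval: int                              # index of the interval, e.g. minute number (constructed)
    files: set = field(default_factory=set)    # file names newly written, rewritten or changed
    processes: Counter = field(default_factory=Counter)  # process name -> number of occurrences


def build_exclusion_lists(baseline):
    """Exclusion (base) lists from indicators collected while the unit is known to
    be free of self-propagating malware; the patent collects them for 2 days."""
    files, procs = set(), set()
    for ind in baseline:
        files |= ind.files
        procs |= set(ind.processes)
    return files, procs


def reduce_indicator(ind, excl_files, excl_procs):
    """Drop entries explained by prior knowledge (operating system, installed software)."""
    return Indicator(
        ind.unit, ind.interval,
        {f for f in ind.files if f not in excl_files},
        Counter({p: n for p, n in ind.processes.items() if p not in excl_procs}),
    )


def correlate(first, second):
    """Correlation result: names present in both reduced indicators. Scoring by the
    number of shared names is a constructed choice; the patent fixes no metric."""
    common_files = first.files & second.files
    common_procs = set(first.processes) & set(second.processes)
    return {"files": common_files, "processes": common_procs,
            "score": len(common_files) + len(common_procs)}


def check_interval(first, second_history, threshold=0, lookback=3):
    """Correlate the current RE1 indicator with the RE2 indicators of the same and
    the preceding `lookback` intervals (the second indicator may precede the first).
    Returns the RE2 interval whose correlation exceeds the threshold, else None."""
    for second in second_history:
        if first.interval - lookback <= second.interval <= first.interval:
            if correlate(first, second)["score"] > threshold:
                return second.interval
    return None


# Constructed baseline: what each unit does when known clean. The excluded names
# are those quoted in the patent's example; the process counts are made up.
RE1_EXCL = build_exclusion_lists(
    [Indicator("RE1", 0, {"D1519.exe", "G011A.exe"}, Counter({"G011A.exe": 4}))])
RE2_EXCL = build_exclusion_lists(
    [Indicator("RE2", 0, {"N4711.exe"}, Counter({"N4711.exe": 2, "explorer.exe": 1}))])

# Constructed incident: at interval 5 the infected welding software (carrying XXXX.exe)
# is written on the work PC RE2; at interval 7 the USB stick lands it on the robot RE1.
RE2_HISTORY = [
    reduce_indicator(Indicator("RE2", 5,
                               {"N4711.exe", "MCHP.exe", "DD22DD0a.exe", "XXXX.exe", "D55.exe"},
                               Counter({"N4711.exe": 3, "XXXX.exe": 2})), *RE2_EXCL),
    reduce_indicator(Indicator("RE2", 6, {"N4711.exe"}, Counter({"N4711.exe": 1})), *RE2_EXCL),
]
RE1_NOW = reduce_indicator(Indicator("RE1", 7, {"D1519.exe", "G011A.exe", "XXXX.exe"},
                                     Counter({"G011A.exe": 5, "XXXX.exe": 1})), *RE1_EXCL)


def run_example():
    """Interval of the RE2 indicator that triggers the notification (5 here)."""
    return check_interval(RE1_NOW, RE2_HISTORY, threshold=0, lookback=3)


if __name__ == "__main__":
    print("reduced I1:", sorted(RE1_NOW.files), dict(RE1_NOW.processes))
    print("reduced I2:", sorted(RE2_HISTORY[0].files), dict(RE2_HISTORY[0].processes))
    print("correlation:", correlate(RE1_NOW, RE2_HISTORY[0]))
    print("notification for RE2 interval:", run_example())
```

After reduction only "XXXX.exe" survives on RE1, and it is also among the four names that survive on RE2 two intervals earlier, so the correlation exceeds a threshold of 0 and the notification is raised for RE2 interval 5. The caveat a practitioner should keep in mind is that this indicator correlates exact names: a dropper that renames itself on every host produces no shared file name, which is one reason the page also proposes process-frequency behaviour as a second indicator type; in a real deployment, hashing the written files rather than comparing their names is the obvious strengthening.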
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Virology (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Medical Informatics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE102014201592.8A DE102014201592A1 (de) | 2014-01-29 | 2014-01-29 | Method and devices for detecting autonomous, self-propagating software |
PCT/EP2015/050743 WO2015113836A1 (fr) | 2014-01-29 | 2015-01-16 | Method and devices for detecting autonomous self-propagating software |
Publications (1)
Publication Number | Publication Date |
---|---|
EP3055975A1 (fr) | 2016-08-17 |
Family
ID=52354984
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP15700477.1A Withdrawn EP3055975A1 (fr) | 2014-01-29 | 2015-01-16 | Method and devices for detecting autonomous self-propagating software |
Country Status (5)
Country | Link |
---|---|
US (1) | US20170041329A1 (fr) |
EP (1) | EP3055975A1 (fr) |
CN (1) | CN106416178A (fr) |
DE (1) | DE102014201592A1 (fr) |
WO (1) | WO2015113836A1 (fr) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10491467B2 (en) * | 2014-05-23 | 2019-11-26 | Nant Holdings Ip, Llc | Fabric-based virtual air gap provisioning, systems and methods |
US10454950B1 (en) * | 2015-06-30 | 2019-10-22 | Fireeye, Inc. | Centralized aggregation technique for detecting lateral movement of stealthy cyber-attacks |
US11182476B2 (en) * | 2016-09-07 | 2021-11-23 | Micro Focus Llc | Enhanced intelligence for a security information sharing platform |
US20220327219A1 (en) * | 2019-08-30 | 2022-10-13 | First Watch Limited | Systems and methods for enhancing data provenance by logging kernel-level events |
Family Cites Families (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7246156B2 (en) * | 2003-06-09 | 2007-07-17 | Industrial Defender, Inc. | Method and computer program product for monitoring an industrial network |
US7761923B2 (en) * | 2004-03-01 | 2010-07-20 | Invensys Systems, Inc. | Process control methods and apparatus for intrusion detection, protection and network hardening |
US8549642B2 (en) * | 2010-01-20 | 2013-10-01 | Symantec Corporation | Method and system for using spam e-mail honeypots to identify potential malware containing e-mails |
DE102010008538A1 (de) | 2010-02-18 | 2011-08-18 | zynamics GmbH, 44787 | Method and system for detecting malware |
US20120311710A1 (en) * | 2011-06-03 | 2012-12-06 | Voodoosoft Holdings, Llc | Computer program, method, and system for preventing execution of viruses and malware |
US8839435B1 (en) * | 2011-11-04 | 2014-09-16 | Cisco Technology, Inc. | Event-based attack detection |
US9088606B2 (en) * | 2012-07-05 | 2015-07-21 | Tenable Network Security, Inc. | System and method for strategic anti-malware monitoring |
US20140173577A1 (en) * | 2012-12-19 | 2014-06-19 | Asurion, Llc | Patchless update management on mobile devices |
RU2522019C1 (ru) | 2012-12-25 | 2014-07-10 | Kaspersky Lab ZAO | System and method for detecting threats in code executed by a virtual machine |
US20160127417A1 (en) * | 2014-10-29 | 2016-05-05 | SECaaS Inc. | Systems, methods, and devices for improved cybersecurity |
JP2018081514A (ja) * | 2016-11-17 | 2018-05-24 | Hitachi Solutions, Ltd. | Malware analysis method and storage medium |
2014
- 2014-01-29 DE DE102014201592.8A patent/DE102014201592A1/de not_active Withdrawn
2015
- 2015-01-16 US US15/107,112 patent/US20170041329A1/en not_active Abandoned
- 2015-01-16 CN CN201580006491.3A patent/CN106416178A/zh active Pending
- 2015-01-16 WO PCT/EP2015/050743 patent/WO2015113836A1/fr active Application Filing
- 2015-01-16 EP EP15700477.1A patent/EP3055975A1/fr not_active Withdrawn
Non-Patent Citations (2)
Title |
---|
None |
See also the references of WO2015113836A1 |
Also Published As
Publication number | Publication date |
---|---|
DE102014201592A1 (de) | 2015-07-30 |
WO2015113836A1 (fr) | 2015-08-06 |
US20170041329A1 (en) | 2017-02-09 |
CN106416178A (zh) | 2017-02-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3278529B1 (fr) | | Attack detection method, attack detection device and bus system for a motor vehicle |
EP2975801B1 (fr) | | Method for detecting an attack on a computer network |
EP3097506B1 (fr) | | Method and system for obtaining and analysing forensic data in a distributed computer infrastructure |
EP2966828B1 (fr) | | Method for detecting an attack in a working environment connected to a communication network |
EP3055975A1 (fr) | | Method and devices for detecting autonomous self-propagating software |
EP3430558B1 (fr) | | Detecting a deviation between a security state of a computing device and a target security state |
DE102020112592A1 (de) | | Application-behaviour-based fingerprints |
WO2019052798A1 (fr) | | Method and device for detecting an attack on a serial communication system |
EP3122016B1 (fr) | | Automation network and method for monitoring the security of the transmission of data packets |
EP2954534B1 (fr) | | Device and method for detecting unauthorised manipulation of the system state of a control and regulation unit of a nuclear installation |
EP3286683A1 (fr) | | System and method for monitoring the integrity of a component delivered by a server system to a client system |
DE102017209806A1 (de) | | Method and device for detecting attacks on a fieldbus |
DE202015004439U1 (de) | | Monitoring device and network participant |
EP3486825A1 (fr) | | Method and device for the computer-aided determination of the severity of a detected integrity violation |
EP3726309A1 (fr) | | Method and system for monitoring the current integrity state of a distributed automation system |
EP4329242A1 (fr) | | Method and system arrangement for proactively establishing a security configuration |
EP4372589A1 (fr) | | Monitoring system for testing the integrity of a downstream system |
DE10055118A1 (de) | | Disclosing method for monitoring executable or interpretable data in digital data-processing systems by means of hardware devices |
DE102022204710A1 (de) | | Intrusion detection in computer systems |
WO2024088790A1 (fr) | | Method and system for environment-dependent, security-related anomaly detection for a container instance |
DE102021210902A1 (de) | | Techniques for detecting an intrusion into a bus system |
EP4213050A1 (fr) | | Automatic and secure relocation of at least one container instance |
EP4142212A1 (fr) | | Automation system with at least one component having at least one application, and production installation |
EP3993317A1 (fr) | | Measurement system, communication component, device, method and computer program for a communication component of a measurement system for synchronising access data |
Bauer | | Investigation of the possibilities of operating honeypots to emulate internet-capable control devices in building automation |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PUAI | Public reference made under article 153(3) EPC to a published international application that has entered the European phase | Free format text: ORIGINAL CODE: 0009012 |
2016-05-12 | 17P | Request for examination filed | |
| AK | Designated contracting states | Kind code of ref document: A1; Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
| AX | Request for extension of the European patent | Extension state: BA ME |
| DAX | Request for extension of the European patent (deleted) | |
| RAP1 | Party data changed (applicant data changed or rights of an application transferred) | Owner name: SIEMENS AKTIENGESELLSCHAFT |
2018-10-09 | 17Q | First examination report despatched | |
| STAA | Information on the status of an EP patent application or granted EP patent | Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
2020-08-27 | 18D | Application deemed to be withdrawn | |