EP3732844A1 - Intelligent defense and filtration platform for network traffic - Google Patents
Intelligent defense and filtration platform for network trafficInfo
- Publication number
- EP3732844A1 EP3732844A1 EP17832511.4A EP17832511A EP3732844A1 EP 3732844 A1 EP3732844 A1 EP 3732844A1 EP 17832511 A EP17832511 A EP 17832511A EP 3732844 A1 EP3732844 A1 EP 3732844A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- network
- network packets
- features
- computer
- packets
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N20/00—Machine learning
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
- G06F18/243—Classification techniques relating to the number of classes
- G06F18/2433—Single-class perspective, e.g. one-against-all classification; Novelty detection; Outlier detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
Definitions
- the disclosed various example embodiments relate generally to computer network security and to improved systems and methods for automatically identifying and preventing cyber attacks on communication networks and cloud services.
- IoT Internet of Things
- the embodiments disclosed herein are directed to various examples of improved cyber attacks systems and methods for detecting and preventing cyber-attacks on communication networks.
- the systems and methods provide a hybrid anomaly detection module (HADM) that uses a combination of linear algorithms and learning algorithms.
- the linear algorithms filter and extract distinctive attributes and features of the cyber-attacks and the learning algorithms use these attributes and features to identify new types of cyber-attacks.
- learning algorithms such as algorithms that employ neural networks and genetic search algorithms, have better detection accuracy when they are used along with linear algorithms, such as algorithms that employ Support Vector Machine (SVM), Decision Tree or Fuzzy Rule logic.
- SVM Support Vector Machine
- Decision Tree Fuzzy Rule logic
- the HADM may comprise several processing components in some embodiments, such as a protocol analyzer, linear and learning algorithms, validator and database, and other components. These processing components may be implemented as software, hardware, or a combination of software and hardware depending on the particular application.
- the components are deployed in conjunction with one another to filter packets on the communication networks, such as mobile networks, for certain network protocols that are known or considered to be vulnerable to cyber-attacks. This allows the HADM to expend a smaller amount of processing resource on other network protocols, such as streaming protocols, that are not normally vulnerable and thus not typically targeted by cyber-attackers.
- the ability of the HADM to focus on vulnerable network protocols helps avoid burdening network servers with unnecessary computational load.
- the protocol analyzer component functions to filter the network packets and identify suspected protocols. For certain suspected attacks, such as DoS (denial of service) attacks, the protocol analyzer forwards the filtered packets to a linear algorithm. For other suspected attacks, the protocol analyzer forwards the filtered packets to a combination of a linear algorithm and a learning algorithm.
- the linear algorithm initially defines whether the packets are safe or unsafe regardless of the suspected attack type, then extracts the features of the suspected attack and provides them to the learning algorithm.
- the learning algorithm compares the extracted features against known attack features and classifies the suspected attack as either known or unknown, then outputs this information to the validator and database component.
- the validator and database component validates the output of the linear and learning algorithms. In general, if the actual output (e.g., from the learning algorithm) differs from the expected output, then the actual output is considered as an error.
- the expected output refers to numeric values which are predefined by a user and represent safe traffic.
- the actual output are numeric values assigned to the features and attributes from the output of the learning algorithm. The comparison is done based on the values of these traffic features.
- the validator output is stored into database component and the attack features are provided as feedback to the protocol analyzer and the linear and learning algorithms for use in subsequent detections. Such an arrangement allows the HADM to dynamically define new attack features in order to better identify new types of cyber-attacks.
- the disclosed embodiments are directed to a computer-based method of detecting a cyber-attack on a communication network.
- the method comprises receiving, at a server connected to the communication network, a plurality of network packets from a computing device.
- the method further comprises extracting one or more features of the network packets at the server, the one or more features of the network packets being sufficiently distinctive to allow a content of the network packets to be designated as suspicious traffic or non- suspicious traffic.
- the method still further comprises performing an analysis of the one or more features of the network packets at the server using at least one linear algorithm in conjunction with at least one learning algorithm, and designating the network packets as suspicious traffic at the server based on the analysis performed using the at least one linear algorithm in conjunction with the at least one learning algorithm.
- the disclosed embodiments are directed to a computer-based system for detecting a cyber-attack on a communication network.
- the system comprises at least one processor and at least one memory connected to the at least one processor, the at least one memory having a plurality of processing components stored therein.
- the at least one memory and the plurality of processing components are configured to, with the at least one processor, cause the system at least to perform the plurality of the processing components.
- the plurality of the processing components comprises a protocol analyzer component configured to receive a plurality of network packets from a computing device via the communication network.
- the plurality of processing the components further comprises a dynamic machine learning component configured to extract one or more features of the network packets, the one or more features of the network packets being sufficiently distinctive to allow a content of the network packets to be designated as suspicious traffic or non-suspicious traffic.
- the dynamic machine learning component is further configured to perform an analysis of the one or more features of the network packets using at least one linear algorithm in conjunction with at least one learning algorithm and designate the network packets as suspicious traffic based on the analysis performed using the at least one linear algorithm in conjunction with the at least one learning algorithm.
- the disclosed embodiments are directed to a computer- based system for detecting a cyber-attack on a communication network.
- the system comprises one or more processors and one or more storage devices connected to the one or more processors, the one or more storage devices storing computer-readable instructions thereon.
- the computer-readable instructions are executable by the one or more processors to cause the system to receive a plurality of network packets from a computing device via the communication network.
- the computer-readable instructions are further executable by the one or more processors to cause the system to extract one or more features of the network packets, the one or more features of the network packets being sufficiently distinctive to allow a content of the network packets to be designated as suspicious traffic or non- suspicious traffic.
- the computer-readable instructions are still further executable by the one or more processors to cause the system to perform an analysis of the one or more features of the network packets using at least one linear algorithm in conjunction with at least one learning algorithm and designate the network packets as suspicious traffic based on the analysis performed using the at least one linear algorithm in conjunction with the at least one learning algorithm.
- FIG. 1 illustrates an exemplary communication network equipped with an exemplary hybrid anomaly detection module (HADM) according to aspects of the disclosed embodiments;
- HADM hybrid anomaly detection module
- FIG. 2 illustrates an exemplary server having an exemplary HADM thereon according to aspects of the disclosed embodiments
- FIG. 3 illustrates an exemplary protocol analyzer module for an HADM according to aspects of the disclosed embodiments
- FIG. 4 illustrates an exemplary dynamic machine learning module for an HADM according to aspects of the disclosed embodiments
- FIG. 5 illustrates an exemplary threat validator and database storage module for an HADM according to aspects of the disclosed embodiments
- FIG. 6 illustrates a more detailed view of exemplary implementation of an HADM according to aspects of the disclosed embodiments
- FIG. 7 illustrates an exemplary flowchart for an HADM according to aspects of the disclosed embodiments
- FIG. 8 illustrates a more detailed view of an exemplary flowchart for an HADM according to aspects of the disclosed embodiments.
- FIG. 9 illustrates an exemplary alternative dynamic machine learning module for an HADM according to aspects of the disclosed embodiments.
- the embodiments disclosed herein relate to improved systems, apparatuses, and methods for detecting and preventing cyber-attacks on communication networks, such as mobile networks.
- the systems, apparatuses, and methods provide one or more modules and/or circuitries that can detect and/or prevent cyber-attacks and/or anomalies, such as a hybrid anomaly detection module (HADM), that uses a combination of linear algorithms and learning algorithms.
- HADM hybrid anomaly detection module
- the linear algorithms filter and extract attributes and features of the attacks and the learning algorithms use these attributes and features to identify new attacks.
- the use of linear algorithms in conjunction with learning algorithms allows the HADM to achieve improved performance compared to existing network security solutions.
- a communication network 100 such as a mobile communication network, is shown equipped with an HADM according to disclosed embodiments.
- the network 100 may be any current or soon-to-be available mobile network, such as 3G, 4G, 5G, cloud services and similar networks, that can provide online or Internet connectivity to computing devices.
- computing devices are connected to the network 100 in the present example, such as a smartphone 102, a personal computer 104, as well as a personal communication device, one or more communication network equipment, one or more IoT devices, one or more sensor devices, one or more vehicles, and one or more smart household appliances, indicated generally at 106, or any combination thereof.
- These computing devices 102, 104, and 106 may of course comprise any other computing device that is capable of transmitting to and receiving data packets from the communication network 100, for example over a mobile communication link 108, such as a cellular communication link.
- the communication network 100 comprises at least one network system or apparatus 110, such as at least one network server 110 having an HADM, or one or more of the HADM elements, circuitries and/or processing components, implemented thereon.
- the at least one network server 110 may be any suitable server capable of processing network packets sent to the network 100, such as one or more physical servers as well as one or more virtual (i.e., cloud based) servers.
- the HADM may then execute a number of the processing components in conjunction with one another on the at least one network server 110 to detect and prevent cyber-attacks on the mobile network 100.
- the HADM focuses on one or more particular network protocols that are known or considered to be vulnerable to cyber-attacks over other protocols that are not considered vulnerable and therefore not typically used by cyber-attackers, such as streaming protocols. This allows the HADM to avoid burdening the at least one network server 110 with unnecessary computational load.
- FIG. 2 shows an exemplary physical implementation of the at least one network server 110 having the HADM thereon.
- This network server 110 may be any suitable computing system known to those having ordinary skill in the art, such as a high-end computer, workstation, main frame, circuitry, and the like.
- Such a network server 110 typically comprises a bus 200 or other communication mechanism for transferring information within the network server 110 and one or more circuitries, such as one or more single or multi-core CPU’s (Central Processing Unit) 202, such as field programmable gate arrays (FPGA), an AI (Artificial Intelligence) accelerator or a GPU (Graphics Processing Unit), or any combination thereof, coupled with the bus 200 for processing the information.
- CPU Central Processing Unit
- FPGA field programmable gate arrays
- AI Artificial Intelligence
- GPU Graphics Processing Unit
- the network server 110 may also comprise a main memory 204, such as a random access memory (RAM) or other dynamic storage device coupled to the bus 200 for storing computer-readable instructions, such as one or more computer program product, to be executed by the CPU 202.
- the main memory 204 may also be used for storing temporary variables or other intermediate information during execution of the instructions to be executed by the CPU 202.
- the network server 110 may further comprise a read only memory (ROM) 206 or other static storage device coupled to the bus 200 for storing static information and instructions for the CPU 202.
- ROM read only memory
- a computer-readable storage device 208 such as a magnetic disk or optical disk, may be coupled to the bus 200 for storing information and instructions for the CPU 202.
- Non-volatile media may comprise, for example, optical or magnetic disks, such as the storage device 208.
- Volatile media may comprise dynamic memory, such as main memory 204.
- Transmission media may comprise coaxial cables, copper wire and fiber optics, such as wires of the bus 200.
- Transmission itself may take the form of acoustic or light waves, such as those generated during radio frequency (RF) and infrared (IR) data communications.
- RF radio frequency
- IR infrared
- Common forms of computer-readable media may comprise, for example, a floppy disk, a flexible disk, hard disk, magnetic tape, other magnetic medium, a CD ROM (Compact Disc Read-Only Memory), DVD (Digital Versatile Disc), other optical medium, a RAM (Random-access memory), a PROM (Programmable read-only memory), an EPROM (Erasable programmable read-only memory, a FLASH EPROM, other memory chip or cartridge, or any other medium from which a computer can read.
- a floppy disk a flexible disk, hard disk, magnetic tape, other magnetic medium
- CD ROM Compact Disc Read-Only Memory
- DVD Digital Versatile Disc
- RAM Random-access memory
- PROM Programmable read-only memory
- EPROM Erasable
- the CPU 202 may also be coupled via the bus 200 to a display 210, such as a liquid crystal display (LCD), cathode ray tube (CRT), and the like for displaying information to a user.
- a display 210 such as a liquid crystal display (LCD), cathode ray tube (CRT), and the like for displaying information to a user.
- One or more input devices 212 such as alphanumeric and other keyboards, mouse, trackball, cursor direction keys, and so forth, may be coupled to the bus 200 for communicating information and command selections to the CPU 202.
- a communication interface 214 provides two-way data communication between the network server 110 and other computers.
- the communication interface 214 may be an integrated services digital network (ISDN) card or a modem used to provide a data communication connection to a corresponding type of communication line.
- ISDN integrated services digital network
- the communication interface 214 may be a local area network (LAN) card used to provide a data communication connection to a compatible LAN.
- Wireless links may also be implemented via the communication interface 214.
- the main function of the communication interface 214 is to send and receive electrical, electromagnetic, optical, or other signals that carry digital data streams representing various types of information.
- an HADM 216 may also reside on the storage device 208.
- the computer- readable instructions for the HADM 216 may then be executed by the CPU 202 and/or other components of the network server 110.
- the HADM 216 has been expanded into several discrete blocks or modules representing operational phases, such as Phase 1, Phase 2, and Phase 3, each operational phase comprising a phase-specific processing component.
- the first operational phase, Phase 1 is a protocol analyzer phase and comprises a protocol analyzer component 218, such as a protocol analyzer circuitry.
- the second operational phase, Phase 2 is a dynamic machine learning phase and comprises a dynamic machine learning component 220, such as dynamic machine learning circuitry.
- the third operational phase, Phase 3, is a validator and database phase and comprises a validator and database component 222, such as a validator and database circuitry.
- circuitry may refer to one or more or all of the following: (a) hardware-only circuit implementations (such as implementations in only analog and/or digital circuitry); (b) combinations of hardware circuits and software, such as (as applicable): (i) a combination of analog and/or digital hardware circuit(s) with software/firmware and (ii) any portions of hardware processor(s) with software (such as digital signal processor(s)), software, and memory(ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions); and (c) hardware circuit(s) and or processor(s), such as a microprocessor(s) or a portion of a microprocessor(s), that requires software (e.g., firmware) for operation, but the software may not be present when it is not needed for operation.
- hardware-only circuit implementations such as implementations in only analog and/or digital circuitry
- combinations of hardware circuits and software such as (as applicable): (i) a combination of analog and/or digital hardware circuit(s
- circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware.
- circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in server, a cellular network device, or other computing or network device.
- the protocol analyzer component 218 receives network packets and filters such packets, indicated generally at 224.
- the protocol analyzer component 218 looks specifically for packets sent using a network protocol that is considered or has been found to be vulnerable to cyber-attacks. Packets that were sent using a vulnerable protocol, indicated generally at 226, are provided to the dynamic machine learning component 220 for detection of malicious code or content. Packets that were sent using a non-vulnerable protocol, indicated generally at 228, are forwarded directly to the validator and database component 222 for further validation.
- the headers and payloads of the vulnerable protocol packets 226 are processed by a combination of linear and learning algorithms to detect possible attacks or anomalies.
- Features and attributes of one or more suspected attacks that are considered to be distinctive are extracted and provided to the validator and database component 222, indicated generally at 230.
- the extracted features and attributes 230 are compared against the expected output defined in the validator.
- the packets that are sent using a non-vulnerable protocol, indicated generally at 228, are likewise validated by the validator and database component 222 in a similar manner.
- the validation results are stored by the validator and database component 222 in a database and their attack features are provided as feedback 232 to the protocol analyzer component 218 and the dynamic machine learning component 220 for use in subsequent detections.
- FIG. 3 illustrates an exemplary implementation of the protocol analyzer component 218 according to the disclosed embodiments.
- the protocol analyzer component 218 uses one or more functional modules and/or circuitries to filter the network packets 224, such as a decision module and/or circuitry 300, a counter and prioritization module and/or circuitry 302, a feature extraction module and/or circuitry 304, a first learning algorithm module and/or circuitry 306 comprising a Learning Algorithm I, and a log file 308.
- These functional modules and/or circuitries 300-308 operate in a manner that allows the protocol analyzer component 218 to focus on packets sent using a network protocol that is considered to be vulnerable to cyber-attacks.
- the modules and/or circuitries 300-306 can be implemented in one or more circuitries and/or modules, in any combination.
- the decision module 300 is responsible for receiving the network packets 224 and checking the packet headers to determine whether the packets were carried using a vulnerable network protocol. As those skilled in the art are aware, certain network protocols like TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are more vulnerable to cyber-attacks than protocols like RTSP (Real Time Streaming Protocol), which are considered safe. To make the determination, the decision module 300 compares the received network packets 224 against a list of network protocols that are known or have been found to be vulnerable from the log file 308.
- any protocol that carries signaling packets over the network can be vulnerable and may be included on the list used in the decision module 300.
- These protocols may comprise IP based protocols as well as non-IP based protocols.
- Examples of vulnerable control plane protocols that may be on the list comprise NAS (Non- Access Stratum), Sl Application Protocol (S1AP), GTP-C (GPRS Tunneling Protocol Control Plane).
- the list may then be updated dynamically from time to time with additional network protocols via feedback 232 received from the validator and database component 222.
- Network packets 224 that are found to have been carried using a vulnerable protocol, indicated at 310, are forwarded by the decision module 300 to the counter and prioritization module 302.
- the counter and prioritization module 302 prioritizes the vulnerable protocols with which the packets 310 were sent based on the number of times the protocol was used and a minimum occurrence threshold, n. For example, only protocols that have been used n times within a predefined time window (e.g., 1 hour, 1 day, etc.) are prioritized. Additionally, vulnerable protocols that are used more frequently are prioritized over vulnerable protocols that are used less frequently.
- the counter and prioritization module 304 may prioritize only the 20 protocols with the highest number of occurrences within a predefined time window. By prioritizing protocols in this way, the counter and prioritization module 302 helps minimize the number of vulnerable protocols that are subsequently processed.
- the value of n is an integer number (e.g., 100, 200, 300, etc.) that may be defined manually by the user or automatically by the counter and prioritization module 302 based on the time window used and the amount of network packets received within the time window. Network packets carried over the prioritized protocols are then forwarded as suspicious packets 312 to the dynamic machine learning component 220.
- network packets 224 found not to have been carried using a vulnerable protocol, indicated at 314, may be considered safe and no further processing is needed.
- these non- vulnerable protocol network packets 314 are forwarded by the decision module 300 to the feature extraction module 304 for further processing, as shown in the FIG. 3 example.
- the feature extraction module 304 extracts features and attributes from the packets 314 and provides these features and attributes, indicated at 316, to the first learning algorithm 306 for analysis.
- a network packet has a header and a payload. The header contains overhead information about the packet, the network service, and other transmission related information, while the payload contains the content carried by the packet.
- the features and attributes extracted by the feature extraction module 304 are generally the properties that can identify the type of content carried by the packet.
- Examples of features and attributes that may be extracted by the feature extraction module 304 comprise: Ethernet Size, Ethernet, Destination Address, Ethernet Source Address, IP (Internet Protocol) header Length, IP Type of Service, IP Length, IP Time To Live, IP Protocol, IP Source Address, IP Destination Address, TCP Source Port, TCP Destination Port, UDP Source Port, UDP Destination Port, UDP Length, ICMP (Internet Control Message Protocol) Type, ICMP Code, Duration of Connection, Connection Starting Time, Fragmentation, and the like.
- IP Source Address such as A.B.C.D. and have feature(s) such as average package length and average response time less than a predefined threshold or as typically seen in normal traffic can represent malicious content, such as a botnet.
- the features and attributes 316 provided by the features extraction module 304 are analyzed by using the Learning Algorithm I to determine whether they may match or otherwise correspond to features and attributes of known cyber attacks.
- Examples of learning algorithms that may be used as the Learning Algorithm I in the first learning algorithm module 306 comprise Extreme Learning Machines (ELM), Self- Organizing Map (SOM), and Multi-Layer Perceptron (MLP) algorithms, as well as other suitable learning algorithms known to those skilled in the art. If it is determined that the features and attributes 316 overlap or coincide with a known attack, then the first learning algorithm module 306 forwards the packets as suspicious packets, indicated at 318, to be recorded in the log file 308.
- the first learning algorithm module 306 serves as a sort of second check to detect newly vulnerable protocols that were previously considered to be non- vulnerable. If it is determined that the features and attributes 316 do not overlap or coincide with any known attacks, then the packets are forwarded to the dynamic machine learning module 220 as safe packets 320.
- the log file 308 operates as a repository for suspicious packets carried over vulnerable protocols.
- the log file 308 records information about the packets, such as timestamp, packet size, IP header, and network layers (e.g., Ethernet, TCP, application layer, etc.). Every time the first learning algorithm module 306 detects a new vulnerable protocol, that protocol is recorded into the log file 308, which may then be accessed by the other modules in the protocol analyzer component 218 as needed.
- the log file 308 also forwards any suspicious packets 318 to the validator and database component 222.
- the dynamic machine learning component 220 uses one or more functional modules and/or circuitries, such as a decision module and/or circuitry 400, a first feature extraction module and/or circuitry 402, a first linear algorithm module and/or circuitry 404 comprising a Linear Algorithm I, a second feature extraction module and/or circuitry 406, a second linear algorithm module and/or circuitry 408 comprising a Linear Algorithm II, a rule extractor and deduplicator module and/or circuitry 410, and a second learning algorithm module and/or circuitry 412 comprising a Learning Algorithm II.
- a decision module and/or circuitry 400 uses one or more functional modules and/or circuitries, such as a decision module and/or circuitry 400, a first feature extraction module and/or circuitry 402, a first linear algorithm module and/or circuitry 404 comprising a Linear Algorithm I, a second feature extraction module and/or circuitry 406, a second linear algorithm module and/or circuitry 408 compris
- modules and/or circuitries 400-412 operate in a manner that allows the dynamic machine learning component 220 to combine linear and learning algorithms to more efficiently detect cyber-attacks.
- the modules and/or circuitries 400-412 can be implemented in one or more circuitries and/or modules, in any combination.
- the decision module 400 receives suspicious packets 312 sent using a vulnerable protocol from the protocol analyzer component 218 and determines whether the packets were carried over UDP or TCP. Note that the function of the decision module 400 may also be implemented in the protocol analyzer component 218 instead of the dynamic machine learning component 220 in some embodiments. In either case, suspicious packets that were sent using UDP, indicated at 414, are forwarded to the first feature extraction module 402 for feature extraction.
- the first feature extraction module 402 operates in the same or nearly the same manner as the feature extraction module 304 in the protocol analyzer module 218 to extract features and attributes of the suspicious packets and therefore will not be described in detail here. These features and attributes, indicated at 416, are provided to the first linear algorithm 404 for analysis.
- the first linear algorithm module 404 analyzes the UDP packets to detect DoS attacks, since DoS attacks are mostly carried on UDP.
- the Linear Algorithm I may be an algorithm that uses Support Vector Machine, Decision Tree, or Fuzzy Rule logic in order to minimize computational load.
- other types of linear algorithms requiring low processing loads may certainly be used without departing from the scope of the disclosed embodiments. If the analysis performed by first linear algorithm module 404 determines that the UDP packets contain a DoS attack, then the UDP packets are forwarded as malicious packets, indicated at 418, to the validator and database component 222. Otherwise, the samples of UDP packets are forwarded as safe packets, indicated at 420, to the validator and database component 222.
- Suspicious packets that were sent using TCP are forwarded to the second feature extraction module 406 for feature extraction.
- the second feature extraction module 406 also operates in the same or nearly the same manner as the feature extraction module 304 in the protocol analyzer module 218 to extract features and attributes of the suspicious packets. These features and attributes, indicated at 424, are then provided to the second linear algorithm module 408 for analysis.
- the second linear algorithm module 408 analyzes the TCP packets to detect other, non-DoS attacks.
- the Linear Algorithm II may be an algorithm that uses Support Vector Machine, Decision Tree, or Fuzzy Rule logic in order to minimize computational load.
- the analysis performed by the second linear algorithm module 408 determines that the TCP packets contain an attack, then the TCP packets are forwarded as attack packets, indicated at 426, to the rule extractor and duplicator module 410. Otherwise, the samples of TCP packets are forwarded as safe packets, indicated at 428, to the validator and database component 222.
- the rule extractor and deduplicator module 410 operates to filter known attack packets against which the network is already protected by using information from other parallel- deployed security mechanisms.
- the rule extractor and deduplicator module 410 uses a set of rules obtained from the other security mechanisms in the network to analyze (i.e., compare) the extracted features and attributes of the attack packets 426. These rules may be updated dynamically based on input from the parallel-deployed security mechanisms from time to time. If the rule extractor and deduplicator module 410 determines that the attack packets 426 reflect a known attack, the attack is ignored, as the network is already protected against such attacks.
- a rule for the Snort network intrusion detection system follows is an example of a rule for the Snort network intrusion detection system:
- the above rule sends an alert when there are network packets from source IP address 1.2.3.4 through any source port destined for IP address 5.6.7.8, which typically indicates a DoS Jolt attack. These network packets may therefore be ignored by the rule extractor and deduplicator module 410 as being indicative of a known attack. Otherwise, the rule extractor and deduplicator module 410 forwards the network packets as unknown attack, indicated at 430, to the second learning algorithm 412 for further analysis.
- the second learning algorithm module 412 provides the final detection stage in some embodiments and the Learning Algorithm II therein may be any suitable type of unsupervised algorithms, such as Artificial Neural Networks (ANN), Genetic Algorithm (GA), SOM, Swarm intelligence (SI), and the like, as well as learning algorithms of the type commonly referred to as“deep neural networks.”
- ANN Artificial Neural Networks
- GA Genetic Algorithm
- SOM Swarm intelligence
- SI Swarm intelligence
- an initial set of clusters are defined, for example, during the algorithm training process, that groups together attacks having similar features.
- the clusters may comprise clusters for botnet attacks (B), malicious codes (M), and the like.
- the unknown attack packets 430 are then labeled or otherwise assigned to one of the clusters based on the similarity of their features.
- the packets that arrive at this module have already been identified as attack packets, if the packets do not exhibit features belonging to any of the already defined clusters, then they are considered a new type of attack (N) and the second learning algorithm 412 creates a new cluster for the packets. In this way, the features of the new type of attack (N) may be added to the second learning algorithm 412 for subsequent detection.
- the second learning algorithm 412 then forwards the labeled attack packets as malicious packets 432 to the validator and database component 222.
- FIG. 5 illustrates an exemplary implementation of the validator and database component 222 according to the disclosed embodiments.
- the validator and database component 222 comprises one or more functional modules and/or circuitries, such as a validator module and/or circuitry 500 and a database module and/or circuitry 502. These functional modules and/or circuitries 500 and 502 operate together to allow the validator and database component 222 to validate detected attacks, store them in a database, and share the updates with other modules.
- the modules and/or circuitries 500 and 502 can be implemented in one or more circuitries and/or modules, in any combination.
- the validator module 500 operates essentially as an error detection module in order to decrease occurrences of false positives (FP) (i.e., suspicious/malicious packets inadvertently labeled as safe) and false negatives (FN) (i.e., safe packets inadvertently labeled as attacks).
- FP false positives
- FN false negatives
- the validator module 500 receives both suspicious/malicious packets and samples of safe packets from the protocol analyzer component 218 and the dynamic machine learning component 220.
- the validator module 500 then confirms whether these packets were correctly categorized (in the previous components) by comparing their features and attributes with those of known attack and safe traffic features and attributes. In some embodiments, the comparison is done on a numerical basis, with numerical values assigned to the features and attributes being compared.
- the numerical values for the features and attributes of suspected botnet attacks should match those of known botnet attacks to within a predefined error margin, which may be a percentage (e.g., 5%, 10%, 15%, 20%, etc.) or a numerical value (e.g., 100, 200, 300, etc.).
- the numerical values for different features may vary and may be assigned by a user as needed along with the allowable deviation or error margin. For example, some Peer-to-Peer (P2P) hots may have an average packet size of 108.88 (actual), whereas the average packet size for P2P software considered to be safe is 872.23 (expected), and the allowable deviation set by the user is 200.
- the analysis yields an output of 250 (actual result) and classifies the traffic as safe traffic.
- the comparison by the validator module 500 of the two average packet sizes (actual and expected) results in a difference of 622.23, which is greater the allowable deviation of 200.
- the validator module 500 therefore flags or otherwise indicates that the packets were incorrectly categorized.
- the output 504 of the validator 500 is then stored in the database 502.
- the database module 502 operates to save the packets processed by the validator 500, such as samples of safe packets, packets from known (and hence dropped) attacks, and packets from unknown attacks.
- the sampling of safe traffic may be done using a suitable packet sampling tool, such as sFlow and the like. Because the volume of safe packets is extremely large, the sampling rate may be kept small (e.g., every lOOth packet, 200th packet, etc.) in order to reduce the load on the HADM.
- the packets from the unknown attacks along with their features and attributes are then provided as feedback to the protocol analyzer component 218 and the dynamic machine learning component 220 for use in subsequent detection. For example, the feedback may be used by the protocol analyzer component 218 to correct any false positives and false negatives that may have arisen.
- FIG. 6 a detailed view of the exemplary HADM 216 is shown according to the disclosed embodiments. From this view, many of the components, circuitries, and modules described above may be seen in context with one another. In addition, a plurality of clusters may be seen in the second learning algorithm 412, such as a cluster 600 for botnet (B) attacks, a cluster 602 for malicious codes (M), and clusters 604 and 608 for other types of attacks. Feedback is provided from the database module 502 to the decision module 300 of the protocol analyzer component 218.
- B botnet
- M malicious codes
- FN false negative
- FIG. 7 is flow chart 700, or portion thereof, outlining a high-level method that may be used to operate the HADM described herein.
- the flow chart 700 begins with input of traffic in the form of network packets at block 702.
- the network packets arrive, they first go through a data normalization process at block 704 where the data in the packets undergo data conversion, data enrichment and data scaling operations.
- data conversion converts data into a format that subsequent processes can understand, such as converting hexadecimal into decimal.
- Data enrichment produces data elements by performing arithmetic and logical operations on the data in the packets.
- Data scaling scales the data so that data fields have the same range of values and the variance among data fields is reduced.
- the flow chart 700 proceeds to block 710 where the HADM undergoes testing using test data. Thereafter, the results of the testing is evaluated at block 712 to confirm the effectiveness and efficiency of the training from block 708.
- FIG. 8 illustrates a flow chart 800, or portion thereof, showing a more detailed method that may be used to operate the HADM described herein.
- the flow chart 800 begins with input of traffic in the form of network packets at block 802.
- a decision is made whether the input traffic is carried on a vulnerable protocol by a decision module configured with a list of vulnerable protocols. If the input traffic is carried on a vulnerable protocol, meaning the traffic is suspicious traffic, then at block 806, a counter and prioritization module prioritizes the traffic based on the number of occurrences of the vulnerable protocol against a predefined threshold n.
- the flow chart 800 then proceeds to block 808 where a determination is made whether the prioritized traffic is carried over UDP or TCP.
- Traffic carried over UDP is processed at block 810 by a feature extraction module that extracts features of the traffic considered to be distinctive.
- a first linear algorithm analyzes the traffic using the extracted features, and at block 814, a determination is made whether the traffic is suspicious or non- suspicious based on the analysis by the first linear algorithm at block 812.
- a validator module validates the suspicious or non-suspicious traffic determination made at block 814 in the manner described above.
- Traffic carried over TCP is processed at block 818 by another feature extraction module that extracts features of the traffic considered to be distinctive.
- another linear algorithm analyzes the traffic using the extracted features, and at block 822, a determination is made whether the traffic is suspicious or non-suspicious based on the analysis by the second linear algorithm at block 820.
- Traffic determined to be suspicious is analyzed by a rule extractor module at block 824 using rules already utilized by other in-place security mechanisms to protect the network.
- a determination is made whether the suspicious traffic resembles attacks already accounted for by other, in-place security mechanisms based on the analysis by the rule extractor module at block 824.
- both blocks 824 and 826 may be performed by a rule extractor and deduplicator 830.
- the traffic is stored in a database at block 828 and dropped (i.e., ignored) or otherwise designated as not an attack. If the suspicious traffic resembles attacks against which the network is not already being protected, then at block 832, the traffic is processed by yet another feature extraction module, which extracts features of the traffic considered to be distinctive and analyzes the features for assignment to one of several existing clusters. At block 834, a determination is made whether the suspicious traffic may be assigned to one of several existing attack clusters based on the feature analysis at block 832. If the determination is yes, meaning the features of the suspicious traffic have already been learned, then the suspicious traffic is validated by the validator module at block 816 in the manner described above.
- blocks 832, 834, and 836 may be performed by a learning algorithm 838.
- the traffic is processed at block 840 by yet another feature extraction module that extracts features of the traffic considered to be distinctive.
- another learning algorithm analyzes the non-suspicious traffic using the extracted feature to reconfirm that the traffic is not carried by a vulnerable protocol.
- a determination is made at block 844 as to whether the traffic is suspicious or non-suspicious based on the analysis by the learning algorithm at block 842. If the determination is yes, meaning the non-suspicious traffic is actually suspicious, then it is recorded in a log file at block 846 and subsequently provided to the database at block 828 for storage.
- this database also stores the results from the determination at block 826 and the validator module at block 816, and therefore contains known attacks, new attacks, as well as dropped attacks.
- the database also provides feedback indicative of false positives (FP) and false negatives (FN) to the feature extraction modules at block 810, 818 and 840 and the decision module at block 804.
- FIG. 9 illustrates an exemplary alternative implementation of the dynamic machine learning component 900 according to aspects of the disclosed embodiments.
- This alternative implementation of the dynamic machine learning component 900 is similar to the dynamic machine learning component 220 shown in FIG. 4 insofar as it comprises a feature extraction module and/or circuitry 406, a linear algorithm 408 module and/or circuitry comprising a Linear Algorithm II, a rule extractor and deduplicator module and/or circuitry 410, and a learning algorithm 412 module and/or circuitry comprising a Learning Algorithm II.
- the alternative dynamic machine learning component 900 depicted here can receive and process all network packets 224 directly from the mobile network 100.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Data Mining & Analysis (AREA)
- Evolutionary Computation (AREA)
- Medical Informatics (AREA)
- Artificial Intelligence (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Physics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
Claims
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/FI2017/050953 WO2019129915A1 (en) | 2017-12-29 | 2017-12-29 | Intelligent defense and filtration platform for network traffic |
Publications (1)
Publication Number | Publication Date |
---|---|
EP3732844A1 true EP3732844A1 (en) | 2020-11-04 |
Family
ID=61007714
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP17832511.4A Withdrawn EP3732844A1 (en) | 2017-12-29 | 2017-12-29 | Intelligent defense and filtration platform for network traffic |
Country Status (2)
Country | Link |
---|---|
EP (1) | EP3732844A1 (en) |
WO (1) | WO2019129915A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113103535A (en) * | 2021-03-17 | 2021-07-13 | 贵州大学 | GA-ELM-GA-based injection molding part mold parameter optimization method |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111181930A (en) * | 2019-12-17 | 2020-05-19 | 中移(杭州)信息技术有限公司 | DDoS attack detection method, device, computer equipment and storage medium |
FR3106914B1 (en) * | 2020-01-31 | 2022-10-28 | Orange | Method for monitoring data exchanged on a network and intrusion detection device |
CN113139598B (en) * | 2021-04-22 | 2022-04-22 | 湖南大学 | Intrusion detection method and system based on improved intelligent optimization algorithm |
CN113242226A (en) * | 2021-05-05 | 2021-08-10 | 航天云网云制造科技(浙江)有限公司 | Big data-based intelligent network security situation prediction method |
CN114866349B (en) * | 2022-07-06 | 2022-11-15 | 深圳市永达电子信息股份有限公司 | Network information filtering method |
FR3142058A1 (en) * | 2022-11-15 | 2024-05-17 | Commissariat A L'energie Atomique Et Aux Energies Alternatives | Method and device for detecting network intrusion by anomaly in network communications |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110231564A1 (en) * | 2000-09-25 | 2011-09-22 | Yevgeny Korsunsky | Processing data flows with a data flow processor |
US8856926B2 (en) * | 2008-06-27 | 2014-10-07 | Juniper Networks, Inc. | Dynamic policy provisioning within network security devices |
US8418249B1 (en) * | 2011-11-10 | 2013-04-09 | Narus, Inc. | Class discovery for automated discovery, attribution, analysis, and risk assessment of security threats |
-
2017
- 2017-12-29 EP EP17832511.4A patent/EP3732844A1/en not_active Withdrawn
- 2017-12-29 WO PCT/FI2017/050953 patent/WO2019129915A1/en unknown
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113103535A (en) * | 2021-03-17 | 2021-07-13 | 贵州大学 | GA-ELM-GA-based injection molding part mold parameter optimization method |
Also Published As
Publication number | Publication date |
---|---|
WO2019129915A1 (en) | 2019-07-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Lima Filho et al. | Smart detection: an online approach for DoS/DDoS attack detection using machine learning | |
US11985169B2 (en) | Classification of unknown network traffic | |
EP3732844A1 (en) | Intelligent defense and filtration platform for network traffic | |
US11899786B2 (en) | Detecting security-violation-associated event data | |
US11394728B2 (en) | Associating a user identifier detected from web traffic with a client address | |
US8418249B1 (en) | Class discovery for automated discovery, attribution, analysis, and risk assessment of security threats | |
US9426166B2 (en) | Method and apparatus for processing finite automata | |
US9426165B2 (en) | Method and apparatus for compilation of finite automata | |
JP5362669B2 (en) | Efficient classification of network packets | |
Hatef et al. | HIDCC: A hybrid intrusion detection approach in cloud computing | |
US20230025946A1 (en) | Network Attack Detection Method and Apparatus | |
US20170034195A1 (en) | Apparatus and method for detecting abnormal connection behavior based on analysis of network data | |
WO2019190403A1 (en) | An industrial control system firewall module | |
Bensaid et al. | Toward a Real‐Time TCP SYN Flood DDoS Mitigation Using Adaptive Neuro‐Fuzzy Classifier and SDN Assistance in Fog Computing | |
US11552986B1 (en) | Cyber-security framework for application of virtual features | |
Shaikh et al. | Advanced signature-based intrusion detection system | |
McLaren et al. | Mining malware command and control traces | |
CN115086068B (en) | Network intrusion detection method and device | |
Li et al. | FusionTC: Encrypted App Traffic Classification Using Decision‐Level Multimodal Fusion Learning of Flow Sequence | |
Schumacher et al. | One-Class Models for Intrusion Detection at ISP Customer Networks | |
KR102369240B1 (en) | Apparatus and method for detecting network intrusion | |
Ismail et al. | Stateless malware packet detection by incorporating naive bayes with known malware signatures | |
Lee et al. | Malicious traffic compression and classification technique for secure internet of things | |
BS et al. | P‐DNN: Parallel DNN based IDS framework for the detection of IoT vulnerabilities | |
Bahlali | Anomaly-based network intrusion detection system: A machine learning approach |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: UNKNOWN |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE |
|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
|
17P | Request for examination filed |
Effective date: 20200729 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
AX | Request for extension of the european patent |
Extension state: BA ME |
|
DAV | Request for validation of the european patent (deleted) | ||
DAX | Request for extension of the european patent (deleted) | ||
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: EXAMINATION IS IN PROGRESS |
|
17Q | First examination report despatched |
Effective date: 20220329 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
|
18D | Application deemed to be withdrawn |
Effective date: 20220809 |