EP3732844A1 - Intelligent defense and filtration platform for network traffic - Google Patents

Intelligent defense and filtration platform for network traffic

Info

Publication number
EP3732844A1
EP3732844A1 EP17832511.4A EP17832511A EP3732844A1 EP 3732844 A1 EP3732844 A1 EP 3732844A1 EP 17832511 A EP17832511 A EP 17832511A EP 3732844 A1 EP3732844 A1 EP 3732844A1
Authority
EP
European Patent Office
Prior art keywords
network
network packets
features
computer
packets
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP17832511.4A
Other languages
German (de)
French (fr)
Inventor
Mehrnoosh Monshizadeh
Kimmo HÄTÖNEN
Vikramajeet Khatri
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nokia Solutions and Networks Oy
Original Assignee
Nokia Solutions and Networks Oy
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nokia Solutions and Networks Oy filed Critical Nokia Solutions and Networks Oy
Publication of EP3732844A1 publication Critical patent/EP3732844A1/en
Withdrawn legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00Machine learning
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/24Classification techniques
    • G06F18/243Classification techniques relating to the number of classes
    • G06F18/2433Single-class perspective, e.g. one-against-all classification; Novelty detection; Outlier detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis

Definitions

  • the disclosed various example embodiments relate generally to computer network security and to improved systems and methods for automatically identifying and preventing cyber attacks on communication networks and cloud services.
  • IoT Internet of Things
  • the embodiments disclosed herein are directed to various examples of improved cyber attacks systems and methods for detecting and preventing cyber-attacks on communication networks.
  • the systems and methods provide a hybrid anomaly detection module (HADM) that uses a combination of linear algorithms and learning algorithms.
  • the linear algorithms filter and extract distinctive attributes and features of the cyber-attacks and the learning algorithms use these attributes and features to identify new types of cyber-attacks.
  • learning algorithms such as algorithms that employ neural networks and genetic search algorithms, have better detection accuracy when they are used along with linear algorithms, such as algorithms that employ Support Vector Machine (SVM), Decision Tree or Fuzzy Rule logic.
  • SVM Support Vector Machine
  • Decision Tree Fuzzy Rule logic
  • the HADM may comprise several processing components in some embodiments, such as a protocol analyzer, linear and learning algorithms, validator and database, and other components. These processing components may be implemented as software, hardware, or a combination of software and hardware depending on the particular application.
  • the components are deployed in conjunction with one another to filter packets on the communication networks, such as mobile networks, for certain network protocols that are known or considered to be vulnerable to cyber-attacks. This allows the HADM to expend a smaller amount of processing resource on other network protocols, such as streaming protocols, that are not normally vulnerable and thus not typically targeted by cyber-attackers.
  • the ability of the HADM to focus on vulnerable network protocols helps avoid burdening network servers with unnecessary computational load.
  • the protocol analyzer component functions to filter the network packets and identify suspected protocols. For certain suspected attacks, such as DoS (denial of service) attacks, the protocol analyzer forwards the filtered packets to a linear algorithm. For other suspected attacks, the protocol analyzer forwards the filtered packets to a combination of a linear algorithm and a learning algorithm.
  • the linear algorithm initially defines whether the packets are safe or unsafe regardless of the suspected attack type, then extracts the features of the suspected attack and provides them to the learning algorithm.
  • the learning algorithm compares the extracted features against known attack features and classifies the suspected attack as either known or unknown, then outputs this information to the validator and database component.
  • the validator and database component validates the output of the linear and learning algorithms. In general, if the actual output (e.g., from the learning algorithm) differs from the expected output, then the actual output is considered as an error.
  • the expected output refers to numeric values which are predefined by a user and represent safe traffic.
  • the actual output are numeric values assigned to the features and attributes from the output of the learning algorithm. The comparison is done based on the values of these traffic features.
  • the validator output is stored into database component and the attack features are provided as feedback to the protocol analyzer and the linear and learning algorithms for use in subsequent detections. Such an arrangement allows the HADM to dynamically define new attack features in order to better identify new types of cyber-attacks.
  • the disclosed embodiments are directed to a computer-based method of detecting a cyber-attack on a communication network.
  • the method comprises receiving, at a server connected to the communication network, a plurality of network packets from a computing device.
  • the method further comprises extracting one or more features of the network packets at the server, the one or more features of the network packets being sufficiently distinctive to allow a content of the network packets to be designated as suspicious traffic or non- suspicious traffic.
  • the method still further comprises performing an analysis of the one or more features of the network packets at the server using at least one linear algorithm in conjunction with at least one learning algorithm, and designating the network packets as suspicious traffic at the server based on the analysis performed using the at least one linear algorithm in conjunction with the at least one learning algorithm.
  • the disclosed embodiments are directed to a computer-based system for detecting a cyber-attack on a communication network.
  • the system comprises at least one processor and at least one memory connected to the at least one processor, the at least one memory having a plurality of processing components stored therein.
  • the at least one memory and the plurality of processing components are configured to, with the at least one processor, cause the system at least to perform the plurality of the processing components.
  • the plurality of the processing components comprises a protocol analyzer component configured to receive a plurality of network packets from a computing device via the communication network.
  • the plurality of processing the components further comprises a dynamic machine learning component configured to extract one or more features of the network packets, the one or more features of the network packets being sufficiently distinctive to allow a content of the network packets to be designated as suspicious traffic or non-suspicious traffic.
  • the dynamic machine learning component is further configured to perform an analysis of the one or more features of the network packets using at least one linear algorithm in conjunction with at least one learning algorithm and designate the network packets as suspicious traffic based on the analysis performed using the at least one linear algorithm in conjunction with the at least one learning algorithm.
  • the disclosed embodiments are directed to a computer- based system for detecting a cyber-attack on a communication network.
  • the system comprises one or more processors and one or more storage devices connected to the one or more processors, the one or more storage devices storing computer-readable instructions thereon.
  • the computer-readable instructions are executable by the one or more processors to cause the system to receive a plurality of network packets from a computing device via the communication network.
  • the computer-readable instructions are further executable by the one or more processors to cause the system to extract one or more features of the network packets, the one or more features of the network packets being sufficiently distinctive to allow a content of the network packets to be designated as suspicious traffic or non- suspicious traffic.
  • the computer-readable instructions are still further executable by the one or more processors to cause the system to perform an analysis of the one or more features of the network packets using at least one linear algorithm in conjunction with at least one learning algorithm and designate the network packets as suspicious traffic based on the analysis performed using the at least one linear algorithm in conjunction with the at least one learning algorithm.
  • FIG. 1 illustrates an exemplary communication network equipped with an exemplary hybrid anomaly detection module (HADM) according to aspects of the disclosed embodiments;
  • HADM hybrid anomaly detection module
  • FIG. 2 illustrates an exemplary server having an exemplary HADM thereon according to aspects of the disclosed embodiments
  • FIG. 3 illustrates an exemplary protocol analyzer module for an HADM according to aspects of the disclosed embodiments
  • FIG. 4 illustrates an exemplary dynamic machine learning module for an HADM according to aspects of the disclosed embodiments
  • FIG. 5 illustrates an exemplary threat validator and database storage module for an HADM according to aspects of the disclosed embodiments
  • FIG. 6 illustrates a more detailed view of exemplary implementation of an HADM according to aspects of the disclosed embodiments
  • FIG. 7 illustrates an exemplary flowchart for an HADM according to aspects of the disclosed embodiments
  • FIG. 8 illustrates a more detailed view of an exemplary flowchart for an HADM according to aspects of the disclosed embodiments.
  • FIG. 9 illustrates an exemplary alternative dynamic machine learning module for an HADM according to aspects of the disclosed embodiments.
  • the embodiments disclosed herein relate to improved systems, apparatuses, and methods for detecting and preventing cyber-attacks on communication networks, such as mobile networks.
  • the systems, apparatuses, and methods provide one or more modules and/or circuitries that can detect and/or prevent cyber-attacks and/or anomalies, such as a hybrid anomaly detection module (HADM), that uses a combination of linear algorithms and learning algorithms.
  • HADM hybrid anomaly detection module
  • the linear algorithms filter and extract attributes and features of the attacks and the learning algorithms use these attributes and features to identify new attacks.
  • the use of linear algorithms in conjunction with learning algorithms allows the HADM to achieve improved performance compared to existing network security solutions.
  • a communication network 100 such as a mobile communication network, is shown equipped with an HADM according to disclosed embodiments.
  • the network 100 may be any current or soon-to-be available mobile network, such as 3G, 4G, 5G, cloud services and similar networks, that can provide online or Internet connectivity to computing devices.
  • computing devices are connected to the network 100 in the present example, such as a smartphone 102, a personal computer 104, as well as a personal communication device, one or more communication network equipment, one or more IoT devices, one or more sensor devices, one or more vehicles, and one or more smart household appliances, indicated generally at 106, or any combination thereof.
  • These computing devices 102, 104, and 106 may of course comprise any other computing device that is capable of transmitting to and receiving data packets from the communication network 100, for example over a mobile communication link 108, such as a cellular communication link.
  • the communication network 100 comprises at least one network system or apparatus 110, such as at least one network server 110 having an HADM, or one or more of the HADM elements, circuitries and/or processing components, implemented thereon.
  • the at least one network server 110 may be any suitable server capable of processing network packets sent to the network 100, such as one or more physical servers as well as one or more virtual (i.e., cloud based) servers.
  • the HADM may then execute a number of the processing components in conjunction with one another on the at least one network server 110 to detect and prevent cyber-attacks on the mobile network 100.
  • the HADM focuses on one or more particular network protocols that are known or considered to be vulnerable to cyber-attacks over other protocols that are not considered vulnerable and therefore not typically used by cyber-attackers, such as streaming protocols. This allows the HADM to avoid burdening the at least one network server 110 with unnecessary computational load.
  • FIG. 2 shows an exemplary physical implementation of the at least one network server 110 having the HADM thereon.
  • This network server 110 may be any suitable computing system known to those having ordinary skill in the art, such as a high-end computer, workstation, main frame, circuitry, and the like.
  • Such a network server 110 typically comprises a bus 200 or other communication mechanism for transferring information within the network server 110 and one or more circuitries, such as one or more single or multi-core CPU’s (Central Processing Unit) 202, such as field programmable gate arrays (FPGA), an AI (Artificial Intelligence) accelerator or a GPU (Graphics Processing Unit), or any combination thereof, coupled with the bus 200 for processing the information.
  • CPU Central Processing Unit
  • FPGA field programmable gate arrays
  • AI Artificial Intelligence
  • GPU Graphics Processing Unit
  • the network server 110 may also comprise a main memory 204, such as a random access memory (RAM) or other dynamic storage device coupled to the bus 200 for storing computer-readable instructions, such as one or more computer program product, to be executed by the CPU 202.
  • the main memory 204 may also be used for storing temporary variables or other intermediate information during execution of the instructions to be executed by the CPU 202.
  • the network server 110 may further comprise a read only memory (ROM) 206 or other static storage device coupled to the bus 200 for storing static information and instructions for the CPU 202.
  • ROM read only memory
  • a computer-readable storage device 208 such as a magnetic disk or optical disk, may be coupled to the bus 200 for storing information and instructions for the CPU 202.
  • Non-volatile media may comprise, for example, optical or magnetic disks, such as the storage device 208.
  • Volatile media may comprise dynamic memory, such as main memory 204.
  • Transmission media may comprise coaxial cables, copper wire and fiber optics, such as wires of the bus 200.
  • Transmission itself may take the form of acoustic or light waves, such as those generated during radio frequency (RF) and infrared (IR) data communications.
  • RF radio frequency
  • IR infrared
  • Common forms of computer-readable media may comprise, for example, a floppy disk, a flexible disk, hard disk, magnetic tape, other magnetic medium, a CD ROM (Compact Disc Read-Only Memory), DVD (Digital Versatile Disc), other optical medium, a RAM (Random-access memory), a PROM (Programmable read-only memory), an EPROM (Erasable programmable read-only memory, a FLASH EPROM, other memory chip or cartridge, or any other medium from which a computer can read.
  • a floppy disk a flexible disk, hard disk, magnetic tape, other magnetic medium
  • CD ROM Compact Disc Read-Only Memory
  • DVD Digital Versatile Disc
  • RAM Random-access memory
  • PROM Programmable read-only memory
  • EPROM Erasable
  • the CPU 202 may also be coupled via the bus 200 to a display 210, such as a liquid crystal display (LCD), cathode ray tube (CRT), and the like for displaying information to a user.
  • a display 210 such as a liquid crystal display (LCD), cathode ray tube (CRT), and the like for displaying information to a user.
  • One or more input devices 212 such as alphanumeric and other keyboards, mouse, trackball, cursor direction keys, and so forth, may be coupled to the bus 200 for communicating information and command selections to the CPU 202.
  • a communication interface 214 provides two-way data communication between the network server 110 and other computers.
  • the communication interface 214 may be an integrated services digital network (ISDN) card or a modem used to provide a data communication connection to a corresponding type of communication line.
  • ISDN integrated services digital network
  • the communication interface 214 may be a local area network (LAN) card used to provide a data communication connection to a compatible LAN.
  • Wireless links may also be implemented via the communication interface 214.
  • the main function of the communication interface 214 is to send and receive electrical, electromagnetic, optical, or other signals that carry digital data streams representing various types of information.
  • an HADM 216 may also reside on the storage device 208.
  • the computer- readable instructions for the HADM 216 may then be executed by the CPU 202 and/or other components of the network server 110.
  • the HADM 216 has been expanded into several discrete blocks or modules representing operational phases, such as Phase 1, Phase 2, and Phase 3, each operational phase comprising a phase-specific processing component.
  • the first operational phase, Phase 1 is a protocol analyzer phase and comprises a protocol analyzer component 218, such as a protocol analyzer circuitry.
  • the second operational phase, Phase 2 is a dynamic machine learning phase and comprises a dynamic machine learning component 220, such as dynamic machine learning circuitry.
  • the third operational phase, Phase 3, is a validator and database phase and comprises a validator and database component 222, such as a validator and database circuitry.
  • circuitry may refer to one or more or all of the following: (a) hardware-only circuit implementations (such as implementations in only analog and/or digital circuitry); (b) combinations of hardware circuits and software, such as (as applicable): (i) a combination of analog and/or digital hardware circuit(s) with software/firmware and (ii) any portions of hardware processor(s) with software (such as digital signal processor(s)), software, and memory(ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions); and (c) hardware circuit(s) and or processor(s), such as a microprocessor(s) or a portion of a microprocessor(s), that requires software (e.g., firmware) for operation, but the software may not be present when it is not needed for operation.
  • hardware-only circuit implementations such as implementations in only analog and/or digital circuitry
  • combinations of hardware circuits and software such as (as applicable): (i) a combination of analog and/or digital hardware circuit(s
  • circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware.
  • circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in server, a cellular network device, or other computing or network device.
  • the protocol analyzer component 218 receives network packets and filters such packets, indicated generally at 224.
  • the protocol analyzer component 218 looks specifically for packets sent using a network protocol that is considered or has been found to be vulnerable to cyber-attacks. Packets that were sent using a vulnerable protocol, indicated generally at 226, are provided to the dynamic machine learning component 220 for detection of malicious code or content. Packets that were sent using a non-vulnerable protocol, indicated generally at 228, are forwarded directly to the validator and database component 222 for further validation.
  • the headers and payloads of the vulnerable protocol packets 226 are processed by a combination of linear and learning algorithms to detect possible attacks or anomalies.
  • Features and attributes of one or more suspected attacks that are considered to be distinctive are extracted and provided to the validator and database component 222, indicated generally at 230.
  • the extracted features and attributes 230 are compared against the expected output defined in the validator.
  • the packets that are sent using a non-vulnerable protocol, indicated generally at 228, are likewise validated by the validator and database component 222 in a similar manner.
  • the validation results are stored by the validator and database component 222 in a database and their attack features are provided as feedback 232 to the protocol analyzer component 218 and the dynamic machine learning component 220 for use in subsequent detections.
  • FIG. 3 illustrates an exemplary implementation of the protocol analyzer component 218 according to the disclosed embodiments.
  • the protocol analyzer component 218 uses one or more functional modules and/or circuitries to filter the network packets 224, such as a decision module and/or circuitry 300, a counter and prioritization module and/or circuitry 302, a feature extraction module and/or circuitry 304, a first learning algorithm module and/or circuitry 306 comprising a Learning Algorithm I, and a log file 308.
  • These functional modules and/or circuitries 300-308 operate in a manner that allows the protocol analyzer component 218 to focus on packets sent using a network protocol that is considered to be vulnerable to cyber-attacks.
  • the modules and/or circuitries 300-306 can be implemented in one or more circuitries and/or modules, in any combination.
  • the decision module 300 is responsible for receiving the network packets 224 and checking the packet headers to determine whether the packets were carried using a vulnerable network protocol. As those skilled in the art are aware, certain network protocols like TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are more vulnerable to cyber-attacks than protocols like RTSP (Real Time Streaming Protocol), which are considered safe. To make the determination, the decision module 300 compares the received network packets 224 against a list of network protocols that are known or have been found to be vulnerable from the log file 308.
  • any protocol that carries signaling packets over the network can be vulnerable and may be included on the list used in the decision module 300.
  • These protocols may comprise IP based protocols as well as non-IP based protocols.
  • Examples of vulnerable control plane protocols that may be on the list comprise NAS (Non- Access Stratum), Sl Application Protocol (S1AP), GTP-C (GPRS Tunneling Protocol Control Plane).
  • the list may then be updated dynamically from time to time with additional network protocols via feedback 232 received from the validator and database component 222.
  • Network packets 224 that are found to have been carried using a vulnerable protocol, indicated at 310, are forwarded by the decision module 300 to the counter and prioritization module 302.
  • the counter and prioritization module 302 prioritizes the vulnerable protocols with which the packets 310 were sent based on the number of times the protocol was used and a minimum occurrence threshold, n. For example, only protocols that have been used n times within a predefined time window (e.g., 1 hour, 1 day, etc.) are prioritized. Additionally, vulnerable protocols that are used more frequently are prioritized over vulnerable protocols that are used less frequently.
  • the counter and prioritization module 304 may prioritize only the 20 protocols with the highest number of occurrences within a predefined time window. By prioritizing protocols in this way, the counter and prioritization module 302 helps minimize the number of vulnerable protocols that are subsequently processed.
  • the value of n is an integer number (e.g., 100, 200, 300, etc.) that may be defined manually by the user or automatically by the counter and prioritization module 302 based on the time window used and the amount of network packets received within the time window. Network packets carried over the prioritized protocols are then forwarded as suspicious packets 312 to the dynamic machine learning component 220.
  • network packets 224 found not to have been carried using a vulnerable protocol, indicated at 314, may be considered safe and no further processing is needed.
  • these non- vulnerable protocol network packets 314 are forwarded by the decision module 300 to the feature extraction module 304 for further processing, as shown in the FIG. 3 example.
  • the feature extraction module 304 extracts features and attributes from the packets 314 and provides these features and attributes, indicated at 316, to the first learning algorithm 306 for analysis.
  • a network packet has a header and a payload. The header contains overhead information about the packet, the network service, and other transmission related information, while the payload contains the content carried by the packet.
  • the features and attributes extracted by the feature extraction module 304 are generally the properties that can identify the type of content carried by the packet.
  • Examples of features and attributes that may be extracted by the feature extraction module 304 comprise: Ethernet Size, Ethernet, Destination Address, Ethernet Source Address, IP (Internet Protocol) header Length, IP Type of Service, IP Length, IP Time To Live, IP Protocol, IP Source Address, IP Destination Address, TCP Source Port, TCP Destination Port, UDP Source Port, UDP Destination Port, UDP Length, ICMP (Internet Control Message Protocol) Type, ICMP Code, Duration of Connection, Connection Starting Time, Fragmentation, and the like.
  • IP Source Address such as A.B.C.D. and have feature(s) such as average package length and average response time less than a predefined threshold or as typically seen in normal traffic can represent malicious content, such as a botnet.
  • the features and attributes 316 provided by the features extraction module 304 are analyzed by using the Learning Algorithm I to determine whether they may match or otherwise correspond to features and attributes of known cyber attacks.
  • Examples of learning algorithms that may be used as the Learning Algorithm I in the first learning algorithm module 306 comprise Extreme Learning Machines (ELM), Self- Organizing Map (SOM), and Multi-Layer Perceptron (MLP) algorithms, as well as other suitable learning algorithms known to those skilled in the art. If it is determined that the features and attributes 316 overlap or coincide with a known attack, then the first learning algorithm module 306 forwards the packets as suspicious packets, indicated at 318, to be recorded in the log file 308.
  • the first learning algorithm module 306 serves as a sort of second check to detect newly vulnerable protocols that were previously considered to be non- vulnerable. If it is determined that the features and attributes 316 do not overlap or coincide with any known attacks, then the packets are forwarded to the dynamic machine learning module 220 as safe packets 320.
  • the log file 308 operates as a repository for suspicious packets carried over vulnerable protocols.
  • the log file 308 records information about the packets, such as timestamp, packet size, IP header, and network layers (e.g., Ethernet, TCP, application layer, etc.). Every time the first learning algorithm module 306 detects a new vulnerable protocol, that protocol is recorded into the log file 308, which may then be accessed by the other modules in the protocol analyzer component 218 as needed.
  • the log file 308 also forwards any suspicious packets 318 to the validator and database component 222.
  • the dynamic machine learning component 220 uses one or more functional modules and/or circuitries, such as a decision module and/or circuitry 400, a first feature extraction module and/or circuitry 402, a first linear algorithm module and/or circuitry 404 comprising a Linear Algorithm I, a second feature extraction module and/or circuitry 406, a second linear algorithm module and/or circuitry 408 comprising a Linear Algorithm II, a rule extractor and deduplicator module and/or circuitry 410, and a second learning algorithm module and/or circuitry 412 comprising a Learning Algorithm II.
  • a decision module and/or circuitry 400 uses one or more functional modules and/or circuitries, such as a decision module and/or circuitry 400, a first feature extraction module and/or circuitry 402, a first linear algorithm module and/or circuitry 404 comprising a Linear Algorithm I, a second feature extraction module and/or circuitry 406, a second linear algorithm module and/or circuitry 408 compris
  • modules and/or circuitries 400-412 operate in a manner that allows the dynamic machine learning component 220 to combine linear and learning algorithms to more efficiently detect cyber-attacks.
  • the modules and/or circuitries 400-412 can be implemented in one or more circuitries and/or modules, in any combination.
  • the decision module 400 receives suspicious packets 312 sent using a vulnerable protocol from the protocol analyzer component 218 and determines whether the packets were carried over UDP or TCP. Note that the function of the decision module 400 may also be implemented in the protocol analyzer component 218 instead of the dynamic machine learning component 220 in some embodiments. In either case, suspicious packets that were sent using UDP, indicated at 414, are forwarded to the first feature extraction module 402 for feature extraction.
  • the first feature extraction module 402 operates in the same or nearly the same manner as the feature extraction module 304 in the protocol analyzer module 218 to extract features and attributes of the suspicious packets and therefore will not be described in detail here. These features and attributes, indicated at 416, are provided to the first linear algorithm 404 for analysis.
  • the first linear algorithm module 404 analyzes the UDP packets to detect DoS attacks, since DoS attacks are mostly carried on UDP.
  • the Linear Algorithm I may be an algorithm that uses Support Vector Machine, Decision Tree, or Fuzzy Rule logic in order to minimize computational load.
  • other types of linear algorithms requiring low processing loads may certainly be used without departing from the scope of the disclosed embodiments. If the analysis performed by first linear algorithm module 404 determines that the UDP packets contain a DoS attack, then the UDP packets are forwarded as malicious packets, indicated at 418, to the validator and database component 222. Otherwise, the samples of UDP packets are forwarded as safe packets, indicated at 420, to the validator and database component 222.
  • Suspicious packets that were sent using TCP are forwarded to the second feature extraction module 406 for feature extraction.
  • the second feature extraction module 406 also operates in the same or nearly the same manner as the feature extraction module 304 in the protocol analyzer module 218 to extract features and attributes of the suspicious packets. These features and attributes, indicated at 424, are then provided to the second linear algorithm module 408 for analysis.
  • the second linear algorithm module 408 analyzes the TCP packets to detect other, non-DoS attacks.
  • the Linear Algorithm II may be an algorithm that uses Support Vector Machine, Decision Tree, or Fuzzy Rule logic in order to minimize computational load.
  • the analysis performed by the second linear algorithm module 408 determines that the TCP packets contain an attack, then the TCP packets are forwarded as attack packets, indicated at 426, to the rule extractor and duplicator module 410. Otherwise, the samples of TCP packets are forwarded as safe packets, indicated at 428, to the validator and database component 222.
  • the rule extractor and deduplicator module 410 operates to filter known attack packets against which the network is already protected by using information from other parallel- deployed security mechanisms.
  • the rule extractor and deduplicator module 410 uses a set of rules obtained from the other security mechanisms in the network to analyze (i.e., compare) the extracted features and attributes of the attack packets 426. These rules may be updated dynamically based on input from the parallel-deployed security mechanisms from time to time. If the rule extractor and deduplicator module 410 determines that the attack packets 426 reflect a known attack, the attack is ignored, as the network is already protected against such attacks.
  • a rule for the Snort network intrusion detection system follows is an example of a rule for the Snort network intrusion detection system:
  • the above rule sends an alert when there are network packets from source IP address 1.2.3.4 through any source port destined for IP address 5.6.7.8, which typically indicates a DoS Jolt attack. These network packets may therefore be ignored by the rule extractor and deduplicator module 410 as being indicative of a known attack. Otherwise, the rule extractor and deduplicator module 410 forwards the network packets as unknown attack, indicated at 430, to the second learning algorithm 412 for further analysis.
  • the second learning algorithm module 412 provides the final detection stage in some embodiments and the Learning Algorithm II therein may be any suitable type of unsupervised algorithms, such as Artificial Neural Networks (ANN), Genetic Algorithm (GA), SOM, Swarm intelligence (SI), and the like, as well as learning algorithms of the type commonly referred to as“deep neural networks.”
  • ANN Artificial Neural Networks
  • GA Genetic Algorithm
  • SOM Swarm intelligence
  • SI Swarm intelligence
  • an initial set of clusters are defined, for example, during the algorithm training process, that groups together attacks having similar features.
  • the clusters may comprise clusters for botnet attacks (B), malicious codes (M), and the like.
  • the unknown attack packets 430 are then labeled or otherwise assigned to one of the clusters based on the similarity of their features.
  • the packets that arrive at this module have already been identified as attack packets, if the packets do not exhibit features belonging to any of the already defined clusters, then they are considered a new type of attack (N) and the second learning algorithm 412 creates a new cluster for the packets. In this way, the features of the new type of attack (N) may be added to the second learning algorithm 412 for subsequent detection.
  • the second learning algorithm 412 then forwards the labeled attack packets as malicious packets 432 to the validator and database component 222.
  • FIG. 5 illustrates an exemplary implementation of the validator and database component 222 according to the disclosed embodiments.
  • the validator and database component 222 comprises one or more functional modules and/or circuitries, such as a validator module and/or circuitry 500 and a database module and/or circuitry 502. These functional modules and/or circuitries 500 and 502 operate together to allow the validator and database component 222 to validate detected attacks, store them in a database, and share the updates with other modules.
  • the modules and/or circuitries 500 and 502 can be implemented in one or more circuitries and/or modules, in any combination.
  • the validator module 500 operates essentially as an error detection module in order to decrease occurrences of false positives (FP) (i.e., suspicious/malicious packets inadvertently labeled as safe) and false negatives (FN) (i.e., safe packets inadvertently labeled as attacks).
  • FP false positives
  • FN false negatives
  • the validator module 500 receives both suspicious/malicious packets and samples of safe packets from the protocol analyzer component 218 and the dynamic machine learning component 220.
  • the validator module 500 then confirms whether these packets were correctly categorized (in the previous components) by comparing their features and attributes with those of known attack and safe traffic features and attributes. In some embodiments, the comparison is done on a numerical basis, with numerical values assigned to the features and attributes being compared.
  • the numerical values for the features and attributes of suspected botnet attacks should match those of known botnet attacks to within a predefined error margin, which may be a percentage (e.g., 5%, 10%, 15%, 20%, etc.) or a numerical value (e.g., 100, 200, 300, etc.).
  • the numerical values for different features may vary and may be assigned by a user as needed along with the allowable deviation or error margin. For example, some Peer-to-Peer (P2P) hots may have an average packet size of 108.88 (actual), whereas the average packet size for P2P software considered to be safe is 872.23 (expected), and the allowable deviation set by the user is 200.
  • the analysis yields an output of 250 (actual result) and classifies the traffic as safe traffic.
  • the comparison by the validator module 500 of the two average packet sizes (actual and expected) results in a difference of 622.23, which is greater the allowable deviation of 200.
  • the validator module 500 therefore flags or otherwise indicates that the packets were incorrectly categorized.
  • the output 504 of the validator 500 is then stored in the database 502.
  • the database module 502 operates to save the packets processed by the validator 500, such as samples of safe packets, packets from known (and hence dropped) attacks, and packets from unknown attacks.
  • the sampling of safe traffic may be done using a suitable packet sampling tool, such as sFlow and the like. Because the volume of safe packets is extremely large, the sampling rate may be kept small (e.g., every lOOth packet, 200th packet, etc.) in order to reduce the load on the HADM.
  • the packets from the unknown attacks along with their features and attributes are then provided as feedback to the protocol analyzer component 218 and the dynamic machine learning component 220 for use in subsequent detection. For example, the feedback may be used by the protocol analyzer component 218 to correct any false positives and false negatives that may have arisen.
  • FIG. 6 a detailed view of the exemplary HADM 216 is shown according to the disclosed embodiments. From this view, many of the components, circuitries, and modules described above may be seen in context with one another. In addition, a plurality of clusters may be seen in the second learning algorithm 412, such as a cluster 600 for botnet (B) attacks, a cluster 602 for malicious codes (M), and clusters 604 and 608 for other types of attacks. Feedback is provided from the database module 502 to the decision module 300 of the protocol analyzer component 218.
  • B botnet
  • M malicious codes
  • FN false negative
  • FIG. 7 is flow chart 700, or portion thereof, outlining a high-level method that may be used to operate the HADM described herein.
  • the flow chart 700 begins with input of traffic in the form of network packets at block 702.
  • the network packets arrive, they first go through a data normalization process at block 704 where the data in the packets undergo data conversion, data enrichment and data scaling operations.
  • data conversion converts data into a format that subsequent processes can understand, such as converting hexadecimal into decimal.
  • Data enrichment produces data elements by performing arithmetic and logical operations on the data in the packets.
  • Data scaling scales the data so that data fields have the same range of values and the variance among data fields is reduced.
  • the flow chart 700 proceeds to block 710 where the HADM undergoes testing using test data. Thereafter, the results of the testing is evaluated at block 712 to confirm the effectiveness and efficiency of the training from block 708.
  • FIG. 8 illustrates a flow chart 800, or portion thereof, showing a more detailed method that may be used to operate the HADM described herein.
  • the flow chart 800 begins with input of traffic in the form of network packets at block 802.
  • a decision is made whether the input traffic is carried on a vulnerable protocol by a decision module configured with a list of vulnerable protocols. If the input traffic is carried on a vulnerable protocol, meaning the traffic is suspicious traffic, then at block 806, a counter and prioritization module prioritizes the traffic based on the number of occurrences of the vulnerable protocol against a predefined threshold n.
  • the flow chart 800 then proceeds to block 808 where a determination is made whether the prioritized traffic is carried over UDP or TCP.
  • Traffic carried over UDP is processed at block 810 by a feature extraction module that extracts features of the traffic considered to be distinctive.
  • a first linear algorithm analyzes the traffic using the extracted features, and at block 814, a determination is made whether the traffic is suspicious or non- suspicious based on the analysis by the first linear algorithm at block 812.
  • a validator module validates the suspicious or non-suspicious traffic determination made at block 814 in the manner described above.
  • Traffic carried over TCP is processed at block 818 by another feature extraction module that extracts features of the traffic considered to be distinctive.
  • another linear algorithm analyzes the traffic using the extracted features, and at block 822, a determination is made whether the traffic is suspicious or non-suspicious based on the analysis by the second linear algorithm at block 820.
  • Traffic determined to be suspicious is analyzed by a rule extractor module at block 824 using rules already utilized by other in-place security mechanisms to protect the network.
  • a determination is made whether the suspicious traffic resembles attacks already accounted for by other, in-place security mechanisms based on the analysis by the rule extractor module at block 824.
  • both blocks 824 and 826 may be performed by a rule extractor and deduplicator 830.
  • the traffic is stored in a database at block 828 and dropped (i.e., ignored) or otherwise designated as not an attack. If the suspicious traffic resembles attacks against which the network is not already being protected, then at block 832, the traffic is processed by yet another feature extraction module, which extracts features of the traffic considered to be distinctive and analyzes the features for assignment to one of several existing clusters. At block 834, a determination is made whether the suspicious traffic may be assigned to one of several existing attack clusters based on the feature analysis at block 832. If the determination is yes, meaning the features of the suspicious traffic have already been learned, then the suspicious traffic is validated by the validator module at block 816 in the manner described above.
  • blocks 832, 834, and 836 may be performed by a learning algorithm 838.
  • the traffic is processed at block 840 by yet another feature extraction module that extracts features of the traffic considered to be distinctive.
  • another learning algorithm analyzes the non-suspicious traffic using the extracted feature to reconfirm that the traffic is not carried by a vulnerable protocol.
  • a determination is made at block 844 as to whether the traffic is suspicious or non-suspicious based on the analysis by the learning algorithm at block 842. If the determination is yes, meaning the non-suspicious traffic is actually suspicious, then it is recorded in a log file at block 846 and subsequently provided to the database at block 828 for storage.
  • this database also stores the results from the determination at block 826 and the validator module at block 816, and therefore contains known attacks, new attacks, as well as dropped attacks.
  • the database also provides feedback indicative of false positives (FP) and false negatives (FN) to the feature extraction modules at block 810, 818 and 840 and the decision module at block 804.
  • FIG. 9 illustrates an exemplary alternative implementation of the dynamic machine learning component 900 according to aspects of the disclosed embodiments.
  • This alternative implementation of the dynamic machine learning component 900 is similar to the dynamic machine learning component 220 shown in FIG. 4 insofar as it comprises a feature extraction module and/or circuitry 406, a linear algorithm 408 module and/or circuitry comprising a Linear Algorithm II, a rule extractor and deduplicator module and/or circuitry 410, and a learning algorithm 412 module and/or circuitry comprising a Learning Algorithm II.
  • the alternative dynamic machine learning component 900 depicted here can receive and process all network packets 224 directly from the mobile network 100.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Medical Informatics (AREA)
  • Artificial Intelligence (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Systems and methods for detecting and preventing cyber-attacks on communication networks provide a hybrid anomaly detection module (HADM) that uses a combination of linear algorithms and learning algorithms. The linear algorithms filter and extract distinctive attributes and features of the cyber-attacks and the learning algorithms use these attributes and features to identify new types of cyber-attacks. The learning algorithms, which may be algorithms that employ Artificial Neural Networks (ANN), Genetic Algorithm (GA), Extreme Learning Machines (ELM), Self-Organizing Map (SOM), Multi-Layer Perceptron (MLP), or Swarm intelligence (SI)and the like, have better detection accuracy when they are used along with linear algorithms, such as algorithms that employ Decision Tree,Support Vector Machine,or Fuzzy Ruleand the like. The use of linear algorithms in conjunction with learning algorithms allows the HADM to achieve improved cyber-attack detection over existing solutions.

Description

INTELLIGENT DEFENSE AND FILTRATION PLATFORM FOR NETWORK
TRAFFIC
FIELD OF THE INVENTION
The disclosed various example embodiments relate generally to computer network security and to improved systems and methods for automatically identifying and preventing cyber attacks on communication networks and cloud services.
BACKGROUND OF THE INVENTION
As society becomes increasingly connected to networks, such as mobile networks, both for work and leisure, users grow more reliant on the availability and integrity of mobile network services. Not only are mobile devices, such as smartphones and tablets, heavily dependent on secure mobile network services, a growing number of“smart” household appliances also require secure mobile network services. These household appliances along with home security systems, building management systems, vehicles control systems, and many other devices embedded with electronics make up a growing market referred to as the Internet of Things (IoT). This market as well as the market for cloud computing has experienced exponential growth in recent years and is expected to continue growing in coming years.
Although the above trend presents many potentially positive advancements for society in general and IoT and cloud computing, it also poses a number of security challenges for mobile network service providers and operators. Cyber-attackers using malicious programs or malware can compromise an entire network, leading to service disruptions, loss of data, and identity theft.
Accordingly, a need exists for improved systems and methods of detecting and preventing cyber-attacks on communication networks, such as mobile networks, for example 5G cloud networks.
SUMMARY OF THE DISCLOSED EMBODIMENTS
The embodiments disclosed herein are directed to various examples of improved cyber attacks systems and methods for detecting and preventing cyber-attacks on communication networks. The systems and methods provide a hybrid anomaly detection module (HADM) that uses a combination of linear algorithms and learning algorithms. The linear algorithms filter and extract distinctive attributes and features of the cyber-attacks and the learning algorithms use these attributes and features to identify new types of cyber-attacks. It has been found that learning algorithms, such as algorithms that employ neural networks and genetic search algorithms, have better detection accuracy when they are used along with linear algorithms, such as algorithms that employ Support Vector Machine (SVM), Decision Tree or Fuzzy Rule logic. The use of linear algorithms in conjunction with learning algorithms allows the HADM to achieve improved cyber-attack detection over existing solutions.
The HADM may comprise several processing components in some embodiments, such as a protocol analyzer, linear and learning algorithms, validator and database, and other components. These processing components may be implemented as software, hardware, or a combination of software and hardware depending on the particular application. The components are deployed in conjunction with one another to filter packets on the communication networks, such as mobile networks, for certain network protocols that are known or considered to be vulnerable to cyber-attacks. This allows the HADM to expend a smaller amount of processing resource on other network protocols, such as streaming protocols, that are not normally vulnerable and thus not typically targeted by cyber-attackers. The ability of the HADM to focus on vulnerable network protocols helps avoid burdening network servers with unnecessary computational load.
In general, the protocol analyzer component functions to filter the network packets and identify suspected protocols. For certain suspected attacks, such as DoS (denial of service) attacks, the protocol analyzer forwards the filtered packets to a linear algorithm. For other suspected attacks, the protocol analyzer forwards the filtered packets to a combination of a linear algorithm and a learning algorithm. The linear algorithm initially defines whether the packets are safe or unsafe regardless of the suspected attack type, then extracts the features of the suspected attack and provides them to the learning algorithm. The learning algorithm compares the extracted features against known attack features and classifies the suspected attack as either known or unknown, then outputs this information to the validator and database component.
The validator and database component validates the output of the linear and learning algorithms. In general, if the actual output (e.g., from the learning algorithm) differs from the expected output, then the actual output is considered as an error. The expected output refers to numeric values which are predefined by a user and represent safe traffic. The actual output are numeric values assigned to the features and attributes from the output of the learning algorithm. The comparison is done based on the values of these traffic features. The validator output is stored into database component and the attack features are provided as feedback to the protocol analyzer and the linear and learning algorithms for use in subsequent detections. Such an arrangement allows the HADM to dynamically define new attack features in order to better identify new types of cyber-attacks.
In general, in one aspect, the disclosed embodiments are directed to a computer-based method of detecting a cyber-attack on a communication network. The method comprises receiving, at a server connected to the communication network, a plurality of network packets from a computing device. The method further comprises extracting one or more features of the network packets at the server, the one or more features of the network packets being sufficiently distinctive to allow a content of the network packets to be designated as suspicious traffic or non- suspicious traffic. The method still further comprises performing an analysis of the one or more features of the network packets at the server using at least one linear algorithm in conjunction with at least one learning algorithm, and designating the network packets as suspicious traffic at the server based on the analysis performed using the at least one linear algorithm in conjunction with the at least one learning algorithm.
In general, in another aspect, the disclosed embodiments are directed to a computer-based system for detecting a cyber-attack on a communication network. The system comprises at least one processor and at least one memory connected to the at least one processor, the at least one memory having a plurality of processing components stored therein. The at least one memory and the plurality of processing components are configured to, with the at least one processor, cause the system at least to perform the plurality of the processing components. The plurality of the processing components comprises a protocol analyzer component configured to receive a plurality of network packets from a computing device via the communication network. The plurality of processing the components further comprises a dynamic machine learning component configured to extract one or more features of the network packets, the one or more features of the network packets being sufficiently distinctive to allow a content of the network packets to be designated as suspicious traffic or non-suspicious traffic. The dynamic machine learning component is further configured to perform an analysis of the one or more features of the network packets using at least one linear algorithm in conjunction with at least one learning algorithm and designate the network packets as suspicious traffic based on the analysis performed using the at least one linear algorithm in conjunction with the at least one learning algorithm.
In general, in still another aspect, the disclosed embodiments are directed to a computer- based system for detecting a cyber-attack on a communication network. The system comprises one or more processors and one or more storage devices connected to the one or more processors, the one or more storage devices storing computer-readable instructions thereon. The computer-readable instructions are executable by the one or more processors to cause the system to receive a plurality of network packets from a computing device via the communication network. The computer-readable instructions are further executable by the one or more processors to cause the system to extract one or more features of the network packets, the one or more features of the network packets being sufficiently distinctive to allow a content of the network packets to be designated as suspicious traffic or non- suspicious traffic. The computer-readable instructions are still further executable by the one or more processors to cause the system to perform an analysis of the one or more features of the network packets using at least one linear algorithm in conjunction with at least one learning algorithm and designate the network packets as suspicious traffic based on the analysis performed using the at least one linear algorithm in conjunction with the at least one learning algorithm.
BRIEF DESCRIPTION OF THE DRAWINGS
The foregoing and other advantages of the disclosed exemplary embodiments will become apparent upon reading the following detailed description and upon reference to the drawings, wherein:
FIG. 1 illustrates an exemplary communication network equipped with an exemplary hybrid anomaly detection module (HADM) according to aspects of the disclosed embodiments;
FIG. 2 illustrates an exemplary server having an exemplary HADM thereon according to aspects of the disclosed embodiments;
FIG. 3 illustrates an exemplary protocol analyzer module for an HADM according to aspects of the disclosed embodiments;
FIG. 4 illustrates an exemplary dynamic machine learning module for an HADM according to aspects of the disclosed embodiments;
FIG. 5 illustrates an exemplary threat validator and database storage module for an HADM according to aspects of the disclosed embodiments;
FIG. 6 illustrates a more detailed view of exemplary implementation of an HADM according to aspects of the disclosed embodiments;
FIG. 7 illustrates an exemplary flowchart for an HADM according to aspects of the disclosed embodiments;
FIG. 8 illustrates a more detailed view of an exemplary flowchart for an HADM according to aspects of the disclosed embodiments; and
FIG. 9 illustrates an exemplary alternative dynamic machine learning module for an HADM according to aspects of the disclosed embodiments. DETAILED DESCRIPTION OF THE DISCLOSED EMBODIMENTS
As an initial matter, it will be appreciated that the development of an actual, real commercial application incorporating aspects of the disclosed embodiments will require many implementation specific decisions to achieve a commercial embodiment. Such implementation specific decisions may comprise, and likely are not limited to, compliance with system related, business related, government related and other constraints, which may vary by specific implementation, location and from time to time. While a developer’s efforts might be considered complex and time consuming, such efforts would nevertheless be a routine undertaking for those of skill in this art having the benefit of this disclosure.
It should also be understood that the embodiments disclosed and taught herein are susceptible to numerous and various modifications and alternative forms. Thus, the use of a singular term, such as, but not limited to,“a” and the like, is not intended as limiting of the number of items. Similarly, any relational terms, such as, but not limited to, “top,”“bottom,”“left,” “right,”“upper,”“lower,”“down,”“up,”“side,” and the like, used in the written description are for clarity in specific reference to the drawings and are not intended to limit the scope of the invention.
As alluded to above, the embodiments disclosed herein relate to improved systems, apparatuses, and methods for detecting and preventing cyber-attacks on communication networks, such as mobile networks. At a high level, the systems, apparatuses, and methods provide one or more modules and/or circuitries that can detect and/or prevent cyber-attacks and/or anomalies, such as a hybrid anomaly detection module (HADM), that uses a combination of linear algorithms and learning algorithms. The linear algorithms filter and extract attributes and features of the attacks and the learning algorithms use these attributes and features to identify new attacks. The use of linear algorithms in conjunction with learning algorithms allows the HADM to achieve improved performance compared to existing network security solutions.
Referring now to FIG. 1, a communication network 100, such as a mobile communication network, is shown equipped with an HADM according to disclosed embodiments. The network 100 may be any current or soon-to-be available mobile network, such as 3G, 4G, 5G, cloud services and similar networks, that can provide online or Internet connectivity to computing devices. Several computing devices are connected to the network 100 in the present example, such as a smartphone 102, a personal computer 104, as well as a personal communication device, one or more communication network equipment, one or more IoT devices, one or more sensor devices, one or more vehicles, and one or more smart household appliances, indicated generally at 106, or any combination thereof. These computing devices 102, 104, and 106 may of course comprise any other computing device that is capable of transmitting to and receiving data packets from the communication network 100, for example over a mobile communication link 108, such as a cellular communication link.
In accordance with the disclosed embodiments, the communication network 100 comprises at least one network system or apparatus 110, such as at least one network server 110 having an HADM, or one or more of the HADM elements, circuitries and/or processing components, implemented thereon. The at least one network server 110 may be any suitable server capable of processing network packets sent to the network 100, such as one or more physical servers as well as one or more virtual (i.e., cloud based) servers. The HADM may then execute a number of the processing components in conjunction with one another on the at least one network server 110 to detect and prevent cyber-attacks on the mobile network 100. In certain embodiments, the HADM focuses on one or more particular network protocols that are known or considered to be vulnerable to cyber-attacks over other protocols that are not considered vulnerable and therefore not typically used by cyber-attackers, such as streaming protocols. This allows the HADM to avoid burdening the at least one network server 110 with unnecessary computational load.
FIG. 2 shows an exemplary physical implementation of the at least one network server 110 having the HADM thereon. This network server 110 may be any suitable computing system known to those having ordinary skill in the art, such as a high-end computer, workstation, main frame, circuitry, and the like. Such a network server 110 typically comprises a bus 200 or other communication mechanism for transferring information within the network server 110 and one or more circuitries, such as one or more single or multi-core CPU’s (Central Processing Unit) 202, such as field programmable gate arrays (FPGA), an AI (Artificial Intelligence) accelerator or a GPU (Graphics Processing Unit), or any combination thereof, coupled with the bus 200 for processing the information. The network server 110 may also comprise a main memory 204, such as a random access memory (RAM) or other dynamic storage device coupled to the bus 200 for storing computer-readable instructions, such as one or more computer program product, to be executed by the CPU 202. The main memory 204 may also be used for storing temporary variables or other intermediate information during execution of the instructions to be executed by the CPU 202. The network server 110 may further comprise a read only memory (ROM) 206 or other static storage device coupled to the bus 200 for storing static information and instructions for the CPU 202. A computer-readable storage device 208, such as a magnetic disk or optical disk, may be coupled to the bus 200 for storing information and instructions for the CPU 202. The term“computer-readable instructions” as used above refers to instructions that may be performed by the CPU 202 and/or other components of the network server 110. In some exemplary embodiments, the term“computer-readable medium” refers to non-transitory storage medium that may be used to store the computer-readable instructions. Such a computer-readable medium may take many forms, such as, but not limited to, non-volatile media, volatile media, and transmission media. Non-volatile media may comprise, for example, optical or magnetic disks, such as the storage device 208. Volatile media may comprise dynamic memory, such as main memory 204. Transmission media may comprise coaxial cables, copper wire and fiber optics, such as wires of the bus 200. Transmission itself may take the form of acoustic or light waves, such as those generated during radio frequency (RF) and infrared (IR) data communications. Common forms of computer-readable media may comprise, for example, a floppy disk, a flexible disk, hard disk, magnetic tape, other magnetic medium, a CD ROM (Compact Disc Read-Only Memory), DVD (Digital Versatile Disc), other optical medium, a RAM (Random-access memory), a PROM (Programmable read-only memory), an EPROM (Erasable programmable read-only memory, a FLASH EPROM, other memory chip or cartridge, or any other medium from which a computer can read.
The CPU 202 may also be coupled via the bus 200 to a display 210, such as a liquid crystal display (LCD), cathode ray tube (CRT), and the like for displaying information to a user. One or more input devices 212, such as alphanumeric and other keyboards, mouse, trackball, cursor direction keys, and so forth, may be coupled to the bus 200 for communicating information and command selections to the CPU 202. A communication interface 214 provides two-way data communication between the network server 110 and other computers. In one example, the communication interface 214 may be an integrated services digital network (ISDN) card or a modem used to provide a data communication connection to a corresponding type of communication line. As another example, the communication interface 214 may be a local area network (LAN) card used to provide a data communication connection to a compatible LAN. Wireless links may also be implemented via the communication interface 214. In summary, the main function of the communication interface 214 is to send and receive electrical, electromagnetic, optical, or other signals that carry digital data streams representing various types of information.
In accordance with the disclosed embodiments, an HADM 216, or rather the computer- readable instructions therefore, may also reside on the storage device 208. The computer- readable instructions for the HADM 216 may then be executed by the CPU 202 and/or other components of the network server 110. For easy reference, the HADM 216 has been expanded into several discrete blocks or modules representing operational phases, such as Phase 1, Phase 2, and Phase 3, each operational phase comprising a phase-specific processing component. Those having ordinary skill in the art will understand, of course, that any of the blocks in FIG. 2 and throughout the drawings may be divided into several constituent blocks, or two or more blocks may be combined into a single block, without departing from the scope of the disclosed embodiments. The first operational phase, Phase 1, is a protocol analyzer phase and comprises a protocol analyzer component 218, such as a protocol analyzer circuitry. The second operational phase, Phase 2, is a dynamic machine learning phase and comprises a dynamic machine learning component 220, such as dynamic machine learning circuitry. The third operational phase, Phase 3, is a validator and database phase and comprises a validator and database component 222, such as a validator and database circuitry.
As used herein, the term“circuitry” may refer to one or more or all of the following: (a) hardware-only circuit implementations (such as implementations in only analog and/or digital circuitry); (b) combinations of hardware circuits and software, such as (as applicable): (i) a combination of analog and/or digital hardware circuit(s) with software/firmware and (ii) any portions of hardware processor(s) with software (such as digital signal processor(s)), software, and memory(ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions); and (c) hardware circuit(s) and or processor(s), such as a microprocessor(s) or a portion of a microprocessor(s), that requires software (e.g., firmware) for operation, but the software may not be present when it is not needed for operation. This definition of circuitry applies to all uses of this term herein, including in any claims. As a further example, as used herein, the term circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware. The term circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in server, a cellular network device, or other computing or network device.
In operation, the protocol analyzer component 218 receives network packets and filters such packets, indicated generally at 224. The protocol analyzer component 218 looks specifically for packets sent using a network protocol that is considered or has been found to be vulnerable to cyber-attacks. Packets that were sent using a vulnerable protocol, indicated generally at 226, are provided to the dynamic machine learning component 220 for detection of malicious code or content. Packets that were sent using a non-vulnerable protocol, indicated generally at 228, are forwarded directly to the validator and database component 222 for further validation. At the dynamic machine learning component 220, the headers and payloads of the vulnerable protocol packets 226 are processed by a combination of linear and learning algorithms to detect possible attacks or anomalies. Features and attributes of one or more suspected attacks that are considered to be distinctive are extracted and provided to the validator and database component 222, indicated generally at 230. At the validator and database component 222, the extracted features and attributes 230 are compared against the expected output defined in the validator. The packets that are sent using a non-vulnerable protocol, indicated generally at 228, are likewise validated by the validator and database component 222 in a similar manner. The validation results are stored by the validator and database component 222 in a database and their attack features are provided as feedback 232 to the protocol analyzer component 218 and the dynamic machine learning component 220 for use in subsequent detections.
FIG. 3 illustrates an exemplary implementation of the protocol analyzer component 218 according to the disclosed embodiments. In this example, the protocol analyzer component 218 uses one or more functional modules and/or circuitries to filter the network packets 224, such as a decision module and/or circuitry 300, a counter and prioritization module and/or circuitry 302, a feature extraction module and/or circuitry 304, a first learning algorithm module and/or circuitry 306 comprising a Learning Algorithm I, and a log file 308. These functional modules and/or circuitries 300-308 operate in a manner that allows the protocol analyzer component 218 to focus on packets sent using a network protocol that is considered to be vulnerable to cyber-attacks. In one exemplary embodiment, the modules and/or circuitries 300-306 can be implemented in one or more circuitries and/or modules, in any combination.
The decision module 300 is responsible for receiving the network packets 224 and checking the packet headers to determine whether the packets were carried using a vulnerable network protocol. As those skilled in the art are aware, certain network protocols like TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are more vulnerable to cyber-attacks than protocols like RTSP (Real Time Streaming Protocol), which are considered safe. To make the determination, the decision module 300 compares the received network packets 224 against a list of network protocols that are known or have been found to be vulnerable from the log file 308.
In general, any network protocol that is carrying packets over the network, whether on the user plane or control plane, can be vulnerable and may be included on the list used in the decision module 300. For user plane packets, TCP and UDP are the transport layer protocols that carry most of the application layer protocols, so any packets sent using TCP and UDP can be vulnerable. However, for efficient processing and load balancing, the list in the decision module 300 may focus on specific application layer protocols that are known to be vulnerable to cyber-attacks. Examples of vulnerable application layer protocols that may be on the list comprise Hypertext Transfer Protocol (HTTP), Secure Shell (SSH), File Transfer Protocol (FTP), GTP-U (GPRS Tunneling Protocol User Plane), Proxy Mobile Internet Protocol (PMIP), OpenFlow, and Domain Name System (DNS).
For control plane packets, in general, any protocol that carries signaling packets over the network can be vulnerable and may be included on the list used in the decision module 300. These protocols may comprise IP based protocols as well as non-IP based protocols. Examples of vulnerable control plane protocols that may be on the list comprise NAS (Non- Access Stratum), Sl Application Protocol (S1AP), GTP-C (GPRS Tunneling Protocol Control Plane). The list may then be updated dynamically from time to time with additional network protocols via feedback 232 received from the validator and database component 222.
Network packets 224 that are found to have been carried using a vulnerable protocol, indicated at 310, are forwarded by the decision module 300 to the counter and prioritization module 302. The counter and prioritization module 302 prioritizes the vulnerable protocols with which the packets 310 were sent based on the number of times the protocol was used and a minimum occurrence threshold, n. For example, only protocols that have been used n times within a predefined time window (e.g., 1 hour, 1 day, etc.) are prioritized. Additionally, vulnerable protocols that are used more frequently are prioritized over vulnerable protocols that are used less frequently. For example, if there are currently 20 vulnerable protocols that satisfy the minimum occurrence threshold and a 21 st protocol is found to meet the threshold, then the counter and prioritization module 304 may prioritize only the 20 protocols with the highest number of occurrences within a predefined time window. By prioritizing protocols in this way, the counter and prioritization module 302 helps minimize the number of vulnerable protocols that are subsequently processed. The value of n is an integer number (e.g., 100, 200, 300, etc.) that may be defined manually by the user or automatically by the counter and prioritization module 302 based on the time window used and the amount of network packets received within the time window. Network packets carried over the prioritized protocols are then forwarded as suspicious packets 312 to the dynamic machine learning component 220. As an alternative option, it may be desirable in some implementations to omit the counter and prioritization module 302, as indicated by dashed line 3l0a, and forward the vulnerable protocol packets directly to the dynamic machine learning component 220.
In some embodiments, network packets 224 found not to have been carried using a vulnerable protocol, indicated at 314, may be considered safe and no further processing is needed. In other embodiments, these non- vulnerable protocol network packets 314 are forwarded by the decision module 300 to the feature extraction module 304 for further processing, as shown in the FIG. 3 example. The feature extraction module 304 extracts features and attributes from the packets 314 and provides these features and attributes, indicated at 316, to the first learning algorithm 306 for analysis. Normally, a network packet has a header and a payload. The header contains overhead information about the packet, the network service, and other transmission related information, while the payload contains the content carried by the packet. The features and attributes extracted by the feature extraction module 304 are generally the properties that can identify the type of content carried by the packet. Examples of features and attributes that may be extracted by the feature extraction module 304 comprise: Ethernet Size, Ethernet, Destination Address, Ethernet Source Address, IP (Internet Protocol) header Length, IP Type of Service, IP Length, IP Time To Live, IP Protocol, IP Source Address, IP Destination Address, TCP Source Port, TCP Destination Port, UDP Source Port, UDP Destination Port, UDP Length, ICMP (Internet Control Message Protocol) Type, ICMP Code, Duration of Connection, Connection Starting Time, Fragmentation, and the like. As a simple illustration, network packets that come from an IP Source Address such as A.B.C.D. and have feature(s) such as average package length and average response time less than a predefined threshold or as typically seen in normal traffic can represent malicious content, such as a botnet.
At the first learning algorithm module 306, the features and attributes 316 provided by the features extraction module 304 are analyzed by using the Learning Algorithm I to determine whether they may match or otherwise correspond to features and attributes of known cyber attacks. Examples of learning algorithms that may be used as the Learning Algorithm I in the first learning algorithm module 306 comprise Extreme Learning Machines (ELM), Self- Organizing Map (SOM), and Multi-Layer Perceptron (MLP) algorithms, as well as other suitable learning algorithms known to those skilled in the art. If it is determined that the features and attributes 316 overlap or coincide with a known attack, then the first learning algorithm module 306 forwards the packets as suspicious packets, indicated at 318, to be recorded in the log file 308. In this way, the first learning algorithm module 306 serves as a sort of second check to detect newly vulnerable protocols that were previously considered to be non- vulnerable. If it is determined that the features and attributes 316 do not overlap or coincide with any known attacks, then the packets are forwarded to the dynamic machine learning module 220 as safe packets 320.
The log file 308, as the name suggests, operates as a repository for suspicious packets carried over vulnerable protocols. In general, the log file 308 records information about the packets, such as timestamp, packet size, IP header, and network layers (e.g., Ethernet, TCP, application layer, etc.). Every time the first learning algorithm module 306 detects a new vulnerable protocol, that protocol is recorded into the log file 308, which may then be accessed by the other modules in the protocol analyzer component 218 as needed. The log file 308 also forwards any suspicious packets 318 to the validator and database component 222.
An exemplary implementation of the dynamic machine learning component 220 is depicted in FIG. 4. Like the previous component, the dynamic machine learning component 220 uses one or more functional modules and/or circuitries, such as a decision module and/or circuitry 400, a first feature extraction module and/or circuitry 402, a first linear algorithm module and/or circuitry 404 comprising a Linear Algorithm I, a second feature extraction module and/or circuitry 406, a second linear algorithm module and/or circuitry 408 comprising a Linear Algorithm II, a rule extractor and deduplicator module and/or circuitry 410, and a second learning algorithm module and/or circuitry 412 comprising a Learning Algorithm II. These functional modules and/or circuitries 400-412 operate in a manner that allows the dynamic machine learning component 220 to combine linear and learning algorithms to more efficiently detect cyber-attacks. In one exemplary embodiment, the modules and/or circuitries 400-412 can be implemented in one or more circuitries and/or modules, in any combination.
The decision module 400 receives suspicious packets 312 sent using a vulnerable protocol from the protocol analyzer component 218 and determines whether the packets were carried over UDP or TCP. Note that the function of the decision module 400 may also be implemented in the protocol analyzer component 218 instead of the dynamic machine learning component 220 in some embodiments. In either case, suspicious packets that were sent using UDP, indicated at 414, are forwarded to the first feature extraction module 402 for feature extraction. The first feature extraction module 402 operates in the same or nearly the same manner as the feature extraction module 304 in the protocol analyzer module 218 to extract features and attributes of the suspicious packets and therefore will not be described in detail here. These features and attributes, indicated at 416, are provided to the first linear algorithm 404 for analysis.
The first linear algorithm module 404 analyzes the UDP packets to detect DoS attacks, since DoS attacks are mostly carried on UDP. In some embodiments, in the first linear algorithm module 404 the Linear Algorithm I may be an algorithm that uses Support Vector Machine, Decision Tree, or Fuzzy Rule logic in order to minimize computational load. However, other types of linear algorithms requiring low processing loads may certainly be used without departing from the scope of the disclosed embodiments. If the analysis performed by first linear algorithm module 404 determines that the UDP packets contain a DoS attack, then the UDP packets are forwarded as malicious packets, indicated at 418, to the validator and database component 222. Otherwise, the samples of UDP packets are forwarded as safe packets, indicated at 420, to the validator and database component 222.
Suspicious packets that were sent using TCP, indicated at 422, are forwarded to the second feature extraction module 406 for feature extraction. As with the first feature extraction module 402, the second feature extraction module 406 also operates in the same or nearly the same manner as the feature extraction module 304 in the protocol analyzer module 218 to extract features and attributes of the suspicious packets. These features and attributes, indicated at 424, are then provided to the second linear algorithm module 408 for analysis.
The second linear algorithm module 408 analyzes the TCP packets to detect other, non-DoS attacks. In some embodiments, in the second linear algorithm module 408 the Linear Algorithm II may be an algorithm that uses Support Vector Machine, Decision Tree, or Fuzzy Rule logic in order to minimize computational load. Of course, other types of linear algorithms requiring low processing loads may certainly be used without departing from the scope of the disclosed embodiments. If the analysis performed by the second linear algorithm module 408 determines that the TCP packets contain an attack, then the TCP packets are forwarded as attack packets, indicated at 426, to the rule extractor and duplicator module 410. Otherwise, the samples of TCP packets are forwarded as safe packets, indicated at 428, to the validator and database component 222.
The rule extractor and deduplicator module 410 operates to filter known attack packets against which the network is already protected by using information from other parallel- deployed security mechanisms. In some embodiments, the rule extractor and deduplicator module 410 uses a set of rules obtained from the other security mechanisms in the network to analyze (i.e., compare) the extracted features and attributes of the attack packets 426. These rules may be updated dynamically based on input from the parallel-deployed security mechanisms from time to time. If the rule extractor and deduplicator module 410 determines that the attack packets 426 reflect a known attack, the attack is ignored, as the network is already protected against such attacks. Following is an example of a rule for the Snort network intrusion detection system:
“alert ip 1.2.3.4 any -> 5.6.7.8 any (msg:"DOS Jolt attack"; dsize:408;
fragbits:M; reference: eve, 1999-0345; classtype:attempted-dos; sid:268;
rev:4;)”
The above rule sends an alert when there are network packets from source IP address 1.2.3.4 through any source port destined for IP address 5.6.7.8, which typically indicates a DoS Jolt attack. These network packets may therefore be ignored by the rule extractor and deduplicator module 410 as being indicative of a known attack. Otherwise, the rule extractor and deduplicator module 410 forwards the network packets as unknown attack, indicated at 430, to the second learning algorithm 412 for further analysis.
The second learning algorithm module 412 provides the final detection stage in some embodiments and the Learning Algorithm II therein may be any suitable type of unsupervised algorithms, such as Artificial Neural Networks (ANN), Genetic Algorithm (GA), SOM, Swarm intelligence (SI), and the like, as well as learning algorithms of the type commonly referred to as“deep neural networks.” In the second learning algorithm 412, an initial set of clusters are defined, for example, during the algorithm training process, that groups together attacks having similar features. The clusters may comprise clusters for botnet attacks (B), malicious codes (M), and the like. The unknown attack packets 430 are then labeled or otherwise assigned to one of the clusters based on the similarity of their features. Since the packets that arrive at this module have already been identified as attack packets, if the packets do not exhibit features belonging to any of the already defined clusters, then they are considered a new type of attack (N) and the second learning algorithm 412 creates a new cluster for the packets. In this way, the features of the new type of attack (N) may be added to the second learning algorithm 412 for subsequent detection. The second learning algorithm 412 then forwards the labeled attack packets as malicious packets 432 to the validator and database component 222.
FIG. 5 illustrates an exemplary implementation of the validator and database component 222 according to the disclosed embodiments. As with previous components, the validator and database component 222 comprises one or more functional modules and/or circuitries, such as a validator module and/or circuitry 500 and a database module and/or circuitry 502. These functional modules and/or circuitries 500 and 502 operate together to allow the validator and database component 222 to validate detected attacks, store them in a database, and share the updates with other modules. In one exemplary embodiment, the modules and/or circuitries 500 and 502 can be implemented in one or more circuitries and/or modules, in any combination.
The validator module 500 operates essentially as an error detection module in order to decrease occurrences of false positives (FP) (i.e., suspicious/malicious packets inadvertently labeled as safe) and false negatives (FN) (i.e., safe packets inadvertently labeled as attacks). To this end, the validator module 500 receives both suspicious/malicious packets and samples of safe packets from the protocol analyzer component 218 and the dynamic machine learning component 220. The validator module 500 then confirms whether these packets were correctly categorized (in the previous components) by comparing their features and attributes with those of known attack and safe traffic features and attributes. In some embodiments, the comparison is done on a numerical basis, with numerical values assigned to the features and attributes being compared. Thus, for example, the numerical values for the features and attributes of suspected botnet attacks should match those of known botnet attacks to within a predefined error margin, which may be a percentage (e.g., 5%, 10%, 15%, 20%, etc.) or a numerical value (e.g., 100, 200, 300, etc.). The numerical values for different features may vary and may be assigned by a user as needed along with the allowable deviation or error margin. For example, some Peer-to-Peer (P2P) hots may have an average packet size of 108.88 (actual), whereas the average packet size for P2P software considered to be safe is 872.23 (expected), and the allowable deviation set by the user is 200. The analysis (from the linear or learning algorithm) yields an output of 250 (actual result) and classifies the traffic as safe traffic. The comparison by the validator module 500 of the two average packet sizes (actual and expected) results in a difference of 622.23, which is greater the allowable deviation of 200. The validator module 500 therefore flags or otherwise indicates that the packets were incorrectly categorized. The output 504 of the validator 500 is then stored in the database 502.
The database module 502 operates to save the packets processed by the validator 500, such as samples of safe packets, packets from known (and hence dropped) attacks, and packets from unknown attacks. The sampling of safe traffic may be done using a suitable packet sampling tool, such as sFlow and the like. Because the volume of safe packets is extremely large, the sampling rate may be kept small (e.g., every lOOth packet, 200th packet, etc.) in order to reduce the load on the HADM. The packets from the unknown attacks along with their features and attributes are then provided as feedback to the protocol analyzer component 218 and the dynamic machine learning component 220 for use in subsequent detection. For example, the feedback may be used by the protocol analyzer component 218 to correct any false positives and false negatives that may have arisen.
Referring now to FIG. 6, a detailed view of the exemplary HADM 216 is shown according to the disclosed embodiments. From this view, many of the components, circuitries, and modules described above may be seen in context with one another. In addition, a plurality of clusters may be seen in the second learning algorithm 412, such as a cluster 600 for botnet (B) attacks, a cluster 602 for malicious codes (M), and clusters 604 and 608 for other types of attacks. Feedback is provided from the database module 502 to the decision module 300 of the protocol analyzer component 218. As can be seen, if a vulnerable protocol in the log file 308 had not been considered earlier as a vulnerable protocol, resulting in a false negative (FN), the feedback would allow the protocol to be added to the protocol analyzer 218 as a vulnerable protocol for future detection. Similarly, feedback from the database module 502 to the feature extraction modules 304, 402 and 406 allow any false negative (FN) to be corrected in the first and second linear algorithms 404 and 408 and the first learning algorithm 306, respectively. The above corrections apply equally for false positives (FP) (i.e., packets that were inadvertently designated as containing attacks).
Thus far, a number of specific embodiments have been described. Following now in FIG. 7 is flow chart 700, or portion thereof, outlining a high-level method that may be used to operate the HADM described herein. Those having ordinary skill in the art will understand of course that alternative arrangements may be derived from the teachings presented herein without departing from the scope of the disclosed embodiments.
As can be seen in FIG. 7, the flow chart 700, or portion thereof, begins with input of traffic in the form of network packets at block 702. When the network packets arrive, they first go through a data normalization process at block 704 where the data in the packets undergo data conversion, data enrichment and data scaling operations. More specifically, data conversion converts data into a format that subsequent processes can understand, such as converting hexadecimal into decimal. Data enrichment produces data elements by performing arithmetic and logical operations on the data in the packets. Data scaling scales the data so that data fields have the same range of values and the variance among data fields is reduced.
After data normalization, a determination is made at block 706 to determine whether the HADM has previously undergone training. If no training has been previously done, then training is needed and the flow chart 700 proceeds to block 708 where the HADM undergoes training. Such training may involve, for example, training the learning algorithms 306, 404, 408 and/or 412. Likewise, if the HADM has already been trained, but the training took place outside a predefined time window or after a predefined amount of data, then the flow chart 700 proceeds to block 708 where the HADM undergoes retraining to ensure it can handle data properly. The time window and the amount of data may be selected by a user based on the particular application. If it is determined at block 706 that no training is needed, then the flow chart 700 proceeds to block 710 where the HADM undergoes testing using test data. Thereafter, the results of the testing is evaluated at block 712 to confirm the effectiveness and efficiency of the training from block 708.
FIG. 8 illustrates a flow chart 800, or portion thereof, showing a more detailed method that may be used to operate the HADM described herein. As with the previous flowchart 700, the flow chart 800, or portion thereof, begins with input of traffic in the form of network packets at block 802. At block 804, a decision is made whether the input traffic is carried on a vulnerable protocol by a decision module configured with a list of vulnerable protocols. If the input traffic is carried on a vulnerable protocol, meaning the traffic is suspicious traffic, then at block 806, a counter and prioritization module prioritizes the traffic based on the number of occurrences of the vulnerable protocol against a predefined threshold n.
The flow chart 800 then proceeds to block 808 where a determination is made whether the prioritized traffic is carried over UDP or TCP. Traffic carried over UDP is processed at block 810 by a feature extraction module that extracts features of the traffic considered to be distinctive. At block 812, a first linear algorithm analyzes the traffic using the extracted features, and at block 814, a determination is made whether the traffic is suspicious or non- suspicious based on the analysis by the first linear algorithm at block 812. At block 816, a validator module validates the suspicious or non-suspicious traffic determination made at block 814 in the manner described above.
Traffic carried over TCP is processed at block 818 by another feature extraction module that extracts features of the traffic considered to be distinctive. At block 820, another linear algorithm analyzes the traffic using the extracted features, and at block 822, a determination is made whether the traffic is suspicious or non-suspicious based on the analysis by the second linear algorithm at block 820. Traffic determined to be suspicious is analyzed by a rule extractor module at block 824 using rules already utilized by other in-place security mechanisms to protect the network. At block 826, a determination is made whether the suspicious traffic resembles attacks already accounted for by other, in-place security mechanisms based on the analysis by the rule extractor module at block 824. In some embodiments, both blocks 824 and 826 may be performed by a rule extractor and deduplicator 830.
If the suspicious traffic resembles attacks against which the network is already being protected, then the traffic is stored in a database at block 828 and dropped (i.e., ignored) or otherwise designated as not an attack. If the suspicious traffic resembles attacks against which the network is not already being protected, then at block 832, the traffic is processed by yet another feature extraction module, which extracts features of the traffic considered to be distinctive and analyzes the features for assignment to one of several existing clusters. At block 834, a determination is made whether the suspicious traffic may be assigned to one of several existing attack clusters based on the feature analysis at block 832. If the determination is yes, meaning the features of the suspicious traffic have already been learned, then the suspicious traffic is validated by the validator module at block 816 in the manner described above. If the determination is no, meaning the features of the suspicious traffic have not been learned yet, then a new cluster is created at block 836 and used for feature analysis at block 832, and the process is repeated. In some embodiments, blocks 832, 834, and 836 may be performed by a learning algorithm 838.
Returning to block 804, if it is determined that the input traffic is not carried on a vulnerable protocol, meaning the traffic is non- suspicious, then the traffic is processed at block 840 by yet another feature extraction module that extracts features of the traffic considered to be distinctive. At block 842, another learning algorithm analyzes the non-suspicious traffic using the extracted feature to reconfirm that the traffic is not carried by a vulnerable protocol. A determination is made at block 844 as to whether the traffic is suspicious or non-suspicious based on the analysis by the learning algorithm at block 842. If the determination is yes, meaning the non-suspicious traffic is actually suspicious, then it is recorded in a log file at block 846 and subsequently provided to the database at block 828 for storage. As explained above, this database also stores the results from the determination at block 826 and the validator module at block 816, and therefore contains known attacks, new attacks, as well as dropped attacks. The database also provides feedback indicative of false positives (FP) and false negatives (FN) to the feature extraction modules at block 810, 818 and 840 and the decision module at block 804.
FIG. 9 illustrates an exemplary alternative implementation of the dynamic machine learning component 900 according to aspects of the disclosed embodiments. This alternative implementation of the dynamic machine learning component 900 is similar to the dynamic machine learning component 220 shown in FIG. 4 insofar as it comprises a feature extraction module and/or circuitry 406, a linear algorithm 408 module and/or circuitry comprising a Linear Algorithm II, a rule extractor and deduplicator module and/or circuitry 410, and a learning algorithm 412 module and/or circuitry comprising a Learning Algorithm II. However, unlike the dynamic machine learning component 220 depicted in FIG. 4, the alternative dynamic machine learning component 900 depicted here can receive and process all network packets 224 directly from the mobile network 100. There is no need to determine beforehand whether the network packets 224 are carried over a vulnerable or a non- vulnerable network protocol, or prioritize the network packets according to the frequency of occurrence of the network protocols, or distinguish between UDP and TCP network packets in these alternative embodiments. Such an arrangement allows the linear algorithm 408, the rule extractor and deduplicator module and/or circuitry 410, and the learning algorithm 412 to process all network packets.
While particular aspects, implementations, and applications of the present disclosure have been illustrated and described, it is to be understood that the present disclosure is not limited to the precise construction and compositions disclosed herein and that various modifications, changes, and variations may be apparent from the foregoing descriptions without departing from the spirit and scope of the disclosed embodiments as defined in the appended claims.

Claims

1. A computer-based method of detecting a cyber-attack on a communication network, comprising:
receiving, at a server connected to the communication network, a plurality of network packets from a computing device;
extracting one or more features of the network packets at the server, the one or more features of the network packets being sufficiently distinctive to allow a content of the network packets to be designated as suspicious traffic or non-suspicious traffic;
performing an analysis of the one or more features of the network packets at the server using at least one linear algorithm in conjunction with at least one learning algorithm; and
designating the network packets as suspicious traffic at the server based on the analysis performed using the at least one linear algorithm in conjunction with the at least one learning algorithm.
2. The computer-based method according to claim 1, wherein the network packets are received from the computing device over a network protocol, further comprising determining whether the network protocol is on a list of vulnerable network protocols at the server.
3. The computer-based method according to claim 2, further comprising prioritizing the network packets according to a frequency of occurrence of the network protocol at the server if the frequency of occurrence of the network protocol exceeds a predetermined threshold.
4. The computer-based method according to any one of claims 1 to 3, further comprising determining at the server whether the one or more features of the network packets correspond to one or more features of a cyber-attack against which the communication network is already protected based on the analysis of the one or more features.
5. The computer-based method according to claim 4, further comprising storing the network packets in a database as not being a cyber-attack if the one or more features of the network packets correspond to one or more features of a cyber-attack against which the communication network is already protected.
6. The computer-based method according to claim 5, further comprising validating the network packets at the server by comparing a numerical value of the one or more features of the network packets against a predefined expected value for the one or more features if the one or more features of the network packets do not correspond to one or more features of a cyber-attack against which the communication network is already protected.
7. The computer-based method according to claim 6, further comprising storing the network packets in the database as being a new cyber-attack if the numerical value of the one or more features of the network packets matches the predefined expected value to within a predefined error margin.
8. The computer-based method according to claim 7, further comprising determining whether the one or more features of the network packets correspond to any existing attack cluster of the at least one learning algorithm at the server and defining a new attack cluster for the one or more features of the network packets if the one or more features of the network packets do not correspond to any existing attack cluster of the at least one learning algorithm.
9. The computer-based method according to claim 7, further comprising using information stored in the database to correct incorrect designations of non-suspicious network packets as suspicious network packets or incorrect designations of suspicious network packets as non-suspicious network packets at the server.
10. The computer-based method according to claim 2, further comprising:
extracting one or more features of the network packets at the server if the network protocol is not on the list of vulnerable network protocols, the one or more features of the network packets being sufficiently distinctive to allow a content of the network packets to be designated as suspicious traffic or non-suspicious traffic;
performing an analysis of the one or more features of the network packets at the server using at least one learning algorithm; and
designating the network packets as suspicious traffic or non-suspicious traffic at the server based on the analysis performed using the at least one learning algorithm.
11. The computer-based method according to claim 10, further comprising recording the network protocol as a vulnerable network protocol in a log file at the server and adding the network protocol to the list of vulnerable network protocols at the server.
12. The computer-based method according to any one of claims 1 to 8, wherein the at least one linear algorithm comprises an algorithm that employs one of the following logic: Support Vector Machine, Decision Tree, or Fuzzy Rule.
13. The computer-based method according to any one of claims 1 to 11, wherein the at least one learning algorithm is one of the following algorithms: Artificial Neural Networks (ANN), Genetic Algorithm (GA), Extreme Learning Machines (ELM), Self-Organizing Map (SOM), Multi-Layer Perceptron (MLP), or Swarm intelligence (SI).
14. The computer-based method according to any one of claims 1 to 11, wherein the list of vulnerable network protocols comprises the following protocols: Hypertext Transfer Protocol, Transmission Control Protocol, and User Datagram Protocol.
15. A computer-based system comprising means for performing the method of any one of claims 1 to 14.
16. A computer-readable medium having a computer-program product stored thereon for causing a computer to perform the method of any one of claims 1 to 14.
17. A computer-based system for detecting a cyber-attack on a communication network, comprising:
at least one processor;
at least one memory connected to the at least one processor, the at least one memory having a plurality of processing components stored therein;
the at least one memory and the plurality of processing components are configured to, with the at least one processor, cause the system at least to perform the plurality of the processing components comprising:
a protocol analyzer component configured to receive a plurality of network packets from a computing device via the communication network; and
a dynamic machine learning component configured to extract one or more features of the network packets if the network protocol is on the list of vulnerable network protocols, the one or more features of the network packets being sufficiently distinctive to allow a content of the network packets to be designated as suspicious traffic or non-suspicious traffic;
the dynamic machine learning component further configured to perform an analysis of the one or more features of the network packets using at least one linear algorithm in conjunction with at least one learning algorithm and designate the network packets as suspicious traffic based on the analysis performed using the at least one linear algorithm in conjunction with the at least one learning algorithm.
18. The computer-based system according to claim 17, wherein the network packets are received from the computing device over a network protocol and the protocol analyzer component is further configured to determine whether the network protocol is on a list of vulnerable network protocols.
19. The computer-based system according to claim 18, wherein the protocol analyzer component is further configured to prioritize the network packets according to a frequency of occurrence of the network protocol if the frequency of occurrence of the network protocol exceeds a predetermined threshold.
20. The computer-based system according to claims 17 to 19, wherein the dynamic machine learning component is further configured to determine whether the one or more features of the network packets correspond to one or more features of a cyber-attack against which the communication network is already protected.
21. The computer-based system according to claim 20, wherein the dynamic machine learning component is further configured store the network packets in a database as not being a cyber-attack if the one or more features of the network packets correspond to one or more features of a cyber-attack against which the communication network is already protected.
22. The computer-based system according to claim 21, wherein the plurality of processing components further comprise a validator and database component configured to validate the network packets by comparing a numerical value of the one or more features of the network packets against a predefined expected value if the one or more features of the network packets do not correspond to a cyber-attack against which the communication network is already protected.
23. The computer-based system according to claim 22, wherein the validator and database component is further configured to store the network packets in the database as being a new cyber-attack if the numerical value of the one or more features of the network packets matches the predefined expected value to within a predefined error margin.
24. The computer-based system according to claim 23, wherein the dynamic machine learning component is further configured to determine whether the one or more features of the network packets correspond to any existing attack cluster of the at least one learning algorithm and define a new attack cluster for the one or more features of the network packets if the one or more features of the network packets do not correspond to any existing attack cluster of the at least one learning algorithm.
25. The computer-based system according to claim 23, wherein the dynamic machine learning component is further configured to use information stored in the database to correct incorrect designations of non- suspicious network packets as suspicious network packets or incorrect designations of suspicious network packets as non-suspicious network packets.
26. The computer-based system according to claim 18, wherein the protocol analyzer component is further configured to:
extract one or more features of the network packets if the network protocol is not on the list of vulnerable network protocols, the one or more features of the network packets being sufficiently distinctive to allow a content of the network packets to be designated as suspicious traffic or non-suspicious traffic;
perform an analysis of the one or more features of the network packets using at least one learning algorithm; and
designate the network packets as suspicious traffic or non-suspicious traffic based on the analysis performed using the at least one learning algorithm.
27. The computer-based method according to claim 26, wherein the protocol analyzer component is further configured to record the network protocol as a vulnerable network protocol in a log file and add the network protocol to the list of vulnerable network protocols.
28. The computer-based system according to any one of claims 17 to 23, wherein the at least one linear algorithm comprises an algorithm that employs one of the following logic: Support Vector Machine, Decision Tree, or Fuzzy Rule.
29. The computer-based system according to any one of claims 17 to 27, wherein the at least one learning algorithm is one of the following algorithms: Artificial Neural Networks (ANN), Genetic Algorithm (GA), Extreme Learning Machines (ELM), Self-Organizing Map (SOM), Multi-Layer Perceptron (MLP), or Swarm intelligence (SI).
30. The computer-based system according to any one of claims 17 to 27, wherein the list of vulnerable network protocols comprises the following protocols: Hypertext Transfer Protocol, Transmission Control Protocol, and User Datagram Protocol.
31. A computer-based system for detecting a cyber-attack on a communication network, comprising:
one or more processors; one or more storage devices connected to the one or more processors, the one or more storage devices storing computer-readable instructions thereon, the computer-readable instructions executable by the one or more processors to cause the system to:
receive a plurality of network packets from a computing device via the communication network;
extract one or more features of the network packets, the one or more features of the network packets being sufficiently distinctive to allow a content of the network packets to be designated as suspicious traffic or non-suspicious traffic;
perform an analysis of the one or more features of the network packets using at least one linear algorithm in conjunction with at least one learning algorithm; and
designate the network packets as suspicious traffic based on the analysis performed using the at least one linear algorithm in conjunction with the at least one learning algorithm.
32. The computer-based system according to claim 31, wherein the network packets are received from the computing device over a network protocol and the computer-readable instructions are further executable by the one or more processors to cause the system to determine whether the network protocol is on a list of vulnerable network protocols.
33. The computer-based system according to claim 32, wherein the network packets are received from the computing device over a network protocol and the computer-readable instructions are further executable by the one or more processors to cause the system to prioritize the network packets according to a frequency of occurrence of the network protocol if the frequency of occurrence of the network protocol exceeds a predetermined threshold.
34. The computer-based system according to claims 31 to 33, wherein the computer- readable instructions are further executable by the one or more processors to cause the system to determine whether the one or more features of the network packets correspond to one or more features of a cyber-attack.
35. The computer-based system according to claim 34, wherein the computer-readable instructions are further executable by the one or more processors to cause the system to store the network packets in a database as not being a cyber-attack if the one or more features of the network packets correspond to one or more features of a cyber-attack against which the communication network is already protected.
36. The computer-based system according to claim 35, wherein the computer-readable instructions are further executable by the one or more processors to cause the system to validate the network packets by comparing a numerical value of the one or more features of the network packets against a predefined expected value for the one or more features if the one or more features of the network packets do not correspond to one or more features of a cyber-attack against which the communication network is already protected.
37. The computer-based system according to claim 36, wherein the computer-readable instructions are further executable by the one or more processors to cause the system to store the network packets in the database as being a new cyber-attack if the numerical value of the one or more features of the network packets matches the predefined expected value to within a predefined error margin.
38. The computer-based system according to claim 37, wherein the computer-readable instructions are further executable by the one or more processors to cause the system to determine whether the one or more features of the network packets correspond to any existing attack cluster of the at least one learning algorithm and define a new attack cluster for the one or more features of the network packets if the one or more features of the network packets do not correspond to any existing attack cluster of the at least one learning algorithm.
39. The computer-based system according to claim 37, wherein the computer-readable instructions are further executable by the one or more processors to cause the system to use information stored in the database to correct incorrect designations of non-suspicious network packets as suspicious network packets or incorrect designations of suspicious network packets as non-suspicious network packets.
40. The computer-based system according to claim 32, wherein the computer-readable instructions are further executable by the one or more processors to cause the system to: extract one or more features of the network packets if the network protocol is not on the list of vulnerable network protocols, the one or more features of the network packets being sufficiently distinctive to allow a content of the network packets to be designated as suspicious traffic or non-suspicious traffic;
perform an analysis of the one or more features of the network packets using at least one learning algorithm; and
designate the network packets as suspicious traffic or non-suspicious traffic based on the analysis performed using the at least one learning algorithm.
41. The computer-based method according to claim 40, wherein the computer-readable instructions are further executable by the one or more processors to cause the system to record the network protocol as a vulnerable network protocol in a log file and add the network protocol to the list of vulnerable network protocols.
42. The computer-based system according to any one of claims 31 to 39, wherein the at least one linear algorithm comprises an algorithm that employs one of the following logic: Support Vector Machine, Decision Tree, or Fuzzy Rule.
43. The computer-based system according to any one of claims 31 to 41, wherein the at least one learning algorithm is one of the following algorithms: Artificial Neural Networks (ANN), Genetic Algorithm (GA), Extreme Learning Machines (ELM), Self-Organizing Map (SOM), Multi-Layer Perceptron (MLP), or Swarm intelligence (SI).
44. The computer-based system according to any one of claims 31 to 41, wherein the list of vulnerable network protocols comprises the following protocols: Hypertext Transfer Protocol, Transmission Control Protocol, and User Datagram Protocol.
45. A computer program comprising instructions for causing an apparatus to perform at least the following:
receiving, at a server connected to a communication network, a plurality of network packets from a computing device;
extracting one or more features of the network packets at the server, the one or more features of the network packets being sufficiently distinctive to allow a content of the network packets to be designated as suspicious traffic or non-suspicious traffic;
performing an analysis of the one or more features of the network packets at the server using at least one linear algorithm in conjunction with at least one learning algorithm; and
designating the network packets as suspicious traffic at the server based on the analysis performed using the at least one linear algorithm in conjunction with the at least one learning algorithm.
46. The computer program according to the claim 45, further comprising instructions for causing the apparatus to perform any one of claims 2 through 14.
47. An apparatus comprising means for performing:
receiving, at a server connected to a communication network, a plurality of network packets from a computing device;
extracting one or more features of the network packets at the server, the one or more features of the network packets being sufficiently distinctive to allow a content of the network packets to be designated as suspicious traffic or non-suspicious traffic; performing an analysis of the one or more features of the network packets at the server using at least one linear algorithm in conjunction with at least one learning algorithm; and designating the network packets as suspicious traffic at the server based on the analysis performed using the at least one linear algorithm in conjunction with the at least one learning algorithm.
48. The apparatus according to the claim 47, wherein the means are further configured to perform any one of claims 2 through 14.
EP17832511.4A 2017-12-29 2017-12-29 Intelligent defense and filtration platform for network traffic Withdrawn EP3732844A1 (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/FI2017/050953 WO2019129915A1 (en) 2017-12-29 2017-12-29 Intelligent defense and filtration platform for network traffic

Publications (1)

Publication Number Publication Date
EP3732844A1 true EP3732844A1 (en) 2020-11-04

Family

ID=61007714

Family Applications (1)

Application Number Title Priority Date Filing Date
EP17832511.4A Withdrawn EP3732844A1 (en) 2017-12-29 2017-12-29 Intelligent defense and filtration platform for network traffic

Country Status (2)

Country Link
EP (1) EP3732844A1 (en)
WO (1) WO2019129915A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113103535A (en) * 2021-03-17 2021-07-13 贵州大学 GA-ELM-GA-based injection molding part mold parameter optimization method

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111181930A (en) * 2019-12-17 2020-05-19 中移(杭州)信息技术有限公司 DDoS attack detection method, device, computer equipment and storage medium
FR3106914B1 (en) * 2020-01-31 2022-10-28 Orange Method for monitoring data exchanged on a network and intrusion detection device
CN113139598B (en) * 2021-04-22 2022-04-22 湖南大学 Intrusion detection method and system based on improved intelligent optimization algorithm
CN113242226A (en) * 2021-05-05 2021-08-10 航天云网云制造科技(浙江)有限公司 Big data-based intelligent network security situation prediction method
CN114866349B (en) * 2022-07-06 2022-11-15 深圳市永达电子信息股份有限公司 Network information filtering method
FR3142058A1 (en) * 2022-11-15 2024-05-17 Commissariat A L'energie Atomique Et Aux Energies Alternatives Method and device for detecting network intrusion by anomaly in network communications

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110231564A1 (en) * 2000-09-25 2011-09-22 Yevgeny Korsunsky Processing data flows with a data flow processor
US8856926B2 (en) * 2008-06-27 2014-10-07 Juniper Networks, Inc. Dynamic policy provisioning within network security devices
US8418249B1 (en) * 2011-11-10 2013-04-09 Narus, Inc. Class discovery for automated discovery, attribution, analysis, and risk assessment of security threats

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113103535A (en) * 2021-03-17 2021-07-13 贵州大学 GA-ELM-GA-based injection molding part mold parameter optimization method

Also Published As

Publication number Publication date
WO2019129915A1 (en) 2019-07-04

Similar Documents

Publication Publication Date Title
Lima Filho et al. Smart detection: an online approach for DoS/DDoS attack detection using machine learning
US11985169B2 (en) Classification of unknown network traffic
EP3732844A1 (en) Intelligent defense and filtration platform for network traffic
US11899786B2 (en) Detecting security-violation-associated event data
US11394728B2 (en) Associating a user identifier detected from web traffic with a client address
US8418249B1 (en) Class discovery for automated discovery, attribution, analysis, and risk assessment of security threats
US9426166B2 (en) Method and apparatus for processing finite automata
US9426165B2 (en) Method and apparatus for compilation of finite automata
JP5362669B2 (en) Efficient classification of network packets
Hatef et al. HIDCC: A hybrid intrusion detection approach in cloud computing
US20230025946A1 (en) Network Attack Detection Method and Apparatus
US20170034195A1 (en) Apparatus and method for detecting abnormal connection behavior based on analysis of network data
WO2019190403A1 (en) An industrial control system firewall module
Bensaid et al. Toward a Real‐Time TCP SYN Flood DDoS Mitigation Using Adaptive Neuro‐Fuzzy Classifier and SDN Assistance in Fog Computing
US11552986B1 (en) Cyber-security framework for application of virtual features
Shaikh et al. Advanced signature-based intrusion detection system
McLaren et al. Mining malware command and control traces
CN115086068B (en) Network intrusion detection method and device
Li et al. FusionTC: Encrypted App Traffic Classification Using Decision‐Level Multimodal Fusion Learning of Flow Sequence
Schumacher et al. One-Class Models for Intrusion Detection at ISP Customer Networks
KR102369240B1 (en) Apparatus and method for detecting network intrusion
Ismail et al. Stateless malware packet detection by incorporating naive bayes with known malware signatures
Lee et al. Malicious traffic compression and classification technique for secure internet of things
BS et al. P‐DNN: Parallel DNN based IDS framework for the detection of IoT vulnerabilities
Bahlali Anomaly-based network intrusion detection system: A machine learning approach

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20200729

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

17Q First examination report despatched

Effective date: 20220329

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20220809