EP4128701A1 - Communication management method and associated devices - Google Patents

Communication management method and associated devices

Info

Publication number
EP4128701A1
Authority
EP
European Patent Office
Prior art keywords
communication
network
collaboration
entity
action
Prior art date
Legal status
Pending
Application number
EP21732372.4A
Other languages
English (en)
French (fr)
Inventor
Mohamed Boucadair
Christian Jacquenet
Current Assignee
Orange SA
Original Assignee
Orange SA

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/166 Implementing security features at a particular protocol layer at the transport layer
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/141 Denial of service attacks against endpoints in a network

Definitions

  • the invention relates to the general field of telecommunications.
  • Such a service can be, for example, an intrusion or computer attack detection service, a flow filtering service via a firewall, an address translation service (or NAT for Network Address Translation), etc.
  • the invention applies in particular to computer attacks of the denial of service type (DoS (for "Denial of Service" in English) or DDoS (for "Distributed DoS" in English)).
  • A DoS attack can be defined as an attempt to make resources in an IT domain, such as network or compute resources, for example, unavailable to their users.
  • DDoS attacks are increasingly massive and likely to compromise several hundred thousand user equipment (fixed or mobile terminals, connected objects, servers, network resources, routers (CPE (for "Customer Premises Equipment" in English) for example), digital decoders of the STB type (for "Set Top Box" in English), service instances (or "Service Functions" in English), etc.), which can in turn be used as relays to amplify the harmful power of these attacks.
  • the company Symantec, in its annual report for 2019, reports nearly 24,000 applications embedded in mobile devices blocked daily by such attacks, a 600% increase between 2016 and 2017 in attacks targeting connected objects, and an increase in the volume of attack traffic between 2016 and 2017, which represented 5% of global web traffic in 2016 against 7.8% in 2017.
  • DDoS attacks are also more and more frequent and intense. They are also protean, both in terms of their size (volume of attack traffic, amplitude of the attack, etc.) and in terms of their nuisance range (a single target machine, or several targeting the local network of a company, an operator's network, etc.).
  • the targets of these attacks or the relays used to propagate them are also extremely varied: fixed or mobile terminals, connected objects, servers, network resources, etc.
  • DPS protection services for "DDoS Protection Services" in English.
  • When a DPS protection service is subscribed to with an access provider, it is generally present on the path taken by the traffic entering and / or leaving the computer domain monitored and protected by the DPS service.
  • the task of such a DPS service can prove difficult in the case of encryption of incoming and / or outgoing traffic.
  • today we are witnessing an increase in encrypted traffic, in particular with the increasing use of the QUIC transport protocol by certain commonly used applications such as the browsers provided by companies like Mozilla or Google to access Internet websites. This increase responds to a major concern of users, who wish to ensure the confidentiality of their communications and of the data exchanged during them.
  • the QUIC protocol is a protocol which is based on the UDP protocol (User Datagram Protocol).
  • the ambition of the QUIC protocol is in particular to reduce the latency times generally observed during the establishment of TCP (Transmission Control Protocol) connections (thus making it possible to exchange data more quickly), and to better accommodate the presence of intermediate entities (eg firewalls, NAT) on the paths supporting communications.
  • the QUIC protocol is described for example in the IETF document by J. Iyengar et al. titled “QUIC: A UDP-based multiplexed and secure transport”, draft- ietf-quic-transport, 2019.
  • Such a packet comprises a public header 1 (that is to say unencrypted) comprising three elements: a first byte 1-1 comprising various indicators
  • the packet also includes an encrypted part 2, containing in particular the payload data transported by the packet, as well as various connection control information, such as, for example, information concerning the number of channels supported, information relating to the migration of the connection, changes of connection identifiers, etc.
  • a QUIC packet does not expose useful information for filtering traffic entering a computer domain such as for example start information and end of connection, acknowledgments, etc.
  • a proxy responsible for intercepting, in a manner transparent to the users, the characteristic data of their QUIC communications and for analyzing these characteristics to determine whether the traffic passing through it is legitimate (that is, consented to by users) or suspicious (that is, likely to be associated with a computer attack).
  • each proxy should maintain a connection with each of the devices involved in the communication, without however explicitly indicating this to the latter.
  • Each proxy must also maintain a state for each of the connections that it maintains, which requires significant resources (network, CPU, etc.). It thus constitutes de facto a particularly sensitive and critical element in the event of failure (also referred to as SPOF (“Single Point of Failure”)).
  • the devices at the origin of QUIC communications can be multi-interface (that is to say have several access interfaces offering them connectivity via one or more networks), and thus establish communications using multiple paths or, on the contrary, only one path.
  • a proxy located on one of the paths has no visibility on the overall traffic associated with such a multi-interface device.
  • the invention meets this need by proposing, according to a first aspect, a method of managing communications according to a given transport protocol of a first device of a network, this method being implemented by the first device and comprising, following a detection of a computer attack, a step of activating, at the level of the first device, a collaboration with at least one entity of the network to mitigate the computer attack, this collaboration comprising the execution by the first device of at least one determined action, called a collaboration action, during at least one said communication of the first device according to the given transport protocol, via the network.
  • the invention also relates to a first device of a network, comprising an activation module, triggered following a detection of a computer attack, and configured to activate at the level of the first device a collaboration with at least a network entity to mitigate the computer attack, this activation module being configured to perform, during this collaboration, at least one determined action called collaboration, during at least one communication from the first device according to a transport protocol given, through the network.
  • the first device can be user equipment (acting either as client or server) such as a terminal, server, gateway, etc., to which the network provides connectivity, but it can also be equipment of the network infrastructure itself, participating in the management of communications within the network, such as a router.
  • the network entity can be any network device likely to be involved in the management of the detected computer attack, such as, for example, a piece of equipment implementing an intrusion detection and / or attack mitigation function (e.g. DPS service), a firewall function, a NAT function, or even a network controller.
  • the first device and the network entity may be under the responsibility of the same administrative entity. This is typically the case of implementation within a corporate network.
  • the invention applies in a privileged manner to the QUIC transport protocol, but it can also be implemented for other transport protocols for which problems similar to those mentioned above for the QUIC protocol may arise (eg lack of access to communications control information, absence of an explicit consent signal in the packet, etc.).
  • the invention proposes, when a computer attack is detected, to request or encourage the collaboration of the devices ("first devices" within the meaning of the invention) communicating via the network with one or more network entities in order to mitigate the computer attack. All the devices participating in a communication, or only some of them, can thus be brought to collaborate with the network.
  • This collaboration consists of the execution of one or more determined actions, which may typically depend on the transport protocol used to establish the communications and on its characteristics, these actions aiming to make it easier for the network entities responsible for mitigating the computer attack to distinguish legitimate traffic (that is to say traffic authorized by the user of the device) from suspicious traffic likely to be attributed to the attack.
  • Such actions can be, for example, for a communication according to a given transport protocol:
  • actions have a privileged application in the context of the QUIC protocol for which the control information relating to communications is encrypted and inaccessible by the entities of the network. Thanks to such actions, the entities involved in the mitigation of the current computer attack have a better visibility on the overall traffic destined for or emitted by the first devices and can, by analyzing this traffic, determine more easily whether it is legitimate or associated with the attack, and take appropriate action accordingly.
  • the invention by means of collaborative actions, moreover offers a less radical and more efficient solution in terms of performance than that consisting in a unilateral blocking by the network of the use of the transport protocol in question.
  • the devices are spared the long delay during the establishment of their communications that unilateral filtering of the QUIC protocol by the communications network would cause (this delay coming from the time taken by the devices to notice the failure of the establishment of their communications according to the QUIC protocol due to the filtering operated by the network).
  • the collaborative actions are activated by the device itself, including the (temporary) deactivation of the use of the QUIC protocol.
  • collaboration activated in accordance with the invention can also consist of the execution of a combination of actions, for example a disclosure of the control information and a freeze of the migration of the communication identifiers.
  • the collaboration proposed by the invention therefore advantageously makes it possible to improve the efficiency of the mitigation efforts undertaken within the network by targeting risky communications more easily. It also makes it possible to avoid a sudden interruption of communications following the detection of a computer attack.
  • the invention makes it possible to associate the ("first") communicating devices with the management of attacks. They are the ones who remain masters of the collaborative actions that are implemented (that is to say they are the ones who carry them out during their communications), even though these actions can be chosen in association with, or suggested by, the network entities involved in attack mitigation.
  • the invention thus offers transparency as to the processing carried out by the network.
  • said at least one collaborative action is executed by the first device for a determined period.
  • This duration can be defined by default, or be fixed by the network or by the first device, and if necessary, be readjusted or renewed, for example as long as the computer attack is in progress. In this way, we ensure the exceptional nature of the collaboration thus put in place, so as to preserve the interests of users. Such a precaution allows the first device to control the information that it shares during the collaboration and to avoid abusive exploitation of this collaboration by the network.
  • the duration of execution of said at least one collaborative action is chosen to be greater than 60 minutes. Indeed, studies show that the vast majority of recent attacks lasted more than an hour, a small percentage of them having lasted more than 12 hours or even more than a day. It is noted that it is also possible, in a particular embodiment, to limit the number of collaborations with the network that can be activated by the first device. For example, it is possible to envisage allowing the activation of only one collaboration as proposed by the invention every 24 hours to avoid the abuse of certain networks.
  • the activation step is triggered by a reception from said at least one entity of the network, of a message proposing said collaboration.
  • the collaboration can be at the initiative of an entity of the network involved in the mitigation of the attack in progress, for example because it encounters difficulties in qualifying the traffic coming from or intended for the first device (consented versus suspect).
  • the collaboration can be decided locally, at the level of the first device, for example because the latter has been informed or has detected a computer attack, or because it has been requested by one of its correspondents during a call.
  • the implementation of the invention is therefore particularly flexible.
  • the communications management method further comprises a sending step, to at least one second device participating in at least one said communication according to said given transport protocol with said first device, of an information message informing said second device of the execution by the first device of said at least one collaborative action.
  • the first device informs its correspondents of the fact that it wishes or has agreed to collaborate with entities of the network for all or part of its communications, and in particular those involving the second device thus informed.
  • the collaboration is implemented in full transparency for each of the devices involved in the communications concerned by this collaboration.
  • the execution of said at least one collaborative action by the first device can moreover be conditioned by the reception of an agreement from the second device.
  • the information message sent by the first device to the second device comprises at least one condition for executing said collaborative action.
  • Such an execution condition is for example a duration of execution of the collaboration action, or the communications or applications to which the said collaboration action applies (for example in which direction the collaboration is applied, that is, first device to second device and / or second device to first device), etc.
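As an added example (not the patent's own code), the following Python sketch shows how a first device can enforce the safeguards described above: a collaboration period chosen above 60 minutes, renewal only while the attack is in progress, at most one activation per 24 hours, and an information message to the second device carrying the execution conditions (duration and direction). The action labels, direction names, default period and message fields are assumptions.

```python
"""Device-side control of collaboration duration and frequency (added example,
not the patent's code). Figures from the page: period above 60 minutes,
renewable while the attack continues, at most one activation per 24 hours.
Action labels, direction names and message fields are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Sequence

HOUR = 3600.0
MIN_DURATION_S = 60 * 60 + 1       # page: duration chosen "greater than 60 minutes"
ACTIVATION_WINDOW_S = 24 * HOUR    # page: at most one activation every 24 hours
DEFAULT_DURATION_S = 2 * HOUR      # assumed default period (respects the rule above)


@dataclass
class Collaboration:
    attack_id: str
    actions: Sequence[str]   # assumed labels, e.g. "disclose_control_info"
    direction: str           # assumed: "to_second", "from_second" or "both"
    started_at: float
    expires_at: float


class CollaborationController:
    """Runs on the first device, which stays in control of what it executes."""

    def __init__(self, max_activations_per_window: int = 1) -> None:
        self.max_per_window = max_activations_per_window
        self._activations: List[float] = []     # timestamps of past activations
        self.current: Optional[Collaboration] = None

    def _recent_activations(self, now: float) -> int:
        cutoff = now - ACTIVATION_WINDOW_S
        self._activations = [t for t in self._activations if t > cutoff]
        return len(self._activations)

    def is_active(self, now: float) -> bool:
        """The action stops by itself once the agreed period has elapsed."""
        if self.current is not None and now < self.current.expires_at:
            return True
        self.current = None
        return False

    def activate(self, now: float, attack_id: str, actions: Sequence[str],
                 direction: str = "both",
                 duration_s: float = DEFAULT_DURATION_S) -> Optional[dict]:
        """Start a collaboration after an attack is detected (locally or on a
        network entity's proposal). Returns the information message for the
        second device, or None when the device refuses: already collaborating
        or the per-window activation cap is reached."""
        if duration_s < MIN_DURATION_S:
            raise ValueError("collaboration period must exceed 60 minutes")
        if self.is_active(now) or self._recent_activations(now) >= self.max_per_window:
            return None
        self.current = Collaboration(attack_id, tuple(actions), direction,
                                     now, now + duration_s)
        self._activations.append(now)
        return self.information_message()

    def renew(self, now: float, attack_in_progress: bool,
              extra_s: float = DEFAULT_DURATION_S) -> bool:
        """Readjust the period only while the attack continues. A renewal is
        not a new activation, so it does not count against the 24 h cap."""
        if not self.is_active(now) or not attack_in_progress:
            self.current = None
            return False
        self.current.expires_at = now + extra_s
        return True

    def applies_to(self, now: float, direction: str) -> bool:
        """Whether the action must be executed on traffic in this direction."""
        if not self.is_active(now):
            return False
        return self.current.direction in ("both", direction)

    def information_message(self) -> dict:
        """Message informing the second device, with the execution conditions
        (duration and direction) the page gives as examples."""
        c = self.current
        if c is None:
            raise RuntimeError("no collaboration in progress")
        return {"type": "collaboration_info",
                "attack_id": c.attack_id,
                "actions": list(c.actions),
                "conditions": {"duration_s": c.expires_at - c.started_at,
                               "direction": c.direction}}
```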
  • the invention is based, in order to implement a collaboration between the communicating devices and the entities of the network, not only on the communicating devices themselves (first and second devices within the meaning of invention), but also on the network entities benefiting from this collaboration.
  • the invention also relates to a method of communication with a first device of a network, this method being implemented by a second device and comprising: a step of receiving an information message from the first device, informing the second device of an execution by the first device of at least one action determined during at least one communication according to a transport protocol given with the second device, said action, called collaboration, allowing collaboration with at least one entity of the network to mitigate a computer attack;
  • the invention also relates to a device, said second device, comprising a communication module with a first device of a network, this communication module being configured for:
  • the communication method and the second device benefit from the same advantages mentioned above as the management method and the first device according to the invention.
  • At least one data packet exchanged during a said communication according to the transport protocol given between the first and second devices includes at least one header indicating in clear at least one piece of control information for this communication among:
  • this control information in the headers of the packets exchanged between the first and second devices advantageously makes it possible not to increase the signaling exchanged on the network.
  • this information can be encoded for example in reserved fields of the short or long header of QUIC packets.
  • this control information can be transmitted in dedicated messages, provided specifically for this purpose.
  • the invention also relates to a method of communication by an entity of a network to at least one device of the network, said method comprising, following an inability of said entity to determine whether a data flow intended for said or coming from said device is associated or not with a computer attack, a step of sending by said entity to said device a message proposing a collaboration of the device to mitigate said computer attack, said collaboration comprising an execution by the device of at least one determined action called collaboration, during at least one communication of said device according to a given transport protocol via said network.
  • the invention also relates to an entity of a network comprising a communication module, triggered by an inability of said entity to determine whether a data flow intended for or coming from a (first) device of the network is associated or not with a computer attack, this communication module being configured to send to said device a message proposing a collaboration of the device to mitigate said computer attack, said collaboration comprising an execution by the device of at least one determined so-called collaboration action, during at least one communication of said device according to a given transport protocol via the network.
  • the method of communication by the network entity and the network entity benefit from the same advantages mentioned above as the management method, the first device, the method of communication by the second device and the second device according to the invention.
  • the method of communication by the entity of the network further comprises a step of receiving at least one piece of information identifying at least one flow intended for said device and granted by the latter, or identifying at least one flow intended for said device and considered by the latter as being a flow associated with a computer attack.
  • This embodiment allows the first device to share with the entity of the network, independently or not of its current communications, the knowledge on the legitimate flows or on the contrary the suspect flows which it has locally.
  • This information can be provided for example:
  • This embodiment also makes it possible to activate easily and quickly upstream of the first device, at the level of the entity of the network, mechanisms for filtering the flows of the attack.
  • the method of communication by the network entity further comprises a step of sending to said device an authorization request for routing to said device of at least one stream of data identified in said request.
  • This embodiment allows the network entity to request explicit consent from the first device for the routing to the latter of the flows relating to its communications.
  • the method of communication by the network entity further comprises:
  • a step of receiving at least one data packet exchanged during said communication comprising at least one header in which at least one item of control information for said communication among a state of an establishment of said communication, a sending consent and / or reception of data packets by said device during said communication, and a consent or an absence of consent by said device of said communication is indicated in clear;
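As an added example (not part of the patent text), the following Python shows how the control information listed above could be carried in the two reserved bits of a QUIC short header by a collaborating device and read by a network entity such as the DPS entity to qualify flows as consented or suspect. The bit assignment, the 8-byte connection ID length and the sample packets are assumptions, since FIG. 7 is not reproduced on this page; a short-header packet is by construction post-handshake, so the establishment state is implicit.

```python
"""Collaboration flags in a QUIC-style short header (added example, not the
patent's code). RFC 9000 short header first byte: 0 1 S R R K P P, where
R R (0x18) are reserved bits a conforming endpoint sends as zero. ASSUMED
layout: a collaborating device sets 0x10 ("collaborating") and 0x08
("consented"), so 00 stays indistinguishable from a normal endpoint."""
from dataclasses import dataclass
from enum import IntFlag


class Collab(IntFlag):
    """Assumed encoding of the control information in the reserved bits."""
    NONE = 0x00           # reserved bits clear: endpoint not collaborating
    COLLABORATING = 0x10  # device is executing the collaboration action
    CONSENTED = 0x08      # device consents to this communication


HEADER_FORM_LONG = 0x80
FIXED_BIT = 0x40
SPIN_BIT = 0x20
RESERVED_MASK = 0x18
KEY_PHASE = 0x04
PN_LEN_MASK = 0x03


@dataclass(frozen=True)
class ShortHeader:
    dcid: bytes
    flags: Collab
    spin: bool
    key_phase: bool
    packet_number: int


def build_short_header(dcid: bytes, packet_number: int, flags: Collab,
                       spin: bool = False, key_phase: bool = False) -> bytes:
    """Serialise a short header as a collaborating device would; the
    encrypted payload that follows is not modelled."""
    if not 0 <= packet_number < 2 ** 32:
        raise ValueError("packet number out of range")
    pn = packet_number.to_bytes(4, "big").lstrip(b"\x00") or b"\x00"
    first = (FIXED_BIT
             | (SPIN_BIT if spin else 0)
             | (int(flags) & RESERVED_MASK)
             | (KEY_PHASE if key_phase else 0)
             | (len(pn) - 1))
    return bytes([first]) + dcid + pn


def parse_short_header(packet: bytes, dcid_len: int) -> ShortHeader:
    """Read the clear-text header the way a network entity would. The DCID
    length must be known out of band: a short header does not carry it."""
    if len(packet) < 1 + dcid_len + 1:
        raise ValueError("truncated header")
    first = packet[0]
    if first & HEADER_FORM_LONG:
        raise ValueError("long header (handshake packet), not handled here")
    if not first & FIXED_BIT:
        raise ValueError("fixed bit clear: not a QUIC v1 packet")
    pn_len = (first & PN_LEN_MASK) + 1
    end = 1 + dcid_len + pn_len
    if len(packet) < end:
        raise ValueError("truncated packet number")
    return ShortHeader(dcid=packet[1:1 + dcid_len],
                       flags=Collab(first & RESERVED_MASK),
                       spin=bool(first & SPIN_BIT),
                       key_phase=bool(first & KEY_PHASE),
                       packet_number=int.from_bytes(packet[1 + dcid_len:end], "big"))


def classify_flows(packets, dcid_len: int):
    """Qualify each connection (keyed by DCID) from the newest packet seen:
    'consented', 'suspect' (collaborating device withheld consent) or
    'unknown' (no marker, so the entity falls back to its own heuristics).
    Packets it cannot read are counted, not raised: a mitigation entity
    must not stall on garbage. Returns (verdicts, skipped)."""
    latest = {}   # dcid -> (packet_number, verdict)
    skipped = 0
    for pkt in packets:
        try:
            hdr = parse_short_header(pkt, dcid_len)
        except ValueError:
            skipped += 1
            continue
        if hdr.flags & Collab.COLLABORATING:
            verdict = "consented" if hdr.flags & Collab.CONSENTED else "suspect"
        else:
            verdict = "unknown"
        seen = latest.get(hdr.dcid)
        if seen is None or hdr.packet_number > seen[0]:
            latest[hdr.dcid] = (hdr.packet_number, verdict)
    return {d: v for d, (_, v) in latest.items()}, skipped


# Constructed sample traffic as observed by the DPS entity (8-byte DCIDs assumed).
DCID_LEN = 8
SAMPLE = [
    build_short_header(b"\x01" * 8, 10, Collab.COLLABORATING | Collab.CONSENTED),
    build_short_header(b"\x02" * 8, 5, Collab.COLLABORATING),   # consent withdrawn (newer pn)
    build_short_header(b"\x02" * 8, 3, Collab.COLLABORATING | Collab.CONSENTED),  # older, arrives late
    build_short_header(b"\x03" * 8, 7, Collab.NONE),            # non-collaborating endpoint
    b"\xc0" + b"\x00" * 20,                                     # long header: skipped
    b"\x40\x01",                                                # truncated: skipped
]

if __name__ == "__main__":
    print(classify_flows(SAMPLE, DCID_LEN))
```

In RFC 9000 the reserved bits of the short header are covered by header protection, so a collaborating endpoint would have to leave them unprotected (or use another clear-text field) for a network entity to read them; the page names reserved fields only as one example location.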
  • the communication and management methods are implemented by a computer.
  • the invention also relates to a computer program on a recording medium, this program being capable of being implemented in a computer or more generally in a first device in accordance with the invention and comprising instructions suitable for the implementation of a management method as described above.
  • the invention also relates to a computer program on a recording medium, this program being capable of being implemented in a computer or more generally in a second device in accordance with the invention and comprising instructions suitable for the implementation of a communication method by a second device as described above.
  • the invention also relates to a computer program on a recording medium, this program being capable of being implemented in a computer or more generally in an entity of a network in accordance with the invention and comprising instructions adapted to the implementation of a communication method by an entity of the network as described above.
  • Each of these programs can use any programming language, and be in the form of source code, object code, or intermediate code between source code and object code, such as in a partially compiled form, or in any other desirable form.
  • the invention also relates to an information medium or a recording medium readable by a computer, and comprising instructions of a computer program as mentioned above.
  • the information or recording medium can be any entity or device capable of storing the programs.
  • the medium may comprise a storage means, such as a ROM, for example a CD ROM or a microelectronic circuit ROM, or else a magnetic recording means, for example a hard disk, or a flash memory.
  • the information or recording medium can be a transmissible medium such as an electrical or optical signal, which can be routed via an electrical or optical cable, by radio link, by wireless optical link or by other means.
  • the program according to the invention can in particular be downloaded over a network of Internet type.
  • the information or recording medium can be an integrated circuit in which a program is incorporated, the circuit being adapted to execute or to be used in the execution of communication or management methods according to the invention.
  • the invention relates to a system comprising:
  • said first device being configured to execute, following a detection of a computer attack, at least one action determined during at least one communication with the second device, so as to collaborate with said at least one entity to mitigate said computer attack.
  • the second device and / or the entity of the network conform to the invention.
  • the system benefits from the same advantages mentioned above as the communication and management methods, the first and second devices and the network entity according to the invention.
  • the communication and management methods, the first and second devices, the network entity and the system according to the invention have in combination all or part of the aforementioned characteristics.
  • FIG. 1 already described, represents the structure of a QUIC data packet with a short header
  • FIG. 2 represents, in its environment, a system according to the invention in a particular embodiment
  • FIG. 3 schematically represents the hardware architecture of devices and of an entity of a network in accordance with the invention, belonging to the system of FIG. 2;
  • FIG. 4 illustrates, in the form of a flowchart, the main steps of a communication method according to the invention, as implemented in a particular embodiment by a network entity of the system of FIG. 2;
  • FIG. 5 represents in flowchart form the main steps of a method for managing communications according to the invention, as implemented in a particular embodiment by one of the devices of the system of Figure 2;
  • FIG. 6 represents in flowchart form the main steps of a communication method according to the invention, as implemented in a particular embodiment by another of the devices of the system of FIG. 2;
  • FIG. 7 shows an example of modification of a short header of a QUIC data packet allowing the disclosure of control information in a particular embodiment of the invention
  • FIG. 8 shows examples of modification of long headers of a QUIC data packet allowing the disclosure of control information in a particular embodiment of the invention.
  • FIG. 9 represents two examples of use of the control information carried by the modified headers of QUIC data packets in a particular embodiment of the invention.
  • FIG. 2 shows, in its environment, a system 3 in accordance with the invention in a particular embodiment, this system 3 making it possible to establish a collaboration between one or more communicating devices and one or more entities of a communications network NW, involved in the mitigation of an ongoing computer attack targeting, or likely to affect, resources protected by said entities.
  • This collaboration is set up to manage communications passing through the network according to a given transport protocol in order to be able to share between the equipment (communicating devices and network entities) certain information making it possible to facilitate the mitigation of the computer attack.
  • the transport protocol considered is the QUIC transport protocol based on the UDP protocol.
  • the invention obviously applies to other transport protocols.
  • communicating devices can be either user equipment (clients or servers, terminals, CPEs (for "Customer Premises Equipment" in English), digital decoders (or "set top box" in English), etc.) to which the NW network provides connectivity, or equipment of the NW network.
  • the term “communicating devices” is understood here to mean devices capable of establishing communication between them (also hereinafter referred to as connection in the context of the QUIC protocol). These communicating devices are distinguished here from entities located in the network proper, located on communication paths between communicating devices and via which passes the traffic exchanged between the communicating devices on these paths.
  • the NW network can be a fixed or mobile network, whatever the generation (eg 3G, 4G, 5G, 6G) of the latter, etc.
  • the NW network implements the QUIC transport protocol.
  • No limitation is attached either to the nature of the current computer attack that the system 3 is working to mitigate, or to the computer and / or network resources targeted by this attack. It may for example be a DDoS type attack as mentioned previously, or identity theft, ransomware, etc., which can impact any type of resources such as computing or memory resources, network (e.g. IP addresses, domain names, IP prefixes, etc.), interconnection links with other networks, etc.
  • the system 3 is based, to mitigate an ATTACK computer attack in progress detected by the NW network (either directly by the latter or via an entity external to the NW network), on two communicating devices 4 and 5 and a network entity 6, the network entity 6 here offering a DPS protection service against computer attacks and protecting the resources of the NW network.
  • the ATTACK computer attack does not necessarily directly target resources of the NW network protected by the DPS entity 6 or the communicating devices 4 and 5.
  • the resources targeted by the ATTACK computer attack can be of any nature: equipment connected to devices 4 and 5 if these are CPEs for example, applications embedded in devices 4 and 5, all or part of the resources protected by the DPS entity 6, etc. It may for example be that the resources protected by the DPS entity 6 and / or the devices 4 and 5 are not directly targets of the attack but serve as relays for the latter, or make it possible to reach the targets of the attack.
  • the invention applies to other network entities 6 that can implement functions other than protection against computer attacks, and that play a direct or indirect role in the mitigation of an ongoing computer attack.
  • the invention applies generally to any entity located in the NW network, and configured to perform processing on the traffic routed via this network, such as mitigation, filtering (eg firewalls) or bypass processing.
  • a traffic classification function, for example a PCEF (Policy and Charging Enforcement Function)
  • the devices 4 and 5 and the network entity 6 all conform to the invention, and have the hardware architecture of a computer 7, as shown schematically in FIG. 3.
  • the devices 4 and 5 are configured here to act, as the case may be, as a first, respectively a second, device within the meaning of the invention. They may act in one role or the other depending on whether they are at the origin of the establishment of a communication and/or the recipient of a communication.
  • the devices 4 and 5 and the network entity 6 include in particular a processor 8, a random access memory 9, a read only memory 10, a non-volatile memory 11, and communication means 12 allowing them in particular to communicate with each other.
  • These communication means 12 are based on a wired or wireless communication interface, known per se and not described in more detail here.
  • the communication means 12 are configured to implement the QUIC transport protocol, and to send and receive data streams in accordance with the QUIC protocol.
  • Each stream comprises one or more QUIC data packets, each QUIC packet itself possibly comprising one or more QUIC frames.
  • a QUIC frame can be a control frame (eg CONNECTION_CLOSE frame used to close a QUIC connection) or a data frame (eg STREAM frame).
  • the read-only memory 10 of the computer 7 constitutes a recording medium in accordance with the invention, readable by the processor 8 and on which one or more computer programs in accordance with the invention are recorded.
  • the read only memory 10 of each of the devices 4 and 5 comprises a recording of two computer programs PROG4 and PROG5.
  • the PROG4 program defines functional modules of a first device within the meaning of the invention, which are based on or control the hardware elements 8 to 12 of the computer 7 cited above. These modules, triggered following the detection of the ATTACK computer attack, include in particular in the embodiment described here (see FIG. 2):
  • an activation module 4A configured to activate, at the level of the first device, a collaboration with at least one entity of the NW network (and in particular with the DPS entity 6) in order to mitigate the ATTACK computer attack.
  • This activation module 4A is configured to execute, during this collaboration, at least one determined action called collaboration, during at least one communication from the first device according to a given transport protocol (QUIC in the example considered here) via the NW network;
  • a transmission / reception module 4B configured to send and receive messages to and from other communicating devices of the NW network. Such messages are described in more detail later.
  • the PROG5 program defines functional modules of a second device within the meaning of the invention which are based on or control the hardware elements 8 to 12 of the computer 7 mentioned above. These modules, triggered following the detection of the ATTACK computer attack, include in particular in the embodiment described here (cf. FIG. 2), a transmission / reception (or more generally communication) module 5A configured for:
  • since each of the devices 4 and 5 can in turn be a first and a second device within the meaning of the invention, the transmission/reception modules 4B and 5A can be grouped together within a single module duly configured to perform the functions of each of the modules 4B and 5A.
  • the read-only memory 10 of the DPS entity 6 comprises a recording of a computer program PROG6.
  • This program PROG6 defines functional modules of the DPS entity 6 which are based on or control the hardware elements 8 to 12 of the computer 7 mentioned above. These modules, triggered following the detection of the ATTACK computer attack, include in particular in the embodiment described here (see FIG. 2):
  • a module 6A for detecting computer attacks targeting resources protected by the DPS entity 6. This module 6A is equipped with means for analyzing the traffic passing through the DPS entity 6 and, where applicable, with information fed back to it by third-party equipment connected to the network NW and/or external to the network NW;
  • a module 6B for mitigating computer attacks detected by module 6A;
  • a communication module 6C, triggered here on detection of an inability of the DPS entity 6, and in particular of its module 6A, to determine whether a data flow intended for or coming from a device of the network NW is associated with a computer attack that it has detected (here the ATTACK computer attack), this communication module being configured to send the device a message offering it a collaboration to mitigate said computer attack, this collaboration comprising the execution by the device of at least one determined collaboration action, during at least one communication of the device according to a given transport protocol (the QUIC protocol in the example considered here), via the network NW.
  • FIG. 4 represents the main steps of a communication method according to the invention as it is implemented, in the embodiment described here, by the DPS entity 6 of the network NW.
  • FIG. 5 represents the main steps of a method of managing communications according to the invention as it is implemented, in the embodiment described here, by the communicating device 4 during its communications, in particular with the communicating device 5.
  • FIG. 6 represents the main steps of a communication method according to the invention as implemented, in the embodiment described here, by the communicating device 5.
  • the DPS entity 6 analyzes via its module 6A the traffic exchanged via the network NW and passing through it (step E20). It is assumed here in particular that the DPS entity 6 is located in the network NW on a path taken by the communications of the device 4, these communications being established here according to the QUIC transport protocol as mentioned above. There is no limitation on the nature of these communications: they may be voice communications, multimedia data transfer, etc., unilateral or bilateral. These communications result in the sending and / or receiving by the device 4 of data streams via the network NW, each data stream comprising a set of QUIC data packets.
  • these data packets are encrypted: the QUIC protocol as defined by the IETF encrypts not only the payload data contained in these packets, but also the connection control information (or communication control information, a connection referring to a communication according to the QUIC protocol), with the exception of a small number of fields (e.g. connection identifiers), as already commented on with reference to figure 1.
  • the DPS entity 6 therefore continuously analyzes here, via its module 6A, the traffic (that is to say the data flows) intended for the device 4 and coming from the device 4 (referred to below as “associated with the device 4” for the sake of simplicity), to determine whether or not it is affected by the ATTACK computer attack (test step E30). It does this in a manner known per se, for example by examining whether this traffic originates from a known target of the attack, whether it has suspicious characteristics (e.g.
  • to do so, the module 6A of the DPS entity 6 relies on statistics that it evaluates itself, or receives from other entities capable of collecting them, from the “public” data on the traffic associated with the device 4 at its disposal.
  • SNMP (Simple Network Management Protocol) or NETCONF (NETwork CONFiguration) protocols
  • if during this analysis the DPS entity 6 is able to qualify the traffic, that is to say to decide whether or not it is associated with the attack (“yes” response to the test step E30), the DPS entity 6 processes the traffic appropriately according to this qualification (step E40). Thereby:
  • if it determines that the traffic is associated with the ATTACK attack, it triggers, through its mitigation module 6B, one or more actions to mitigate the ATTACK computer attack.
  • such mitigation actions are known per se, and of course depend on the nature of the ATTACK computer attack, its extent, the way in which the traffic associated with the device 4 is affected, etc.
  • Such actions may consist, for example, in blocking the attack traffic (“discard”), in notifying other entities of the network NW for the purpose of redirecting legitimate traffic, or in dynamically setting up sinkholes.
  • the DPS entity 6 detects that it does not have the information necessary to determine whether the traffic originating from or terminating at the device 4 is associated with the ATTACK computer attack (“no” response to test step E30). For example, this traffic has suspicious characteristics as described above, but the DPS entity 6 is not in a position, on the basis of these characteristics alone, to decide whether it is “legitimate” traffic or whether it is associated with the ATTACK computer attack.
  • the DPS entity 6 then requests the device 4 to switch to a collaborative mode (step E50).
  • This collaboration consists, in accordance with the invention, in the execution by the device 4 of one or more determined actions called collaboration.
  • the message sent by the DPS entity 6 to the device 4 is a QUIC control frame, called here for example COMIT (for “COllaborative MITigation”), and comprising the following elements:
  • a “Lifetime” parameter indicating the duration of the collaboration proposed by the DPS entity 6; at the end of this period, the collaboration can be automatically deactivated by the device 4. It is assumed here that a default value is defined for this parameter at the level of each device 4 (for example a value greater than or equal to 60 minutes), so that if no value of the “Lifetime” parameter is explicitly indicated in the COMIT frame, the duration of the collaboration considered by the device 4 is set at least equal to this default value;
  • a “Strategy_ID” parameter indicating the collaborative action or actions that the DPS entity 6 proposes to the device 4 to perform to help it mitigate the ATTACK computer attack.
  • These actions can be of different types and include in particular the disclosure of communication control information by the device 4, the deactivation of the use of the encrypted transport protocol (QUIC here), or even the freezing of the migration of the communication identifiers during the communications of the device 4 (so that the DPS entity 6 can more easily associate the data flows with the same communication), etc.
  • the “Strategy_ID” parameter can take the following values in the context of the QUIC protocol:
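The COMIT exchange described above, as an added example that is not part of the patent or of any Orange implementation: a minimal encoder/decoder for a hypothetical COMIT control frame using QUIC variable-length integers, followed by the device-side decision of steps F20/F30/F40. The page states that Strategy_ID 0x2 means freezing of connection-identifier migration and 0x3 means freezing plus disclosure of control information; 0x1 = disclosure alone is inferred from that and is an assumption, as are the frame type number 0x40, the field layout, the encoding of an absent Lifetime as 0, and the local `policy_allowed` mask used to decide whether to accept.

```python
"""Added example (not the patent's code): encode/decode a hypothetical QUIC
COMIT control frame and apply the device-side acceptance logic."""
from dataclasses import dataclass
from typing import Optional, Tuple

COMIT_FRAME_TYPE = 0x40  # ASSUMPTION: the page assigns no frame type number

# Strategy_ID bits: 0x2 and 0x3 are stated on the page; 0x1 = disclosure alone
# is inferred from 0x3 = freeze + disclosure and is an assumption.
STRATEGY_REVEAL_CONTROL = 0x1
STRATEGY_FREEZE_CID = 0x2
KNOWN_STRATEGIES = STRATEGY_REVEAL_CONTROL | STRATEGY_FREEZE_CID

DEFAULT_LIFETIME_SECONDS = 60 * 60  # page: a default of at least 60 minutes


def encode_varint(value: int) -> bytes:
    """QUIC variable-length integer (RFC 9000, section 16)."""
    if value < 0x40:
        return value.to_bytes(1, "big")
    if value < 0x4000:
        return (value | 0x4000).to_bytes(2, "big")
    if value < 0x4000_0000:
        return (value | 0x8000_0000).to_bytes(4, "big")
    if value < 0x4000_0000_0000_0000:
        return (value | 0xC000_0000_0000_0000).to_bytes(8, "big")
    raise ValueError("varint too large")


def decode_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (value, next position); the top two bits give the length."""
    length = 1 << (buf[pos] >> 6)
    if pos + length > len(buf):
        raise ValueError("truncated varint")
    raw = int.from_bytes(buf[pos:pos + length], "big")
    return raw & ((1 << (8 * length - 2)) - 1), pos + length


@dataclass
class Comit:
    strategy_id: int
    lifetime: Optional[int] = None  # seconds; None = not carried in the frame


def encode_comit(frame: Comit) -> bytes:
    # ASSUMPTION: layout is type | Strategy_ID | Lifetime, with 0 = "absent".
    lifetime = 0 if frame.lifetime is None else frame.lifetime
    return (encode_varint(COMIT_FRAME_TYPE)
            + encode_varint(frame.strategy_id)
            + encode_varint(lifetime))


def decode_comit(buf: bytes) -> Comit:
    ftype, pos = decode_varint(buf, 0)
    if ftype != COMIT_FRAME_TYPE:
        raise ValueError(f"not a COMIT frame: type {ftype:#x}")
    strategy, pos = decode_varint(buf, pos)
    lifetime, pos = decode_varint(buf, pos)
    if pos != len(buf):
        raise ValueError("trailing bytes in COMIT frame")
    if strategy == 0 or strategy & ~KNOWN_STRATEGIES:
        raise ValueError(f"unknown Strategy_ID {strategy:#x}")
    return Comit(strategy, None if lifetime == 0 else lifetime)


def device_decision(frame: Comit, policy_allowed: int) -> Optional[dict]:
    """Step F20: accept only actions that local policy allows (the mask is an
    assumption). Returns the state to save (step F40) or None = refuse (F30)."""
    if frame.strategy_id & ~policy_allowed:
        return None
    # Page: an explicit Lifetime is used as given; an absent one falls back on
    # the device's default value.
    lifetime = frame.lifetime if frame.lifetime is not None else DEFAULT_LIFETIME_SECONDS
    return {
        "reveal_control": bool(frame.strategy_id & STRATEGY_REVEAL_CONTROL),
        "freeze_cid": bool(frame.strategy_id & STRATEGY_FREEZE_CID),
        "lifetime": lifetime,
    }
```

A real deployment would carry the frame inside the encrypted QUIC channel between the DPS entity and the device, so that a third party on the path cannot inject a COMIT frame asking the device to drop encryption; the decoder above also rejects unknown Strategy_ID bits rather than silently ignoring them.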
  • on reception of the COMIT frame (step F10), the device 4 has, in the embodiment described here, the possibility of accepting or refusing the collaboration requested by the DPS entity 6 (test step F20). In this way, even if the collaboration is at the initiative of the DPS entity 6, the device 4 is advantageously left free to refuse the collaborative actions that the latter asks it to carry out.
  • in a variant, the COMIT frame has the effect of activating the collaboration at the device 4, without requiring explicit agreement from the latter.
  • if the device 4 refuses the collaboration (“no” response to test step F20), it informs the DPS entity 6 thereof or ignores the message (step F30).
  • if the device 4 accepts the collaboration (“yes” response to test step F20), the device 4 saves the information contained in the COMIT frame (address of the DPS entity 6, duration of the collaboration, actions, etc.), in its non-volatile memory for example, and sends a collaboration confirmation message to the DPS entity 6 (step F40).
  • the collaboration is then activated within the device 4 via its activation module 4A for a minimum duration equal to the duration indicated in the “Lifetime” parameter. It should be noted that if necessary, this duration can be renewed, for example at the initiative of the DPS entity 6 if the ATTACK computer attack is not absorbed when the “Lifetime” period expires.
  • in another variant, the COMIT frame does not contain a “Lifetime” parameter, no default value is defined, and the collaboration can be activated for an indefinite period, until a message ending this collaboration is received from the DPS entity 6.
  • the activation of the collaboration at the level of the device 4 results in the execution by the device 4 of the collaboration actions proposed by the DPS entity 6 in the COMIT frame.
  • during this collaboration the device 4 can also request the DPS entity 6, or another entity of the network NW, to notify it of the data flows that it consents to and/or the data flows that it considers suspect, in other words associated with a computer attack and in particular with the ATTACK computer attack, taking into account the local knowledge at its disposal of its communications. This can be done outside of any communication established by the device 4.
  • the device 4 sends the DPS entity 6 a message comprising information identifying at least one flow intended for the device 4 and consented to by the latter, or identifying at least one flow intended for the device 4 and considered by the latter as being a flow associated with a computer attack.
  • This message here takes the form of one of the following commands, each command possibly being associated with a dedicated QUIC control frame:
  • Data flow identifiers can be populated with connection identifiers (CID) or other information identifying the affected data flows, such as source address, source port, etc.;
  • the DPS entity 6 can itself ask the device 4 for its explicit authorization to route one or more communications (or similarly one or more data flows) to it.
  • it can send it for example a message in the form of a QUIC control frame called CONSENT_CHECK here, comprising the following parameters:
  • a “FLOW_ID” parameter indicating the identifier of at least one communication (or connection), this identifier possibly being, as indicated above, a connection identifier, a source address, a source port, and so on;
  • a “Magic Nonce” parameter comprising a randomly generated identifier, the purpose of which is to allow the DPS entity 6 to correlate the CONSENT_CHECK frame with the response to this frame sent by the device 4.
  • the DPS entity 6 stores in its non-volatile memory the filtering or routing rules agreed with the device 4, and then applies them to incoming communications intended for the device 4.
  • this information can be sent by the device 4 to the DPS entity 6 outside the communications of the device 4 according to the QUIC protocol, via dedicated messages (or QUIC frames) provided for this purpose.
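The CONSENT_CHECK exchange described above, as an added example that is not the patent's code: the DPS entity asks the device whether it consents to a flow, identified here by (source address, source port), and tags the question with a Magic Nonce; the device answers with the same nonce; the DPS entity correlates on the nonce, ignores replies whose nonce is unknown or already consumed, and turns each answer into a forward/discard rule that it then applies to incoming flows. The reply field names, the one-shot use of each nonce, and the "analyse" fallback for flows with no recorded rule are assumptions; the addresses are constructed sample data.

```python
"""Added example (not the patent's code): CONSENT_CHECK / reply correlation
by Magic Nonce, and the resulting filtering rules on the DPS side."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

FlowId = Tuple[str, int]  # (source address, source port); the page also allows a CID


@dataclass
class ConsentCheck:
    flow_id: FlowId
    magic_nonce: bytes


@dataclass
class ConsentReply:  # field names are an assumption
    magic_nonce: bytes
    accepted: bool


@dataclass
class DpsEntity:
    pending: Dict[bytes, FlowId] = field(default_factory=dict)
    rules: Dict[FlowId, str] = field(default_factory=dict)  # "forward" / "discard"

    def ask(self, flow_id: FlowId) -> ConsentCheck:
        # Unpredictable nonce: a third party that saw neither frame cannot
        # forge a matching reply. Each nonce is consumed by exactly one reply.
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = flow_id
        return ConsentCheck(flow_id, nonce)

    def on_reply(self, reply: ConsentReply) -> bool:
        flow_id = self.pending.pop(reply.magic_nonce, None)
        if flow_id is None:
            return False  # unknown or replayed nonce: ignore the reply
        self.rules[flow_id] = "forward" if reply.accepted else "discard"
        return True

    def verdict(self, flow_id: FlowId) -> str:
        # No explicit rule: fall back on the DPS entity's own traffic analysis
        return self.rules.get(flow_id, "analyse")


@dataclass
class Device:
    consented: Set[FlowId] = field(default_factory=set)  # flows the device solicited

    def on_consent_check(self, check: ConsentCheck) -> ConsentReply:
        return ConsentReply(check.magic_nonce, check.flow_id in self.consented)


def run_exchange():
    """Constructed scenario: one solicited flow, one unsolicited flow, then a
    replayed reply. Returns the DPS state and whether the replay was accepted."""
    dps = DpsEntity()
    dev = Device(consented={("198.51.100.7", 443)})
    for flow in [("198.51.100.7", 443), ("203.0.113.9", 5555)]:
        check = dps.ask(flow)
        dps.on_reply(dev.on_consent_check(check))
    replay = ConsentReply(check.magic_nonce, True)  # attacker re-sends the last nonce
    return dps, dps.on_reply(replay)
```

The nonce only correlates request and reply; it does not authenticate the device. The reply therefore has to travel inside the encrypted QUIC channel (or another authenticated channel) between the device and the DPS entity, otherwise an on-path attacker who observes the CONSENT_CHECK can answer "yes" for its own flow before the device does.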
  • These messages can be intended for the DPS 6 entity or be broadcast in the network on a predetermined address provided for this purpose, and shared for example by the entities involved in the security of the NW network (for example an IP multicast address reserved for this effect and corresponding to a multicast group to which the entities of the NW network concerned are subscribed).
  • the collaboration actions can be executed by the device 4 during all or part of its communications.
  • the device 4 can, in one embodiment, decide on the communications to which it decides to apply the collaborative actions.
  • a negotiation phase is implemented between the device 4, which has agreed to collaborate with the DPS entity 6 of the NW network , and its correspondents, in other words the devices with which it has established communications during which it plans to execute the collaboration actions (step F50).
  • the execution of collaborative actions by device 4 is conditioned here by the success of this negotiation phase (“yes” response to test step F60): in other words, collaboration actions are only executed by device 4 during its communications if they are approved by its correspondents or under conditions approved by its correspondents .
  • the device 4 may only apply the collaborative actions with some of its correspondents.
  • FIG. 6 represents the main steps implemented by the device 5 during this negotiation phase. These steps are executed in the context of the communication method according to the invention implemented by the device 5.
  • the device 4 sends a message to the device 5 informing it of the execution of collaborative action(s) during its communications with the device 5.
  • This information message is received by the device 5 via its transmission / reception module 5A. It takes the form here of a QUIC frame, encrypted in accordance with the principles of the QUIC protocol.
  • the information message sent by device 4 depends on the collaborative action performed by device 4 (a separate frame depending on the action), and includes one or more conditions for executing collaborative action.
  • when the collaborative action executed by the device 4 is the disclosure of control information on the communications of the device 4, the information message sent by the device 4 is a QUIC frame named here CONTROL_REVEAL and comprising in particular the following parameters specifying the conditions for executing the disclosure of the control information:
  • this parameter can take the following values:
  • the device 5 accepts the collaboration (“yes” response to the test step G20 and “yes” response to the step F60) and the execution of the collaboration action consisting in disclosing the control information of its communications with the device 4.
  • the device 5 then sends to the device 4 an acknowledgment message to inform it of its agreement (step G30).
  • the acknowledgment message is received by the device 4 via its transmission/reception module 4B.
  • the two devices 4 and 5 can be called upon independently to collaborate, by the DPS entity 6 or by distinct entities of the network NW, or even, if they belong to different networks, by distinct entities of their respective networks.
  • the devices 4 and 5 can then both send each other QUIC CONTROL_REVEAL frames as part of the same communication if, for example, they have respectively accepted such a collaboration.
  • the negotiation phase which has just been described is carried out for the existing QUIC communications (or connections) of the device 4, in other words for the communications already established.
  • a similar negotiation phase can also be conducted for future QUIC communications from device 4 (i.e., those to be established after a trigger event has been received / detected).
  • when the device 4 sends a request for setting up a QUIC communication to a remote device (for example to the device 5), it uses a QUIC frame in which the communication control information is disclosed. It also sends, during this establishment request, a CONTROL_REVEAL frame to inform the device 5 of the conditions of execution of the collaboration actions (e.g. duration, direction).
  • the processing of the CONTROL_REVEAL frame by the device 5 is identical to what has been described previously for the communications in progress. It is therefore noted that for the processing of future communications, the negotiation comes second, and does not preclude the disclosure of the communication control information in the request for establishment of the communication.
  • the device 4 can therefore continue to disclose during its communications with the device 5 the information of control relating to these communications, during the period defined by the “Lifetime” parameter, and according to the execution conditions negotiated with the device 5 (step F70 in FIG. 5).
  • the communication control information is exposed in the public header of the QUIC data packets sent and / or received by the device 4.
  • a function located in the network NW through which these QUIC data packets transit (typically in the example considered here, the DPS entity 6), is able to access the control information disclosed by the device 4 (and / or by its correspondents ).
  • the inventors propose to modify the public part of the headers of QUIC packets, as currently defined in the QUIC protocol, to indicate explicitly and in the clear the control information of a communication.
  • Such information is for example:
  • FIG. 7 illustrates an example of such a modification for a short header of a QUIC packet.
  • the (reserved) indicator C of the first byte of the short header (cf. byte 1-1 shown in figure 1) is set to “1” to indicate that the QUIC packet contains a new field “Public Control Status” reflecting various communication control information (in the current state of the art, the reserved indicator C is generally set to 0; if it is set to 1, it is not taken into account).
  • the “Public Control Status” field can be filled in, for example, with the following values:
  • a modification of the long headers to include a new “Public Control Status” field can also be envisaged as a variant, as illustrated by FIG. 8.
  • This field is set to 0x0 for Initial packets (illustrated by figure 8B) and 0-RTT packets (illustrated by figure 8A).
  • the advantage of this variant is that it allows the network function to detect in advance the connections established in a collaborative way.
  • said function can keep the CID (Source and Destination) identifiers in memory to facilitate the correlation of the packets sent with the packets received and characteristic of the same QUIC communication.
  • the communicating devices involved in a communication transiting through the DPS entity 6 can be configured so that they do not send more than three QUIC packets revealing the control information for this communication.
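The modified short header and its use by a network function, as an added example that is not the patent's code: a builder and parser for a short header whose indicator C announces a one-byte “Public Control Status” field placed after the Destination Connection ID, and a DPS-side classifier that caches the CID of every connection seen collaborating, counts the revealing packets against the three-packet budget, records the consent value 0x3 stated on the page, and decides forward/scrub/analyse per packet. Which reserved bit plays the role of C, the field's size and position, and the policy that diverts a collaborative connection without recorded consent or with more than three revealing packets are assumptions. One caveat a practitioner should keep in mind: under RFC 9000 the two reserved bits of the short header are covered by header protection and must be zero, and a standard endpoint treats a non-zero value as a PROTOCOL_VIOLATION, so this extension only works between endpoints that have negotiated it, which is what the CONTROL_REVEAL phase above provides.

```python
"""Added example (not the patent's code): QUIC short header with a proposed
"Public Control Status" field, and a DPS-side classifier over such packets."""
from dataclasses import dataclass, field
from typing import Dict, Optional

FLAG_C = 0x10              # ASSUMPTION: first reserved bit of the first byte is "C"
FIXED_BIT = 0x40           # RFC 9000 short header: header form 0, fixed bit 1
STATUS_CONSENT = 0x3       # page: value of the consent message
MAX_REVEALING_PACKETS = 3  # page: at most three revealing packets per communication


def build_short_header(dcid: bytes, status: Optional[int], pn_len: int = 1) -> bytes:
    """Return the first byte, the DCID and (if C is set) the status byte.
    Packet number and payload are omitted; only the public part matters here."""
    first = FIXED_BIT | (pn_len - 1)
    if status is None:
        return bytes([first]) + dcid
    return bytes([first | FLAG_C]) + dcid + bytes([status & 0xFF])


@dataclass
class ParsedHeader:
    dcid: bytes
    status: Optional[int]


def parse_short_header(pkt: bytes, dcid_len: int) -> ParsedHeader:
    """The DCID length is not self-describing: the network function must
    already know it (the page has it keep observed CIDs in memory)."""
    if not pkt or pkt[0] & 0x80:
        raise ValueError("not a short header packet")
    if not pkt[0] & FIXED_BIT:
        raise ValueError("fixed bit clear")
    dcid = pkt[1:1 + dcid_len]
    if len(dcid) != dcid_len:
        raise ValueError("truncated DCID")
    if pkt[0] & FLAG_C:
        if len(pkt) < 2 + dcid_len:
            raise ValueError("C set but Public Control Status byte missing")
        return ParsedHeader(dcid, pkt[1 + dcid_len])
    return ParsedHeader(dcid, None)


@dataclass
class ConnState:
    revealed: int = 0      # revealing packets seen so far
    consent: bool = False  # status 0x3 observed


@dataclass
class DpsClassifier:
    conns: Dict[bytes, ConnState] = field(default_factory=dict)  # keyed by DCID

    def classify(self, pkt: bytes, dcid_len: int) -> str:
        hdr = parse_short_header(pkt, dcid_len)
        if hdr.status is not None:
            st = self.conns.setdefault(hdr.dcid, ConnState())  # cache the CID
            st.revealed += 1
            if st.revealed > MAX_REVEALING_PACKETS:
                return "scrub"  # ASSUMED policy: budget exceeded, divert the packet
            if hdr.status == STATUS_CONSENT:
                st.consent = True
            return "forward"
        st = self.conns.get(hdr.dcid)
        if st is None:
            return "analyse"  # never seen collaborating: ordinary analysis path
        # ASSUMED policy: collaborative connection, packets correlated by cached CID
        return "forward" if st.consent else "scrub"
```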
  • FIG. 9 shows examples of uses by an entity of the network, for example here, by the DPS entity 6, of the control information disclosed in the headers of the QUIC packets exchanged between the devices 4 and 5, to mitigate a computer attack.
  • an agreed collaborative communication at the origin of the device 4, is characterized by the observation by the DPS entity 6 of the following elements:
  • the consent message corresponding to the "Public Control Status ”set to 0x3
  • the DPS entity 6 can decide to redirect the data packets of said communication to a cleaning center (more commonly called “Scrubbing center” in English) for processing these data packets or to block these data packets.
  • All the packets of this communication, or even the packets of all the communications received from the device 5 are then blocked by the DPS entity 6 and rejected (rejects of the items (QUIC9) and (QUIC10)). These filterings can be removed after the expiration of a specific deadline. It is noted that preferably, the message intercepted by the DPS entity 6 is not routed to the device 5 to prevent the latter from using it to adjust its attack strategy.
  • the disclosure of control information within the framework of the QUIC protocol advantageously allows the DPS entity 6 to better differentiate the traffic authorized by the device 4 from the attack traffic, and to take appropriate and effective actions to mitigate the attack.
  • the DPS entity 6 can propose to the device 4 (and where appropriate to the device 5) other collaborative actions, and in particular the freezing of the migration of the communication identifiers during the communications established by the device 4 (corresponding to the “Strategy_ID” parameter set to 0x2 in the COMIT frame transmitted by the DPS entity 6 to the device 4).
  • the communication identifiers are more commonly referred to as connection identifiers or CID in the context of the QUIC protocol
  • This change, also known as “migration of connection identifiers”, is conventionally done via the exchange of QUIC frames provided for this purpose and whose content is encrypted, in particular the new connection identifiers that the communication is to use, so that it is not possible for network entities to make the link between the new connection identifiers of a communication used after migration by the communicating devices and the previous connection identifiers used before migration.
  • the invention offers the possibility of freezing the migration of the connection identifiers relating to a communication during a determined period, which may be equal to the value of the “Lifetime” parameter supplied in the COMIT frame or, as a variant, correspond to the duration of the communication.
  • the classification by a network function such as the entity DPS 6 of the data packets characteristic of this communication is simplified, because this makes it possible to correlate the packets sent with the packets received during the same communication.
  • the same communication is uniquely identified while one or more mitigation action (s) is / are in progress.
  • the analysis of the packets by the entity DPS6 to determine whether they belong to traffic authorized by the device 4 or to attack traffic is therefore greatly simplified.
  • the device 4 can initiate a negotiation phase with its correspondents, and in particular here with device 5 (step F50 figure 5, steps G10 and G20 figure 6).
  • the device 4 sends to the device 5 a message informing it of the freezing of the connection identifiers that it intends to execute.
  • This message takes the form here of an encrypted QUIC frame called FREEZE_CID and notably comprising a “Lifetime” parameter indicating the duration during which the device 4 intends to maintain a unique connection identifier CID during its communication with the device 5.
  • the “Lifetime” duration is chosen so that the CID connection identifier remains the same throughout the communication (it should be noted that the “Lifetime” duration for maintaining the CID connection identifier therefore does not necessarily match the duration of activation of the collaboration provided by the DPS entity 6 in the COMIT message; in particular it may be shorter than the duration provided in the COMIT message).
  • the FREEZE_CID frame can contain other parameters.
  • a connection identifier CID comprises two parts, a source connection identifier or SCID and a destination connection identifier or DCID.
  • the FREEZE_CID frame can indicate as an execution condition, to which part the maintenance recommended by the collaboration action applies.
  • the connection identifiers can subsequently be changed again using the known QUIC frames NEW_CONNECTION_ID and RETIRE_CONNECTION_ID, according to conventional QUIC protocol mechanisms known to those skilled in the art.
  • the remote device 5 can accept (“yes” answer to the test step G20), respectively refuse (“no” answer to the test step G20), the freezing of the connection identifiers by responding with an acknowledgment message ACK (step G30), or respectively by ignoring the FREEZE_CID message (step G40).
  • the frozen connection identifier CID is composed here of a connection identifier generated by the device 4 and a connection identifier generated by the device 5 (serving in turn as SCID and DCID depending on the direction of the messages exchanged during the communication) (steps G50 and F70).
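The FREEZE_CID negotiation and its effect on migration, as an added example that is not the patent's code: the device sends FREEZE_CID with a Lifetime and the CID part(s) concerned, the peer either acknowledges or ignores it, and while the freeze is active a peer keeps any NEW_CONNECTION_ID it receives in reserve instead of switching to it, so that the DPS entity keeps seeing one CID for the communication; once the Lifetime expires, migration resumes with the spare identifier. The bit encoding of the SCID/DCID parts and the in-memory representation are assumptions; the CID values are constructed.

```python
"""Added example (not the patent's code): FREEZE_CID negotiation between two
endpoints and suppression of connection-ID migration for the agreed lifetime."""
from dataclasses import dataclass, field
from typing import List, Optional

PART_SCID, PART_DCID = 0x1, 0x2  # ASSUMPTION: which CID part the freeze applies to


@dataclass
class FreezeCid:
    lifetime: float                  # seconds; page: may be shorter than COMIT's Lifetime
    parts: int = PART_SCID | PART_DCID


@dataclass
class Endpoint:
    name: str
    allow_freeze: bool               # local policy: willing to freeze CIDs at all?
    active_dcid: bytes               # CID currently used towards the peer
    spare_dcids: List[bytes] = field(default_factory=list)  # from NEW_CONNECTION_ID
    freeze_until: Optional[float] = None
    frozen_parts: int = 0

    def on_freeze_cid(self, msg: FreezeCid, now: float) -> bool:
        """Step G20: return True to send an ACK (G30), False to ignore (G40)."""
        if not self.allow_freeze:
            return False
        self.freeze_until = now + msg.lifetime
        self.frozen_parts = msg.parts
        return True

    def frozen(self, now: float) -> bool:
        return self.freeze_until is not None and now < self.freeze_until

    def on_new_connection_id(self, cid: bytes) -> None:
        # Keep the fresh identifier but do not switch to it while frozen.
        self.spare_dcids.append(cid)

    def try_migrate(self, now: float) -> bytes:
        """Attempt the usual switch to a fresh DCID (the old one would then be
        retired with RETIRE_CONNECTION_ID). Returns the DCID in use afterwards."""
        if self.frozen(now) and self.frozen_parts & PART_DCID:
            return self.active_dcid
        if self.spare_dcids:
            self.active_dcid = self.spare_dcids.pop(0)
        return self.active_dcid


def negotiate(initiator: Endpoint, peer: Endpoint, msg: FreezeCid, now: float) -> bool:
    """Steps F50/F60: the initiator applies the freeze only if the peer ACKs."""
    acked = peer.on_freeze_cid(msg, now)
    if acked:
        initiator.on_freeze_cid(msg, now)
    return acked
```

Because the freeze is time-bounded, a peer that never answers (or that refuses) leaves both endpoints in normal QUIC behaviour; nothing on either side has to be rolled back when the Lifetime expires, the spare identifiers are simply used from then on.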
  • a negotiation phase similar or identical to those which have just been described for collaborative actions such as disclosure of control information and freezing of connection identifiers can also be implemented when the The DPS 6 entity proposes in its COMIT message a combination of several collaboration actions (for example, parameter “Strategy_ID” valued at 0x3 to request the freezing of connection identifiers and the disclosure of control information).
  • the remote device 5 can, during the negotiation phase, accept or refuse one or more of these collaboration actions.
  • another possible collaborative action may consist, for the device 4, in deactivating the QUIC transport protocol for establishing its communications and using a transport protocol other than QUIC, such as for example the TCP transport protocol, to establish its future communications (that is to say, those to be established after a triggering event has been received/detected).
  • a prior negotiation can be set up between the device 4 and its correspondents to ensure that the latter accept the deactivation of the QUIC protocol.
  • the device 4 uses the TCP protocol for establishing its new communications as long as the collaboration is active.
  • at the end of the collaboration, the device 4 can reuse the QUIC protocol for establishing its communications with its correspondents.
  • the triggering of the collaboration of the device 4 with the network NW and more particularly with the entity DPS 6, is initiated by the entity DPS 6.
  • the collaboration can be triggered by the device 4 itself.
  • the device 4 does not receive an explicit message from the network, but relies on events that it has observed locally (for example the detection of an attack) or which are reported to it by a remote endpoint or a third party (external or not to the network).
  • the collaboration then concerns by default all of the QUIC communications of the device 4 via the network NW.
  • the device 4 can however at any time decide to activate this collaboration only for a subset of its communications, for example according to the nature of the events reported by its correspondents or by the network used to route the data of a communication.
  • the device 4 is only connected to a single network NW and is only solicited by a single network function, namely the DPS entity 6.
  • the same device can be connected to several distinct networks and decide to activate a collaboration with one or more distinct entities of these networks.

EP21732372.4A 2020-03-26 2021-03-25 Kommunikationsverwaltungsverfahren und zugehörige vorrichtungen Pending EP4128701A1 (de)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR2002986A FR3108752A1 (fr) 2020-03-26 2020-03-26 Communication management method and associated devices
PCT/FR2021/050515 WO2021191567A1 (fr) 2020-03-26 2021-03-25 Communication management method and associated devices

Publications (1)

Publication Number Publication Date
EP4128701A1 true EP4128701A1 (de) 2023-02-08

Family

ID=71662010

Family Applications (1)

Application Number Title Priority Date Filing Date
EP21732372.4A Pending EP4128701A1 (de) 2020-03-26 2021-03-25 Communication management method and associated devices

Country Status (5)

Country Link
US (1) US20230146254A1 (de)
EP (1) EP4128701A1 (de)
CN (1) CN115380508A (de)
FR (1) FR3108752A1 (de)
WO (1) WO2021191567A1 (de)

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10728280B2 (en) * 2016-06-29 2020-07-28 Cisco Technology, Inc. Automatic retraining of machine learning models to detect DDoS attacks

Also Published As

Publication number Publication date
CN115380508A (zh) 2022-11-22
US20230146254A1 (en) 2023-05-11
FR3108752A1 (fr) 2021-10-01
WO2021191567A1 (fr) 2021-09-30

Similar Documents

Publication Publication Date Title
EP3476096B1 (de) UDP communication method over multiple paths between two computer terminals
US9887974B2 (en) Method for network communication past encryption devices
FR2860369A1 (fr) Locating flow entry points in a communications network
EP1894350B1 (de) Securing IP telephony
WO2020260813A1 (fr) Method for managing a communication between terminals in a communication network, and devices for implementing the method
FR3072238B1 (fr) Device and method for transmitting data
EP3520012A1 (de) Method for encrypted traffic inspection with provided trapdoors
EP4066461B1 (de) Method, device and system for coordinating the mitigation of network attacks
FR3058015A1 (fr) Method for dynamic and interactive control of a residential gateway connected to a communication network, corresponding device and computer program
EP4128701A1 (de) Communication management method and associated devices
EP4222994A1 (de) Method for configuring a user device, negotiating with a network entity and managing a connection, and associated devices
FR3105486A1 (fr) Method for detecting malicious behaviour in a communication network, device, equipment for accessing said network, method for detecting a distributed attack in said network, device, node equipment and corresponding computer programs
WO2020002853A1 (fr) Methods for managing traffic associated with a client domain, corresponding server, client node and computer program
EP1986398A1 (de) Method for filtering unwanted data flows originating from a terminal suspected of being maliciously manipulated
WO2024121281A1 (fr) Method for managing a set of IP addresses, collaboration method and devices configured to implement these methods
WO2021105617A1 (fr) Assistance method for managing a computer attack, associated device and system
EP3857847A1 (de) Method for collaboration and for requesting collaboration between protection services associated with at least one domain, corresponding agents and computer program
WO2022084624A1 (fr) Method and device for prioritising packet flows
WO2022084625A1 (fr) Methods and devices for protecting packet flows
WO2023242318A1 (fr) Method of communication between a first device and a remote server, method for managing communications, first device, remote server and corresponding computer program
FR2950767A1 (fr) Method for secure communications in a telecommunications network

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20221019

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
RAP3 Party data changed (applicant data changed or rights of an application transferred)

Owner name: ORANGE