FR3105486A1 - Method for detecting malicious behavior in a communication network, device, equipment for accessing said network, method for detecting a distributed attack in said network, device, node equipment and corresponding computer programs - Google Patents

Abstract

Method for detecting malicious behavior in a communication network, device, equipment for accessing said network, method for detecting a distributed attack in said network, device, node equipment, system, data file and computer programs The invention relates to a method for detecting malicious behavior on the part of a communicating object connected to a remote telecommunications network via a local telecommunications network managed by an access device to said network of remote telecommunications, said method being implemented by a local agent connected to the local telecommunications network, said method comprising:- obtaining (31) by the access equipment information representative of a sequence of network events dated, occurring within a predetermined time window; - the detection of a malicious behavior by matching (33) the information obtained with a signature, among a plurality of signatures of malicious behaviors, stored in at least one signature table; and- the decision (34) to trigger at least one action to protect the local telecommunications network and/or the remote telecommunications network against the malicious behavior detected. Fig. 3

Description

Method for detecting malicious behavior in a communication network, device, equipment for accessing said network, method for detecting a distributed attack in said network, device, node equipment and corresponding computer programs

Field of the invention

The field of the invention is that of telecommunication networks, in particular the security of such networks.

The invention relates more specifically to the detection by a telecommunications network of malicious behavior of one or more terminals or communicating objects connected to this network.

In particular, it finds an application for improving the security of telecommunications networks which are currently facing an increased risk of attacks, increasingly coming from within these networks themselves.

Prior art and its drawbacks

Security management of home networks is problematic. Indeed, user terminals and more generally the communicating objects that connect to them are today subject to an increased risk of attacks, through an installation, without the knowledge of their user, of malicious software (for “ malware ”, in English). It is a computer program developed with the aim of harming a computer system, which is installed in the operating system of a communicating object, without the consent and without the knowledge of its user. Nowadays, the term " virus " is often used, wrongly, to refer to all kinds of malicious software that " infects " communicating objects. It includes in particular worms and Trojan horses.

To fight against this type of so-called "local" attack, computer programs called "anti-virus" (or " anti-malware " in English) are known, specializing in the detection of malicious software on a computer-type terminal. staff for example. Such computer programs are previously installed in the terminal and monitor the software installed on this terminal. When they detect new malware, they alert the user and offer corrective action, such as uninstalling the offending software.

There are also, on the operator side of a telecommunications network, solutions for combating a so-called "global" attack of the dormant agent network (for "botnet") type, when it comes from outside the network. In this type of attack, again, malicious software is installed on a terminal without the knowledge of its user, but its activation is not immediately necessary. Indeed, once installed, this type of software takes advantage of the terminal's access to the telecommunications network to connect to a remote master device (server) and wait for its orders. Alternatively, it can open a port to the access point, using a UPnP (Universal Plug and Play) type protocol that allows peer-to-peer networking of two devices without any wire and therefore a communication between the software and a remote device, via the access point.

In both cases, malware detection is most often based on the local recognition of a digital signature representative of already known and monitored malware. In other words, the signature of software is a sequence of bytes used to identify it. Anti-malware software must therefore maintain a database of already known software signatures and update it as soon as a new attack is discovered. For example, MD5 and SHA1 algorithms are used to generate the hash signature of an executable file (16 bytes for MD5 and 20 bytes for SHA1). Signature-based detection is easy, fairly quick, and effective against common types of malware. The disadvantage of this method is that, in order to be effective, it requires a very regular update of the signature database, since, if the signature of a malicious software is not present in it, it will not be detected as such.

However, attackers know very easily how to modify the signatures of their malware to make them undetectable by “anti-malware” software, which drastically reduces the effectiveness of current anti-malware software. For example, a simple obfuscation technique can be used to change the signature of the same malware and therefore evade signature detection. There is even so-called polymorphic malware, whose signature changes with each new contamination of a communicating object or terminal.

With regard to botnets originating from inside the operator's network, i.e. from an attacker connected to this network, this difficulty is compounded by the fact that it is often not not possible to identify them from isolated local detections. In addition, the solutions that currently exist at the operator level do not make it possible to detect the botnet, therefore to counter it before it starts, that is to say until the local malware has not been activated. At best, existing solutions are corrective, rather than preventive.

Finally, apart from personal computers and mobile phones of the smart phone type (for "smartphone", in English), communicating objects are generally not equipped with "anti-malware" devices.

There is therefore a need to improve the situation.

In particular, there is a need for a technique for detecting malicious software from a user terminal or, more generally, from any communicating object connected to a remote telecommunications network, at the level of a local area network. managed by an access point to this remote network or at the level of a node device of this network. There is also a need for a malware detection technique that is more effective against attacks, whether local or distributed.

Finally, there is a need for a malware detection solution that is more robust with respect to the modifications of its signature made by the attacker.

The invention meets this need by proposing a method for detecting malicious behavior on the part of a communicating object connected to a remote telecommunications network via a local telecommunications network managed by an equipment of access to said remote telecommunications network, said method being implemented by a local agent connected to the local telecommunications network.

According to the invention, said method comprises:
- the obtaining by the access equipment of information representative of a sequence of dated network events, occurring in a predetermined time window;
- the detection of a malicious behavior by matching the information obtained with a signature, among a plurality of signatures of malicious behaviors, stored in at least one signature table; And
- the decision to trigger at least one action to protect the local telecommunications network and/or the remote telecommunications network against the malicious behavior detected.

Contrary to the prior art, the invention proposes an entirely new and inventive approach in the field of the protection of telecommunications networks, which consists in detecting malicious behavior, rather than the presence of malicious software. . To do this, it relies on matching dated network event sequences, collected by network access equipment, with local malicious behavior signatures stored in memory. When a signature has been recognized, a local or remote network protection action is triggered.

Thus the invention makes it possible on the one hand to abstract from the problem of polymorphism of malicious software and on the other hand to monitor any type of user equipment or communicating object connected to the local network managed by the access equipment. In this way, the network is better protected against attacks perpetrated via communicating objects that have no anti-malware protection system.

According to one aspect of the invention, the plurality of signatures comprises signatures of malicious behaviors located in the local telecommunications network, called local behaviors, said signature being associated with at least one local protection action in the local telecommunications network and signatures local malicious behaviors suspected of belonging to a distributed attack in the remote telecommunications network, said signature being associated with an action of transmission of an alert message to a global agent of the remote telecommunications network, configured to detect an attack distributed in said network.

In this way, the invention makes it possible to distinguish local malicious behaviors from local malicious behaviors which are local manifestations of distributed attacks and to adapt its response to the type of behavior detected.

According to another aspect of the invention, the signature of the malicious behavior comprises information representative of network events and a set of rules governing temporal constraints between said network events, called chronic.

A major interest of the formalization by a chronicle is the simple modeling of a partial order. Indeed, a chronicle takes into consideration the dates of occurrence of events without imposing an exact sequence of these events in relation to each other. It also makes it possible to express an absence of occurrence of an event over a given time interval.

According to yet another aspect of the invention, the method comprises a normalization of the information representative of the sequence of dated network events.

One advantage is to homogenize the information received from different sources.

According to yet another aspect of the invention, the alert message comprises information representative of the sequence of network events occurring in the local network within a predetermined time window and recognized as the signature of local malicious behavior suspected of belong to a distributed attack on the remote telecommunications network.

An advantage is that the global agent can aggregate the network events received with others from other local networks to form new sequences of network events and reveal patterns of distributed attacks already monitored.

According to yet another aspect, the alert message includes information representative of the detected local malicious behavior.

An advantage is that the global agent that receives the message immediately identifies malicious behavior detected locally. For example, the occurrence of detected malicious behavior is described as an event inferred from the sequence of events detected by the local agent, this inferred event being specified in the distributed attack signatures stored in memory, in the form of chronicles .

Correlatively, the invention relates to a method for detecting a distributed attack in a remote telecommunications network, comprising:
- obtaining at least one alert message from a local agent connected to a local telecommunications network managed by an access point to said network, said alert message comprising information representative of a sequence network events occurring in the local network within a predetermined time window and recognized as the signature of local malicious behavior suspected of belonging to a distributed attack on the remote telecommunications network;
- the aggregation with information representative of at least one sequence of dated network events, obtained from at least one other local agent connected to another local telecommunications network managed by another access point to said remote network, and recognized by said other local agent as the signature of said or other local malicious behavior suspected of belonging to a distributed attack on the remote telecommunications network;
- the detection of a distributed attack in the remote network, by matching the aggregated information with a signature from among a plurality of distributed attack signatures stored in at least one signature table; And
- the decision to trigger at least one action to protect the network against the detected distributed attack.

The invention thus proposes a distributed attack detection solution in the telecommunications network. The fact of relying on the detection of local malicious behavior and aggregating them to recognize a distributed attack, makes it possible to set up protection in advance, from the first local manifestations of attack preparation.

The invention also relates to a computer program product comprising program code instructions for implementing a method for detecting malicious behavior and a computer program product comprising program code instructions for implementation of a method for detecting a distributed attack in a remote telecommunications network according to the invention as described previously, when it is executed by a processor.

The invention also relates to a recording medium readable by a computer on which the computer programs as described above are recorded.

Such recording medium can be any entity or device capable of storing the program. For example, the medium may comprise a storage means, such as a ROM, for example a CD ROM or a microelectronic circuit ROM, or else a magnetic recording means, for example a USB key or a hard disk.

On the other hand, such a recording medium may be a transmissible medium such as an electrical or optical signal, which may be conveyed via an electrical or optical cable, by radio or by other means, so that the program computer it contains is executable remotely. The programs according to the invention can in particular be downloaded from a network, for example the Internet network.

Alternatively, the recording medium may be an integrated circuit in which the program is incorporated, the circuit being adapted to execute or to be used in the execution of the aforementioned detection methods.

The invention also relates to a device for detecting malicious behavior on the part of at least one communicating object connected to a local telecommunications network managed by equipment for access to a remote telecommunications network.

Said device is configured for:
- obtain by the access equipment information representative of a sequence of dated network events, occurring in a predetermined time window;
- detecting malicious behavior by matching the information obtained with a signature, among a plurality of signatures of malicious behavior, stored in at least one signature table; And
- decide to trigger at least one action to protect the network against the malicious behavior detected.

Advantageously, said device is configured to implement the aforementioned method for detecting malicious behavior, according to its various embodiments.

Advantageously, said device is integrated into equipment for access to a remote telecommunications network, configured to manage a local telecommunications network to which at least one communicating object is connected.

It is for example a residential gateway or a collector node of a network of sensors or IoT (for "Internet of Things", in English), a wifi access point or even a Wi-Fi repeater.

The access equipment, the device for detecting malicious behavior or local agent and the aforementioned corresponding computer program have at least the same advantages as those conferred by the method for detecting malicious behavior according to the present invention. .

The invention also relates to a device for detecting a distributed attack in a remote telecommunications network, called a global agent, configured for:
- receive at least one alert message from a local agent connected to a local telecommunications network managed by an access device to said network, said alert message comprising information representative of a sequence of network events occurring within a predetermined time window and recognized as the signature of local malicious behavior detected by said local agent and suspected of belonging to a distributed attack in said network;
- aggregating the information received with information obtained from at least one other local agent connected to another local telecommunications network managed by another access point to said remote network, and recognized by said other local agent as the signature of said or 'other local malicious behavior suspected to be part of a remote network distributed attack;
- detecting a distributed attack by matching the aggregated information with a signature from among a plurality of distributed attack signatures stored in at least one signature table; And
- decide to trigger at least one action to protect the network against the detected distributed attack.

Advantageously, said device is configured to implement the aforementioned distributed attack detection method, according to its various embodiments.

Advantageously, said device is integrated into a node equipment of a remote telecommunications network.

The node equipment, the device for detecting a distributed attack or global agent and the aforementioned corresponding computer program have at least the same advantages as those conferred by the method for detecting a distributed attack according to the present invention.

Correlatively, the invention also relates to a data file comprising a table of signatures comprising entries, an entry comprising information representative of a sequence of network events occurring within a predetermined time window, forming a signature of malicious behavior or of a distributed attack, and at least one network protection action, associated with said signature.

The invention finally relates to a system for protecting a remote telecommunications network against malicious behavior or a distributed attack, comprising at least two aforementioned local agents, each connected to a local telecommunications network, said local network being managed by equipment access to said remote telecommunications network, an aforementioned global agent and at least one aforementioned data file, comprising a table of signatures of malicious behavior or distributed attacks.

List of Figures

Other aims, characteristics and advantages of the invention will appear more clearly on reading the following description, given by way of a simple illustrative example, and not limiting, in relation to the figures, among which:

This figure schematically represents a system for detecting malicious behavior of a user terminal connected to a local telecommunications network managed by an access point to a remote network, according to an exemplary embodiment of the invention. ;

This figure schematically represents a local agent device capable of detecting malicious behavior in a telecommunications network according to an exemplary embodiment of the invention;

This figure represents in flowchart form the different steps of a method for detecting local malicious behavior of terminal equipment connected to a telecommunications network, according to one embodiment of the invention;

This figure schematically represents a global agent device capable of processing an alert relating to local malicious behavior of a terminal detected in a telecommunications network according to an embodiment of the invention;

This figure represents in flowchart form the different steps of a method for processing an alert relating to local malicious behavior detected in a telecommunications network, according to one embodiment of the invention;

This figure schematically represents a distributed system for detecting malicious behavior of user terminals connected to a telecommunications network according to an embodiment of the invention;

This figure proposes a block diagram of equipment for access to a telecommunications network comprising a device for detecting malicious behavior of a user terminal in a telecommunications network according to an embodiment of the invention; And

This figure proposes a block diagram of a node or server equipment of a communication network comprising a device for processing an alert relating to at least one local malicious behavior detected in said according to an exemplary embodiment of the invention.

Detailed Description of Embodiments of the Invention

The general principle of the invention is based on the detection, from information relating to a sequence of network events recorded during a predetermined time period, of malicious behavior on the part of communicating objects connected to a local telecommunications network managed by an access point to a remote telecommunications network. A local agent is configured to recognize the signature of malicious behavior monitored from information received by the access point or generated at this access point and to trigger a network protection action associated with the recognized signature . Advantageously, when the malicious behavior detected is suspected of belonging to a distributed attack in the remote telecommunications network, the protective action includes the transmission of an alert message to a global agent. According to the invention, the global agent is configured to aggregate the information received from several local agents with a view to detecting and recognizing a distributed attack in the remote telecommunications network and in turn triggering one or more actions to protect this network, associated with the recognized attack.

The invention finds numerous applications, in particular in equipment for access to a telecommunications network of an operator, of the residential gateway type (for "home gateway", in English), and more generally in any node equipment of this network. .

In the rest of the description, we endeavor to describe in detail an example of implementation of the invention.

In relation to FIG. 1 , a system 10 in accordance with the invention, in one embodiment, is presented in its environment.

In the example envisaged by FIG. 1 , the telecommunications network RT is a WAN network (for “Wide Access Network”) of an operator, which is accessed by user equipment or communicating objects OC1, OC2…OCM, with Whole M. In the embodiment described here, the term “communicating object” denotes both a user's terminal equipment, such as for example a personal computer OC3, OC8, an intelligent telephone (for “smartphone”) OC2, OC7, or a tablet, an object capable of connecting to a telecommunications network and communicating with other connected equipment or machines, such as a weather station, an actuator, an OC5 printer, an OC4 camera, OC6 etc, or any other type of communicating object (not shown) such as a weather station, an actuator, or any type of sensor, known as M2M (for "machine to machine", in English), provided that it is capable of connecting to the local network LAN1, LAN2, LAN3.

These communicating objects connect to the WAN network via local networks LAN (for "Local Access Network") LAN1, LAN2, LAN3 of particular users, via equipment called access points AP1, AP2, AP3 such as residential gateways or public access points (for "hotspots") via a wired or wireless link. Such access points are configured to route communications from user equipment on their LAN network to the operator's remote telecommunications network and vice versa. They are therefore equipped with a routing function.

Of course, the invention is not limited to this example and also relates to a cellular RT network, such as for example a 2G, 3G, 4G or 5G network defined by the 3GPP standard. It can also be implemented in a wireless network of the sensor network or IoT type (for "Internet of Things", in English), in which the access points are nodes collecting data measured by sensor nodes TU , or in any other type of wireless network based on wireless communication technology such as Wi-Fi®, Bluetooth®, ZigBee, Z-Wave®, etc.

According to the invention, the system 10 is configured to detect at least locally malicious behavior on the part of a communicating object or terminal connected to this telecommunications network RT and to react to this detection by triggering one or more protective actions. of the network.

In the example considered in FIG. 1 , the system 10 comprises, to detect malicious behavior in the network RT:

- at least one device for detecting malicious behavior or local agent LA, 100, which can be integrated into an access point AP1, AP2, AP3;

a table of local malicious behavior signatures representative of a local attack TS _Loc and a table of local malicious behavior signatures suspected of belonging to a global attack TS _Susp stored in a memory M;

- a device for detecting a distributed attack or global agent GA, 200, which can be integrated into a node equipment of the network RT, such as for example the server equipment SR, 300;

a table of signatures of malicious behavior representative of a global attack TS _Susp stored in a memory M′;

The memory M can be integrated in the device 100, or else in an access point AP1, AP2, AP3. It can also be stored in equipment remote from the network RT to which the local detection device LA, 100 can access. Alternatively, the two tables TS _Loc and TS _Susp can be merged into a single table.

The memory M′ can be integrated in the device 200, or else in the node equipment SR. It can also be stored in another piece of equipment remote from the network RT to which the global detection device GA,200 can access.

Advantageously, within the system 10, the devices 100 of the various access points AP1, AP2, AP3 are arranged to communicate with the device 200. The device 200 can also communicate with the IS information system of the network operator RT.

A description will now be given in relation to FIG. 2 of a device 100 or local agent LA according to one embodiment of the invention. The device 100 comprises a collection module COLL configured to collect dated network events originating from various sources located in the network RT and from which the device 100 receives data traffic. In this example, the local agent 100 is integrated into an access point/router AP1, AP2, AP3. The latter being configured to perform various services such as for example firewall services 22 (for “firewall”, in English), Web client 21, DNS address resolution 23 (for “Domain Name System”, in English) , dynamic configuration of addresses for example according to the DHCP 24 protocol (for “Dynamic Host Configuration Protocol”, in English) as well as data routing functions 25 coming from a communicating object OC1,…, OC8 which is connected, these sources are therefore of varied natures.

The device 100 optionally comprises a normalization module NORM for information relating to the network events received, capable of homogenizing the information describing each of these events and a recognition module RECO for a signature of a malicious behavior from a collected event. or preferably several events collected in a predetermined time window and known malicious behavior patterns or signatures previously stored in memory in the TS _Loc and TS _Susp signature table. Finally, it comprises a decision module DEC capable of triggering at least one processing action associated with the recognized malicious behavior.

We will now describe in relation to the flowchart of FIG. 3 , the different steps of a method for detecting malicious behavior implemented by the detection device LA, 100 according to one embodiment of the invention.

At 31, the device 100 obtains, from data received or generated by the access equipment, information representative of a plurality of dated network events occurring in a predetermined time window and it stores them in memory.

Here, network event refers to any dated event that has given rise to the recording by software or an operating system of equipment connected to the network, of a line in an event log, known as a log engine. Examples are system access, file modification, UPnP port open request, packet traffic destined for a target IP address and target port, a quantity of information sent etc.

Optionally, at 32, a standardization of the information relating to the events received is implemented to standardize the information describing each of these events.

As an example, consider the following record from a firewall log:
2019 Aug 4 13:23:00 centos kernel: IPTables-Dropped: IN=em1 OUT= MAC=a2:be:d2:ab:11:af:e2:f2:00:00 SRC=193.252.19.3 DST=80.11. 95.103 LEN=52 TOS=0x00 PREV=0x00 TTL=127 ID=9434 DF PROTO=TCP SPT=58428 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0.

We also consider a record from the web client log 21:
193.252.19.3 - peter [9/Feb/2019:10:34:12 -0700] "GET /sample-image.png HTTP/2" 200 1479.

A normalization of these two examples of events advantageously consists of:
- keep only essential information;
- standardize the presentation of the information they contain, for example by observing the same ordering of their fields;
- standardize date information.

We choose for example the following formalism:
“service-event date param1 param2 param3”.

Or :
- "date" is the number of seconds elapsed since ¹ January 1970;
- “service-event” is the name of the event as it appears in the monitored malicious behavior patterns or signatures stored in memory;
- “param1..paramn” are the parameters making up the models or signatures.

In 33, the local agent 100 seeks to match at least some of the network events received in the time window and optionally normalized, with signatures or patterns of malicious behavior monitored beforehand stored in memory in the signature table(s).

Advantageously, a malicious behavior signature according to the invention is described in the form of a chronicle, that is to say as a set of dated events associated with time constraints, represented by a tuple. In computer language, this tuple takes the form of a tuple (S,T), where S designates the set of events and T the temporal constraints on these events.

A major interest of the formalization by a chronicle is the simple modeling of a partial order. Indeed, a chronicle takes into consideration the dates of occurrence of events without imposing an exact sequence of these events in relation to each other. It also makes it possible to express an absence of occurrence of an event over a given time interval.

For example, the occurrence of three events A, B and C in a time window of less than 5 seconds can be written using the following chronicle:
C=(S,T)
S={(A,?tA), (B,?tB), (C,?tC)}
T={(?tA<?tB), (?tC<?tA+5)}.

In computer language, it would translate as follows:
chronicle c {
event (a, Ta)
event(b,Tb)
event(c,Tc)
Ta < Tb < Tc
}

To describe the fact that two events A,B occur consecutively, without the occurrence of a third event C between them within a time interval of less than 5 seconds, we would define the following chronicle:
chronicle c {
event(a, Ta)
event(b, Tb)
Ta < Tb
noevent (c, (Ta,Tb))
}

It should be noted that if the examples which have just been given for illustrative purposes are simple, it is nevertheless possible to configure the events and the chronicles themselves, to take account of variables relating to an event recorded in a log of events:
- PID identifier of a process;
- IP address of a request;
- name of a user;
- URL accessed
- etc.

In this exemplary embodiment of the invention, the recognition module RECO of the device 100 is therefore configured to recognize a chronicle. At this stage, two scenarios are considered:
- According to a first scenario, no signature has been recognized and the method resumes at step 31 for obtaining new network events;
- According to a second scenario, a signature has been recognized at 33. According to the invention, the signature model stored in memory comprises at least one associated action. Step 34 for deciding on a processing action extracts this action and triggers its execution. Note that it can be local or remote.

A local action is a remedial action executed by the device 100 itself or the execution of which is commanded to a device of the LAN network to which it is connected. These include, for example, modifying the behavior of a firewall, shutting down a local service, prohibiting traffic to a particular IP address. For example, if the source IP address at the origin of the recognized malicious behavior is that of a communicating object connected to the LAN network, an action can be to block it and at least to cut off the fraudulent communication. For example, a feedback loop would allow the access point/router of the LAB network to cut off the fraudulent communication, by isolating the communicating object at the origin of these communications and to invite the administrator of the LAN network, for example the user of the domestic gateway, to disinfect their machines.

A remote action is the transmission of all or part of the events forming the recognized signature to a global agent 200 so that it aggregates them with other events collected from other local agents with a view to detecting a signature of malicious behavior. representative of a distributed attack on several LAN networks. It is understood that a remote action is advantageously associated with malicious behavior suspected of being a local manifestation of a distributed attack, for example of the “botnet” type. The global agent 200 is advantageously configured to receive the sequence of network events recognized as suspicious by the local agent and to aggregate it with other sequences received from other local agents, according to a method which will be detailed below.

Whether local or remote, the triggering of the action associated with the recognized chronicle is implemented in the form of a computer program that calls for action through a callback function (for "call back", in English), i.e. as a function which is passed as an argument to another function. The latter can then make use of this callback function like any other function, even though it does not know it in advance. For example, several "callback" functions can be called by this computer program:
- a function cutting off all communication from or to an IP address;
- a function recording all network signaling linked to an IP address;
- a function sending an email to the client user of the access point/router, informing him of fraudulent activity on his local LAN network;
- etc.

In the embodiment described here, the local agent LA 100 advantageously accesses two tables of signatures or models:
- a local table TS _Loc , comprising entries each associating a known and monitored local malicious behavior signature, with at least one local processing action;
- a TS _Susp table, comprising entries each associating a local malicious behavior signature suspected of belonging to a distributed attack, to a remote processing action.

Alternatively, the entries of the two tables can of course be stored in one and the same table of signatures.

A description will now be given in relation to FIG. 4 of a device 200 or global agent GA according to one embodiment of the invention. In addition to the COLL collection, NORM normalization, RECO recognition and DEC decision modules already described for the local agent 100, the global agent 200 comprises a module REC for receiving alert messages comprising all or part of the sequences dated network events originating from local agents 100 ₁ , 100 ₂ , 100 ₃ , for example integrated into access points AP1, AP2, AP3 to the communication network RC, these sequences of network events having been recognized as local malicious behavior signatures suspected of being part of a global attack. The global agent GA 200 further comprises a module AGGR for aggregating the sequences of events received from the various local agents, the aggregated sequences then being presented to the recognition module RECO. In this respect, the recognition module of the global agent GA 200 relies on a table of signatures TS _Dist specific to the global agent GA, 200, and different from that of the local agent 100 which has just been described in relation with FIG. 2. The signatures or models stored in the table TS _Dist are representative of attacks distributed in the WAN network, and are for example of the “botnet” type.

Of course, a global agent can also play the role of local agent and process sequences of network events by accessing the TS _Loc and TS _Susp tables previously described.

We will now describe in relation to the flowchart of FIG. 5 , the different steps of a method for detecting a distributed attack by the device 200 according to one embodiment of the invention.

At 51, the device 200 obtains at least one alert message from a local detection device LA 100, for example one of the devices 100 ₁ , 100 ₂ , 100 ₃ integrated into the access points AP1, AP2, AP3 to said network, said alert message comprising information representative of a sequence of network events occurring in a predetermined time window and recognized as the signature of local malicious behavior suspected by said device 100 of belonging to a distributed attack in the remote WAN network. The device 200 therefore receives sequences of events transmitted by local agents LA 100, which it extracts and stores in memory.

At 52, optionally, the global agent 200 normalizes the sequences of network events received from the various local agents to standardize the information that they contain. Note that the global agent receives events that may already have been normalized by the local agents.

When a local agent LA, 100 recognizes a signature of malicious behavior suspected of belonging to a distributed attack, it can propagate all or part of the events that it has recognized as a signature of this behavior to the global agent 200 Alternatively, he can also create a new event to indicate to the global agent that he has recognized a malicious behavior suspected of belonging to a distributed attack, at a given moment, and sends him in an alert message .

At 53, the device 200 aggregates information extracted from the alert messages received and relating to malicious behavior recognized locally by distinct local devices 100 ₁ , 100 ₂ , 100 ₃ , such as signatures of malicious behavior suspected of belonging to an attack distributed. At this stage, two options are considered:
- the alert message includes information relating to the events detected by the local agent and from which it recognized the malicious behavior. The global agent can exploit them to form new sequences from events coming from distinct local agents and occurring in a time window which can be different from that used by the local agents, for example larger;
- the alert message includes information representative of an event deduced by the local agent, which identifies the local malicious behavior detected. This other type of event can also be used by the global agent to form a new sequence of events to be compared with its own signature table.

At 54, device 200 maps the newly formed event sequences to distributed attack signatures or patterns stored in the TS _Dist signature table.

As with the local agent 100, the signatures advantageously take the form of chronicles.

At this stage, two scenarios are considered:
- according to a first scenario, no signature has been recognized and the method resumes at step 51 in order to obtain new alert messages, comprising new sequences of events detected as suspected local malicious behaviors to belong to a distributed attack, or directly an event representative of the local malicious behavior detected.
- According to a second scenario, a signature has been recognized at 54. According to the invention, the signature model stored in memory comprises at least one associated action. The step 55 of deciding a processing action comprises obtaining the action associated with the recognized signature and the decision to trigger the execution of this action. Note that it can be local and/or remote.

A local action is a remedial action executed by the global agent 200 itself or the execution of which is ordered from a local agent 1001, 1002, 1003 to which it is connected. These include, for example, modifying the behavior of a firewall, shutting down a local service, prohibiting traffic to a particular IP address.

It is understood that the global agent is configured to orchestrate a global response to the distributed attack scenario that has been recognized, by controlling the processing actions to be implemented with the various local agents or access points. Such actions may include the blocking of terminals or communicating objects at the origin of fraudulent communications.

According to a first example, following the detection of the opening of a UPnP port suspected of being used by the botnets, the local agent LA, 100, transmits an alert message to the global agent GA, 200, including information relating to an event of the type “suspected botnet in UPnP”. Assume that the GA global agent, 200, receives 1000 such alert messages in a one hour time window. It forms a sequence of events from which it recognizes the signature of a distributed botnet-type attack, which triggers a protective action which consists of ordering each of the local access points to close the port incriminated.

According to a second example, a firewall identifies abnormal data traffic to an IP address located in a territory considered to be at risk, recognizes the signature of malicious behavior suspected of belonging to a distributed attack of the botnet type and sends a message alert to the global agent GA, 200. It is assumed that the global agent receives a large number of alerts of the same type in a given time interval and there again recognizes the signature of a distributed attack. It then triggers a protective action aimed at the local access points/routers so that they cut off the offending communication and prohibit any communication to this IP address. The global agent can also make a global decision to deny traffic from the entire carrier WAN to that IP address.

A remote action is the transmission of an alert message comprising all or part of the events forming the signature recognized by the global agent 200 to a more central equipment of the telecommunications network RT, for example an equipment of the information system IS of the operator of this network, so that it takes specific actions, such as issuing Hadopi recommendation letters or blocking access to certain equipment or alerting an operational security center for the detection of security incidents ( “cybersoc”), so that it correlates this information in real time with other data available to it.

Thus, the system 10 according to the invention, comprising a global agent 200 and several local agents 100, makes it possible to perform distributed detection of malicious behavior in the telecommunications network RC.

Indeed, with the invention, it is advantageously possible to chain the local and global agents together in order to set up a distributed detection system. For example, as illustrated by FIG. 6 , it is possible to envisage integrating a local agent device 100 into equipment of the wireless network REP repeater type (for “extender” in English) in a LAN network, integrating a global agent GA 200 in a residential gateway AP1, AP2, AP3 and to integrate a global agent GA, 200 in a network server equipment SR which itself sends alerts to the information system of the network operator RC.

Examples of monitored malicious behaviors detected by the invention are now detailed.

First example: port scanning from a WAN network device

According to a first example, a firewall device is considered, for example the "IPtables" firewall of the Linux operating system, for example integrated into an access point/router AP1, AP2, AP3 of the local network LAN1, LAN2, LAN3 of a user. Such an access point forms the interface between the local network and the WAN telecommunications network of an operator. The firewall is configured to generate an event log relating to attempts to connect to the access point AP1, AP2, AP3 via the WAN network, and for example the following event:
2019 Aug 4 13:23:00 centos kernel: IPTables-Dropped: IN=em1 OUT= MAC=a2:be:d2:ab:11:af:e2:f2:00:00 SRC=193.252.19.3 DST=80.11. 95.103 LEN=52 TOS=0x00 PREV=0x00 TTL=127 ID=9434 DF PROTO=TCP SPT=58428 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0.

This is a single event dated August 4, 2019 at 1:23 p.m. and 0 seconds, from the Linux kernel (“Centos kernel”). It was saved by the firewall in a "DROPPED" table of the Linux firewall.

- IN designates the network interface through which the data packet arrived
- OUT: does not include any information because the packet was dropped (“dropped”);
- MAC: designates the MAC address that sent the packet;
- SRC: designates the IP address from which the packet originated;
- DST: designates the destination IP address of the packet;
- PROTO designates the communication protocol used by layer 3 of the OSI model (TCP);
- SPT: designates the packet dispatch port on the source equipment or machine;

- DPT: designates the reception port on the target equipment or machine (443 -> HTTPS).

Once normalized, this event takes a simplified form of the following type:
iptables-in(interface,source_ip,dest_port,date).

It therefore specifies the interface concerned, the source IP address which is trying to connect, the destination port to which it is trying to connect and the date and time of the attempt.

With the example above, we get:
iptables-in(em1,193.252.19.3,443,1564924980)

The date is expressed here as the number of seconds elapsed since January 1 ^, 1070, according to a standard UNIX format.

It is assumed that a suspect scenario model could be formulated in natural language as follows:
“The same IP address attempts, within a 10-second time window, to connect to ports 21 (FTP), 22 (SSH), 23 (Telnet), 80 (HTTP) and 443 (HTTPS). »

Indeed, such an event is symptomatic of abnormal behavior that should not occur.

The firewall transmits, at each connection attempt detected, a message intended for a local agent LA, 100, comprising the essential information to define this event, relating to the interface concerned, the source IP address, the IP address destination. Such a message takes for example the following form:
message iptables-in [?interface,?source_ip,?dest_port]

It is assumed that a message is sent for each connection attempt to the 5 addresses mentioned above.

This message is dated by the local agent LA 100 upon receipt. It thus becomes a new event to be processed by the local agent LA 100.

It is assumed that the local agent LA 100 has received the 5 events mentioned above and that its RECO recognition module seeks to match them with the following chronicle, stored in its table of local malicious behavior signatures:
chronicle wan-scan {
event(iptables-in[“em1”,?SRC_IP1,21], T_FTP)
event(iptables-in[“em1”,?SRC_IP2,22], T_SSH)
event(iptables-in[“em1”,?SRC_IP3,23], T_TELNET)
event(iptables-in[“em1”,?SRC_IP4,80], T_HTTP)
event(iptables-in[“em1”,?SRC_IP5,44], T_HTTPS)

T0 < T_FTP < T0+10
T0 < T_SSH < T0+10
T0 < T_TELNET < T0+10
T0 < T_HTTP < T0+10
T0 < T_HTTPS < T0+10

With such a chronicle, a chronicle recognition engine implemented by the RECO module or step 33, from a sequence of network events received, must satisfy the following constraint:
constraint match[?ip1,?ip2,?ip3,?ip4,?ip5] {
?ip1 == ?ip2 == ?ip3 == ?ip4 == ?ip5
}

This constraint is defined as a predicate which is an integral part of the chronicle. It means that the 5 IP addresses ip1 to ip5 are equal.

This constraint is then verified by the chronicle recognition engine, by performing the following test:
match [?SRC_IP1,?SRC_IP2,?SRC_IP3,?SRC_IP4,?SRC_IP5]
}

This test therefore consists in verifying that the 5 addresses SRC_IP1 to SRC_IP5 are in fact one and the same address and therefore that it is the same communicating object which tries to connect simultaneously to several services.

In this example, the "wan-scan" chronicle is purely local and requires local processing. A local processing AC action is associated with it in the TS _Loc table.

The recognition module RECO of the device 100, LA is for example implemented in the form of a computer program in which the action AC is implemented in the form of a callback or callback function. For example, the local processing action is to drop all data packets received by the firewall device from the source IP address. It can be formulated as a rule whose device 100, LA controls the installation in the firewall.

2 ^th example: suspected presence of a botnet

As a reminder, a botnet is a “network of sleeper agents” set up without the knowledge of users of terminal equipment or communicating objects connected to the RT telecommunications network. As a general rule, the user of a terminal is the victim of phishing (for “phishing”, in English), which takes for example the form of a fraudulent e-mail which invites him to click on a link or to download a file. This operation triggers the installation of malicious software without the knowledge of the user, who can then command the terminal or the communicating object, for example to:
- connect to a remote server, in order to wait for orders from its master;
- to open a port in UPnP on the router, so that his master warns him when he will need him.

Such events can be detected, the first by a connection event log generated by the iptables firewall, for example integrated in the access point/router AP1, AP2, AP3, in particular an event of the following type:
iptables-out(interface,source_ip,dest_port,date)

The second is recorded in a port opening event log generated by the UPnP service integrated in the access point/router, in particular an event of the following type:
upnp-port(ext_port,in_port,in_ip,date)

In this embodiment of the invention, a chronicle model has been created for each of these two types of events. Each of these chronicles is based on the prior determination of the characteristics of known and monitored malicious behavior.

In a known manner, each so-called “standard” service is associated with a known port number. For example, port number 80 is associated with the “http” web service, and port number 443 is associated with the https web service, which makes it possible to address a website without the need to specify “:80” or “:443” at the end of each web address.

By contrast, a non-standard port is any port that does not appear in a list of standard ports used by an operating system (for example, the /etc/services file under Linux), or in another list of standard ports. managed by the WAN telecommunications network operator.

For the first case, a simple connection on a non-standard port can be considered suspicious.

For the second case, we can consider that a communicating object which requests the opening of a port in UPnP has suspicious behavior. We then define the following message:
message upnp-port [?ext_port, ?in_port,?in_ip]
deduced message upnp-suspicious [?ext_port]
constraint is_iot[?ip] {
?ip in {192.168.1.23, 192.168.1.27}
}

It incorporates a predicate defining a constraint on a type of user equipment having the IP address, in this case a user equipment of the M2M (for "Machine to Machine") or IoT (for "Internet of Thing") communicating object type. , in English.

It also defines a message, said to be inferred for the local agent, entitled “ upnp-suspicious ”, to be sent to a global agent to alert it to the occurrence of a suspicious port opening.

We deduce the following chronicle:
chronicle local-botnet-upnp {
event(upnp-port[?EXT_PORT,?IN_PORT,?IN_IP], T_UPNP))
is_iot[?IN_IP]
when recognized {
emit event (upnp-suspicious [?EXT_PORT], T_UPNP)
}
}

These two chronicles are each the expression of the signature of a local malicious behavior suspected of belonging to the scenario of a distributed attack of the "botnet" type. They are therefore stored in the local TS _Susp database.

Each of them is based on the detection of a single trigger event and is associated with a processing action, including sending the trigger event to a global agent GA 200.

The structure of such a chronicle is interesting, because it defines within the chronicle a constraint making it possible to determine whether a source IP address corresponds to that of a connected object or not.

We note that the column, written here, will trigger an alert as soon as an IoT communicating object whose IP is between 192.168.1.23 and 192.168.1.27 tries to open a UPnP port.

On the side of the global agent, a chronicle is defined which counts the detection of events considered locally suspicious and which have been the subject of information feedback (attempt to connect to a non-standard port or request for UPnP port openings by a communicating object) and over a predetermined time window. For example, we can define that five occurrences of an event of the first or second type in a time window of 60 seconds are sufficient to decide that a “botnet” type attack is looming.

The event is defined by the following inferred message: message upnp-suspicious [?ext_port]

It is associated with the following constraint:

constraint match[?port1, ?port2, ?port3, ?port4, ?port5] {
?port1 == ?port2 == ?port3 == ?port4 == ?port5
}

For example, the resulting chronicle is expressed as follows:
chronicle global-botnet-upnp {
event (upnp-suspicious [?EXT_PORT1],T1)
event (upnp-suspicious [?EXT_PORT2],T2)
event (upnp-suspicious [?EXT_PORT3],T3)
event (upnp-suspicious [?EXT_PORT4],T4)
event (upnp-suspicious [?EXT_PORT5],T5)
T0 < T1 < T0+60
T0 < T2 < T0+60
T0 < T3 < T0+60
T0 < T4 < T0+60
T0 < T5 < T0+60

The global agent 200 decides that this chronicle is recognized, if the following matching is obtained, that is to say if the constraint defined by the “match” predicate mentioned above is verified:
match [?EXT_PORT1, EXT_PORT2,?EXT_PORT3,?EXT_PORT4,?EXT_PORT5]
}

The chronicle means in natural language: “if within 60 seconds, 5 “upnp-suspicious” alerts are received from 5 local agents on the same port, then the processing action associated with the chronicle is triggered!”

Upon recognition of this chronicle on the global agent, the associated action is therefore executed. For example, a simple callback function will suffice to make a decision at the network level, depending on the parameters that have been uploaded. For example, the callback function could either consist of:
- ask the local routers to close the port which has been opened and cut off the traffic coming from and going to the incriminated communicating object;
- in a more constructive approach, record all connections to this port, in order to determine the origin of this traffic.

Third example: Local threat

In this example, we consider the case of a user who tries to attack his own access point to the WAN network of his operator, and to the Internet, that is to say his residential gateway ("for "home gateway », in English), to obtain information from the operator, stored on this gateway, to take control of it or to try to attack the operator network.

The invention makes it possible to protect the telecommunications network RC against this type of practice. Simply define a purely local composite chronicle, based on the detection of the following network events:
- made a number of erroneous web requests;
- attempted to execute erroneous DNS queries;
- attempted a certain number of authentications on a service reserved for the operator.

It is then associated with a local processing action of the “ cut all services ” type.

In this case, we would define simple chronicles for each of the network events listed above.

For example, events received from local agents include the following inferred messages:
deduced message web-suspicious
deduced message dns-suspicious
deduced message auth-suspicious

These messages are emitted by the local chronicles of Web, DNS and authentication services:

chronicle web-errors {
...
when recognized {`emit event(web-suspicious,T)
}
}

chronicle dns-errors {
...
when recognized {
emit event(dns-suspicious,T)
}
}

chronicle auth-requests {
...
when recognized {
emit event(auth-suspicious,T)
}
}

At the level of the local agent, we define for example a composite chronicle, called a local threat, which is recognized when one of the three previous suspicious events occurs in its local network.

chronicle local-threat {
event (web-suspicious,T1)
event (dns-suspicious,T2)
event (auth-suspicious,T3)
T0<T1<T0+1800
T0<T2<T0+1800
T0<T3<T0+1800
}

Thus, even for purely local malicious behaviors, the invention makes it possible to define so-called “drawer” chronicles.

With the invention, it is thus possible to monitor any type of behavior, from the moment one is able to model it expertly, or to learn it.

We now present, in relation to FIG. 7 , the hardware structure of a device 100 for detecting malicious behavior, or local agent LA, comprising a module for obtaining from data received by the access equipment information representative of a sequence of dated network events, occurring in a predetermined time window, a module for detecting malicious behavior by matching the information obtained with a signature, among a plurality of signatures of monitored behaviors, stored in a table of signatures TS _Loc and a decision module for triggering at least one action for protecting the network against the malicious behavior detected. Advantageously, the plurality of signatures comprises signatures of localized malicious behaviors in the local telecommunications network, called monitored local behaviors, said signature being associated with at least one local protection action to the local telecommunications network and signatures of suspected local malicious behaviors to belong to a distributed attack on several local telecommunications networks, said signature being associated with an action of transmission of an alert message to a node equipment of the remote telecommunications network.

Optionally, the device 100 also comprises a module for normalizing the information obtained.

Advantageously, the device 100 also comprises a storage module or memory M, of the signature table TS _Loc , for example a read only memory or a non-volatile memory NVRAM. Advantageously, the memory M comprises another table of signatures TS _Susp representative of local malicious behaviors suspected of belonging to a global attack.

The term "module" can correspond both to a software component and to a hardware component or a set of hardware and software components, a software component itself corresponding to one or more computer programs or sub-programs or in a more general to any element of a program able to implement a function or a set of functions.

More generally, such device equipment 100 comprises a random access memory 103 (for example a RAM memory), a processing unit 102 equipped for example with a processor, and controlled by a computer program Pg1, representative of the modules for obtaining , optionally of normalization, recognition and decision mentioned above, stored in a read only memory 101 (for example a ROM memory or a hard disk). On initialization, the code instructions of the computer program are for example loaded into the random access memory 103 before being executed by the processor of the processing unit 102. The random access memory 103 contains in particular the information relating to the sequences events received. It can also include a copy of the signature table or tables TS _Loc , TS _Susp , also loaded during initialization.

The processor of the processing unit 102 drives the obtaining, normalization, recognition and decision, in accordance with the flowchart of FIG. 3.

The figure7only illustrates one particular way, among several possible, of making the detection device 100, so that it performs the steps of the method for detecting malicious behavior detailed above, in relation to the face3. Indeed, these steps can be carried out either on a reprogrammable calculation machine (a PC computer, a DSP processor or a microcontroller) executing a program comprising a sequence of instructions, or on a dedicated calculation machine (for example a set of logic gates like an FPGA or an ASIC, or any other hardware module).

In the case where the device 100 is produced with a reprogrammable calculating machine, the corresponding program (that is to say the sequence of instructions) could be stored in a removable storage medium (such as for example a diskette, a CD-ROM or a DVD-ROM) or not, this storage medium being partially or totally readable by a computer or a processor.

The different embodiments have been described above in relation to a device LA, 100 integrated into an access equipment AP1, AP2, AP3 to a wireless telecommunications network, such as for example a residential gateway, a Wifi repeater , or even a collector node of a network of sensors, but it can also be integrated into the terminal TU itself, such as a mobile telephone of the smart phone type (for “smartphone”, in English), a computer of the type PC (for “Personal computer”, in English) or a tablet, when it is configured to make the function of access point to the RT network.

According to a variant embodiment of the invention (not shown), the device 100 is based on the hardware structure of the access point AP1, AP2, AP3 which here has the hardware structure of a computer and more particularly comprises a processor , a random access memory, a more memory, a non-volatile flash memory as well as wireless communication means which enable it to communicate with the terminal respectively the access point(s) via the RT network. The read only memory constitutes a recording medium in accordance with the invention, readable by the processor and on which is recorded the computer program Pg1 in accordance with the invention, comprising instructions for the execution of the location method according to the invention.

Finally, in relation to FIG. 8 , the hardware structure of a device 200, GA for detecting a distributed attack in a remote telecommunications network, comprising a module for receiving at least one alert message from a local agent connected to a local telecommunications network managed by access point to said remote network, said alert message comprising information representative of a sequence of network events occurring in a predetermined time window and recognized as the signature of local malicious behavior detected by said local agent and suspected of belonging to a distributed attack in the remote network, a module for aggregating the information received with information obtained from at least one other local agent and recognized by said other local agent as the signature of said or another monitored malicious behavior, a module for detecting a distributed attack in the network by matching the aggregated information with a signature among a plurality of signatures of monitored distributed attack patterns stored in memory; and a decision module for triggering at least one action for protecting the network against the detected distributed alert.

Advantageously, the device 200 also comprises a storage module or memory M′, of the signature table TS _Dist , for example a read only memory or a non-volatile memory NVRAM.

The term "module" can correspond both to a software component and to a hardware component or a set of hardware and software components, a software component itself corresponding to one or more computer programs or sub-programs or in a more general to any element of a program able to implement a function or a set of functions.

More generally, such a device 200 for detecting a distributed attack comprises a random access memory 203 (for example a RAM memory), a processing unit 202 equipped for example with a processor, and controlled by a computer program Pg1, representative of the reception, aggregation, recognition and decision modules, stored in a read only memory 101 (for example a ROM memory or a hard disk). On initialization, the code instructions of the computer program are for example loaded into the random access memory 203 before being executed by the processor of the processing unit 202. The random access memory 203 can also contain the signature table TS _Glo .

FIG. 8 illustrates only one particular way, among several possible, of making the device 200, GA for detecting a distributed attack in a telecommunications network so that it performs the steps of the method for detecting a distributed attack such as detailed above, in relation to FIG. 5 in its various embodiments. Indeed, these steps can be carried out either on a reprogrammable calculation machine (a PC computer, a DSP processor or a microcontroller) executing a program comprising a sequence of instructions, or on a dedicated calculation machine (for example a set of logic gates like an FPGA or an ASIC, or any other hardware module).

In the case where the device 200 is produced with a reprogrammable calculating machine, the corresponding program (that is to say the sequence of instructions) could be stored in a removable storage medium (such as for example a diskette, a CD-ROM or a DVD-ROM) or not, this storage medium being partially or totally readable by a computer or a processor.

The various embodiments have been described above in relation to a device 200 integrated into node equipment of a remote telecommunications network WAN.

According to a variant embodiment of the invention (not shown), the device 200 relies on the hardware structure of the node equipment in which it is integrated, which here has the hardware structure of a computer and more particularly comprises a processor , a random access memory, a more memory, a non-volatile flash memory as well as means of communication which allow it to communicate with the access equipment AP1, AP2, AP3 to said network. The read only memory constitutes a recording medium in accordance with the invention, readable by the processor and on which is recorded the computer program Pg2 in accordance with the invention, comprising instructions for the execution of the method for detecting a global malicious behavior according to the invention.

The invention which has just been described in its various embodiments has numerous advantages. In particular, it proposes to detect malicious behavior, rather than the presence of malicious software, which allows it to overcome polymorphism issues. It detects malicious behavior on the part of any user equipment, terminal or communicating object connected to the communication network, without requiring it to be equipped with an anti-malware device. When malicious behavior has been recognized by matching a sequence of dated network events with a malicious behavior pattern signature stored in memory, the invention triggers the previously associated network protection action(s) to this model, therefore appropriate.

According to one embodiment, the distributed approach proposed by the invention makes it possible to aggregate the detections of malicious behavior carried out by different local agents in order to detect a distributed attack in the remote network. In this way, local preparations for this attack can be detected, which makes it possible to trigger actions to protect the WAN network, before the attack itself is really launched, thus anticipating it and limiting it. the effects.

Claims (15)

Method for detecting malicious behavior on the part of a communicating object connected to a remote telecommunications network (WAN) via a local telecommunications network (LAN) managed by equipment for accessing said network of remote telecommunications network (WAN), said method being implemented by a local agent (LA, 100) connected to the local telecommunications network, characterized in that said method comprises:
- the obtaining (31) by the access equipment of information representative of a sequence of dated network events, occurring in a predetermined time window;
- the detection of a malicious behavior by matching (33) the information obtained with a signature, among a plurality of signatures of malicious behaviors, stored in at least one signature table; And
- the decision (34) to trigger at least one action to protect the local telecommunications network and/or the remote telecommunications network against the malicious behavior detected. Method for detecting a malicious behavior according to claim 1 , characterized in that the plurality of signatures comprises signatures of malicious behaviors located in the local telecommunications network (LAN), said local behaviors monitored, a said signature being associated with at least a protection action local to the local telecommunications network (LAN) and signatures of local malicious behavior suspected of belonging to a distributed attack in the remote telecommunications network, said signature being associated with an action of transmission of an alert message to a global agent (GA, 200) of the remote telecommunications network (WAN), configured to detect a distributed attack in said network (WAN). Method for detecting malicious behavior according to one of Claims 1 or 2 , characterized in that the signature of the malicious behavior comprises information representative of network events (S) and a set of rules governing time constraints (T) between said network events, known as a chronicle. Method for detecting malicious behavior according to one of Claims 1 to 3 , characterized in that it comprises a normalization of the information representing the sequence la of dated network events. Method for detecting malicious behavior according to one of Claims 2 to 4 , characterized in that the alert message comprises information representative of the sequence of network events that have occurred in the local network in a predetermined and recognized time window. as the signature of local malicious behavior suspected of belonging to a distributed attack on the remote telecommunications network (WAN). Method for detecting malicious behavior according to one of Claims 2 to 4, characterized in that the alert message comprises information representative of the local malicious behavior detected. Device (LA, 100) for detecting malicious behavior on the part of at least one communicating object connected to a local telecommunications network (LAN) managed by equipment for access to a remote telecommunications network (WAN), characterized in that it is configured for:
- obtaining (COLL) by the access equipment information representative of a sequence of dated network events, occurring in a predetermined time window;
- detecting (RECO) a malicious behavior by matching the information obtained with a signature, among a plurality of signatures of malicious behaviors, stored in at least one signature table; And
- deciding (DEC) to trigger at least one action to protect the network against the malicious behavior detected. Equipment for access (AP1, AP2, AP3) to a remote telecommunications network (LAN) configured to manage a local telecommunications network to which at least one communicating object is connected, characterized in that it comprises a device (LA, 100 ) for detecting malicious behavior, said local agent, according to claim 7 . Method for detecting a distributed attack in a remote telecommunications network (WAN), characterized in that it comprises:
- obtaining at least one alert message from a local agent connected to a local telecommunications network (LAN1, LAN2, LAN3) managed by an access point (AP1, AP2, AP3) to said network , said alert message comprising information representative of a sequence of network events occurring in the local network within a predetermined time window and recognized as the signature of local malicious behavior suspected of belonging to a distributed attack on the network remote telecommunications (WAN);
- the aggregation with information representative of at least one sequence of dated network events, obtained from at least one other local agent connected to another local telecommunications network managed by another access point to said remote network, and recognized by said other local agent as the signature of said or other local malicious behavior suspected of belonging to a distributed attack on the remote telecommunications network (WAN);
- the detection of a distributed attack in the remote network, by matching the aggregated information with a signature from among a plurality of distributed attack signatures stored in at least one signature table (TS _Dist ); And
- the decision to trigger at least one action to protect the network against the detected distributed attack. Device (200) for detecting a distributed attack in a remote telecommunications network, called global agent (GA), characterized in that said device is configured for:
- receiving at least one alert message from a local agent connected to a local telecommunications network (LAN1, LAN2, LAN3) managed by an access point (AP1, AP2, AP3) to said network, said message d alert comprising information representative of a sequence of network events occurring in a predetermined time window and recognized as the signature of local malicious behavior detected by said local agent and suspected of belonging to a distributed attack in said network (WAN );
- aggregating the information received with information obtained from at least one other local agent connected to another local telecommunications network managed by another access point to said remote network, and recognized by said other local agent as the signature of said or 'other local malicious behavior suspected to belong to a distributed remote network (WAN) attack;
- detecting a distributed attack by matching aggregated information with a signature from among a plurality of signatures of distributed attacks, stored in at least one signature table (TS _Dist ); And
- decide to trigger at least one action to protect the network against the detected distributed attack. Node equipment (SR) of a remote telecommunications network (WAN), characterized in that it comprises a device for detecting a distributed attack in said network, called global agent according to claim 10 . Data file (FD) comprising a table of signatures comprising entries, an entry comprising information representative of a sequence of network events occurring within a predetermined time window, forming a signature of a malicious behavior or a distributed attack , and at least one network protection action (AC), associated with said signature. System (10) for protecting a remote telecommunications network (WAN) against malicious behavior or a distributed attack, characterized in that it comprises at least two local agents (LA, 100) each connected to a local telecommunications network (LAN1, LAN2, LAN3), said local network being managed by an access device (AP1, AP2, AP3) to said remote telecommunications network (WAN), according to claim 7 , a global agent (GA, 200) according to claim 10 and at least one data file comprising a table of signatures of malicious behavior or distributed attacks (TS _Loc , TS _Susp , TS _Dist ) according to claim 12 . computer program product comprising program code instructions for carrying out a method according to any one of the claims1To6And9, when executed by a processor. A computer-readable recording medium on which a computer program according to claim 14 is recorded.