FR3113962A1 - Method and system for monitoring a computer system - Google Patents

Abstract

A method of protecting a computer system, the computer system comprising computer devices (U1, V1), the method comprising at least: a step of applying primary security rules (R1) by at least one computing device (U1) belonging to a first level so as to generate a primary surveillance report (PU1-PU2), a step of transmitting the surveillance report primary (PU1-PU2) to at least one computing device (V1) belonging to a second level, a step of applying secondary security rules (R2) to the data received (DATA2) and the primary monitoring report (PU1- PU2) received by the computing device (V1) so as to generate a secondary monitoring report (PV1), a step of determining a global monitoring report (RSG) by a central server (SC) by processing the monitoring reports secondary (PV1) by application of global security rules (RG). Abstract Figure: Figure 3

Description

Method and system for monitoring a computer system

The present invention relates to the field of computer security in a company or in industry in order to reactively detect a computer attack.

A computer system is crucial for its activity. This is likely to be attacked from the outside, for example via the Internet, or from the inside, by a malicious person with access to the computer system.

With reference to FIG. 1, in order to reactively detect any attack by a pirate PIR, it is known to install monitoring software on each computer station U1-U3 which transmits monitoring files LOG1-LOG3 to a database DBA data linked to a central SCA server, also known to those skilled in the art as a “log sink”. The monitoring files LOG1-LOG3 are transmitted to the DBA database via the Internet network INT on a periodic basis.

The SCA central server is in the form of a supercomputer which is linked to the DBA database containing all the LOG1-LOG3 monitoring files. The SCA central server executes business algorithms on all of the LOG1-LOG3 monitoring files and makes it possible to issue a global RSGA monitoring report indicating the level of threat as well as the corrective measures to be taken. Such a central SCA server is efficient and ensures significant security.

In recent years, business computer systems have grown significantly and computer stations are more and more numerous. This increased the number of LOG1-LOG3 monitoring files to be processed by the central SCA server, which has several disadvantages.

First of all, the transfer of many surveillance files via the Internet consumes a significant part of the company's bandwidth, which affects the company's productivity and increases its costs. In terms of storage, the database, which keeps the monitoring files LOG1-LOG3 in memory, sees its volume increase exponentially, which has disadvantages in terms of management and cost. In addition, to process increasingly numerous monitoring files LOG1-LOG3, it is necessary to provide a central server SCA whose power is increasingly high, which increases the cost. Finally, all of the aforementioned constraints increase the calculation time of the global RSGA monitoring report, which affects the responsiveness and effectiveness of IT protection.

The invention thus aims to eliminate at least some of these drawbacks by proposing a new method for protecting a company's computer system.

PRESENTATION OF THE INVENTION

• une étape d’application de règles de sécurité primaires sur des données reçues par au moins un dispositif informatique appartenant à un premier niveau de manière à générer un rapport de surveillance primaire,
• une étape de transmission du rapport de surveillance primaire à au moins un dispositif informatique appartenant à un deuxième niveau, hiérarchiquement supérieur au premier niveau,
• une étape d’application de règles de sécurité secondaires sur les données reçues et le rapport de surveillance primaire reçus par le dispositif informatique appartenant au deuxième niveau de manière à générer un rapport de surveillance secondaire,
• une étape de réception par une base de données, par le réseau internet, de rapports de surveillance finaux, correspondant aux rapports de surveillance secondaires ou issus de ceux-ci,
• une étape de détermination d’un rapport de surveillance globale par un serveur central par traitement des rapports de surveillance finaux par application de règles de sécurité globales.

The invention relates to a method for protecting a computer system, the computer system comprising computer devices connected in a network, the computer devices belonging to levels organized according to a hierarchy determined by the network, the method comprising at least:

• a step of applying primary security rules to data received by at least one computing device belonging to a first level so as to generate a primary monitoring report,
• a step of transmitting the primary monitoring report to at least one computer device belonging to a second level, hierarchically higher than the first level,
• a step of applying secondary security rules to the data received and the primary monitoring report received by the computing device belonging to the second level so as to generate a secondary monitoring report,
• a step of reception by a database, via the internet network, of final monitoring reports, corresponding to the secondary monitoring reports or derived from them,
• a step of determining a global monitoring report by a central server by processing the final monitoring reports by applying global security rules.

Thanks to the invention, only the final monitoring reports are processed by the central server and a limited but very relevant amount of information is sent to the central server. This makes it easier to store and process data for large computer systems. In addition, the company's bandwidth is preserved.

The use of hierarchical levels to carry out differentiated processing is advantageous and makes it possible to obtain, by capillarity, increasingly relevant data. In addition, this makes it possible to deport processing and distribute it over several levels. This eliminates the need for a high-cost, sophisticated central server.

Preferably, each first level computing device generates a primary monitoring report. More preferably, each second level computing device generates a secondary monitoring report. All IT devices participate, at their level, in security and implement their own rules. This advantageously makes it possible to define rules specific to the protocols used by each computing device. The rules advantageously depend on the environment of the computing device.

Preferably, the secondary monitoring report is obtained by correlating at least two primary monitoring reports. Such a correlation makes it possible, on the one hand, to detect global security events and, on the other hand, to reduce the amount of information transmitted between each level. Security events are grouped together following the correlation so as to be more easily interpretable by higher levels.

Also preferably, the secondary monitoring report is obtained by correlating at least two primary monitoring reports and the data received by the computing device belonging to the second level and having generated the secondary monitoring report. The use of the data received makes it possible to increase the relevance of the secondary monitoring report which processes all the primary and secondary data on which the said computing device belonging to the second level depends.

Preferably, the global security rules are machine learning rules. This is particularly advantageous considering that the security data has been processed and grouped together. Learning rules (neural network, artificial intelligence, etc.) perform particularly well on limited and qualitative data. The processing times are improved in order to be able to obtain a global report in a reactive way to counter any computer attack.

Preferably, the step of applying primary security rules to received data is implemented on at least two computing devices belonging to networks of different natures or functions. Advantageously, the protection method allows global protection independent of the networks and protocols used.

• au moins un dispositif informatique appartenant à un premier niveau étant configuré pour appliquer des règles de sécurité primaires sur les données reçues de manière à générer un rapport de surveillance primaire,
• le dispositif informatique étant configuré pour transmettre le rapport de surveillance primaire à au moins un dispositif informatique appartenant à un deuxième niveau, hiérarchiquement supérieur au premier niveau,
• au moins un dispositif informatique, appartenant à un deuxième niveau, configuré pour appliquer des règles sécurité secondaires sur les données reçues et le rapport de surveillance primaire reçu de manière à générer un rapport de surveillance secondaire,
• au moins une base de données configurée pour recevoir, par le réseau internet, des rapports de surveillance finaux, correspondant aux rapports de surveillance secondaires ou issus de ceux-ci, et
• au moins un serveur central configuré pour déterminer un rapport de surveillance globale par traitement des rapports de surveillance finaux par application de règles de sécurité globales.

The invention also relates to a computer system comprising computer devices connected in a network, the computer devices belonging to levels organized according to a hierarchy determined by the network, the method comprising at least:

• at least one computer device belonging to a first level being configured to apply primary security rules to the data received so as to generate a primary monitoring report,
• the computing device being configured to transmit the primary monitoring report to at least one computing device belonging to a second level, hierarchically superior to the first level,
• at least one computing device, belonging to a second level, configured to apply secondary security rules to the data received and the primary monitoring report received so as to generate a secondary monitoring report,
• at least one database configured to receive, via the internet network, final monitoring reports, corresponding to the secondary monitoring reports or derived from them, and
• at least one central server configured to determine a global monitoring report by processing the final monitoring reports by applying global security rules.

PRESENTATION OF FIGURES

The invention will be better understood on reading the following description, given by way of example, and referring to the following figures, given by way of non-limiting examples, in which identical references are given to similar objects. .

FIG. 1 is a schematic representation of a method for monitoring a computer system according to the prior art.

Figure 2 is a schematic representation of a method of monitoring a computer system according to one embodiment of the invention.

FIG. 3 is a schematic representation of the successive processing steps of the monitoring method.

It should be noted that the figures expose the invention in detail to implement the invention, said figures can of course be used to better define the invention if necessary.

DETAILED DESCRIPTION OF THE INVENTION

The invention relates to a method for protecting a computer system of a company or an industry.

Referring to Figure 2, the computer system includes a plurality of computer devices U1-U3, V1-V2. Computer devices U1-U3, V1-V2 come in various forms, for example, computer stations, connected objects, application servers, industrial equipment, probes, intermediation servers, PLCs, routers, etc. The computing devices U1-U3, V1-V2 are connected in a network and belong to levels organized according to a hierarchy determined by the network.

The computer system comprises, in a remote manner, a database DB and a central server SC configured to generate an overall monitoring report RSG by processing final monitoring reports from the database DB.

Unlike the prior art which considered all computer devices as equivalent for monitoring, the present invention proposes to take advantage of the hierarchy between computer devices U1-U3, V1-V2.

Indeed, the computer devices U1-U3, V1-V2 are connected in a network which defines hierarchically organized levels. In this example, the hierarchical levels can be determined in relation to a sub-network level, a functional level (administrative, production, commercial, environment, etc.), an application level (Enterprise Information System or IT, Industrial Information System or OT, Internet of Things or IOT etc.), a protocol level, etc. Thus, a rank n computing device U1-U3 communicates with a rank n+1 device V1-V2 with which it exchanges data.

Subsequently, for the sake of clarity and conciseness, only computer devices U1, U2, U3 belonging to a first level and computer devices V1, V2 belonging to a second level, directly superior to the first level, are represented. It goes without saying that the number of computing devices and as well as the number of levels could be greater.

According to the invention, each computer device U1-U3, V1-V2 receives security data DATA1, DATA2 (user connection, peripheral connection, computer message, sensor data, system status data, network information , System log (server event logs, etc.), application server logs and logs generated by third-party libraries, Wifi log, cloud, BMS (technical building management), mobile logs, etc.) and implements rules security determined by a monitoring program previously installed on said computer device U1-U3, V1-V2.

Each computing device U1-U3, V1-V2 implements security rules R1, R2 which are specific to its hierarchical level. Thus, the computer devices U1-U3 belonging to the first level implement primary security rules R1 while the computer devices V1-V2 belonging to the second level implement secondary security rules R2. The nature of the security rules R1, R2 depends on the data processed.

Each set or subset of an organization or system is in a particular environment (technical environment). The security rules are adapted to the computer system and optimized in relation to the vulnerabilities likely to be present.

If the computer system is of the OT (Industrial Information System) type, it implements its own protocol and implements security rules that make it possible to detect OT security events (production monitoring rules). The security rules of another environment are not applicable (Ex: rules related to a data server, a WEB server, etc.).

If the computer system is of the IT (Company Information System) type, it implements its own protocol and implements security rules that make it possible to detect IT security events (Ex: rules related to a server data, to a WEB server).

Similarly, if the computer system is of the IOT (Internet Of Things Information System) type, it implements its own protocol and implements security rules that make it possible to detect IOT security events (rules for monitoring connected objects). The security rules of another environment are not applicable (Ex: rules related to a data server, a WEB server, etc.).

The different steps of the process according to the invention will now be presented in detail.

With reference to FIGS. 2 and 3, the method comprises a step of application of the primary security rules R1 by each computer device U1-U3 belonging to the first level on the data received DATA1 so as to issue primary monitoring reports PU1-PU3 which include all detected abnormalities. In other words, unlike the prior art which provided a complete monitoring file with all the relevant data so that the central server SC can carry out the determination of abnormalities remotely, the present invention proposes to carry out local processing of the data in order to to locally determine an abnormality.

In this example, the first level device U1 is a second server SB which receives a communication from a first server SA having administrator rights on a management network. The primary monitoring report PU1 includes the security event (communication from an administrator server SA) as well as all the elements that made it possible to detect this event.

Similarly, the first level device U2 is a third server SC which receives a communication from the second server SB having administrator rights according to a particular protocol on a production network. The primary monitoring report PU2 includes the security event (communication from an administrator server SB) as well as all the elements that made it possible to detect this event.

Each primary monitoring report PU1-PU3 thus includes the abnormalities detected at the first level. Subsequently, these abnormalities will be referred to as primary abnormalities.

According to the invention, the method comprises a step of transmission by each computing device of the first level U1-U3 of its primary monitoring report PU1-PU3 to at least one computing device V1, V2 belonging to the second level. In other words, the primary abnormalities go up by capillarity in the computer system according to the hierarchy of the network.

In this example of implementation, the computing devices of the first level U1-U2 are hierarchically linked in a network to a single computing device of the second level V1 while the computing device of the first level U3 is hierarchically linked in a network to a single computing device of the second level V2.

The monitoring method comprises a step of application of secondary security rules R2 by each computer device belonging to the second level V1, V2 so as to determine a secondary monitoring report PV1, PV2 which includes all the abnormalities detected. In this example, with reference to Figure 3, the second level computer device V1 processes the rank 2 data it receives (DATA2) as well as the two primary monitoring reports PU1, PU2 using the security rules secondary R2 so as to generate a secondary monitoring report PV1.

Preferably, the secondary security rules R2 implement a correlation of the primary monitoring reports PU1, PU2, preferably also a correlation with the rank 2 data. Thus, any security event is collected globally by the second level computer device V1, which limits the amount of security data in the secondary monitoring report PV1. Safety data is less numerous but more relevant.

In this example, the second level computer device V1 learns from the two primary monitoring reports PU1, PU2, in particular, by correlating them, a command order by rebound from the first server SA to the second server SB and from the second server SB to the third server SC. A correlation rule between the various primary monitoring reports PU1, PU2 raises a security incident (bounce attack between the servers SA, SB, SC) which is recorded in the secondary monitoring report PV1.

Similarly, the computing device V2 generates a secondary monitoring report PV2 as illustrated in FIG. 3. In this example, the secondary monitoring report PV2 also detects a rebound attack sent by the first server SA.

In this example, the computing devices V1, V2 belong to the last level and the secondary monitoring reports PV1, PV2 are transmitted by the internet network INT in the database DB. In other words, the secondary monitoring reports PV1, PV2 are final monitoring reports which can be transmitted to the database DB in order to be stored. The final surveillance reports include all security events and the data at the origin of said security events.

In a computer system with more than two levels, the final monitoring reports correspond to those of the highest level. Similar to the example presented above, abnormalities go up hierarchically and are dealt with by each higher level.

The central server SC processes the final monitoring reports by applying global security rules RG so as to generate a global monitoring report RSG, for example, computer learning rules. In this example, the central server SC can conclude that the first server SA has been compromised.

Advantageously, the secondary monitoring reports PV1, PV2 are few in number compared to the prior art and less voluminous because the raw data have been processed in a hierarchical manner in order to extract only the relevant data, i.e. ie, abnormalities.

This data relief has many benefits. First of all, the bandwidth required to transmit the secondary monitoring reports PV1, PV2 is low compared to the prior art. This further limits the size of the DBA database and its growth over time.

Finally, the processing of the secondary monitoring reports PV1, PV2 is more efficient and responsive compared to the prior art since it benefits from refined data at each hierarchical level. This results in the generation of an overall monitoring report which is very relevant, obtained in a short time given that the number and the size of the reports are reduced compared to the prior art.

Claims (8)

Method for protecting a computer system, the computer system comprising computer devices (U1-U2, V1) connected in a network, the computer devices (U1-U2, V1) belonging to levels organized according to a hierarchy determined by the network, the method comprising at least:

• a step of applying primary security rules (R1) to data received (DATA1) by at least one computing device (U1-U2) belonging to a first level so as to generate a primary monitoring report (PU1-PU2) ,
• a step of transmitting the primary monitoring report (PU1-PU2) to at least one computer device (V1) belonging to a second level, hierarchically higher than the first level,
• a step of applying secondary security rules (R2) to the data received (DATA2) and the primary monitoring report (PU1-PU2) received by the computing device (V1) belonging to the second level so as to generate a secondary monitoring (PV1),
• a step of reception by a database (DB), by the Internet network (INT), of final monitoring reports (PV1, PV2), corresponding to the secondary monitoring reports (PV1) or resulting from these,
• a step of determining a global monitoring report (RSG) by a central server (SC) by processing the final monitoring reports by applying global security rules (RG).

A method according to claim 1, wherein each first level computing device (U1-U2) generates a primary monitoring report (PU1-PU2). Method according to one of Claims 1 and 2, in which each second-level computing device (U1-U3) generates a secondary monitoring report (PV1-PV2). Method according to one of Claims 1 to 3, in which the secondary monitoring report (PV1-PV2) is obtained by correlating at least two primary monitoring reports (PU1-PU2). Method according to one of Claims 1 to 4, in which the secondary monitoring report (PV1-PV2) is obtained by correlating at least two primary monitoring reports (PU1-PU2) and the data received (DATA2) by the computer device (V1, V2) belonging to the second level and having generated the secondary monitoring report (PV1-PV2). Method according to one of Claims 1 to 5, in which the global security rules (RG) are machine learning rules. Method according to one of Claims 1 to 6, in which the step of applying primary security rules (R1) to received data (DATA1) is implemented on at least two computing devices (U1-U2) belonging networks of different natures or functions. Computer system comprising computer devices (U1-U2, V1) connected in a network, the computer devices (U1-U2, V1) belonging to levels organized according to a hierarchy determined by the network, the method comprising at least:

• at least one computer device (U1-U2) belonging to a first level being configured to apply primary security rules (R1) on the received data (DATA1) so as to generate a primary monitoring report (PU1-PU2),
• the computing device (U1-U2) being configured to transmit the primary monitoring report (PU1-PU2) to at least one computing device (V1) belonging to a second level, hierarchically superior to the first level,
• at least one computing device (V1), belonging to a second level, configured to apply secondary security rules (R2) on the data received (DATA2) and the primary monitoring report (PU1-PU2) received so as to generate a report secondary monitoring (PV1),
• at least one database (DB) configured to receive, via the Internet network (INT), final monitoring reports (PV1, PV2), corresponding to the secondary monitoring reports (PV1) or resulting from these, and
• at least one central server (SC) configured to determine a global monitoring report (RSG) by processing the final monitoring reports by applying global security rules (RG).