GB2494384A - Handling Potentially Malicious Communication Activity - Google Patents


Publication number: GB2494384A
Authority: GB (United Kingdom)
Legal status: Granted
Application number: GB1115023.2A
Other versions: GB2494384B, GB201115023D0
Inventor: David Hammond
Current assignee: Metaswitch Networks Ltd
Original assignee: Metaswitch Networks Ltd
Application filed by Metaswitch Networks Ltd
Priority to GB1115023.2A (GB2494384B)
Publication of GB201115023D0
Priority to PCT/GB2012/052146 (WO2013030594A1)
Publication of GB2494384A
Application granted
Publication of GB2494384B
Priority to US14/194,483 (US9537875B2)
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures


Abstract

At least some incoming traffic from a plurality of traffic sources 110, 120, 130 is distributed into a first set 170 of traffic groups according to a first grouping scheme by a traffic handler 140 which acts to protect a server system 150 from malicious activity, such as DoS attacks. Communication activity from a potentially malicious source may be grouped in a given traffic group in which communication activity from an acceptable source is also grouped. Potentially malicious communication activity is detected in the given traffic group. Detection may be based on a traffic characteristic, such as the amount of traffic distributed into the traffic group exceeding a threshold. Traffic in the given traffic group is processed using a first traffic processing mode associated with potentially malicious communication activity, in which at least some traffic that is distributed into the given traffic group is discarded. In response to a dynamic trigger, the grouping scheme is altered to one or more further grouping schemes so that the communication activity from the acceptable source is likely to be subsequently grouped into a traffic group which is different to the group into which the communication activity from the potentially malicious source is subsequently grouped. The number of traffic groups, N, may be chosen in a trade-off decision taking into account reliability and/or scalability: a large N causes less disruption for legitimate traffic sources but requires more memory/storage. The grouping scheme may use a hashing scheme.

Description

Handling Potentially Malicious Communication Activity
Technical Field
The present invention relates to a method of handling potentially malicious communication activity, a computer program product for enabling performance of such a method and to apparatus for handling potentially malicious communication activity.
Background
One of the hazards faced by servers and other communication devices that are exposed to public networks, such as the Internet, is that they may be subject to a Denial of Service (DoS) attack. During a conventional DoS attack, a number of remote hosts send a large amount of traffic to the server, in an attempt to overwhelm it.
A standard approach taken to deal with such attacks is rate-limiting. This involves categorising incoming traffic into a set of source groups based on the source Internet Protocol (IP) address, assigning a permitted maximum rate of incoming traffic per group, and rejecting any traffic from the group that would cause the rate limit to be exceeded. Unfortunately, this approach has a number of drawbacks.
One drawback is that state has to be stored in memory for each source group.
Another drawback is that if the granularity of the source grouping is too small (in the extreme, if there is just one IP address per group) then the grouping may take up a prohibitively large amount of memory.
However, if the traffic rate limit of a particular source group is exceeded, traffic is dropped from all traffic sources in the group. If there is one malicious traffic source in the group and several legitimate traffic sources, traffic from the legitimate sources is dropped along with the traffic from the malicious traffic source. The larger the granularity of the source group (that is, the more source IP addresses there are in the source group) the larger the scope for collateral damage caused by blocking traffic from legitimate sources.
Most systems, therefore, trade off these two considerations. In general, they tend to use relatively large source groups in order to avoid running out of memory.
However, this comes at the cost of potentially denying service to a substantial number of legitimate traffic sources that are in the same source group as the malicious traffic source.
It would be desirable to provide an improved method of and apparatus for handling such traffic.
Summary
According to a first aspect of the invention, there is provided a method of handling potentially malicious communication activity in a communication system, including processing communication activity which is potentially malicious differently to communication activity which is acceptable, the method comprising: distributing at least some incoming traffic into a first set of traffic groups according to a first grouping scheme such that communication activity from a potentially malicious source may be grouped in a given traffic group in which communication activity from an acceptable source is also grouped; processing the traffic in the given traffic group using a first traffic processing mode associated with potentially malicious communication activity; processing the traffic in at least one other traffic group using a second traffic processing mode associated with acceptable communication activity; and in response to a dynamic trigger, altering the grouping scheme to one or more further grouping schemes and distributing at least some subsequent incoming traffic into one or more further sets of traffic groups according to the one or more further grouping schemes in order that the communication activity from the acceptable source is likely to be subsequently grouped into a traffic group which is different to a group into which the communication activity from the potentially malicious source is subsequently grouped.
Because embodiments use first and second, different grouping schemes, triggered dynamically such that at least some of the plurality of different traffic sources that were grouped into the given group in the first set are grouped into at least two different traffic groups in the second set, the likelihood of potentially malicious communication activity impacting upon a legitimate traffic source in both the first and second groupings is reduced.
Some embodiments may comprise: in response to the dynamic trigger, distributing at least some subsequent incoming traffic into a second set of traffic groups according to a second, different grouping scheme, wherein the first grouping scheme is configured to group traffic originating from each of a plurality of different traffic sources into the given traffic group in the first set, and the second grouping scheme is configured to group traffic originating from at least some of the plurality of different traffic sources into at least two different traffic groups in the second set.
Some embodiments may comprise: detecting potentially malicious communication activity in the given traffic group in the first set based on at least one characteristic of the traffic distributed into the given traffic group; categorising communication activity in the given traffic group in the first set as potentially malicious communication activity and processing the traffic in the given traffic group using the first traffic processing mode; and categorising communication activity in at least one other traffic group in the first set as acceptable communication activity and processing the traffic in the at least one other traffic group using the second traffic processing mode.
In some embodiments, the at least one characteristic includes an amount of traffic, and the method comprises: monitoring an amount of traffic distributed into a traffic group; and detecting potentially malicious communication activity if the amount of traffic in the traffic group exceeds a threshold value.
Such embodiments provide a mechanism for detecting potentially malicious activity that is particularly suited to DoS attacks.
In some embodiments, the first grouping scheme comprises using a first hashing scheme and the one or more further grouping schemes comprise using one or more further hashing schemes. Such embodiments provide for efficient distribution of traffic into traffic groups by using hashing schemes, which are typically relatively fast to calculate and require relatively small amounts of memory.
In some embodiments, the first hashing scheme comprises using a first hash function and the one or more further grouping schemes comprise using one or more further hash functions.
Some embodiments comprise: using at least one parameter in the at least some incoming traffic as an input to a first hashing scheme; using an output of the first hashing scheme to distribute the at least some incoming traffic into the first set of traffic groups; using at least one parameter in the at least some subsequent incoming traffic as an input to the one or more further hashing schemes; and using an output of the one or more further hashing schemes to distribute the at least some subsequent incoming traffic into the one or more further sets of traffic groups.
Such embodiments use hashing schemes to distribute the traffic, which, as explained above, are typically relatively fast to calculate and require relatively small amounts of memory. By using at least one parameter in the incoming traffic and the subsequent traffic as inputs to the first and second hashing schemes respectively, traffic can be grouped according to at least one attribute of the traffic. In some embodiments, the parameter may be a source identifier associated with a traffic source from which the incoming traffic originated. In some such embodiments, the source identifier may be the source IP address of the traffic source from which the incoming traffic originated.
Some embodiments comprise using a nondeterministic grouping scheme selection algorithm to select the respective grouping schemes. Such embodiments may further minimise the impact of a potentially malicious traffic source on a legitimate traffic source in cases in which an attacker wishes to deny service to a given legitimate traffic source by analysing a grouping scheme and attempting to have its traffic distributed into the same traffic group as the legitimate traffic source. By using the nondeterministic scheme selection algorithm, it is unlikely that the attacker will be able to predict which grouping scheme the traffic handler is using at any given time, or which grouping scheme the traffic handler is likely to use when it changes the grouping scheme. Thus, the impact of the attacker on the given source is minimised. Some embodiments may comprise changing the grouping scheme periodically.
In some embodiments, the dynamic trigger is repeatedly refreshed and a series of different grouping schemes are used in response to the trigger being refreshed.
In some embodiments, the dynamic trigger is based on a timing characteristic.
In some embodiments, the dynamic trigger is periodically or intermittently refreshed.
In some embodiments, the dynamic trigger is refreshed upon the expiration of a monitoring time period over which an amount of traffic distributed into a traffic group is monitored.
Such embodiments seek to minimise the impact of potentially malicious traffic sources on legitimate traffic sources by reliably changing to a further grouping scheme upon refreshing of the dynamic trigger.
In some embodiments, the first traffic processing mode associated with potentially malicious communication activity comprises dropping at least some traffic that is distributed into the traffic group in which the potentially malicious communication activity is detected. Such embodiments can be used to prevent at least some of the traffic from being communicated to a device in the communication system, which may otherwise overwhelm the device.
In some embodiments, the first traffic processing mode associated with potentially malicious communication activity comprises dropping all of the traffic that is distributed into the traffic group in which the potentially malicious communication activity is detected. Such embodiments can be used to prevent all of the traffic from being communicated to a device in the communication system, which may otherwise overwhelm the device.
Some embodiments comprise processing traffic that is distributed into a traffic group using the second traffic processing mode associated with acceptable communication activity unless and until communication activity in the given traffic group in the first set is categorised as potentially malicious. Such embodiments seek to minimise the impact of potentially malicious traffic sources on legitimate traffic sources by processing at least some traffic using the second traffic processing mode associated with acceptable communication activity.
Some embodiments comprise: classifying at least some incoming traffic into at least one traffic class, a given traffic class being associated with a given class of incoming traffic; and distributing traffic in a traffic class according to the first grouping scheme if the traffic class is to be subject to potentially malicious communication activity handling.
Such embodiments provide for different handling of different classes of incoming traffic. In some cases, certain types of incoming traffic may be more prone to being used in potentially malicious communication activity and can, therefore, be subject to such handling, whereas certain other types of incoming traffic that may be less prone to being used in potentially malicious communication activity may not be subject to such handling. Incoming traffic may be classified based on attributes other than the type of incoming traffic, for example based on whether the traffic source from which traffic is received is associated with a premium subscriber or with a designated 'safe' traffic source whose traffic is not to be subject to such handling.
Some embodiments comprise: identifying at least one traffic source from which traffic is categorised as potentially malicious in the given traffic group in the first set and in a group in the one or more further sets; and identifying the at least one traffic source as a potentially malicious traffic source.
Such embodiments facilitate identification of a potentially malicious traffic source. An appropriate action may be taken once the potentially malicious traffic source is identified.
According to a second aspect of the invention, there is provided apparatus for handling potentially malicious communication activity in a communication system, including processing communication activity which is potentially malicious differently to communication activity which is acceptable, the apparatus being arranged to: distribute at least some incoming traffic into a first set of traffic groups according to a first grouping scheme such that communication activity from a potentially malicious source may be grouped in a given traffic group in which communication activity from an acceptable source is also grouped; process the traffic in the given traffic group using a first traffic processing mode associated with potentially malicious communication activity; process the traffic in at least one other traffic group using a second traffic processing mode associated with acceptable communication activity; and in response to a dynamic trigger, alter the grouping scheme to one or more further grouping schemes and distribute at least some subsequent incoming traffic into one or more further sets of traffic groups according to the one or more further grouping schemes in order that the communication activity from an acceptable source is likely to be subsequently grouped into a traffic group which is different to a group into which the communication activity from the potentially malicious source is subsequently grouped.
According to a third aspect of the invention, there is provided a computer program product comprising a non-transitory computer-readable storage medium having computer readable instructions stored thereon, the computer readable instructions being executable by a computerized device to cause the computerized device to perform a method of handling potentially malicious communication activity in a communication system, including processing communication activity which is potentially malicious differently to communication activity which is acceptable, the method comprising: distributing at least some incoming traffic into a first set of traffic groups according to a first grouping scheme such that communication activity from a potentially malicious source may be grouped in a given traffic group in which communication activity from an acceptable source is also grouped; processing the traffic in the given traffic group using a first traffic processing mode associated with potentially malicious communication activity; processing the traffic in at least one other traffic group using a second traffic processing mode associated with acceptable communication activity; and in response to a dynamic trigger, altering the grouping scheme to one or more further grouping schemes and distributing at least some subsequent incoming traffic into one or more further sets of traffic groups according to the one or more further grouping schemes in order that the communication activity from an acceptable source is likely to be subsequently grouped into a traffic group which is different to a group into which the communication activity from the potentially malicious source is subsequently grouped.
Further features and advantages of the invention will become apparent from the following description of preferred embodiments of the invention, given by way of example only, which is made with reference to the accompanying drawings.
Brief Description of the Drawings
Figure 1 is a schematic block representation of a communication system according to some embodiments; Figures 2A and B are schematic block representations of a communication system in which a traffic handler is handling traffic according to some embodiments; and Figure 3 is a flowchart showing a method of handling potentially malicious communication activity according to some embodiments.
Detailed Description
Figure 1 is a schematic block representation of a communication system 100 according to some embodiments.
The communication system 100 includes a plurality of traffic sources 110, 120, 130, a traffic handler 140 and a server system 150 that is liable to being attacked.
In some embodiments, the traffic sources 110, 120, 130 are computing devices, such as Personal Computers (PCs). The traffic sources 110, 120, 130 are communicatively connected to the traffic handler 140 via respective communication links 115, 125, 135. Although shown as single links in Figure 1, it will be appreciated that the traffic sources 110, 120, 130 may be connected to the traffic handler 140 via one or more intermediate nodes, such as switches, bridges, hubs, routers and the like.
Although only three traffic sources 110, 120, 130 are shown in Figure 1, in reality, the communication system 100 may include many more traffic sources.
The server system 150 that is liable to being attacked may be one or more central servers of an organisation, one or more gateways to the organisation or the like. The server system 150 is communicatively connected to the traffic handler 140 by means of an appropriate communication link 145.
The traffic handler 140 is responsible for handling potentially malicious communication activity in the communication system 100 and acts to protect the server system 150 from malicious activity, such as DoS attacks. The traffic handler includes one or more processors 160 arranged to handle traffic processing. The traffic handler 150 is arranged to categorise incoming traffic from the traffic sources 110, 120, 130 and to process communication activity that is categorised as potentially malicious differently to communication activity that is categorised as acceptable.
In use, the traffic handler 140 receives incoming traffic from the plurality of traffic sources 110, 120, 130. The traffic handler 140 distributes at least some of the incoming traffic into a first set 170 of traffic groups according to a first grouping scheme.
The traffic handler 140 may select the number of traffic groups, N, in the first set 170 based on at least one trade-off decision which takes into account reliability and/or scalability requirements for the communication system 100. For example, a larger number of traffic groups, N, causes less disruption for legitimate traffic sources, because legitimate traffic is less likely to be distributed into the same traffic group as traffic from a malicious traffic source as the number of traffic groups is increased.
However, a larger number of traffic groups, N, requires more memory to store state relating to each of the traffic groups. Therefore, the traffic handler 140 may select the number of traffic groups, N, in the first set 170 on the basis of trading off minimising disruption to legitimate traffic sources against increased memory usage.
By way of an example, the number of traffic groups, N, may be selected to be 4096 = 2^12.
The traffic handler 140 detects potentially malicious communication activity in a given traffic group in the first set 170 based on at least one characteristic of the traffic distributed into the given traffic group, categorises communication activity in the given traffic group in the first set 170 as potentially malicious communication activity and processes the traffic in the given traffic group using a first traffic processing mode associated with potentially malicious activity.
In some embodiments, the at least one characteristic may include the amount of traffic distributed into the given traffic group in a given time period. In some such embodiments, the traffic handler 140 may monitor an amount of traffic distributed into a particular traffic group in the first set 170 and may detect potentially malicious communication activity in the particular traffic group if the amount of traffic distributed into the traffic group exceeds a threshold value. In some embodiments, the threshold value may be a threshold rate limit, R. In such embodiments, the traffic handler 140 categorises the communication activity in the particular group as potentially malicious communication activity if the amount of traffic categorised into the particular group in a monitoring time period, T, exceeds the threshold rate limit, R, for that particular group.
In some embodiments, each traffic group in the first set 170 may be associated with the same threshold rate limit, R, and each traffic group may be monitored for the same monitoring time period, T. In other embodiments, different groups in the first set may be associated with different threshold rate limits, R, and/or different monitoring time periods, T. In some embodiments, the traffic handler 140 selects the monitoring time period, T, based on at least one trade-off decision which takes into account reliability and/or scalability requirements for the communication system 100. For example, shorter monitoring time periods, T, may cause less disruption to legitimate traffic sources whose traffic is distributed into a traffic group in which potentially malicious communication activity is detected than longer monitoring time periods, T. However, the traffic handler 140 is more sensitive to variances in legitimate incoming traffic rates over shorter monitoring time periods, T. Therefore, the traffic handler 140 may select the monitoring time period, T, on the basis of trading off minimising disruption to legitimate traffic sources against increased sensitivity to fluctuations in legitimate incoming traffic rates. By way of an example, the monitoring time period, T, may be selected to be 200 milliseconds (ms).
In some embodiments, a traffic counter 175 is associated with each of the traffic groups in the first set 170 to count the amount of traffic being distributed into that traffic group during the monitoring time period, T. If the counter 175 associated with a given traffic group indicates that the amount of traffic exceeds the threshold rate limit, R, for the given group, further traffic, whether originating from a legitimate or a potentially malicious source, that is distributed into the given traffic group is processed using the first traffic processing mode associated with potentially malicious activity.
The size of the counter 175 used to count the amount of traffic distributed into a particular traffic group may be selected based on the product of the interface line-rate and the monitoring time period, T. This value is equal to the maximum amount of traffic that could be distributed into a particular traffic group before the counter 175 for the particular traffic group is reset. If the value is less than 2^32, then a 32-bit counter 175 may be used; otherwise, a 64-bit counter 175 may be used.
In some embodiments, the first traffic processing mode associated with potentially malicious activity includes dropping or discarding at least some further traffic distributed into the given traffic group during the remainder of the monitoring time period, T. In some embodiments, the first traffic processing mode associated with potentially malicious activity includes forwarding at least some further traffic distributed into the given traffic group to a traffic analyser 190 during the remainder of the monitoring time period, T. In such embodiments, potentially malicious traffic can be analysed, for example to attempt to identify a potentially malicious traffic source from which the potentially malicious traffic was transmitted.
The traffic handler 140 categorises communication activity in at least one other traffic group in the first set 170 as acceptable communication activity and processes the traffic in the at least one other traffic group using a second traffic processing mode associated with acceptable activity.
In some embodiments, the second traffic processing mode associated with acceptable activity involves forwarding the traffic to the server system 150 that is liable to being attacked. In some embodiments, the traffic handler 140 processes traffic that is distributed into a traffic group using the second traffic processing mode associated with acceptable activity unless and until it categorises communication activity in the traffic group as potentially malicious communication activity in which case it processes the traffic in the traffic group using the first traffic processing mode associated with potentially malicious activity.
In response to a dynamic trigger, the traffic handler 140 distributes at least some subsequent incoming traffic, received from a plurality of traffic sources 110, 120, 130, into a second set 180 of traffic groups according to a second, different grouping scheme. The first grouping scheme is configured to group traffic originating from each of the different traffic sources 110, 120, 130 into the given traffic group in the first set 170 and the second grouping scheme is configured to group traffic originating from at least some of the plurality of different traffic sources 110, 120, into at least two different traffic groups in the second set 180. Each of the traffic groups in the second set may be associated with a respective counter 185 that counts the amount of traffic being distributed into the traffic group with which it is associated.
In some embodiments, the dynamic trigger may be the expiration of the monitoring time period, T. In some embodiments, the dynamic trigger may be the detection of potentially malicious communication activity during a given monitoring time period, T. For example, it may be undesirable to change the grouping scheme every time the monitoring time period, T, expires if none of the communication activity in a preceding monitoring time period, T, was classified as potentially malicious communication activity.
In some embodiments, the traffic handler 140 intermittently or periodically selects different grouping schemes. The periodicity with which the traffic handler 140 selects different grouping schemes may be the same as the monitoring time period, T, an integer multiple of the monitoring time period, T, or some other time period.
In some embodiments, the first grouping scheme comprises using a first hashing scheme and the second grouping scheme comprises using a second hashing scheme.
In some embodiments, the traffic handler 140 uses at least one parameter in the at least some incoming traffic as an input to a first hashing scheme, uses an output of the first hashing scheme to distribute the at least some incoming traffic into the first set of traffic groups, uses at least one parameter in the at least some subsequent incoming traffic as an input to a second hashing scheme, and uses an output of the second hashing scheme to distribute the at least some subsequent incoming traffic into the second set of traffic groups. In some embodiments, the at least one parameter may be a traffic source identifier associated with a traffic source 110, 120, 130 from which the incoming traffic originates. In some such embodiments, the traffic source identifier may be an IP address and/or a port or transport protocol of the traffic source 110, 120, 130 from which the traffic originates.
In some embodiments, the first and second grouping schemes may involve using a hash table. A hash table uses a hash function to map an input value to an output value. The hash function transforms the input value, sometimes called an input key, into an index. The index is used to identify the entry in the hash table in which the output value is stored.
In some such embodiments, the input key to the hash function is a source identifier included in incoming traffic and the output value of the hash function is an integer in the set {0, ..., N-1}. The output of the hash function is used to identify the particular group, in the first set 170 of N traffic groups, to which the traffic having that identifier should be distributed. In some embodiments, the value stored in the entry associated with a particular integer in the set {0, ..., N-1}, and hence with one of the traffic groups in the first set 170, may provide the counter value of the amount of traffic distributed into that traffic group in the monitoring time period, T.
In some embodiments, the traffic handler 140 uses a nondeterministic grouping scheme selection algorithm to select the first and second grouping schemes. In such embodiments, the first and second grouping schemes are not selected in a predictable manner.
In some cases, an attacker may wish to cause the traffic handler 140 to treat traffic from a given traffic source as being potentially malicious, so that the traffic is handled using the first traffic processing mode associated with potentially malicious activity, in order to deny or limit service to the given traffic source. In some cases, the attacker may be able to do this by spoofing its IP address in such a way that its traffic is distributed into the same traffic group as the given traffic source. This may be possible, for example, if the way in which traffic is grouped is predictable and/or if the grouping schemes are changed in a predictable way. By using the nondeterministic scheme selection algorithm, it is unlikely that the attacker can predict which grouping scheme the traffic handler 140 is using at any given time, or which grouping scheme the traffic handler 140 will use when it next changes the grouping scheme. Thus, the impact of the attacker on the legitimate source is minimised.
As explained above, the grouping schemes may involve using hash algorithms to distribute the traffic into the traffic groups. In some such cases, the grouping schemes may be changed by changing a parameter, such as a seed, in a given hash algorithm each time the grouping scheme is to be changed. In these cases, the grouping schemes may use a 'randomised' hash algorithm. In other such cases, the grouping schemes may be changed by changing the hash algorithm itself each time the grouping scheme is to be changed.
In this way, the first grouping scheme is configured to group traffic originating from each of a plurality of different traffic sources into the given traffic group in the first set 170 and the second grouping scheme is configured to group traffic originating from at least some of the plurality of different traffic sources into at least two different traffic groups in the second set 180. As such, the collateral effect of potentially malicious communication activity on legitimate traffic sources is minimised. In particular, assuming that the grouping scheme substantially uniformly distributes traffic across the traffic groups, any given legitimate traffic source has only a 1/N chance of its traffic being distributed into the same traffic group as the traffic from a potentially malicious traffic source in a particular monitoring time period, T.
Furthermore, any disruption to the traffic from a legitimate traffic source only lasts until the traffic handler 140 redistributes the traffic from the legitimate traffic source according to the second grouping scheme. After the redistribution, the probability of subsequent traffic from the legitimate traffic source being distributed into a different traffic group from the traffic from the potentially malicious traffic source is (N-1)/N = 1 - 1/N. Furthermore, since the second grouping scheme is different from the first grouping scheme, it is difficult for a malicious entity to deny service to a legitimate traffic source by spoofing its source address in an attempt to force the traffic handler to distribute its traffic into the same traffic group as the traffic from the legitimate source, because the malicious entity only has a limited time during which to analyse the first grouping scheme before the traffic handler 140 distributes the subsequent incoming traffic according to the second, different grouping scheme.
In some embodiments, selecting the first and second grouping schemes may comprise selecting a plurality of hash algorithms, H(I, S), each of which maps an input, I, to an output number between 0 and N-1, where N is the number of traffic groups, using a random seed, S. In some embodiments, the hash algorithms are selected so that the output values of two different hash algorithms (that is, the same algorithm with two different seeds) that have the same input, H_1(I, S_1) and H_1(I, S_2), are as uncorrelated as possible. As such, using the same input to the hash algorithm with a different seed should be unlikely to produce the same output value.
In some embodiments, the hash algorithms are selected so that the output values of a given hash algorithm using two different input values, H_1(I_1, S_1) and H_1(I_2, S_1), are as uncorrelated as possible. As such, using two different inputs to the same hash algorithm with the same seed should be unlikely to produce the same output value.
In some embodiments, the hash algorithms may be relatively quick to calculate, for example having a time complexity of O(size of input) or less. In some embodiments, a relatively complex hash algorithm may be used as it may provide a more uniform distribution of output values. However, the performance cost of executing a large number of hash lookups, in the case of a relatively complex hash algorithm, could itself create a vulnerability in extreme cases, since the traffic handler could be overwhelmed by having to perform the large number of such hash lookups.
In some embodiments, the size of the random seed, S, may be selected to be the same as the size of the input, I, to the hash algorithm.
In some such embodiments, one possible hash algorithm performs a bitwise XOR operation on corresponding bits of the input, I, and the seed, S, and calculates the value of the resulting string modulo the number of traffic groups, N: H(I, S) = (I XOR S) modulo N.
In other such embodiments, another possible hash algorithm performs a bitwise XOR operation on corresponding bits of the input, I, and the seed, S, sums the result of each individual XOR operation and then calculates the result of the summation modulo the number of traffic groups, N: H(I, S) = (I[0] XOR S[0] + I[1] XOR S[1] + ... + I[m-1] XOR S[m-1]) modulo N, where the input, I, and the seed, S, are both m-bit strings and where I[k] and S[k] are the k-th bits of the input, I, and the seed, S, respectively.
In some embodiments, for example where the input, I, is an IPv4 address, which is made up of four bytes of address information, the first byte, I[0], of the input, I, is used as an index into an array, A, of the integers 0 to N-1, where the arrangement of the integers within the array, A, is randomly shuffled by the seed, S. The value in the array, A, associated with that index is then XORed with the second byte, I[1], of the input, I, and the result of the XOR operation is used as an index into the array, A. The value from the array, A, associated with that index is then XORed with the third byte, I[2], of the input, I, and so on until a final value from the array, A, is retrieved. The final value retrieved from the array, A, is one of the integers 0 to N-1. This may be represented as: H(I, S) = A[A[A[A[I[0]] XOR I[1]] XOR I[2]] XOR I[3]].
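Added example, not part of the patent text: the three seeded hash algorithms just described, written out in Python, together with a helper that counts how many of the N traffic groups a block of source addresses actually occupies. The shuffle step (a PRNG seeded with S), the sample 10.0.0.0/16 address block and the seed value are assumptions made for this example.

```python
import random

N = 4096   # number of traffic groups; a power of two, as the page suggests
M = 32     # input size in bits: a 32-bit IPv4 source address


def ipv4_to_int(addr: str) -> int:
    """Dotted-quad string to the 32-bit integer I used as the hash input."""
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def h_xor(i: int, s: int, n: int = N) -> int:
    """H(I, S) = (I XOR S) modulo N."""
    return (i ^ s) % n


def h_bitsum(i: int, s: int, n: int = N, m: int = M) -> int:
    """H(I, S) = (I[0] XOR S[0] + ... + I[m-1] XOR S[m-1]) modulo N, i.e. the
    number of bit positions in which I and S differ, reduced modulo N."""
    x = (i ^ s) & ((1 << m) - 1)
    return bin(x).count("1") % n


def shuffled_table(s: int, n: int = N) -> list:
    """Array A of the integers 0..N-1 'randomly shuffled by the seed S'.
    Assumption: a PRNG seeded with S drives the shuffle."""
    a = list(range(n))
    random.Random(s).shuffle(a)
    return a


def h_table(i: int, a: list) -> int:
    """H(I, S) = A[A[A[A[I[0]] XOR I[1]] XOR I[2]] XOR I[3]] over the four bytes of I.
    Each intermediate XOR must be a valid index into A, which holds when
    N = len(A) is a power of two and N >= 256."""
    n = len(a)
    if n < 256 or n & (n - 1):
        raise ValueError("N must be a power of two >= 256 for the byte-wise table hash")
    b = [(i >> 24) & 0xFF, (i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF]
    v = a[b[0]]
    for byte in b[1:]:
        v = a[v ^ byte]
    return v


def groups_used(group_of, addrs) -> int:
    """How many distinct traffic groups a collection of sources actually lands in."""
    return len({group_of(a) for a in addrs})


if __name__ == "__main__":
    seed = 0x5EED1234                        # constructed seed value
    table = shuffled_table(seed)
    # Constructed sample: every address in 10.0.0.0/16.
    addrs = [ipv4_to_int("10.0.0.0") + k for k in range(1 << 16)]
    print("xor    :", groups_used(lambda a: h_xor(a, seed), addrs), "of", N, "groups used")
    print("bitsum :", groups_used(lambda a: h_bitsum(a, seed), addrs), "of", N, "groups used")
    print("table  :", groups_used(lambda a: h_table(a, table), addrs), "of", N, "groups used")
```

Two properties worth checking before adopting any of these. With N = 2^12, (I XOR S) modulo N depends only on the low twelve bits of I XOR S, so two sources whose addresses agree in their low twelve bits land in the same group under every seed, and re-seeding never separates them. The bit-sum variant can only produce the values 0 to m, so for a 32-bit input and N = 4096 at most 33 of the 4096 groups are ever used. The byte-wise table lookup has neither property, but requires N to be a power of two of at least 256 so that every intermediate XOR is a valid index into A.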
An example is now given of a situation in which there are 2^17 = 131072 legitimate traffic sources that transmit audio traffic to the traffic handler 140, the audio traffic being destined for the server system 150 that is liable to being attacked.
In this example, there are four malicious traffic sources that each transmit significant amounts of audio traffic to the traffic handler 140 in an attempt to overwhelm it. In line with some of the examples given above, the number of traffic groups, N, is 4096 and the monitoring time period, T, is 200 ms.
In any given monitoring time period, T, the probability of a legitimate traffic source having its traffic distributed into the same traffic group as that of a potentially malicious traffic source is at most 4 × 1/N = 4 × 1/4096 = 1/1024 (and, for N this large, very nearly that). Since the monitoring time period, T, is 200 ms, there are five monitoring time periods in any given second, so the expected number of periods per second in which a legitimate traffic source has its traffic distributed into the same traffic group as that of a potentially malicious traffic source is 5 × 1/1024 = 5/1024. Therefore, a given legitimate traffic source is likely to have its traffic distributed into the same traffic group as a potentially malicious traffic source once every 1024/5 ≈ 205 seconds, or approximately once every 3.5 minutes.
As such, each legitimate traffic source is likely to experience (up to) a 200 ms drop in its audio traffic approximately once every three-and-a-half minutes. This can be contrasted with an approach in which the grouping scheme is not changed, where approximately 4 × (131072/4096) = 128 legitimate traffic sources would have their traffic distributed into the same traffic group as the traffic from a potentially malicious traffic source for the entire duration of the potentially malicious communication activity. This may, at the least, significantly detract from user experience.
Handling traffic in a manner in which the grouping schemes are dynamically changed, therefore, has a relatively low impact on legitimate traffic sources. In particular, the traffic handler 140 effectively distributes the impact of potentially malicious communication activity across the legitimate traffic sources over time, such that a relatively large number of legitimate traffic sources may expect to experience a relatively minor disruption, rather than relatively few legitimate traffic sources expecting to experience severe disruption.
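The worked example above, as an added Python model that is not part of the patent: the per-period collision probability, the 205-second interval and the 128 affected sources are computed from the page's figures, and a small simulation distributes constructed legitimate and malicious address blocks into N groups under a fixed seed and under a seed rotated every period, to show the difference in who is affected. A keyed BLAKE2b hash stands in for the page's 'randomised' hash algorithm; the address ranges and seeds are constructed for the example.

```python
import hashlib
import random


def group_of(addr: int, seed: bytes, n_groups: int) -> int:
    """Seeded hash of a 32-bit source address into a group 0..N-1.
    Assumption: keyed BLAKE2b stands in for the page's 'randomised' hash algorithm."""
    digest = hashlib.blake2b(addr.to_bytes(4, "big"), key=seed, digest_size=4).digest()
    return int.from_bytes(digest, "big") % n_groups


def collision_probability(n_bad: int, n_groups: int) -> float:
    """Probability that a given legitimate source shares a group with at least one of n_bad
    malicious sources in one period, for a uniform grouping scheme. The page's 4 x 1/N is the
    union bound; the exact value 1 - (1 - 1/N)**n_bad is marginally smaller."""
    return 1.0 - (1.0 - 1.0 / n_groups) ** n_bad


def mean_seconds_between_collisions(n_bad: int, n_groups: int, period_s: float) -> float:
    """Using the page's bound n_bad/N per period: T / (n_bad/N) = T * N / n_bad."""
    return period_s * n_groups / n_bad


def sources_hit_under_fixed_scheme(n_legit: int, n_bad: int, n_groups: int) -> float:
    """Expected number of legitimate sources sharing a group with a malicious one when the
    grouping scheme never changes (so the same sources stay affected for the whole attack)."""
    return n_bad * n_legit / n_groups


def simulate(n_legit: int, n_bad: int, n_groups: int, periods: int,
             rotate: bool, rng_seed: int = 1):
    """Per monitoring period, the set of legitimate sources sharing a group with a malicious source.
    Constructed addresses: legitimate sources in 10.0.0.0/8, malicious sources in 192.0.2.0/24."""
    legit = [0x0A000000 + k for k in range(n_legit)]
    bad = [0xC0000200 + k for k in range(n_bad)]
    rng = random.Random(rng_seed)

    def new_seed() -> bytes:
        return rng.getrandbits(128).to_bytes(16, "big")

    seed = new_seed()
    hit_sets = []
    for _ in range(periods):
        bad_groups = {group_of(b, seed, n_groups) for b in bad}
        hit_sets.append({a for a in legit if group_of(a, seed, n_groups) in bad_groups})
        if rotate:
            seed = new_seed()   # dynamic trigger at period expiry: a fresh, unpredictable seed
    return hit_sets


if __name__ == "__main__":
    n_legit, n_bad, n_groups, T = 2 ** 17, 4, 4096, 0.2
    print("per-period collision probability :", collision_probability(n_bad, n_groups))
    print("mean seconds between collisions   :", mean_seconds_between_collisions(n_bad, n_groups, T))
    print("legit sources hit, fixed scheme   :", sources_hit_under_fixed_scheme(n_legit, n_bad, n_groups))
    rot = simulate(n_legit, n_bad, n_groups, periods=5, rotate=True)
    print("rotating scheme, hit per period   :", [len(s) for s in rot])
    print("rotating scheme, distinct sources hit over 5 periods:", len(set().union(*rot)))
```

Over any single period the two schemes disrupt about the same number of sources (roughly 4 × 131072/4096 = 128). The difference is that under the fixed scheme it is the same 128 sources in every period, whereas under the rotating scheme the set changes each period, so the union of affected sources grows over time while each individual source's share falls to one 200 ms period per 3.5 minutes.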
In some embodiments, the traffic handler 140 selects the number of traffic groups, N, the monitoring time period, T, and the threshold value, R, according to scalability and/or reliability requirements of the communication system 100.
In some embodiments, the number of traffic groups, N, is selected according to available memory constraints. For example, in some embodiments, each counter 175, 185 associated with each of the traffic groups stores thirty-two bits (four bytes), so that each counter 175, 185 can record up to 2^32 = 4,294,967,296 traffic counts. In such cases, the memory required to implement the counters 175, 185 for a total of N traffic groups is 4 × N bytes (or 32 × N bits). As such, if a traffic handler 140 has between, for example, 100 kilobytes (kB) and 10 megabytes (MB) of spare memory for implementing such counters, the number of traffic groups, N, could be selected to be up to 10,000,000/4 = 2,500,000 (or 100,000/4 = 25,000 at the lower end of that range). In some embodiments, the number of traffic groups, N, may be selected with a constraint that it be a power of two since this can facilitate selection of a suitable hash scheme.
In practice, particularly large numbers of traffic groups, N, might not be desirable. This is because, for larger numbers of traffic groups, N, the threshold rate limit, R, for each traffic group is smaller. The smaller the threshold rate limit, R, the more sensitive the traffic handler 140 is to fluctuations in the traffic from legitimate traffic sources. Larger numbers of traffic groups, N, may also increase the processing overhead each time the grouping scheme is changed, since each of the counters for each of the (large number of) traffic groups is reset upon expiry of the monitoring time period, T. In practice, therefore, the number of traffic groups, N, may generally be selected in the range of 4,000 to 100,000 to trade off the above considerations.
In some embodiments, the monitoring time period, T, may be selected so that any processing of legitimate traffic using the first traffic processing mode associated with potentially malicious communication activity is substantially unnoticeable to a user of the legitimate traffic source. If the traffic is multimedia traffic, then the extent to which such processing is noticeable depends upon human perception times. For example, loss of multimedia traffic for periods over one second is likely to be clearly noticeable and will noticeably detract from user experience. However, loss of multimedia traffic for periods under one second is less likely to be clearly noticeable and, thus, is unlikely to detract from user experience.
However, similarly to increasing the number of traffic groups, N, reducing the monitoring time period, T, increases the processing overhead on the traffic handler in that the grouping scheme may need to be changed relatively more frequently and any counters may also need to be reset relatively more frequently. Furthermore, shorter monitoring time periods, T, also make the traffic handler 140 more sensitive to fluctuations in traffic from legitimate traffic sources.
Once the number of traffic groups, N, and the monitoring time period, T, have been selected, the threshold rate limit, R, may also be selected. In some embodiments, the threshold rate limit, R, may be calculated to be R = (P × T)/N, where P is the maximum amount of traffic that the traffic handler 140 can handle per second. In practice, the threshold rate limit, R, could be set at 50 to 100% above the value calculated using the above formula. This may provide better handling of bursts of legitimate traffic. However, the traffic handler 140 may need to implement other rate-limiting mechanisms to handle situations in which the amount of traffic in each of the traffic groups exceeds the threshold rate limit, R.
In some embodiments, the traffic handler 140 classifies at least some incoming traffic into at least one traffic class, a given traffic class being associated with a given class of incoming traffic, and distributes traffic in a traffic class according to the first grouping scheme if the traffic class is to be subject to potentially malicious communication activity handling.
For example, the traffic handler 140 may be able to handle a variety of traffic types, for example signaling and media traffic. The different traffic types may each have different overall bandwidth requirements, processing priorities or the like. The above-described handling of potentially malicious communication activity may be performed on a subset of the incoming traffic in a traffic class that is to be subject to malicious communication activity handling. For example, the traffic handler 140 may classify the incoming traffic into 'signaling' and 'media' traffic classes, and may only subject the traffic in the media traffic class to potentially malicious communication activity handling. In some embodiments, some traffic sources may be exempt from potentially malicious communication activity handling, for example if they are premium subscribers or if they are designated as being 'safe' traffic sources. In such embodiments, traffic associated with those traffic sources may be classified into a traffic class that is not to be subject to potentially malicious communication activity handling.
In some embodiments, the traffic handler 140 detects potentially malicious communication activity in a given traffic group in the second set 180 based on at least one characteristic of the traffic distributed into the given traffic group, categorises the traffic in the given traffic group as potentially malicious and processes the given traffic group using malicious activity processing. The traffic handler 140 also identifies at least one traffic source from which traffic is categorised as potentially malicious both in the given traffic group in the first set 170 and in the given group in the second set 180, and identifies the at least one traffic source as a potentially malicious traffic source. Such identification may be performed by the traffic analyser 190.
Figures 2A and 2B are schematic block representations of a communication system 200 in which a traffic handler 240 is handling traffic according to some embodiments. Similar elements between Figure 1 and Figures 2A and 2B are shown and described using the same reference number but incremented by 100.
One of the traffic sources 220, labelled in Figures 2A and 2B and described herein as traffic source B, is a potentially malicious traffic source. The other two traffic sources 210, 230, labelled in Figures 2A and 2B and described herein as traffic sources A and C respectively, are legitimate traffic sources. All three traffic sources 210, 220, 230 are transmitting traffic to the traffic handler 240. Traffic from a particular traffic source 210, 220, 230 is identifiable in Figures 2A and 2B by the letter associated with the particular traffic source 210, 220, 230 from which it originates. It will be appreciated that, in reality, there may be many more traffic sources in the communication system than the three shown in Figures 2A and 2B.
As shown in Figure 2A, the traffic handler 240 receives incoming traffic from traffic sources A, B and C and distributes at least some of the incoming traffic into a first set of traffic groups according to a first grouping scheme. In this case, the traffic handler 240 distributes the traffic from legitimate traffic source A into a first group in the first set 270 and the traffic from potentially malicious traffic source B and legitimate traffic source C into a second group in the first set 270. The traffic handler 240 detects potentially malicious communication activity in the second group in the first set 270 based on at least one characteristic of the traffic distributed into the second traffic group in the first set 270. The at least one characteristic may be the total amount of traffic distributed into the second group in the first set 270. The traffic handler 240 categorises communication activity in the second traffic group in the first set 270 as potentially malicious communication activity and processes the traffic in the second traffic group in the first set 270 using the first traffic processing mode associated with potentially malicious activity. This may involve dropping some or all of the traffic distributed into the second traffic group in the first set 270. The traffic handler 240 categorises communication activity in the first traffic group in the first set 270 as acceptable communication activity and processes the traffic in the first traffic group in the first set 270 using the second traffic processing mode associated with acceptable activity. This may involve forwarding the traffic distributed into the first traffic group in the first set 270 to the server system 250.
The traffic handler 240 receives subsequent incoming traffic from traffic sources A, B and C as shown in Figure 2B. In response to a dynamic trigger, the traffic handler 240 distributes at least some of the subsequent incoming traffic into a second set 280 of traffic groups according to a second, different grouping scheme. In this case, the traffic handler 240 distributes the traffic from legitimate traffic source A and from potentially malicious traffic source B into a first group in the second set 280 and the traffic from legitimate traffic source C into a second group in the second set 280.
As such, the first grouping scheme groups traffic originating from each of a plurality of different traffic sources, in this case traffic sources B and C, into the second group in the first set 270, and the second grouping scheme groups traffic originating from at least some of the plurality of different traffic sources, again traffic sources B and C, into at least two different traffic groups in the second set 280, in this case into both the first and the second traffic groups in the second set 280.
The traffic handler 240 detects potentially malicious communication activity in the first group in the second set 280 based on at least one characteristic of the traffic distributed into the first traffic group in the second set 280. The at least one characteristic may be the total amount of traffic distributed into the first traffic group in the second set 280. The traffic handler 240 categorises communication activity in the first traffic group in the second set 280 as potentially malicious communication activity and processes the traffic in the first traffic group in the second set using the first traffic processing mode associated with potentially malicious activity. This may involve dropping some or all of the traffic distributed into the first traffic group in the second set 280. The traffic handler 240 categorises communication activity in the second traffic group in the second set 280 as acceptable communication activity and processes the traffic in the second traffic group in the second set 280 using the second traffic processing mode associated with acceptable activity. This may involve forwarding the traffic distributed into the second traffic group in the second set 280 to the server system 250.
As such, the activity of potentially malicious traffic source B has a relatively low impact on both of the legitimate traffic sources A and C, compared to what would have been a relatively high impact on traffic source C had the grouping scheme not been changed in response to the dynamic trigger.
Figure 3 is a flowchart showing a method of handling potentially malicious communication activity according to some embodiments.
At step 3a, incoming traffic is monitored.
At step 3b, the incoming traffic is distributed into a set of traffic groups according to a grouping scheme. In some cases, at least some incoming traffic is distributed into a first set of traffic groups according to a first grouping scheme such that communication activity from a potentially malicious source may be grouped in a given traffic group in which communication activity from an acceptable source is also grouped.
At step 3c, traffic in a particular traffic group is processed using a traffic processing mode associated with a particular type of communication activity in that traffic group. In some cases, the traffic in the given traffic group is processed using a first traffic processing mode associated with potentially malicious communication activity and the traffic in at least one other traffic group is processed using a second traffic processing mode associated with acceptable communication activity.
At step 3d, a decision is made as to whether or not the dynamic trigger is detected. If the result of the decision of step 3d is that the dynamic trigger is not detected, then processing returns to step 3a, where incoming traffic is monitored. If however, the result of the decision of step 3d is that the dynamic trigger is detected, then the grouping scheme is altered at step 3e and processing returns to step 3a where incoming traffic is monitored.
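Steps 3a to 3e, as one added Python example that is not the patent's or Metaswitch's code. It implements the variant described earlier in which the grouping scheme is altered at the expiry of T only if some group was flagged during that period, uses a keyed BLAKE2b hash of the source identifier as the grouping scheme with `secrets.token_bytes` standing in for the nondeterministic scheme selection, and includes the traffic analyser step of identifying a source whose traffic falls into a flagged group under two consecutive grouping schemes. The class and method names, the per-group record of sources seen (kept unbounded here purely for illustration) and the re-alignment of each new period to the first arrival after expiry are assumptions made for the example.

```python
import hashlib
import secrets

FORWARD, DROP = "forward", "drop"   # second and first traffic processing modes


class TrafficHandler:
    """Hash-grouped traffic handler with a rotating grouping scheme (the Figure 3 flow).

    Traffic is monitored (3a), distributed into N groups by a seeded hash of its source (3b),
    processed according to its group's mode (3c) and, when the dynamic trigger fires (3d),
    the grouping scheme is altered by choosing a fresh seed (3e).
    """

    def __init__(self, n_groups: int, period_s: float, threshold: int,
                 seed: bytes = None, seed_source=secrets.token_bytes):
        self.n, self.T, self.R = n_groups, period_s, threshold
        self.new_seed = lambda: seed_source(16)   # nondeterministic scheme selection
        self.seed = seed if seed is not None else self.new_seed()
        self.period_end = None
        self.counters = [0] * n_groups           # one counter per group for the current T
        self.flagged = set()                     # groups in the first (potentially malicious) mode
        self.seen = {}                           # group -> sources seen this period (analyser input)
        self.prev_flagged_sources = None         # sources in flagged groups under the previous scheme
        self.suspects = set()                    # sources flagged under two consecutive schemes

    def group_of(self, src: str) -> int:
        """Grouping scheme: keyed BLAKE2b of the source identifier, reduced modulo N (assumption)."""
        d = hashlib.blake2b(src.encode(), key=self.seed, digest_size=4).digest()
        return int.from_bytes(d, "big") % self.n

    def _start_period(self, t: float) -> None:
        self.period_end = t + self.T
        self.counters = [0] * self.n             # counters are reset on expiry of T
        self.flagged = set()
        self.seen = {}

    def _end_period(self) -> None:
        flagged_sources = set()
        for g in self.flagged:
            flagged_sources |= self.seen.get(g, set())
        if self.prev_flagged_sources is not None:
            # Traffic analyser: a source that fell into a flagged group under both the previous
            # and the current grouping scheme is identified as a potentially malicious source.
            self.suspects |= flagged_sources & self.prev_flagged_sources
        self.prev_flagged_sources = flagged_sources
        if self.flagged:
            self.seed = self.new_seed()          # 3e: alter the scheme only if something was flagged

    def handle(self, t: float, src: str) -> str:
        """Process one unit of traffic from src arriving at time t; return FORWARD or DROP."""
        if self.period_end is None:
            self._start_period(t)
        elif t >= self.period_end:               # 3d: dynamic trigger (expiry of T)
            self._end_period()
            self._start_period(t)                # assumption: re-align the period to this arrival
        g = self.group_of(src)
        self.counters[g] += 1
        self.seen.setdefault(g, set()).add(src)
        if self.counters[g] > self.R:
            self.flagged.add(g)                  # detection: amount of traffic in the group exceeds R
        return DROP if g in self.flagged else FORWARD


if __name__ == "__main__":
    h = TrafficHandler(n_groups=4096, period_s=0.2, threshold=100)
    for period in range(3):
        base = period * 0.2
        for k in range(500):                     # constructed flood from source B
            h.handle(base + k * 1e-4, "B")
        for src in ("A", "C"):                   # constructed legitimate sources
            print(f"period {period}: {src} -> {h.handle(base + 0.1, src)}")
    h.handle(0.6, "A")                           # roll the last period over
    print("suspects:", h.suspects)
```

Whether A or C is dropped in a given period depends only on whether it shares B's group under that period's seed; once the seed rotates, a legitimate source that collided with B is very likely to be separated from it, while B itself exceeds R again under every scheme and so is the only source that reliably appears in the intersection.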
The above embodiments are to be understood as illustrative examples of the invention. Further embodiments of the invention are envisaged.
For example, although the traffic sources 110, 120, 130, 210, 220, 230 have been described as being PCs, other communications devices, such as mobile telephones, laptop computers, tablet computing devices and the like, may serve as traffic sources.
In some of the embodiments described above, the first and second grouping schemes involve using a hash table. The use of a hash table facilitates quick changes from the first grouping scheme to the second grouping scheme because the array elements in the hash table can be cleared before the second grouping scheme is used and it is not necessary to reallocate memory when changing to the second grouping scheme. Furthermore, hash algorithms are fast to calculate, as they do not involve following pointers, and memory usage for hash algorithms is efficient, which reduces caching-related performance issues. However, the first and second grouping schemes may use another type of data structure, such as a trie.
Although some embodiments have been described above in which the traffic source identifier in the incoming traffic is a 32-bit IP version 4 (IPv4) address, the traffic handler 140, 240 may be able to handle traffic in communication systems in which the source identifier is a different size. For example, the traffic handler 140, 240 may be able to handle 128-bit IP version 6 (IPv6) addresses and may be scalable to potentially larger IP or other address spaces. In some cases, for example where the grouping scheme uses a hash algorithm and where the hash algorithm includes bitwise XORing of the source identifier, I, and a seed, S, the size of the random seed may be selected to be the same as that of the address space.
As explained above, various types of traffic, such as signaling and media traffic, may be subject to handling in the manner described above. In particular, types of traffic (such as standard audio or video telephony) where small losses are tolerable by end users, or traffic which is in accordance with a protocol that includes error correction or recovery, such as Transmission Control Protocol (TCP) traffic, are well suited to being processed in this way. Support for other similar types of traffic is envisaged, for example to support future forms of media, such as 3D video.
In some embodiments described above, the server system 150, 250 that is liable to potentially malicious communication activity is one or more central servers of, or a gateway to, an organisation. However, the above-described methods of handling potentially malicious communication activity are also applicable to peer-to-peer communications, where an individual host may be protected from overwhelming traffic, although such attacks on the host are likely to have a lesser impact on the communication system as a whole.
In some embodiments, a 'leaky bucket' algorithm may be used in relation to each traffic group to process the traffic in that group. In such embodiments, a counter 175, 185, 275, 285 associated with a particular traffic group is incremented as traffic is distributed into that particular traffic group. However, the counter 175, 185, 275, 285 is also decremented periodically, at a predetermined rate. Normally, a processing mode is used (in which it can be said that the leaky bucket is not full) in which no incoming traffic is dropped. However, if the counter 175, 185, 275, 285 indicates an amount of traffic greater than a threshold value, the traffic handler 140, 240 may use a processing mode (in which it can be said that the leaky bucket is full) in which potentially malicious communication activity in the particular traffic group is discarded. Using a leaky bucket algorithm may provide better tolerance of traffic bursts from legitimate traffic sources, at the cost of storing more state on a per-traffic-group basis.
It is to be understood that any feature described in relation to any one embodiment may be used alone, or in combination with other features described, and may also be used in combination with one or more features of any other of the embodiments, or any combination of any other of the embodiments. Furthermore, equivalents and modifications not described above may also be employed without departing from the scope of the invention, which is defined in the accompanying claims.
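The leaky bucket variant just described, as an added example that is not the patent's code, placed beside the per-period counter used elsewhere on the page so the difference in burst handling is visible. Times are integer milliseconds, the drain rate is taken to be R/T units per millisecond (an assumption; the page only says 'a predetermined rate'), and the burst pattern is constructed for the example.

```python
from fractions import Fraction


class FixedWindowGroup:
    """Counter for one traffic group, reset every T ms. Once the count exceeds R the group
    stays in the 'potentially malicious' processing mode (traffic dropped) until T expires."""

    def __init__(self, threshold: int, period_ms: int):
        self.R, self.T = threshold, period_ms
        self.window_end = None
        self.count = 0

    def offer(self, t_ms: int) -> bool:
        """True if traffic arriving at t_ms is forwarded, False if it is dropped."""
        if self.window_end is None or t_ms >= self.window_end:
            self.window_end, self.count = t_ms + self.T, 0
        self.count += 1
        return self.count <= self.R


class LeakyBucketGroup:
    """Counter for one traffic group, incremented per unit of traffic and decremented
    continuously at R/T units per ms. Traffic is dropped only while the bucket is full,
    so the group recovers as soon as enough has drained rather than at the end of T."""

    def __init__(self, threshold: int, period_ms: int):
        self.R = threshold
        self.leak = Fraction(threshold, period_ms)   # units drained per ms (exact arithmetic)
        self.level = Fraction(0)
        self.last = None

    def offer(self, t_ms: int) -> bool:
        """True if traffic arriving at t_ms is forwarded, False if it is dropped."""
        if self.last is not None:
            self.level = max(Fraction(0), self.level - self.leak * (t_ms - self.last))
        self.last = t_ms
        if self.level + 1 > self.R:
            return False          # bucket full: discard, and do not count the discarded unit
        self.level += 1
        return True


def accepted(limiter, arrivals_ms) -> int:
    """Number of arrivals (ascending timestamps in ms) that the limiter forwards."""
    return sum(1 for t in arrivals_ms if limiter.offer(t))


# Constructed input: a burst of 25 units at t=0 (more than R=20), then 10 units 10 ms apart.
BURST = [0] * 25 + [50 + 10 * k for k in range(10)]

if __name__ == "__main__":
    R, T_MS = 20, 200
    print("fixed window:", accepted(FixedWindowGroup(R, T_MS), BURST), "of", len(BURST))
    print("leaky bucket:", accepted(LeakyBucketGroup(R, T_MS), BURST), "of", len(BURST))
```

With R = 20 and T = 200 ms, both limiters admit 20 of the 25 units in the initial burst, but the fixed-window group then drops the 10 trailing units because it remains in the drop mode until the period expires, whereas the bucket has drained five units by t = 50 ms and admits all of them. The extra state is the fractional level and the last-arrival time per group, which is the cost the page refers to.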

Claims (16)

  1. <claim-text>Claims 1. A method of handling potentially malicious communication activity in a communication system, including processing communication activity which is potentially malicious differently to communication activity which is acceptable, the method comprising: distributing at least some incoming traffic into a first set of traffic groups according to a first grouping scheme such that communication activity from a potentially malicious source may be grouped in a given traffic group in which communication activity from an acceptable source is also grouped; processing the traffic in the given traffic group using a first traffic processing mode associated with potentially malicious communication activity; processing the traffic in at least one other traffic group using a second traffic processing mode associated with acceptable communication activity; and in response to a dynamic trigger, altering the grouping scheme to one or more further grouping schemes and distributing at least some subsequent incoming traffic into one or more further sets of traffic groups according to the one or more further grouping schemes in order that the communication activity from the acceptable source is likely to be subsequently grouped into a traffic group which is different to a group into which the communication activity from the potentially malicious source is subsequently grouped.</claim-text> <claim-text>2. 
A method according to claim 1, comprising: in response to the dynamic trigger, distributing at least some subsequent incoming traffic into a second set of traffic groups according to a second, different grouping scheme, wherein the first grouping scheme is configured to group traffic originating from each of a plurality of different traffic sources into the given traffic group in the first set, and the second grouping scheme is configured to group traffic originating from at least some of the plurality of different traffic sources into at least two different traffic groups in the second set.</claim-text> <claim-text>3. A method according to claim 1 or 2, comprising: detecting potentially malicious communication activity in the given traffic group in the first set based on at least one characteristic of the traffic distributed into the given traffic group; categorising communication activity in the given traffic group in the first set as potentially malicious communication activity and processing the traffic in the given traffic group using the first traffic processing mode; and categorising communication activity in at least one other traffic group in the first set as acceptable communication activity and processing the traffic in the at least one other traffic group using the second traffic processing mode.</claim-text> <claim-text>4. A method according to claim 3, wherein the at least one characteristic includes an amount of traffic, and wherein the method comprises: monitoring an amount of traffic distributed into a traffic group; and detecting potentially malicious communication activity if the amount of traffic in the traffic group exceeds a threshold value.</claim-text> <claim-text>5. A method according to any preceding claim, wherein the first grouping scheme comprises using a first hashing scheme and one or more further grouping schemes comprise using one or more further hashing schemes.</claim-text> <claim-text>6. 
A method according to claim 5, comprising: using at least one parameter in the at least some incoming traffic as an input to the first hashing scheme; using an output of the first hashing scheme to distribute the at least some incoming traffic into the first set of traffic groups; using at least one parameter in the at least some subsequent incoming traffic as an input to the one or more further hashing schemes; and using an output of the one or more further hashing schemes to distribute the at least some subsequent incoming traffic into the one or more further sets of traffic groups.</claim-text> <claim-text>7. A method according to any preceding claim, comprising: using a nondeterministic grouping scheme selection algorithm to select the respective grouping schemes.</claim-text> <claim-text>8. A method according to any preceding claim, wherein said dynamic trigger is repeatedly refreshed and a series of different grouping schemes are used in response to the trigger being refreshed.</claim-text> <claim-text>9. A method according to any preceding claim, wherein the dynamic trigger is based on a timing characteristic.</claim-text> <claim-text>10. A method according to claim 9, wherein the dynamic trigger is periodically or intermittently refreshed.</claim-text> <claim-text>11. A method according to any preceding claim, wherein the first traffic processing mode associated with potentially malicious communication activity comprises dropping at least some traffic that is distributed into the traffic group in which the potentially malicious communication activity is grouped.</claim-text> <claim-text>12. A method according to claim 11, wherein the first traffic processing mode associated with potentially malicious communication activity comprises dropping all of the traffic that is distributed into the traffic group in which the potentially malicious communication activity is grouped.</claim-text> <claim-text>13. 
A method according to any preceding claim, comprising: processing traffic that is distributed into a traffic group using the second traffic processing mode associated with acceptable communication activity unless and until communication activity in the given traffic group in the first set is detected to be potentially malicious.</claim-text> <claim-text>14. A method according to any preceding claim, comprising: classifying at least some incoming traffic into at least one traffic class, a given traffic class being associated with a given class of incoming traffic; and distributing traffic in a traffic class according to the first grouping scheme if the traffic class is to be subject to potentially malicious communication activity handling.</claim-text> <claim-text>15. A method according to any preceding claim, comprising: identifying at least one traffic source from which traffic is categorised as potentially malicious in the given traffic group in the first set and in a group in the one or more further sets; and identifying the at least one traffic source as a potentially malicious traffic source.</claim-text> <claim-text>16. 
Apparatus for handling potentially malicious communication activity in a communication system, including processing communication activity which is potentially malicious differently to communication activity which is acccptablc, the apparatus bcing arranged to: distribute at least somc incoming traffic into a first sct of traffic groups according to a first grouping scheme such that communication activity from a potentially malicious source may be grouped in a given traffic group in which communication activity from an acceptablc sourcc is also grouped; process the traffic in thc givcn traffic group using a first traffic processing mode associated with potentially malicious communication activity; process the traffic in at least one other traffic group using a second traffic processing modc associated with acceptable communication activity; and in response to a dynamic trigger, alter the grouping schcmc to one or more further grouping schemes and distributing at least some subsequent incoming traffic into one or more further sets of traffic groups according to the one or more further grouping schemes in order that the communication activity from an acceptable source is likely to be subsequently grouped into a traffic group which is different to a group into which the communication activity from the potentiaHy malicious source is subsequently grouped.</claim-text> <claim-text>17. 
A computer program product comprising a non-transitory computer-readable storage medium having computer readable instructions stored thereon, the computer readable instructions being executable by a computerized device to cause the computerized device to perform a method of handling potentially malicious communication activity in a communication system, including processing communication activity which is potentially malicious differently to communication activity which is acceptable, the method comprising: distributing at least some incoming traffic into a first set of traffic groups according to a first grouping scheme such that communication activity from a potentially malicious source may be grouped in a given traffic group in which communication activity from an acceptable source is also grouped; processing the traffic in the given traffic group using a first traffic processing mode associated with potentially malicious communication activity; processing the traffic in at least one other traffic group using a second traffic processing mode associated with acceptable communication activity; and in response to a dynamic trigger, altering the grouping scheme to one or more further grouping schemes and distributing at least some subsequent incoming traffic into one or more further sets of traffic groups according to the one or more further grouping schemes in order that the communication activity from an acceptable source is likely to be subsequently grouped into a traffic group which is different to a group into which the communication activity from the potentially malicious source is subsequently grouped.
AMENDMENTS TO THE CLAIMS HAVE BEEN FILED AS FOLLOWS
Claims
1. A method of handling potentially malicious communication activity in a communication system, including processing communication activity which is potentially malicious differently to communication activity which is acceptable, the method comprising: distributing at least some incoming traffic into a first set of traffic groups according to a first grouping scheme such that communication activity from a potentially malicious source may be grouped in a given traffic group in which communication activity from an acceptable source is also grouped; detecting potentially malicious communication activity in the given traffic group; processing the traffic in the given traffic group using a first traffic processing mode associated with potentially malicious communication activity, the first traffic processing mode comprising discarding at least some traffic, both from the acceptable source and the potentially malicious source, that is distributed into the given traffic group; processing the traffic in at least one other traffic group using a second traffic processing mode associated with acceptable communication activity; and in response to a dynamic trigger, altering the grouping scheme to one or more further grouping schemes and distributing at least some subsequent incoming traffic into one or more further sets of traffic groups according to the one or more further grouping schemes in order that the communication activity from the acceptable source is likely to be subsequently grouped into a traffic group which is different to a group into which the communication activity from the potentially malicious source is subsequently grouped.
2. A method according to claim 1, comprising: in response to the dynamic trigger, distributing at least some subsequent incoming traffic into a second set of traffic groups according to a second, different grouping scheme, wherein the first grouping scheme is configured to group traffic originating from each of a plurality of different traffic sources into the given traffic group in the first set, and the second grouping scheme is configured to group traffic originating from at least some of the plurality of different traffic sources into at least two different traffic groups in the second set.
3. A method according to claim 1 or 2, comprising: detecting potentially malicious communication activity in the given traffic group in the first set based on at least one characteristic of the traffic distributed into the given traffic group; categorising communication activity in the given traffic group in the first set as potentially malicious communication activity and processing the traffic in the given traffic group using the first traffic processing mode; and categorising communication activity in at least one other traffic group in the first set as acceptable communication activity and processing the traffic in the at least one other traffic group using the second traffic processing mode.
4. A method according to claim 3, wherein the at least one characteristic includes an amount of traffic, and wherein the method comprises: monitoring an amount of traffic distributed into a traffic group; and detecting potentially malicious communication activity if the amount of traffic in the traffic group exceeds a threshold value.
5. A method according to any preceding claim, wherein the first grouping scheme comprises using a first hashing scheme and one or more further grouping schemes comprise using one or more further hashing schemes.
6. A method according to claim 5, comprising: using at least one parameter in the at least some incoming traffic as an input to the first hashing scheme; using an output of the first hashing scheme to distribute the at least some incoming traffic into the first set of traffic groups; using at least one parameter in the at least some subsequent incoming traffic as an input to the one or more further hashing schemes; and using an output of the one or more further hashing schemes to distribute the at least some subsequent incoming traffic into the one or more further sets of traffic groups.
7. A method according to any preceding claim, comprising: using a nondeterministic grouping scheme selection algorithm to select the respective grouping schemes.
8. A method according to any preceding claim, wherein said dynamic trigger is repeatedly refreshed and a series of different grouping schemes are used in response to the trigger being refreshed.
9. A method according to any preceding claim, wherein the dynamic trigger is based on a timing characteristic.
10. A method according to claim 9, wherein the dynamic trigger is periodically or intermittently refreshed.
11. A method according to any preceding claim, wherein the first traffic processing mode associated with potentially malicious communication activity comprises dropping all of the traffic that is distributed into the traffic group in which the potentially malicious communication activity is grouped.
12. A method according to any preceding claim, comprising: processing traffic that is distributed into a traffic group using the second traffic processing mode associated with acceptable communication activity unless and until communication activity in the given traffic group in the first set is detected to be potentially malicious.
13. A method according to any preceding claim, comprising: classifying at least some incoming traffic into at least one traffic class, a given traffic class being associated with a given class of incoming traffic; and distributing traffic in a traffic class according to the first grouping scheme if the traffic class is to be subject to potentially malicious communication activity handling.
14. A method according to any preceding claim, comprising: identifying at least one traffic source from which traffic is categorised as potentially malicious in the given traffic group in the first set and in a group in the one or more further sets; and identifying the at least one traffic source as a potentially malicious traffic source.
15. Apparatus for handling potentially malicious communication activity in a communication system, including processing communication activity which is potentially malicious differently to communication activity which is acceptable, the apparatus being arranged to: distribute at least some incoming traffic into a first set of traffic groups according to a first grouping scheme such that communication activity from a potentially malicious source may be grouped in a given traffic group in which communication activity from an acceptable source is also grouped; detect potentially malicious communication activity in the given traffic group; process the traffic in the given traffic group using a first traffic processing mode associated with potentially malicious communication activity, the first traffic processing mode comprising discarding at least some traffic, both from the acceptable source and the potentially malicious source, that is distributed into the given traffic group; process the traffic in at least one other traffic group using a second traffic processing mode associated with acceptable communication activity; and in response to a dynamic trigger, alter the grouping scheme to one or more further grouping schemes and distributing at least some subsequent incoming traffic into one or more further sets of traffic groups according to the one or more further grouping schemes in order that the communication activity from an acceptable source is likely to be subsequently grouped into a traffic group which is different to a group into which the communication activity from the potentially malicious source is subsequently grouped.
16. A computer program product comprising a non-transitory computer-readable storage medium having computer readable instructions stored thereon, the computer readable instructions being executable by a computerized device to cause the computerized device to perform a method of handling potentially malicious communication activity in a communication system, including processing communication activity which is potentially malicious differently to communication activity which is acceptable, the method comprising: detecting potentially malicious communication activity in the given traffic group; distributing at least some incoming traffic into a first set of traffic groups according to a first grouping scheme such that communication activity from a potentially malicious source may be grouped in a given traffic group in which communication activity from an acceptable source is also grouped; processing the traffic in the given traffic group using a first traffic processing mode associated with potentially malicious communication activity, the first traffic processing mode comprising discarding at least some traffic, both from the acceptable source and the potentially malicious source, that is distributed into the given traffic group; processing the traffic in at least one other traffic group using a second traffic processing mode associated with acceptable communication activity; and in response to a dynamic trigger, altering the grouping scheme to one or more further grouping schemes and distributing at least some subsequent incoming traffic into one or more further sets of traffic groups according to the one or more further grouping schemes in order that the communication activity from an acceptable source is likely to be subsequently grouped into a traffic group which is different to a group into which the communication activity from the potentially malicious source is subsequently grouped.</claim-text>
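The claims describe a mechanism rather than an implementation: incoming traffic is distributed into groups by a hashing scheme over some packet parameter, a group whose volume exceeds a threshold is treated as potentially malicious and its traffic (acceptable sources included) is dropped, and on a dynamic trigger the hashing scheme is replaced so that an acceptable source that happened to share a group with the flooding source is likely to land elsewhere next time, while a source that keeps landing in flagged groups under successive schemes is identified as malicious. The following Python simulation is an added worked example of that mechanism; it is not code from the patent or from Metaswitch. The source addresses, packet counts, threshold, group count and the choice of a keyed blake2b hash over the source address are all constructed assumptions, and the claim numbers in the comments refer to the original (unamended) claim set above.

```python
import hashlib
import secrets
from collections import Counter, defaultdict
from typing import Callable, Dict, List, Sequence, Set, Tuple

# One interval of traffic: (source address, packets seen from that source).
# Addresses and volumes are constructed for this example, not taken from the patent.
Traffic = Sequence[Tuple[str, int]]
GroupingScheme = Callable[[str], int]

CONSTRUCTED_TRAFFIC: Traffic = [
    ("203.0.113.9", 500),   # high-volume source (the "potentially malicious source")
    ("198.51.100.7", 20),   # acceptable source
    ("192.0.2.44", 15),     # acceptable source
    ("192.0.2.45", 12),     # acceptable source
]
THRESHOLD = 100   # packets per group per interval (constructed value, claim 4)
N_GROUPS = 16     # size of each set of traffic groups (constructed value)


def keyed_hash_scheme(seed: bytes, n_groups: int = N_GROUPS) -> GroupingScheme:
    """A hashing scheme in the sense of claims 5 and 6: the parameter hashed is the
    source address, and the group is the hash output reduced modulo n_groups.
    A different seed is a different ("further") hashing scheme."""
    def group_of(source: str) -> int:
        digest = hashlib.blake2b(source.encode(), key=seed, digest_size=8).digest()
        return int.from_bytes(digest, "big") % n_groups
    return group_of


def random_scheme() -> GroupingScheme:
    """Nondeterministic scheme selection (claim 7): the seed comes from the OS CSPRNG,
    so a flooding source cannot predict which group it will share with whom."""
    return keyed_hash_scheme(secrets.token_bytes(16))


def run_interval(traffic: Traffic, scheme: GroupingScheme, threshold: int) -> Dict:
    """One interval under one grouping scheme:
    - distribute traffic into groups (claim 1);
    - flag every group whose volume exceeds the threshold (claim 4);
    - first mode: drop everything in a flagged group, acceptable sources included (claim 12);
    - second mode: forward everything else (claim 13)."""
    per_group: Dict[int, List[Tuple[str, int]]] = defaultdict(list)
    for source, count in traffic:
        per_group[scheme(source)].append((source, count))
    flagged = {g for g, members in per_group.items()
               if sum(c for _, c in members) > threshold}
    forwarded: Counter = Counter()
    dropped: Counter = Counter()
    for g, members in per_group.items():
        target = dropped if g in flagged else forwarded
        for source, count in members:
            target[source] += count
    return {"flagged_groups": flagged, "forwarded": forwarded, "dropped": dropped}


def simulate(traffic: Traffic, schemes: Sequence[GroupingScheme], threshold: int):
    """Run one interval per scheme; moving on to the next scheme is the dynamic
    trigger of claims 8 to 10. Returns the per-interval results and the set of
    sources that sat in a flagged group under the first scheme and under every
    further scheme, which claim 15 identifies as potentially malicious sources."""
    if not schemes:
        return [], set()
    results = [run_interval(traffic, scheme, threshold) for scheme in schemes]
    suspects: Set[str] = set(results[0]["dropped"])
    for result in results[1:]:
        suspects &= set(result["dropped"])
    return results, suspects


if __name__ == "__main__":
    epochs = [random_scheme() for _ in range(4)]
    results, suspects = simulate(CONSTRUCTED_TRAFFIC, epochs, THRESHOLD)
    for i, r in enumerate(results):
        print(f"epoch {i}: flagged groups {sorted(r['flagged_groups'])}, "
              f"dropped {dict(r['dropped'])}, forwarded {dict(r['forwarded'])}")
    print("identified as potentially malicious:", suspects)
```

Running it shows the trade-off the amended claims make explicit: an acceptable source that shares the flooding source's group is discarded for that epoch, so the re-seeding interval bounds how long a legitimate sender can be collateral damage, and with 16 groups the chance of colliding again in the next epoch is roughly one in sixteen. The flooding source, by contrast, exceeds the threshold on its own, so every group it lands in is flagged under every scheme, and the intersection across epochs singles it out without any per-source state having been kept during the attack.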
GB1115023.2A 2011-08-31 2011-08-31 Handling potentially malicious communication activity Active GB2494384B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
GB1115023.2A GB2494384B (en) 2011-08-31 2011-08-31 Handling potentially malicious communication activity
PCT/GB2012/052146 WO2013030594A1 (en) 2011-08-31 2012-08-31 Handling potentially malicious communication activity
US14/194,483 US9537875B2 (en) 2011-08-31 2014-02-28 Handling potentially malicious communication activity

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB1115023.2A GB2494384B (en) 2011-08-31 2011-08-31 Handling potentially malicious communication activity

Publications (3)

Publication Number Publication Date
GB201115023D0 GB201115023D0 (en) 2011-10-12
GB2494384A true GB2494384A (en) 2013-03-13
GB2494384B GB2494384B (en) 2013-07-24

Family

ID=44838968

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1115023.2A Active GB2494384B (en) 2011-08-31 2011-08-31 Handling potentially malicious communication activity

Country Status (3)

Country Link
US (1) US9537875B2 (en)
GB (1) GB2494384B (en)
WO (1) WO2013030594A1 (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9503465B2 (en) 2013-11-14 2016-11-22 At&T Intellectual Property I, L.P. Methods and apparatus to identify malicious activity in a network
US9083730B2 (en) 2013-12-06 2015-07-14 At&T Intellectual Property I., L.P. Methods and apparatus to identify an internet protocol address blacklist boundary
US9372610B2 (en) 2014-02-21 2016-06-21 Sonos, Inc. Media system controller interface
US9408008B2 (en) 2014-02-28 2016-08-02 Sonos, Inc. Playback zone representations
US20160344751A1 (en) * 2015-05-19 2016-11-24 Fastly, Inc. Customized record handling in a content delivery network
US9813387B2 (en) * 2015-12-18 2017-11-07 General Electric Company Vehicle communication network security system and method
US10708294B2 (en) * 2017-01-19 2020-07-07 Arbor Networks, Inc. System and method to select and apply hypothetical mitigation parameters
US11128665B1 (en) * 2018-09-06 2021-09-21 NortonLifeLock Inc. Systems and methods for providing secure access to vulnerable networked devices
US11218443B2 (en) * 2019-07-25 2022-01-04 Coupang Corp. Dynamic IP address categorization systems and methods
CN114301960B (en) * 2021-12-15 2024-03-15 山石网科通信技术股份有限公司 Processing method and device for cluster asymmetric traffic, electronic equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020035628A1 (en) * 2000-09-07 2002-03-21 Gil Thomer Michael Statistics collection for network traffic
EP1393194A2 (en) * 2001-04-27 2004-03-03 Wanwall, Inc. Weighted fair queuing-based methods and apparatus for protecting against overload conditions on nodes of a distributed network
WO2009064114A2 (en) * 2007-11-12 2009-05-22 Ahnlab., Inc. Protection method and system for distributed denial of service attack

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7743415B2 (en) * 2002-01-31 2010-06-22 Riverbed Technology, Inc. Denial of service attacks characterization
US7161904B2 (en) 2002-06-04 2007-01-09 Fortinet, Inc. System and method for hierarchical metering in a virtual router based network switch
US7203963B1 (en) * 2002-06-13 2007-04-10 Mcafee, Inc. Method and apparatus for adaptively classifying network traffic
US7752324B2 (en) 2002-07-12 2010-07-06 Penn State Research Foundation Real-time packet traceback and associated packet marking strategies
KR100481614B1 (en) * 2002-11-19 2005-04-08 한국전자통신연구원 METHOD AND APPARATUS FOR PROTECTING LEGITIMATE TRAFFIC FROM DoS AND DDoS ATTACKS
US20050021842A1 (en) 2003-03-17 2005-01-27 Network Equipment Technologies Real-time packet classification and rate-limiting control packets in a network processor based data-plane
US7698548B2 (en) * 2005-12-08 2010-04-13 Microsoft Corporation Communications traffic segregation for security purposes
US7849146B2 (en) 2008-02-21 2010-12-07 Yahoo! Inc. Identifying IP addresses for spammers

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020035628A1 (en) * 2000-09-07 2002-03-21 Gil Thomer Michael Statistics collection for network traffic
EP1393194A2 (en) * 2001-04-27 2004-03-03 Wanwall, Inc. Weighted fair queuing-based methods and apparatus for protecting against overload conditions on nodes of a distributed network
WO2009064114A2 (en) * 2007-11-12 2009-05-22 Ahnlab., Inc. Protection method and system for distributed denial of service attack

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
3rd International Conference on Applied Cryptography and Network Security, 10 June 2005, pp104-121, "Mitigating network Denial-Of-Service through diversity-based traffic management", Matrawy A. et al *

Also Published As

Publication number Publication date
WO2013030594A1 (en) 2013-03-07
US9537875B2 (en) 2017-01-03
US20140181977A1 (en) 2014-06-26
GB2494384B (en) 2013-07-24
GB201115023D0 (en) 2011-10-12

Similar Documents

Publication Publication Date Title
US9537875B2 (en) Handling potentially malicious communication activity
US10284594B2 (en) Detecting and preventing flooding attacks in a network environment
US11863570B2 (en) Blockchain-based network security system and processing method
US10951649B2 (en) Statistical automatic detection of malicious packets in DDoS attacks using an encoding scheme associated with payload content
US11539750B2 (en) Systems and methods for network security memory reduction via distributed rulesets
US11153334B2 (en) Automatic detection of malicious packets in DDoS attacks using an encoding scheme
US11316889B2 (en) Two-stage hash based logic for application layer distributed denial of service (DDoS) attack attribution
CN110198293B (en) Attack protection method and device for server, storage medium and electronic device
JP2010521839A (en) Method and system for protecting a computer system from denial of service attacks and other harmful resource exhaustion phenomena associated with communications
KR20130014226A (en) Dns flooding attack detection method on the characteristics by attack traffic type
US10693890B2 (en) Packet relay apparatus
WO2020037781A1 (en) Anti-attack method and device for server
CN108616488B (en) Attack defense method and defense equipment
Wu et al. Fmd: A DoS mitigation scheme based on flow migration in software‐defined networking
CN114830113A (en) System and method for securing resource allocation in a stateful connection manager
Junior et al. Apple’s lion vs Microsoft’s windows 7: Comparing built-in protection against ICMP flood attacks
TWI682644B (en) Dynamic protection method for network node and network protection server
Xiang et al. A defense system against DDOS attacks by large-scale IP traceback
Bellaïche et al. SYN flooding attack detection by TCP handshake anomalies
US20100157806A1 (en) Method for processing data packet load balancing and network equipment thereof
KR20210066432A (en) Method for detecting and mitigating interest flooding attack through collaboration between edge routers in Named Data Networking(NDN)
KR101553172B1 (en) Forensic based s a c t system and drive method
Parashar et al. Improved deterministic packet marking algorithm
Shi et al. Feedback based Sampling for Intrusion Detection in Software Defined Network
Adhikari et al. ProDetect: A Proactive Detection Approach of the TCP SYN Flooding Attack in the SDN Controller