GB2558419B - Identifying an attacked computing device - Google Patents

Identifying an attacked computing device Download PDF

Info

Publication number
GB2558419B
GB2558419B GB1721196.2A GB201721196A GB2558419B GB 2558419 B GB2558419 B GB 2558419B GB 201721196 A GB201721196 A GB 201721196A GB 2558419 B GB2558419 B GB 2558419B
Authority
GB
United Kingdom
Prior art keywords
network
attack
services
computing
computer
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
GB1721196.2A
Other versions
GB201721196D0 (en
GB2558419A (en
Inventor
El-Moussa Fadi
Dimitrakos Theo
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
British Telecommunications PLC
Original Assignee
British Telecommunications PLC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by British Telecommunications PLC filed Critical British Telecommunications PLC
Publication of GB201721196D0 publication Critical patent/GB201721196D0/en
Publication of GB2558419A publication Critical patent/GB2558419A/en
Application granted granted Critical
Publication of GB2558419B publication Critical patent/GB2558419B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146Tracing the source of attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Description

IDENTIFYING AN ATTACKED COMPUTING DEVICE
The present invention relates to the detection of network attacks for a computer system.
Network-connected computer systems can include network-connected computing devices providing computing services. A computer network used for communication with the devices and services can be used by malicious entities to mount attacks on a computer system and the devices and/or services therein. Such attacks can include unauthorised access, use and/or modification of computing resources.
Thus there is a need to protect network-connected computer systems from such attacks.
The present invention accordingly provides, in a first aspect, a computer implemented method to identify an attacked computing device in a system of network-connected computing devices providing a plurality of computing services, the method comprising: receiving an attack graph as a first data structure including data modelling relationships between vulnerabilities of computing services in a first proper subset of the plurality of computing services and exploitation of such vulnerabilities to identify one or more series of exploits involved in a network attack; receiving a network map as a second data structure including data modelling the computing devices in the system including the network connections of each computing device; comparing the first and second data structures to identify the attacked computing device as an intermediate device in communications between at least two computer services in any of the one or more series of exploits.
Preferably the method further comprises, in response to the identification of the attacked computing device, implementing protective measures to protect the attacked computing device from the attack.
Preferably the attack graph is a directed acyclic graph data structure.
Preferably the second data structure is automatically generated by software adapted to map a networked computer system.
The present invention accordingly provides, in a second aspect, a computer system including a processor and memory storing computer program code for performing the steps of the method set out above.
The present invention accordingly provides, in a third aspect, a computer program element comprising computer program code to, when loaded into a computer system and executed thereon, cause the computer to perform the steps of the method set out above.
Embodiments of the present invention will now be described, by way of example only, with reference to the accompanying drawings, in which:
Figure 1 is a block diagram of a computer system suitable for the operation of embodiments of the present invention;
Figure 2 is a component diagram of an attack detector for identifying a network attack in a network-connected computer system in accordance with embodiments of the present invention;
Figure 3 depicts an exemplary attack graph for an attack in the computer system of Figure 2 in accordance with embodiments of the present invention;
Figure 4 is a flowchart of a method to identify a network attack in a network-connected computer system in accordance with embodiments of the present invention;
Figure 5 is a component diagram of an exemplary traffic filter for use with the attack detector of Figure 1 in accordance with embodiments of the present invention;
Figure 6 is a flowchart of a method to identify a network attack in a network-connected computer system using a traffic filter such as that illustrated in Figure 5 in accordance with embodiments of the present invention;
Figure 7 is a component diagram of an attack detector for identifying a network attack based on a network map in accordance with embodiments of the present invention; and
Figure 8 is a flowchart of a method to identify an attacked computing device in a network-connected computer system in accordance with embodiments of the present invention.
Figure 1 is a block diagram of a computer system suitable for the operation of embodiments of the present invention. A central processor unit (CPU) 102 is communicatively connected to a storage 104 and an input/output (I/O) interface 106 via a data bus 108. The storage 104 can be any read/write storage device such as a random access memory (RAM) or a non-volatile storage device. An example of a non-volatile storage device includes a disk or tape storage device. The I/O interface 106 is an interface to devices for the input or output of data, or for both input and output of data. Examples of I/O devices connectable to I/O interface 106 include a keyboard, a mouse, a display (such as a monitor) and a network connection.
Figure 2 is a component diagram of an attack detector 220 for identifying a network attack in a network-connected computer system 200 in accordance with embodiments of the present invention. The computer system 200 is a purely exemplary configuration of network-connected computing devices “Host 0”, “Host 1 ”, “Host 2” and a “Firewall” such that the Firewall is intermediate to Host 0, on one side of the Firewall, and Hosts 1 and 2 on another side of the Firewall. Each of the computing devices can be hardware, software, firmware or combination components that are adapted to communicate via a communications network 210. In some embodiments one or more of the computing devices can be virtualised devices. The network 210 can be a wired, wireless, local or wide area network or a combination of any or all of these types of network. In some embodiments, at least part of the network 210 is a public network such as the internet. For example, in one arrangement Host 0 and the Firewall are connected to the internet and each of Host 1 and Host 2 are connected to a private or intranet network separated from the internet by the Firewall.
At least some of the computing devices provide computing services in the system 200. In the exemplary arrangement of Figure 2: Firewall provides service “svO”; Host 1 provides services “sv1”, “sv2” and “sv3”; and Host 2 provides services “sv4” and “sv5”. Computing services can be hardware, software, firmware or combination services such as functions, facilities, routines, procedures, applications or the like. Such services typically involve a network communication component. For example, computing services can include: file transfer services such as software using a file transfer protocol (FTP); shell or remote desktop services such as remote shell (rsh), secure shell (ssh), telnet, remote desktop protocol (RDP), TeamViewer, Remote Utilities, Ammyy Admin, Virtual Network Computing (VNC), AeroAdmin, Windows Remote Desktop, Remote PC, Firnass, Chrome Remote Desktop, AnyDesk, Lync, Skype for Business or the like; mail, messaging, collaboration or communication software such as electronic mail software using a mail transport protocol such as the simple mail transfer protocol (SMTP), instant messaging applications such as Lync, Skype, Sametime, Facebook Messenger, WhatsApp, WeChat, Snapchat, Telegram, Line, Viber, Facetime and the like, and peer-to-peer communications services such as torrent software; name resolution and/or domain name services (DNS); host initialisation services such as bootstrap protocols; network host management services such as services employing the simple network management protocol (SNMP); applications such as a server using hypertext transfer protocol (HTTP), network news transfer protocol (NNTP), application server, media server including, inter alia, video, audio, image and/or document servers such as multimedia communications services using a H.323 protocol, network server, entertainment server such as a game server or the like; security or protective services such as a network proxy, firewall, intrusion detection, virus detection, malware detection and the like; services for peripheral devices such as network printer services, network scanner services, network attached storage, network file system (NFS), network attached manufacturing, machining, tooling or engineering devices or apparatus such as robots, additive manufacturing devices (such as 3D printers), formative manufacturing devices, physical transport devices, machine forming apparatus and the like; blockchain services; services providing remote procedure call or remote method invocation facilities over a network; anonymity services such as Tor; telephony such as voice over internet protocol, video conferencing protocols, audio and or video communication and the like; and other computing services as will be apparent to those skilled in the art.
Notably, any particular computer service can include an identification of a network configuration such as one or more particular network ports and/or protocols such that a single software component (e.g. server, web server or the like) can provide potentially multiple computing services such as via different ports and/or protocols.
The computer system 200 is arranged with one or more network security components such as an intrusion detection system (IDS) 232. The IDS 232 is a software, hardware, firmware or combination component adapted to monitor one or more aspects of the computer system 200 to identify one or more of: actual or potential malicious activity occurring in, by, to or in relation to computing devices in the system 200; and violations or deviations from a policy, acceptable or determined normal or typical behaviour or activity of computing devices in the system 200. For example, the IDS 232 can be a network intrusion detection system (NIDS) configured to monitor traffic to and from computing devices and/or services at one or more points in the network of the system 200. Additionally or alternatively, the IDS 232 can be a host intrusion detection system (HIDS) run on or in association with one or more computing devices of the system 200 to, for example, monitor inbound and outbound network communication such as network packets at those computing devices. Other such suitable IDS components may be apparent to those skilled in the art. Whichever type or types of IDS 232 are deployed, the IDS 232 detects attacks or potential attacks of computing services in the system 200. For example, the IDS 232 can employ a signature-based attack detection mechanism in which one or more rules and/or patterns indicating an attack are used, such as byte sequences in network traffic or known malicious instruction sequences used by malicious software. Additionally or alternatively, the IDS 232 can employ an anomaly-based attack detection mechanism where a model of trustworthy activity is used to identify a deviation from such activity as a potential attack. Thus, in use, the IDS 232 is operable to identify computer services in the system 200 for which attacks or potential attacks are detected. While a single IDS 232 is illustrated in Figure 2 it will be appreciated by those skilled in the art that any number of such facilities may be provided. Further, while the IDS 232 of Figure 2 is illustrated external to the system 200 it will be appreciated by those skilled in the art that such facilities may be provided internal to, in communication with, integral to or remote from devices and/or services of the system 200.
The arrangement of Figure 2 further includes an attack graph 230. The attack graph 230 is organised as a data structure including data modelling relationships between known vulnerabilities of one or more computing services in the system 200 and potential exploits of those vulnerabilities employed to achieve a particular network attack of the system 200. Thus the attack graph 230 identifies one or more series of exploits and/or steps involved in a network attack. The attack graph 230 is thus generated based on knowledge of vulnerabilities of computing services and how those vulnerabilities can be exploited. Extensive databases of vulnerability and exploit information can be used to inform the generation of such graphs such as the definition of Common Vulnerabilities and Exposures (CVE) maintained by MITRE Corporation as the National Cybersecurity Federally Funded Research and Development Center (FFRDC) in the USA. For example, MITRE Corporation provide CVE details at www.cvedetails.com including vulnerabilities categorised by type and providing information for each vulnerability including: a vulnerability score using the Common Vulnerability Scoring System (CVSS) indicating a severity of the vulnerability ("Common Vulnerability Scoring System, V3 Development Update". First.org, Inc., available at www.first.org/cvss); a potential impact of the vulnerability in a number of respects including an indication of impact on confidential information, integrity and availability of a computing service; an indication of a level of complexity involved to exploit the vulnerability; whether unauthorised or malicious access to computing services, resources, devices or systems can be gained by exploiting the vulnerability; and computing services such as products affected by the vulnerability. In CVE vulnerabilities are generally categorised into the following types: denial of service (DoS); code execution; overflow; memory corruption; structured query language (SQL) injection; cross-site scripting (XSS); directory traversal; HTTP response splitting; bypassing; gaining information; gaining privileges; cross-site request forgery (CSRF); and file inclusion.
Attack graphs are preferably structured as directed acyclic graphs indicating paths that an attacker can take to reach a given goal (the attack objective). Thus attack graphs indicate sequences of exploits of vulnerabilities, for example each successive exploit can result in an attacker obtaining additional security privileges towards the attack objective. Attack graphs are described in detail in “Measuring Network Security Using Bayesian Network-Based Attack Graphs” (Marcel Frigault and Lingyu Wang, January 2008, DOI: 10.1109/COMPSAC.2008.88 Source: lEEEXplore); “Measuring Network Security Using Bayesian Network-Based Attack Graphs - A Thesis in the Concordia Institute for Information Systems Engineering” (Marcel Frigault, March 2010, Concordia University, Montreal, available at spectrum.library.concordia.ca/979259); and “Exact Inference Techniques for the Dynamic Analysis of Bayesian Attack Graphs” (Luis Munoz-Gonzalez, Daniel Sgandurra, Martin Barrere, and Emil Lupu, October 2015).
Turning now to Figure 3 which depicts an exemplary attack graph 230 for an attack in the computer system 200 of Figure 2 in accordance with embodiments of the present invention. The illustrative exemplary attack graph 230 of Figure 3 relates to an attack in which the attack objective for an attacker with user access to Host 0 of Figure 2 to gain privileged root access on Host 2 through which the attacker may make malicious use of, or have malicious effect on, Host 2. In the attack graph 230 conditions or states are represented in boxes with rounded corners where a device involved is indicated inside parentheses (i.e. “(0)” indicates Host 0; “(1,2)” indicates some relationship between Host 1 and Host 2 etc.). Vulnerabilities are depicted in boxes with squared corners, indicating a source and destination device inside parentheses (i.e. “source, desination"). Thus according to the attack graph 230 an attacker can follow three paths starting from the topmost state “user(0)” to achieve the attack objective. Each path will be outlined briefly in turn.
According to a first attack path through the graph 230, at the initial state “user(0)” the attacker can exploit a vulnerability in computing service sv4 of Host 2 to achieve a state of trust between Host 0 and Host 2. Subsequently, in this state of trust the attacker can exploit a vulnerability in sv5 of Host 2 to achieve a state of user level access to Host 2. Finally the attacker can exploit a further vulnerability in sv5 of Host 2 to achieve a state of root level access to Host 2.
According to a second attack path through the graph 230, at the initial state “user(0)” the attacker can exploit a vulnerability in computing service sv2 of Host 1 to achieve a state of user level access to Host 1. The attacker can then exploit a vulnerability in service sv4 of Host 2 to achieve a state of trust between Host 1 and Host 2. Subsequently, in this state of trust the attacker can exploit a vulnerability in sv5 of Host 2 to achieve a state of user level access to Host 2. Finally the attacker can exploit a further vulnerability in sv5 of Host 2 to achieve a state of root level access to Host 2.
According to a third attack path through the graph 230, at the initial state “user(0)” the attacker can exploit a vulnerability in computing service sv3 of Host 1 to achieve a state of user level access to Host 1. The attacker can then exploit a vulnerability in service sv4 of Host 2 to achieve a state of trust between Host 1 and Host 2. Subsequently, in this state of trust the attacker can exploit a vulnerability in sv5 of Host 2 to achieve a state of user level access to Host 2. Finally the attacker can exploit a further vulnerability in sv5 of Host 2 to achieve a state of root level access to Host 2.
Notably, in addition to identifying the attack paths to achieve the attack objective in the system 200, the attack graph 230 identifies all computing services potentially exploited in an attack to achieve the attack objective. Thus, according to the exemplary attack graph 230, services sv2, sv3, sv4 and sv5 are potentially exploited though services svO and sv1 are not so indicated. Furthermore, the identification of exploited computing services in the attack graph 230 permits an identification of computing devices having the computing services exploited to achieve the attack objective. Thus compromised computing devices can also be identified from the attack graph 230.
Returning to Figure 2, an attack detector 220 is provided as a hardware, software, firmware or combination component for identify a network attack based on a signature of malicious network traffic identifying the attack. As previously described with respect to IDS 232, a signature includes a definition of one or more rules and/or patterns which, when applied to and/or compared with network traffic, can be used to identify a network attack. In some embodiments signatures can include, inter alia, byte sequences in network traffic or known malicious instruction sequences used by malicious software. Additionally or alternatively signatures can include metrics or measures evaluated for network traffic such as a measure of entropy (such as Shannon Entropy) for at least some portion of network traffic as described in detail in international patent publication WO/2015/128609 (British Telecommunications public limited company). Other patterns and/or rules indicated in a signature for attack detection include: the identification of particular network response data; network traffic having a particular size, length, volume, structure and/or constitution; a series of network communications occurring between two or more computing services of devices conforming to a particular rule or arrangement; a frequency or duration of network traffic or communications; an identification of one or more particular byte sequences, types of byte sequence, packet sequences, types of packet sequence, messages or the like including such as might be identified in no particular order to detect network traffic arising from a polymorphic attack; and other such signature features as will be known to those in the art or as may be conceived in future for detecting malicious network traffic.
The attack detector 220 according to embodiments of the present invention generates the attack signature using the signature generator 224 based on network traffic. Accordingly, in use the signature generator 224 operates on network traffic 234 that is known to include malicious network traffic for the network attack. In this way a generated signature can be known to be derived from known malicious network traffic for subsequent use in production computer systems on which basis potential attacks may be identified.
In contrast to the generation of attack signatures in the art, the signature generator 224 according to embodiments of the present invention operates on the basis of only a subset of network traffic obtained from the computing system 200. The subset of network traffic is obtained by filtering network traffic 234 obtained from the computing system by a traffic filter 222 as will be described below.
The traffic filter 222 is a software, hardware, firmware or combination component for filtering network traffic 234 obtained from the computing system 200. The network traffic 234 can be obtained and processed in real-time over a period of time or can be stored and accessed in batch. The traffic filter 222 identifies a proper subset of the network traffic 234 by filtering the network traffic 234 such that the subset includes only network traffic that is both associated with computing services being identified by the attack graph 230; and with computing services identified by the IDS 232 as being currently subject to a network attack. Thus, embodiments of the present invention generate an attack signature by the signature generator 224 based on a subset of the network traffic 234 being only the network traffic relevant to computing services indicated by the attack graph 230 and being identified by the IDS 232 as being currently subject to an attack. In this way, the basis for the definition of the attack signature is concentrated on a subset of pertinent network traffic resulting in more accurate and effective attack signature generation. Furthermore, the efficiency of the attack signature generation process is improved because the exclusion of network traffic data reduces the data processing requirements of the signature generator 224. Yet further the quality of the signature itself is improved as the signature is generated based only on pertinent network traffic without being affected by traffic associated with computing services not involved in the network attack or not identified as being subject to attack.
As will be apparent to those skilled in the art, a proper subset of a first set is a subset of the first set that is not equal to the first set.
As previously described the attack graph 230 can be used to identify a subset of computing services in the system 200 potentially involved in the network attack. Where the subset of computer services is a proper subset of the set of all computing services in the system 200 then advantages of embodiments of the present invention are realised because the signature generator 224 generates an attack signature on the basis of a reduced set of network traffic corresponding to a subset of network traffic associated with computing services involved in the network attack according to the attack graph 230 (i.e. a proper subset of the set of all network traffic 234).
Additionally, the subset of computer services is further refined to define a second subset of computer services containing only computer services identified by the IDS 232 as being subject to an attack. In this way a further subset of network traffic can be determined on which basis the signature generator 224 operates to generate the attack signature.
The attack signature is used by a traffic monitor 226 which is a hardware, software, firmware or combination component of the attack detector 220 to monitor production and/or operational network traffic 234 for the system 200. The traffic monitor 226 uses the generated attack signature to identify the network attack occurring in the system 200 and where such attacks are identified they are flagged as network attack identifications 250.
Figure 4 is a flowchart of a method to identify a network attack in a network-connected computer system 200 in accordance with embodiments of the present invention. The method operates with the system 200 known to be subject to the network attack such that the attack is exhibited in network traffic 234. Initially, at step 462, the traffic filter 222 filters the network traffic 234 to include only network traffic associated with computer services identified: by the attack graph 230 for the network attack; and by the IDS 232 as being subject to a network attack. At step 464 the signature generator 224 generates a signature of malicious network traffic based on only the filtered network traffic from step 462. At step 466 the traffic monitor 226 monitors network traffic 234 (where the system 200 now operates in a production or operational mode, not known to be subject to the network attack). At step 468, where the traffic monitor 226 identifies network traffic exhibiting or conforming to the signature the method proceeds to step 470 where, for example, the attack is identified, flagged and/or remedial or responsive measures are taken.
Figure 5 is a component diagram of an exemplary traffic filter 222 for use with the attack detector 220 of Figure 1 in accordance with embodiments of the present invention. Figure 5 is to be read in conjunction with Figure 6 which is a flowchart of a method to identify a network attack in a network-connected computer system 200 using a traffic filter 222 in accordance with embodiments of the present invention.
The traffic filter 222 according to Figure 5 includes two filters as software, hardware, firmware or combination components: a first filter 522 for filtering network traffic data 234 based on the attack graph 230 to generate a first proper subset of network traffic 524; and a second filter 528 for filtering the first proper subset of network traffic 524 based on computing services identified by the IDS 232 as being subject to an attack to generate the second subset of network traffic 530. The second filter thus operates on the basis of a service identifier 526 component as a hardware, software, firmware or combination component for identifying services indicated by the IDS 232 as being subject to an attack or intrusion. The second subset of network traffic 530 accordingly excludes network traffic associated with computing services not indicated by the attack graph 230 or identified as being subject to attack or intrusion by the IDS 232.
Thus the first filter 522 receives the attack graph 230 (step 682) as a data structure containing data identifying one or more series of exploits and/or steps involved in a network attack. The first filter 522 accesses (step 684) a set of all network traffic 234 known to include malicious network traffic to identify (step 686) a proper subset of network traffic 524 that excludes network traffic involved in communication with computing services other than those identified in the attack graph 230. At step 688 the service identifier 526 defines a subset of computer services identified by the IDS 232 as being subject to attack or intrusion. Subsequently, at step 690, the second filter 528 is applied to the proper subset of network traffic 524 to define the second subset of network traffic 530 that further excludes traffic involved in communication with computer services other than those identified as being subject to attack or intrusion. Subsequently, at step 692, the second subset of network traffic 530 is used by the signature generator 224 as previously described to generate a signature of malicious network traffic. Notably the steps 466, 468 and 470 of Figure 4 could further apply subsequent to step 692 in Figure 6 to monitor a production system 200 for network attack and respond accordingly.
Consideration now turns to the closely related challenge of identifying an attacked computing device in a system of network-connected computing devices providing computing services. In particular, while the attack graph 230 indicates computing services exploited to achieve a network attack (and correspondingly computing devices that provide or include those services), further advantages can be realised from the attack graph 230 in a production computer system to identify additional computing devices that are subject to attack where such an attack has not been previously known. Such attacks that have not been previously known are commonly referred to as “zero day” attacks because there may be little or no experience of the attacks or the attacks may have evaded detection such that intrusion detection systems and security software such as IDS 232 may not yet be configured to detect such attacks.
Figure 7 is a component diagram of an attack detector 770 for identifying a network attack based on a network map 772 in accordance with embodiments of the present invention.
Many of the features of Figure 7 are common with those of Figure 2 and these common features will not be repeated here. The network map 772 is a data structure representation including data modelling computing devices in the computing system 200 including the network connections of each computing device such that the map 772 provides an overall representation of the computing system 200. Such a network map 772 can be provided by an operator, designer or installer of the system 200 or the map 772 can be at least partly generated using an automatic network mapping tool such as OpNet (www.opnet.com) or SkyBox (www.skyboxsecurity.com). Thus based on the network map 772 network interconnections between computing devices can be identified and thus routes and/or paths through the network and between devices can be discerned. In practice, the illustration of the computing system 200 provided in the dashed box of Figure 7 constitutes a reasonable example of a network map (albeit with the addition of computing service information which may be absent in a map, and albeit without host device and configuration information which may additionally be present in a map).
The remainder of Figure 7 should be read with further reference to Figure 8 which is a flowchart of a method to identify an attacked computing device in a network-connected computer system 200 in accordance with embodiments of the present invention. The attack detector 770 of Figure 7 is a software, hardware, firmware or combination component adapted to identify an attacked computing device in the network-connected computing system 200. The detector 770 initially receives the attack graph 230 at step 802. Subsequently, at step 804, the detector 770 receives the network map 772. The detector 770 includes a comparator component 778 as a hardware, software, firmware or combination component for comparing the attack graph 230 and the network map 772. The comparison (step 806) of the graph 230 and map 772 provides for an identification of computing devices in the system 200 that are necessarily involved in malicious network communication but that are not identified (such as by reference to their computing services) in the attack graph 230. For example, the attack graph 230 illustrated in Figure 3 shows an attack path whereby the attacking user achieves trust between Flost 0 and Flost 2 by exploiting sv4 of Flost 2 (leftmost path in the graph 230 of Figure 3). Flowever, according to the network map (exemplified by the illustration of the computing system in the dashed box of Figure 7), Flost 0 is separated from Flost 2 by a Firewall. Thus a comparison of the attack path in the graph 230 and the network map 772 serves to identify a computing device (the Firewall) that must be involved in the malicious network communication. The comparison by the comparator 778 can be achieved by following each series of exploits in the graph 230, associating each exploit with a particular computing device in the system 200 (which may involve identifying candidate hosts based on exploited computing services), and identifying intermediate devices in communication between exploited devices as attacked computing devices.
Once identified, attacked computing devices can be subject to remedial and/or responsive measures or alerting can be performed to address the attack. Thus protective measures can be implemented to protect the computer system 200 from the attack. As will be appreciated by those skilled in the art, remedial and/or responsive measures as referred to herein can include: flagging an attack or malicious communication; disconnecting from the network one or more computing devices identified as being attacked or involved in malicious communication; performing anti-malware or anti-virus scans on identified computing devices; patching known vulnerabilities of identified computing services; and other responses and/or remediations as will be apparent to those skilled in the art.
Insofar as embodiments of the invention described are implementable, at least in part, using a software-controlled programmable processing device, such as a microprocessor, digital signal processor or other processing device, data processing apparatus or system, it will be appreciated that a computer program for configuring a programmable device, apparatus or system to implement the foregoing described methods is envisaged as an aspect of the present invention. The computer program may be embodied as source code or undergo compilation for implementation on a processing device, apparatus or system or may be embodied as object code, for example.
Suitably, the computer program is stored on a carrier medium in machine or device readable form, for example in solid-state memory, magnetic memory such as disk or tape, optically or magneto-optically readable memory such as compact disk or digital versatile disk etc., and the processing device utilises the program or a part thereof to configure it for operation. The computer program may be supplied from a remote source embodied in a communications medium such as an electronic signal, radio frequency carrier wave or optical carrier wave. Such carrier media are also envisaged as aspects of the present invention.
It will be understood by those skilled in the art that, although the present invention has been described in relation to the above described example embodiments, the invention is not limited thereto and that there are many possible variations and modifications which fall within the scope of the invention.

Claims (6)

1. A computer implemented method to identify an attacked computing device in a system of network-connected computing devices providing a plurality of computing services, the method comprising: receiving an attack graph as a first data structure including data modelling relationships between vulnerabilities of computing services in a first proper subset of the plurality of computing services and exploitation of such vulnerabilities to identify one or more series of exploits involved in a network attack; receiving a network map as a second data structure including data modelling the computing devices in the system including the network connections of each computing device; comparing the first and second data structures to identify the attacked computing device as an intermediate device in communications between at least two computer services in any of the one or more series of exploits.
2. The method of claim 1 further comprising, in response to the identification of the attacked computing device, implementing protective measures to protect the attacked computing device from the attack.
3. The method of claim 1 wherein the attack graph is a directed acyclic graph data structure.
4. The method of any preceding claim wherein the second data structure is automatically generated by software adapted to map a networked computer system.
5. A computer system including a processor and memory storing computer program code for performing the steps of a method as claimed in any of claims 1 to 4.
6. A computer program element comprising computer program code to, when loaded into a computer system and executed thereon, cause the computer to perform the steps of a method as claimed in any of claims 1 to 4.
GB1721196.2A 2016-12-30 2017-12-18 Identifying an attacked computing device Active GB2558419B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GBGB1622449.5A GB201622449D0 (en) 2016-12-30 2016-12-30 Identifying an attacked computing device

Publications (3)

Publication Number Publication Date
GB201721196D0 GB201721196D0 (en) 2018-01-31
GB2558419A GB2558419A (en) 2018-07-11
GB2558419B true GB2558419B (en) 2019-11-06

Family

ID=58412241

Family Applications (2)

Application Number Title Priority Date Filing Date
GBGB1622449.5A Ceased GB201622449D0 (en) 2016-12-30 2016-12-30 Identifying an attacked computing device
GB1721196.2A Active GB2558419B (en) 2016-12-30 2017-12-18 Identifying an attacked computing device

Family Applications Before (1)

Application Number Title Priority Date Filing Date
GBGB1622449.5A Ceased GB201622449D0 (en) 2016-12-30 2016-12-30 Identifying an attacked computing device

Country Status (1)

Country Link
GB (2) GB201622449D0 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080046393A1 (en) * 2006-08-01 2008-02-21 Sushil Jajodia Interactive Analysis of Attack Graphs Using Relational Queries
US20130318615A1 (en) * 2012-05-23 2013-11-28 International Business Machines Corporation Predicting attacks based on probabilistic game-theory
WO2015160367A1 (en) * 2014-04-18 2015-10-22 Hewlett-Packard Development Company, L.P. Pre-cognitive security information and event management
EP3131261A1 (en) * 2015-08-13 2017-02-15 Accenture Global Services Limited Computer asset vulnerabilities

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080046393A1 (en) * 2006-08-01 2008-02-21 Sushil Jajodia Interactive Analysis of Attack Graphs Using Relational Queries
US20130318615A1 (en) * 2012-05-23 2013-11-28 International Business Machines Corporation Predicting attacks based on probabilistic game-theory
WO2015160367A1 (en) * 2014-04-18 2015-10-22 Hewlett-Packard Development Company, L.P. Pre-cognitive security information and event management
EP3131261A1 (en) * 2015-08-13 2017-02-15 Accenture Global Services Limited Computer asset vulnerabilities

Also Published As

Publication number Publication date
GB201721196D0 (en) 2018-01-31
GB2558419A (en) 2018-07-11
GB201622449D0 (en) 2017-02-15

Similar Documents

Publication Publication Date Title
US10771483B2 (en) Identifying an attacked computing device
US20210029156A1 (en) Security monitoring system for internet of things (iot) device environments
Eder-Neuhauser et al. Cyber attack models for smart grid environments
US11194901B2 (en) Detecting computer security threats using communication characteristics of communication protocols
US10476891B2 (en) Monitoring access of network darkspace
US9609019B2 (en) System and method for directing malicous activity to a monitoring system
EP2774070B1 (en) System and method for detecting a malicious command and control channel
US9306964B2 (en) Using trust profiles for network breach detection
US9769204B2 (en) Distributed system for Bot detection
US9544273B2 (en) Network traffic processing system
US10542020B2 (en) Home network intrusion detection and prevention system and method
WO2022072134A1 (en) Enhanced risk assessment
US11949694B2 (en) Context for malware forensics and detection
WO2016081561A1 (en) System and method for directing malicious activity to a monitoring system
Affinito et al. The evolution of Mirai botnet scans over a six-year period
US10205738B2 (en) Advanced persistent threat mitigation
Salehi et al. Increasing overall network security by integrating signature-based NIDS with packet filtering firewall
GB2558419B (en) Identifying an attacked computing device
Charan et al. DKaaS: DARK-KERNEL as a service for active cyber threat intelligence
US11570149B2 (en) Feedback mechanism to enforce a security policy
Fink Lessons learned from cyber security assessments of SCADA and energy management systems
GB2566561A (en) Network attack signature generation
Hajdarevic et al. Internal penetration testing of Bring Your Own Device (BYOD) for preventing vulnerabilities exploitation
EP3746926A1 (en) Context profiling for malware detection
Kumar A principled approach to measuring the IoT ecosystem