GB2570543A8 - Detecting triggering events for distributed denial of service attacks - Google Patents


Info

Publication number
GB2570543A8
Authority
GB
United Kingdom
Prior art keywords
remediation
endpoints
computer program
proxies
requests
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
GB1817377.3A
Other versions
GB2570543A (en)
GB2570543B8 (en)
GB201817377D0 (en)
GB2570543B (en)
Inventor
Ackerman Karl
David Harris Mark
Neil Reed Simon
J Thomas Andrew
D Ray Kenneth
Stutz Daniel
Howard Fraser
Samosseiko Dmitri
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sophos Ltd
Original Assignee
Sophos Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US15/136,762 (US10938781B2)
Priority claimed from US15/136,687 (US11277416B2)
Application filed by Sophos Ltd
Publication of GB201817377D0
Publication of GB2570543A
Application granted
Publication of GB2570543B
Publication of GB2570543A8
Publication of GB2570543B8
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/3006 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is distributed, e.g. networked systems, clusters, multiprocessor systems
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3055 Monitoring arrangements for monitoring the status of the computing system or of the computing system component, e.g. monitoring if the computing system is on, off, available, not available
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3466 Performance evaluation by tracing or monitoring
    • G06F11/3476 Data logging
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3265 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate chains, trees or paths; Hierarchical trust model
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/144 Detection or countermeasures against botnets
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146 Tracing the source of attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Quality & Reliability (AREA)
  • Software Systems (AREA)
  • Mathematical Physics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method, computer program and device for malicious proxy detection. Outbound traffic is monitored 1502 (in a computer program implementation, traffic to remote addresses outside of the enterprise network is monitored). Secure communication protocol requests (e.g. HTTPS, SSL, TLS) from endpoints are detected 1504 (in a computer program implementation, the requests are from endpoints to remote network addresses). Plaintext network addresses (e.g. URLs, or an alphanumeric address other than an IP address) within the requests are identified 1506. Remediation is performed on potentially malicious local proxies on the endpoints; in the computer program implementation, remediation is initiated 1508. Monitoring may include monitoring outbound traffic at enterprise network gateways or looking up reputations for the destinations of outbound communications. Remediation may include quarantining endpoints until potentially malicious local proxies can be removed, or reversing the malware identification for a potentially malicious proxy by identifying a non-malicious source for the local proxy. Malware verification may be performed on potentially malicious proxies, which may include identifying the processes that initiate the requests and determining their reputations: if a process's reputation is low or unknown, the malware identification is confirmed; if the process's reputation is good, the malware identification is confirmed only when the calling process for that process has a low or unknown reputation.
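The abstract describes a two-stage flow: flag outbound secure-protocol requests that carry a plaintext network address, then confirm or reverse the malware identification from the reputation of the initiating process and of its calling process. The Python sketch below is an added illustration of that decision logic and is not the patent's or Sophos's code. The request records, the process reputation table, the hostname regex and the "release" action (standing in for the abstract's reversal of the identification) are all constructed assumptions for this example.

```python
"""Toy model of the local-proxy detection and verification flow described in
the abstract. Everything here (records, reputations, regex) is constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Secure communication protocols named in the abstract.
SECURE_PROTOCOLS = {"HTTPS", "SSL", "TLS"}

# Plaintext network address: an optional scheme, then a dotted hostname whose
# last label is alphabetic, so a bare dotted-quad IP address never matches
# (the abstract excludes IP addresses). An optional path/port suffix is kept.
ADDRESS_RE = re.compile(
    r"\b(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[:/?#][^\s]*)?", re.I
)

# Constructed reputation table (assumption: a lookup service returns one of
# "good", "low" or "unknown"; unseen processes are treated as "unknown").
REPUTATION = {
    "explorer.exe": "good",
    "browser.exe": "good",
    "badproxy.exe": "low",
    "dropper.exe": "unknown",
}


@dataclass
class OutboundRequest:
    endpoint: str            # endpoint that sent the request
    destination: str         # remote network address (outside the enterprise)
    protocol: str            # protocol the gateway classified the flow as
    payload: str             # observed application-layer bytes (decoded here)
    process: str             # process that initiated the request
    parent: Optional[str]    # calling process, if the endpoint reported one


def plaintext_addresses(payload: str) -> List[str]:
    """Step 1506: return plaintext URLs/hostnames found inside a request."""
    return [m.group(0) for m in ADDRESS_RE.finditer(payload)]


def reputation(process: str) -> str:
    return REPUTATION.get(process, "unknown")


def confirm_malware(process: str, parent: Optional[str]) -> bool:
    """Malware verification as the abstract states it: a low/unknown process
    reputation confirms the identification; a good reputation confirms it only
    when the calling process is low/unknown. No known caller -> not confirmed
    (an assumption made for this example)."""
    if reputation(process) in ("low", "unknown"):
        return True
    if parent is None:
        return False
    return reputation(parent) in ("low", "unknown")


def analyse(requests: List[OutboundRequest]) -> List[dict]:
    """Steps 1502-1508 over a batch of outbound requests. Returns one verdict
    per secure-protocol request that carried a plaintext address."""
    verdicts = []
    for r in requests:
        if r.protocol not in SECURE_PROTOCOLS:
            continue                      # only secure-protocol requests matter
        addresses = plaintext_addresses(r.payload)
        if not addresses:
            continue                      # encrypted as expected, nothing to do
        action = "quarantine" if confirm_malware(r.process, r.parent) else "release"
        verdicts.append({"endpoint": r.endpoint, "process": r.process,
                         "addresses": addresses, "action": action})
    return verdicts


# Constructed sample traffic. host-a is a normal TLS handshake (no plaintext
# address); the other three carry plaintext addresses on flows classified as
# HTTPS, which is the signal the abstract associates with a local proxy.
SAMPLE_REQUESTS = [
    OutboundRequest("host-a", "203.0.113.10", "HTTPS",
                    "\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03",
                    "browser.exe", "explorer.exe"),
    OutboundRequest("host-b", "203.0.113.20", "HTTPS",
                    "GET http://intranet-portal.corp.test/login HTTP/1.1",
                    "badproxy.exe", "explorer.exe"),
    OutboundRequest("host-c", "203.0.113.30", "HTTPS",
                    "CONNECT mail.example.test:443 HTTP/1.1",
                    "browser.exe", "dropper.exe"),
    OutboundRequest("host-d", "203.0.113.40", "HTTPS",
                    "GET http://docs.example.test/index HTTP/1.1",
                    "browser.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for v in analyse(SAMPLE_REQUESTS):
        print(v)
```

host-b is quarantined because the initiating process has a low reputation; host-c is quarantined even though the browser is reputable, because its calling process is unknown; host-d is released, which corresponds to the abstract's reversal of the identification once a non-malicious source for the proxy behaviour is established. In a real deployment the reputation lookups and the endpoint's process/parent reporting are the parts that need hardening, since a spoofed parent process is the obvious way to slip through the second rule.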

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US15/136,762 US10938781B2 (en) 2016-04-22 2016-04-22 Secure labeling of network flows
US15/136,687 US11277416B2 (en) 2016-04-22 2016-04-22 Labeling network flows according to source applications
GB1816827.8A GB2564357B8 (en) 2016-04-22 2016-06-29 Detecting triggering events for distributed denial of service attacks

Publications (5)

Publication Number Publication Date
GB201817377D0 (en) 2018-12-12
GB2570543A (en) 2019-07-31
GB2570543B (en) 2020-05-20
GB2570543A8 (en) 2020-09-30 (this publication)
GB2570543B8 (en) 2021-12-08

Family

ID=60116990

Family Applications (3)

Application Number Title Priority Date Filing Date
GB1816827.8A Active GB2564357B8 (en) 2016-04-22 2016-06-29 Detecting triggering events for distributed denial of service attacks
GB1817377.3A Active GB2570543B8 (en) 2016-04-22 2016-06-29 Detecting triggering events for distributed denial of service attacks
GB1817376.5A Active GB2574283B8 (en) 2016-04-22 2016-06-29 Detecting triggering events for distributed denial of service attacks

Family Applications Before (1)

Application Number Title Priority Date Filing Date
GB1816827.8A Active GB2564357B8 (en) 2016-04-22 2016-06-29 Detecting triggering events for distributed denial of service attacks

Family Applications After (1)

Application Number Title Priority Date Filing Date
GB1817376.5A Active GB2574283B8 (en) 2016-04-22 2016-06-29 Detecting triggering events for distributed denial of service attacks

Country Status (2)

Country Link
GB (3) GB2564357B8 (en)
WO (1) WO2017184189A1 (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10986109B2 (en) 2016-04-22 2021-04-20 Sophos Limited Local proxy detection
US11277416B2 (en) 2016-04-22 2022-03-15 Sophos Limited Labeling network flows according to source applications
US10938781B2 (en) 2016-04-22 2021-03-02 Sophos Limited Secure labeling of network flows
US11102238B2 (en) 2016-04-22 2021-08-24 Sophos Limited Detecting triggering events for distributed denial of service attacks
US11165797B2 (en) 2016-04-22 2021-11-02 Sophos Limited Detecting endpoint compromise based on network usage history
RU2740027C1 (en) * 2020-02-12 2020-12-30 Варити Менеджмент Сервисез Лимитед Method and system for preventing malicious automated attacks
US11381594B2 (en) * 2020-03-26 2022-07-05 At&T Intellectual Property I, L.P. Denial of service detection and mitigation in a multi-access edge computing environment
US20220239634A1 (en) * 2021-01-26 2022-07-28 Proofpoint, Inc. Systems and methods for sensor trustworthiness
US20240007483A1 (en) * 2022-07-01 2024-01-04 Nozomi Networks Sagl Method for automatic signatures generation from a plurality of sources
CN115589307A (en) * 2022-09-07 2023-01-10 支付宝(杭州)信息技术有限公司 Risk monitoring method and device for distributed system

Family Cites Families (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7930740B2 (en) * 2005-07-07 2011-04-19 International Business Machines Corporation System and method for detection and mitigation of distributed denial of service attacks
US8490190B1 (en) * 2006-06-30 2013-07-16 Symantec Corporation Use of interactive messaging channels to verify endpoints
US8156557B2 (en) * 2007-01-04 2012-04-10 Cisco Technology, Inc. Protection against reflection distributed denial of service attacks
US8782786B2 (en) * 2007-03-30 2014-07-15 Sophos Limited Remedial action against malicious code at a client facility
US8769702B2 (en) * 2008-04-16 2014-07-01 Microsoft Corporation Application reputation service
US8561181B1 (en) * 2008-11-26 2013-10-15 Symantec Corporation Detecting man-in-the-middle attacks via security transitions
AU2010223925A1 (en) * 2009-03-13 2011-11-03 Rutgers, The State University Of New Jersey Systems and methods for the detection of malware
KR100942456B1 (en) * 2009-07-23 2010-02-12 주식회사 안철수연구소 Method for detecting and protecting ddos attack by using cloud computing and server thereof
US8832835B1 (en) * 2010-10-28 2014-09-09 Symantec Corporation Detecting and remediating malware dropped by files
US20120324568A1 (en) * 2011-06-14 2012-12-20 Lookout, Inc., A California Corporation Mobile web protection
CN104718721A (en) * 2012-08-17 2015-06-17 诺基亚通信公司 Data services in a computer system
US9503324B2 (en) * 2013-11-05 2016-11-22 Harris Corporation Systems and methods for enterprise mission management of a computer network
US9967282B2 (en) * 2014-09-14 2018-05-08 Sophos Limited Labeling computing objects for improved threat detection
US20170091482A1 (en) * 2015-09-30 2017-03-30 Symantec Corporation Methods for data loss prevention from malicious applications and targeted persistent threats

Also Published As

Publication number Publication date
GB2574283B (en) 2020-05-20
GB2564357A (en) 2019-01-09
GB2570543A (en) 2019-07-31
WO2017184189A1 (en) 2017-10-26
GB2564357B8 (en) 2021-12-08
GB2574283A (en) 2019-12-04
GB201816827D0 (en) 2018-11-28
GB2564357B (en) 2020-10-07
GB2570543B8 (en) 2021-12-08
GB2574283B8 (en) 2021-12-08
GB201817376D0 (en) 2018-12-12
GB201817377D0 (en) 2018-12-12
GB2570543B (en) 2020-05-20

Similar Documents

Publication Publication Date Title
GB2570543A8 (en) Detecting triggering events for distributed denial of service attacks
US9680795B2 (en) Destination domain extraction for secure protocols
Durumeric et al. An Internet-Wide View of Internet-Wide Scanning
US9985981B2 (en) Monitoring traffic in a computer network
US10104119B2 (en) Short term certificate management during distributed denial of service attacks
US10313372B2 (en) Identifying malware-infected network devices through traffic monitoring
KR101486307B1 (en) Apparatus and method for security monitoring
US9407650B2 (en) Unauthorised/malicious redirection
US9621544B2 (en) Computer implemented method of analyzing X.509 certificates in SSL/TLS communications and the data-processing system
US11388188B2 (en) Systems and methods for automated intrusion detection
EP3041190A1 (en) Dynamic service handling using a honeypot
US11483339B1 (en) Detecting attacks and quarantining malware infected devices
US10263975B2 (en) Information processing device, method, and medium
US20170070518A1 (en) Advanced persistent threat identification
CN108259473B (en) Web server scanning protection method
US20170331853A1 (en) Security system
WO2014062629A1 (en) System and method for correlating security events with subscriber information in a mobile network environment
US10142360B2 (en) System and method for iteratively updating network attack mitigation countermeasures
CN110061998B (en) Attack defense method and device
Yamada et al. Using abnormal TTL values to detect malicious IP packets
US10205738B2 (en) Advanced persistent threat mitigation
US10079857B2 (en) Method of slowing down a communication in a network
US10778708B1 (en) Method and apparatus for detecting effectiveness of security controls
Malik et al. LAN Based Intrusion Detection And Alerts
Jhala et al. Dearth the Security of Smartphone Messaging Application: WhatsApp

Legal Events

Date Code Title Description
S117 Correction of errors in patents and applications (sect. 117/patents act 1977)

Free format text: REQUEST FILED; REQUEST FOR CORRECTION UNDER SECTION 117 FILED ON 18 OCTOBER 2021

S117 Correction of errors in patents and applications (sect. 117/patents act 1977)

Free format text: CORRECTIONS ALLOWED; REQUEST FOR CORRECTION UNDER SECTION 117 FILED ON 18 OCTOBER 2021 ALLOWED ON 25 NOVEMBER 2021