GB2588905A - Device classification based network security - Google Patents


Info

Publication number: GB2588905A
Authority: GB (United Kingdom)
Prior art keywords: network; security; computer; service discovery; machine learning
Legal status: Pending
Application number: GB1916465.6A
Other versions: GB201916465D0 (en)
Inventors: Cheng Yipeng; El-Moussa Fadi
Current Assignee: British Telecommunications PLC
Original Assignee: British Telecommunications PLC
Priority date: 2019-11-13
Filing date: 2019-11-13
Publication date: 2021-05-19
Application filed by British Telecommunications PLC
Priority to GB1916465.6A
Publication of GB201916465D0 (2019-12-25)
Publication of GB2588905A (2021-05-19)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/51 Discovery or management thereof, e.g. service location protocol [SLP] or web services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Abstract

A method of security for a device 202 connected to a network 200. A specification of a set of services for the device is determined by a network attached component 204 based upon communication with the device using service discovery protocols (SDP) 206. The device is classified based on the specification, the classification having associated a predetermined set of acceptable states of operation of the device, 208-210. The classification is made using a supervised machine learning method whereby the classifier is trained by trainer 218 on the basis of training data 216. A security component 212 implements security measures 214 when a deviation from the acceptable states of operation of the device is detected. The service discovery protocols may include Simple SDP (SSDP) and Universal Plug and Play (UPnP). The security measures may include filtering, intercepting, flagging, scanning, parsing and disconnection. The machine learning method may be a recurrent neural network such as a long short-term memory (LSTM) network, or may use a support vector machine (SVM). The device 202 may be an internet of things (IoT) device, a smart appliance, a telephony device or other user equipment.

Description

Device Classification Based Network Security

The present invention relates to the classification of devices connected to a computer network for security.
Automated network security for local networks, such as a home network, applies rules to classify communicating devices in order to impose predetermined security controls in dependence on each device class. For example, devices can be classified as: predominantly traffic sinks (e.g. media streaming devices); predominantly traffic sources (e.g. internet cameras); high traffic volume devices (e.g. video players); low traffic volume devices (e.g. internet telephones); high traffic frequency devices (e.g. smartphones); and other classes.
Security controls can be applied automatically to devices according to their classification as a means to provide first-level security without intervention of a network operator. For example, deviations from normal network communication can be flagged and stopped.
Improvements to such techniques are desirable.
According to a first aspect of the present invention, there is provided a computer implemented method of computer security for a network-connected device communicating via a computer network, the method comprising: accessing a specification of a set of services supported by the device, the specification being determined based on a communication with the device using one or more service discovery protocols; classifying the device based on the specification, the classification having associated a predetermined set of acceptable states of operation of the device; deploying security measures for the device responsive to a detection of a deviation of a state of operation of the device from the acceptable states of operation, wherein the classification is made using a supervised machine learning method trained using training data for a plurality of training network-connected devices each having a specification of a set of services and a definition of a set of acceptable states of operation.
Preferably, the service discovery protocols include the Simple Service Discovery Protocol (SSDP).
Preferably, the service discovery protocols include Universal Plug and Play (UPnP) protocols.
Preferably, the specification is an Extensible Markup Language (XML) specification of services supported by the device.
Preferably, security measures include one or more of: any of interrupting, filtering, intercepting, precluding and flagging communications with the device; any of scanning, parsing, searching and logging communications with the device; and disconnecting the device from the network.
Preferably, the supervised machine learning method is a recurrent neural network such as a long short-term memory (LSTM) network.
Preferably, the supervised machine learning method includes a support vector machine (SVM).
According to a second aspect of the present invention, there is provided a computer system including a processor and memory storing computer program code for performing the steps of the method set out above.
According to a third aspect of the present invention, there is provided a computer system including a processor and memory storing computer program code for performing the steps of the method set out above.
Embodiments of the present invention will now be described, by way of example only, with reference to the accompanying drawings, in which: Figure 1 is a block diagram of a computer system suitable for the operation of embodiments of the present invention; Figure 2 is a component diagram of an arrangement for providing computer security for a network-connected device in accordance with embodiments of the present invention; Figure 3 is a flowchart of a method of computer security for a network-connected device in accordance with embodiments of the present invention; Figure 4 is a component diagram of an arrangement for providing computer security for a network-connected device in accordance with embodiments of the present invention; and Figure 5 is a flowchart of a method of computer security for a network-connected device in accordance with embodiments of the present invention.
First-line defence automated network security for local networks depends on an appropriate classification of network-connected devices as they are introduced to, or discovered in, the network. For example, a media access control (MAC) address may be employed to classify a device. A MAC address includes a vendor portion and a device portion and devices can be classified based on their vendor on the basis that, for example, a vendor may specialise in a particular class of device. This is increasingly unreliable as vendors develop devices across many use cases.
The challenge of appropriate device classification is compounded by an increasing number of devices connecting to computer networks, such as internet of things (IoT) devices. IoT devices can be many and varied, ranging from devices with a specific application such as an internet camera, presence sensor or the like, to integrated connectivity in conventional devices such as smart televisions, smart appliances (cookers, fridges etc.), smart toys etc. Such devices can appear on, and disappear from, a network very quickly and with high frequency, and a network operator may defer to automated security measures for such devices, rendering appropriate classification critical in first-line security.
Figure 1 is a block diagram of a computer system suitable for the operation of embodiments of the present invention. A central processor unit (CPU) 102 is communicatively connected to a storage 104 and an input/output (I/O) interface 106 via a data bus 108. The storage 104 can be any read/write storage device such as a random-access memory (RAM) or a non-volatile storage device. An example of a non-volatile storage device includes a disk or tape storage device. The I/O interface 106 is an interface to devices for the input or output of data, or for both input and output of data. Examples of I/O devices connectable to I/O interface 106 include a keyboard, a mouse, a display (such as a monitor) and a network connection.
Figure 2 is a component diagram of an arrangement for providing computer security for a network-connected device 202 in accordance with embodiments of the present invention. The network-connected device 202 can be any suitable device operable to communicate via a computer network 200 such as a wired, wireless or combination network. For example, the device 202 can be a computer system whether generalised or dedicated in nature, including pervasive devices, internet of things (IoT) devices, smart appliances, network appliances or components, components of network-connected vehicles, telephony or other communications devices, user terminal equipment, or any other suitable device as will be apparent to those skilled in the art.
A further network attached component 204 is provided such as a network appliance, router, network security component, firewall, proxy, or other suitable computer system. The component 204 provides security facilities for the device 202 and, as such, can be provided with, as part of, or in conjunction with the device 202. Alternatively, the component 204 can be provided as part of the network 200 or as part of one or more services or facilities provided via the network 200 such as a domestic network router, access point or network hub, a switch, security server or the like.
Notably, either or both the device 202 and component 204 can be provided as physical devices, virtual devices, or combination of physical and virtual devices. Further, while the component 204 is depicted in Figure 2 as including other features 206 to 214 it will be appreciated by those skilled in the art that such other features may be provided by other, further, components or the device 202 itself and the arrangement of Figure 2 is not to be considered limiting on the particular configuration of the component 204.
In use, the component 204 provides, obtains, accesses or generates a classifier 208 as one or more software components for classifying input data sets into classes as output data. The classifier 208 is provided by way of a machine learning method such as a recurrent neural network as will be apparent to those skilled in the art. For example, the classifier 208 is a long short-term memory (LSTM) network or a support vector machine (SVM). In accordance with embodiments of the present invention, the classifier 208 is arranged to classify a device specification 206 into a class of device, each class of device having associated a set 210 of acceptable states of operation of a device within such class. These features are considered in more detail below.
The device specification 206 is a specification of a set of services supported by the device 202. In a preferred embodiment, the specification 206 is obtained by way of a service discovery protocol such as the Simple Service Discovery Protocol (SSDP) specified by the Internet Engineering Task Force (IETF) (available at tools.ietf.org/pdf/draft-cai-ssdp-v1-03.pdf) according to which "the SSDP provides a mechanism whereby network clients, with little or no static configuration, can discover network services. SSDP accomplishes this by providing for multicast discovery support as well as server based notification and discovery routing." Thus, using SSDP or any suitable service discovery protocol, a specification of a set of services supported by the device 202 can be obtained. For example, using SSDP such a specification can take the form of an Extensible Markup Language (XML) document specifying supported services, and thus would constitute a textual specification.
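As an added illustration, not part of the patent text, the following Python shows how the textual specification 206 can be assembled from what SSDP actually yields: an announcement whose LOCATION header points at the device's UPnP description, and that description's XML service list. The NOTIFY message, the XML, the UUID and the 192.0.2.10 address are constructed sample data; the size cap on the description and the check that the announcement's USN agrees with the description's UDN are this example's own defensive choices, not steps the patent describes.

```python
import xml.etree.ElementTree as ET

# Constructed SSDP NOTIFY (ssdp:alive) announcement. The address, UUID and
# SERVER string are sample values, not captured from any real device.
SAMPLE_NOTIFY = (
    "NOTIFY * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "LOCATION: http://192.0.2.10:49152/description.xml\r\n"
    "NT: upnp:rootdevice\r\n"
    "NTS: ssdp:alive\r\n"
    "SERVER: ExampleOS/1.0 UPnP/1.1 ExampleCam/2.3\r\n"
    "USN: uuid:0a1b2c3d-0000-4000-8000-000000000001::upnp:rootdevice\r\n"
    "\r\n"
)

# Constructed UPnP device description: what an HTTP GET of the LOCATION
# URL above would return. This is the XML specification of services.
SAMPLE_DESCRIPTION = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <specVersion><major>1</major><minor>1</minor></specVersion>
  <device>
    <deviceType>urn:schemas-upnp-org:device:MediaServer:1</deviceType>
    <friendlyName>Example Camera</friendlyName>
    <manufacturer>ExampleCo</manufacturer>
    <modelName>ExampleCam</modelName>
    <UDN>uuid:0a1b2c3d-0000-4000-8000-000000000001</UDN>
    <serviceList>
      <service>
        <serviceType>urn:schemas-upnp-org:service:ContentDirectory:1</serviceType>
        <serviceId>urn:upnp-org:serviceId:ContentDirectory</serviceId>
        <controlURL>/upnp/control/cds</controlURL>
      </service>
      <service>
        <serviceType>urn:schemas-upnp-org:service:ConnectionManager:1</serviceType>
        <serviceId>urn:upnp-org:serviceId:ConnectionManager</serviceId>
        <controlURL>/upnp/control/cm</controlURL>
      </service>
    </serviceList>
  </device>
</root>
"""

UPNP_NS = {"u": "urn:schemas-upnp-org:device-1-0"}


def parse_ssdp_message(raw: str) -> dict:
    """Split an SSDP message (HTTP/1.1 syntax carried over UDP) into its
    start line and a dict of upper-cased header names to values."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if line == "":
            break  # the empty line terminates the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return {"start_line": lines[0], "headers": headers}


def parse_device_description(xml_text: str, max_bytes: int = 64 * 1024) -> dict:
    """Extract device identity and the sorted set of advertised serviceTypes.

    The description is device-supplied input: it is size-capped before
    parsing and only the elements the specification needs are read. For
    untrusted XML in production, parse with the defusedxml package instead.
    """
    if len(xml_text.encode("utf-8")) > max_bytes:
        raise ValueError("device description exceeds size cap")
    device = ET.fromstring(xml_text).find("u:device", UPNP_NS)
    if device is None:
        raise ValueError("description has no <device> element")

    def field(tag: str) -> str:
        el = device.find(f"u:{tag}", UPNP_NS)
        return (el.text or "").strip() if el is not None else ""

    services = sorted(
        (s.text or "").strip()
        for s in device.findall("u:serviceList/u:service/u:serviceType", UPNP_NS)
    )
    return {
        "device_type": field("deviceType"),
        "manufacturer": field("manufacturer"),
        "model": field("modelName"),
        "udn": field("UDN"),
        "services": tuple(s for s in services if s),
    }


def build_specification(ssdp_raw: str, description_xml: str) -> dict:
    """Combine announcement headers and device description into one record.

    USN is '<UDN>::<NT>'. Its UDN half must equal the UDN inside the
    description; if not, the announcement and the description disagree
    about which device is described and the record is marked inconsistent.
    """
    msg = parse_ssdp_message(ssdp_raw)
    spec = parse_device_description(description_xml)
    usn_udn = msg["headers"].get("USN", "").split("::", 1)[0]
    spec["location"] = msg["headers"].get("LOCATION", "")
    spec["server"] = msg["headers"].get("SERVER", "")
    spec["announcement_consistent"] = bool(usn_udn) and usn_udn == spec["udn"]
    return spec


if __name__ == "__main__":
    for key, value in build_specification(SAMPLE_NOTIFY, SAMPLE_DESCRIPTION).items():
        print(f"{key}: {value}")
```

The sorted tuple of serviceType URNs is the part of the record a classifier would consume; the identity fields and the consistency flag are kept alongside so that a device whose announcement and description disagree can be treated with suspicion rather than silently classified.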
Thus, in use, the classifier 208 is operable to classify the device 202 on the basis of the device specification 206 for the device 202. To achieve this, the classifier 208 is trained by a trainer component 218 as a hardware, software, firmware or combination component arranged to train the classifier 208 on the basis of training data 216. The training data 216 includes device specifications for a range of devices such that devices exhibiting commonality in respect of their specifications may be classified in like classes. Such training processes for machine learning methods are known to those skilled in the art.
For each class to which devices may be classified by the classifier 208, a set of acceptable states of operation 210 for the devices is associated with the class. An acceptable state of operation is a state of operation of a device in a class that is determined to be normal, typical, usual or non-deviant for devices in the class. Such determinations can be made based on prior analysis of devices in operation and may, in some embodiments, themselves arise from a machine learning method on which basis typical behaviours are learned. For example, behaviours can be characterised in terms of: resource consumption of devices such as processor, memory, network bandwidth and the like; network activity such as a number, frequency and/or nature of network communications performed by, with or via devices; a frequency of connection, disconnection and/or a duration of connection of devices; and other operational characteristics of devices as will be apparent to those skilled in the art.
Thus, in use, the component 204 is operable to access or receive a device specification 206 for the device 202, such as based on communication with the device 202 using the SSDP protocol including, for example: one or more SSDP "SEARCH" messages; one or more SSDP "NOTIFY" messages; and one or more service requests under the SSDP protocol. Further, the component 204 is operable to classify the device 202 by way of the classifier 208 based on the device specification 206 to determine a set of acceptable states of operation for the device 202.
The component 204 additionally includes a security component 212 as a hardware, software, firmware or combination component arranged to provide security services for the device 202. In particular, the security component 212 is operable to implement security measures 214 in respect of the device 202 where the device 202 is determined to have a state of operation that deviates from the acceptable states of operation 210 for the device as determined based on the classification of the device by the classifier 208. Such deviation represents, for example, a state of operation of the device 202 that is inconsistent with acceptable states of operation 210.
Security measures are processes, procedures, operations, facilities, configuration changes, constraints or other measures as may be employed and/or effected by the security component 212 in respect of the device 202. For example, security measures 214 can be effected to mitigate a potential attack, vulnerability or other security threat in respect of the device 202 indicated by an operation of the device 202 outside the set of acceptable states of operation 210. For example, security measures can include one or more of: any of interrupting, filtering, intercepting, precluding and flagging communications with the device; any of scanning, parsing, searching and logging communications with the device; disconnecting the device from the network; and other security measures as will be apparent to those skilled in the art.
Thus, in this way, the device 202 is classified automatically on the basis of security services supported by the device to determine a set of acceptable states of operation 210 on which basis security measures 214 can be deployed to provide protection for the device 202 or the network 200 from security threats.
Figure 3 is a flowchart of a method of computer security for a network-connected device in accordance with embodiments of the present invention. Initially, at step 302, the method accesses a specification 206 of a set of services supported by the device 202, the specification 206 being determined based on a communication with the device using one or more service discovery protocols. At step 304 the method classifies the device 202 based on the specification 206, the classification having associated a predetermined set of acceptable states of operation 210 of the device 202. Security measures for the device 202 are deployed at step 308 responsive to a detection, at step 306, of a deviation of a state of operation of the device 202 from the acceptable states of operation 210.
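The steps of Figure 3 carried through end to end, as an added Python example rather than the patent's or the applicant's code. The training data 216, the class names, the acceptable-state thresholds 210 and the policy that maps a deviation to measures 214 are all constructed assumptions. The classifier is a k-nearest-neighbour vote on Jaccard similarity of service sets, a simple supervised method standing in for the LSTM or SVM the description names so that the example runs without ML libraries; a device whose nearest training examples are too dissimilar is placed in an "unknown" class that carries the most restrictive acceptable states, which is the fail-safe choice for first-line security.

```python
from collections import Counter

# UPnP service type URNs used in the constructed training data.
CD = "urn:schemas-upnp-org:service:ContentDirectory:1"
CM = "urn:schemas-upnp-org:service:ConnectionManager:1"
AVT = "urn:schemas-upnp-org:service:AVTransport:1"
RC = "urn:schemas-upnp-org:service:RenderingControl:1"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
L3F = "urn:schemas-upnp-org:service:Layer3Forwarding:1"
WANCIC = "urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1"

# Constructed training data: (service specification, class). A real set
# would cover many devices per class.
TRAINING_DATA = [
    ({CD, CM}, "media_source"),
    ({CD, CM, "urn:schemas-upnp-org:service:X_MS_MediaReceiverRegistrar:1"}, "media_source"),
    ({AVT, RC, CM}, "media_sink"),
    ({AVT, RC}, "media_sink"),
    ({WANIP, L3F, WANCIC}, "gateway"),
    ({WANIP, WANCIC}, "gateway"),
]

# Constructed acceptable states of operation per class. Sources may send a
# lot and receive little, sinks the reverse; 'unknown' is the tightest.
ACCEPTABLE_STATES = {
    "media_source": {"max_out_kbps": 20000, "max_in_kbps": 500, "max_new_conn_per_min": 10},
    "media_sink": {"max_out_kbps": 500, "max_in_kbps": 20000, "max_new_conn_per_min": 10},
    "gateway": {"max_out_kbps": 50000, "max_in_kbps": 50000, "max_new_conn_per_min": 200},
    "unknown": {"max_out_kbps": 100, "max_in_kbps": 100, "max_new_conn_per_min": 2},
}

# Observed-state metric -> the acceptable-state limit it is checked against.
METRIC_LIMITS = {
    "out_kbps": "max_out_kbps",
    "in_kbps": "max_in_kbps",
    "new_conn_per_min": "max_new_conn_per_min",
}


def jaccard(a, b) -> float:
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if (a or b) else 1.0


def classify(services, training=TRAINING_DATA, k=3, min_similarity=0.3):
    """Step 304: k-NN majority vote over Jaccard similarity of service sets.
    Returns (class, similarity of the best-matching training example)."""
    ranked = sorted(training, key=lambda ex: jaccard(services, ex[0]), reverse=True)
    best = jaccard(services, ranked[0][0])
    if best < min_similarity:
        return "unknown", best  # nothing in the training data looks like this device
    votes = Counter(label for _, label in ranked[:k])
    return votes.most_common(1)[0][0], best


def detect_deviation(device_class: str, observed: dict) -> list:
    """Step 306: every (metric, observed value, limit) where the observed
    state of operation exceeds the class's acceptable state."""
    limits = ACCEPTABLE_STATES[device_class]
    return [
        (metric, observed.get(metric, 0), limits[limit_key])
        for metric, limit_key in METRIC_LIMITS.items()
        if observed.get(metric, 0) > limits[limit_key]
    ]


def select_measures(violations: list) -> list:
    """Step 308: constructed policy choosing from the measures the patent
    lists. Any deviation is flagged and logged; a moderate or multi-metric
    deviation is filtered; a gross deviation disconnects the device."""
    if not violations:
        return []
    measures = ["flag", "log"]
    worst_ratio = max(value / limit for _, value, limit in violations)
    if worst_ratio > 10:
        measures.append("disconnect")
    elif len(violations) > 1 or worst_ratio > 2:
        measures.append("filter")
    return measures


def assess(services, observed: dict) -> dict:
    """Run the full Figure 3 pipeline for one device."""
    device_class, similarity = classify(services)
    violations = detect_deviation(device_class, observed)
    return {
        "class": device_class,
        "similarity": round(similarity, 3),
        "violations": violations,
        "measures": select_measures(violations),
    }


if __name__ == "__main__":
    # A renderer that suddenly uploads at 6 Mbit/s is outside its class's states.
    print(assess({AVT, RC, CM}, {"out_kbps": 6000, "in_kbps": 100, "new_conn_per_min": 3}))
```

The thresholds are deliberately asymmetric per class, which is the whole point of classifying before monitoring: 6 Mbit/s outbound is unremarkable for a media server but is a strong anomaly for a media renderer, and only the class tells the two apart.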
Figure 4 is a component diagram of an arrangement for providing computer security for a network-connected device in accordance with embodiments of the present invention. Many of the elements of Figure 4 are identical to those described above with respect to Figure 2 and these will not be repeated here. Figure 4 differs in that the classifier 408 is differently configured to classify the device 402 on the basis of attributes 406 of communications undertaken by the device 402, as will be described below. Thus, this differing basis for the classification of the device 402 in Figure 4 requires a different basis in the training data 416 for training the classifier 408 by the trainer 418, such that the training data 416 includes communication attributes of training devices. Notably, the nature of the classifier 408 for classifying the device 402 into a class having associated a set 410 of acceptable states of operation is unchanged vis-à-vis Figure 2.
The communication attributes 406 are attributes of communication performed by the device 402 when the device is communicating in accordance with a service discovery protocol such as SSDP or, in particular, the Universal Plug and Play (UPnP) protocol. Such attributes 406 can include raw communications data from a portion of communication performed according to such protocols, such portion being predetermined and consistently used in both the classifying functions of the component 404 and the training functions of the trainer 418. For example, a setup portion of communication under the UPnP protocol may be employed, where such setup portion can be specifically defined in terms of a stage or phase of communication under a UPnP communications procedure. For example, UPnP communications with devices can be considered as taking place in a number of phases as outlined in the presentation "UPnP Technical basics: UPnP Device Architecture (UDA)" (UPnP Forum, upnp.org, July 2014, available at www.upnp.org/resources/documents/UPnP_UDA_tutorial_July2014.pdf). Such phases include: discovery; description; control; and protocol. Thus, one or more of these phases may be considered a requisite portion of communication under the UPnP protocol for the purpose of determining characteristics of the communication as attributes 406 thereof.
While the attributes of the communication 406 can include raw communication data, depending upon the nature of the machine learning algorithm employed for the classifier 408, attributes can alternatively or additionally include one or more of, inter alia: a number of messages communicated with the device 402; a number of messages communicated by the device 402; a number of messages communicated to the device 402; a volume of data in the communication; a number of HTTPU (hypertext transport protocol, unicast) requests issued; one or more particular message types; and other attributes as will be apparent to those skilled in the art. Preferably, the attributes selected for the classifier 408 are determined based on their suitability for classifying the device 402.
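An added Python example, not from the patent, of deriving the communication attributes 406 from the discovery phase: from a constructed list of SSDP datagrams seen on the device's network segment it counts the messages communicated with, by and to the device, the data volume, the HTTPU (unicast) requests and the message types, and emits a fixed-order numeric vector a classifier could consume. The addresses and datagrams are constructed; the attribute set is the one listed above, while the rule for what counts as a message "to" the device and the vector layout are this example's own choices.

```python
SSDP_MCAST = "239.255.255.250"
DEVICE_IP = "192.0.2.10"       # constructed address of the device being classified
CONTROLLER_IP = "192.0.2.20"   # constructed address of a control point on the segment

# Constructed discovery-phase datagrams seen by the classifying component,
# as (source, destination, payload) tuples. Not a real capture.
SAMPLE_CAPTURE = [
    (DEVICE_IP, SSDP_MCAST,
     "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNT: upnp:rootdevice\r\n"
     "NTS: ssdp:alive\r\nUSN: uuid:0a1b2c3d-0000-4000-8000-000000000001::upnp:rootdevice\r\n\r\n"),
    (DEVICE_IP, SSDP_MCAST,
     "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
     "NT: urn:schemas-upnp-org:service:ContentDirectory:1\r\nNTS: ssdp:alive\r\n\r\n"),
    (CONTROLLER_IP, SSDP_MCAST,
     "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\n"
     "MX: 2\r\nST: ssdp:all\r\n\r\n"),
    (DEVICE_IP, CONTROLLER_IP,
     "HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
     "LOCATION: http://192.0.2.10:49152/description.xml\r\n\r\n"),
    (CONTROLLER_IP, DEVICE_IP,
     "M-SEARCH * HTTP/1.1\r\nHOST: 192.0.2.10:1900\r\nMAN: \"ssdp:discover\"\r\n"
     "ST: upnp:rootdevice\r\n\r\n"),
    (DEVICE_IP, CONTROLLER_IP,
     "HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
     "LOCATION: http://192.0.2.10:49152/description.xml\r\n\r\n"),
]

MESSAGE_TYPES = ("NOTIFY", "M-SEARCH", "RESPONSE", "OTHER")


def message_type(payload: str) -> str:
    """Type an SSDP datagram by its start line: a request method, or a
    status line (HTTP/1.1 ...), which is a unicast reply to an M-SEARCH."""
    start = payload.split("\r\n", 1)[0]
    if start.startswith("HTTP/"):
        return "RESPONSE"
    method = start.split(" ", 1)[0]
    return method if method in MESSAGE_TYPES else "OTHER"


def communication_attributes(capture, device_ip: str) -> dict:
    """Attributes 406 for one device over the discovery phase.

    A datagram is 'to' the device if it is addressed to it directly or to
    the SSDP multicast group the device listens on; it is 'from' the device
    if the device is the source. HTTPU requests are requests sent unicast
    rather than to the multicast group (HTTPMU).
    """
    attrs = {"messages_with_device": 0, "messages_from_device": 0,
             "messages_to_device": 0, "bytes": 0, "httpu_requests": 0}
    for t in MESSAGE_TYPES:
        attrs[f"type_{t}"] = 0
    for src, dst, payload in capture:
        if src == device_ip:
            attrs["messages_from_device"] += 1
        elif dst in (device_ip, SSDP_MCAST):
            attrs["messages_to_device"] += 1
        else:
            continue  # traffic between other hosts is not an attribute of this device
        attrs["messages_with_device"] += 1
        attrs["bytes"] += len(payload.encode("utf-8"))
        mtype = message_type(payload)
        attrs[f"type_{mtype}"] += 1
        if mtype != "RESPONSE" and dst != SSDP_MCAST:
            attrs["httpu_requests"] += 1
    return attrs


VECTOR_ORDER = ["messages_with_device", "messages_from_device", "messages_to_device",
                "bytes", "httpu_requests"] + [f"type_{t}" for t in MESSAGE_TYPES]


def attribute_vector(attrs: dict) -> list:
    """Fixed-order numeric vector for a classifier; the order is this
    example's choice and must match the one used when training."""
    return [attrs[k] for k in VECTOR_ORDER]


if __name__ == "__main__":
    print(attribute_vector(communication_attributes(SAMPLE_CAPTURE, DEVICE_IP)))
```

The same function run with the control point's address yields that host's attributes instead, which is how one capture of the discovery phase serves both training (many labelled hosts) and classification (one unknown host), provided the phase boundary and the vector order are fixed once and shared by trainer and classifier, as the description requires.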
Thus, according to the arrangement of Figure 4, the device 402 is classified automatically on the basis of communication attributes 406 to determine a set of acceptable states of operation 410 on which basis security measures 414 can be deployed to provide protection for the device 402 or the network 400 from security threats.
Figure 5 is a flowchart of a method of computer security for a network-connected device in accordance with embodiments of the present invention. Initially, at step 502, the method accesses communication attributes 406 for the device 402, the attributes 406 being determined based on a communication with the device 402 using one or more service discovery protocols. At step 504 the method classifies the device 402 based on the attributes 406, the classification having associated a predetermined set of acceptable states of operation 410 of the device 402. Security measures for the device 402 are deployed at step 508 responsive to a detection, at step 506, of a deviation of a state of operation of the device 402 from the acceptable states of operation 410.
Insofar as embodiments of the invention described are implementable, at least in part, using a software-controlled programmable processing device, such as a microprocessor, digital signal processor or other processing device, data processing apparatus or system, it will be appreciated that a computer program for configuring a programmable device, apparatus or system to implement the foregoing described methods is envisaged as an aspect of the present invention. The computer program may be embodied as source code or undergo compilation for implementation on a processing device, apparatus or system or may be embodied as object code, for example.
Suitably, the computer program is stored on a carrier medium in machine or device readable form, for example in solid-state memory, magnetic memory such as disk or tape, optically or magneto-optically readable memory such as compact disk or digital versatile disk etc., and the processing device utilises the program or a part thereof to configure it for operation. The computer program may be supplied from a remote source embodied in a communications medium such as an electronic signal, radio frequency carrier wave or optical carrier wave. Such carrier media are also envisaged as aspects of the present invention.
It will be understood by those skilled in the art that, although the present invention has been described in relation to the above described example embodiments, the invention is not limited thereto and that there are many possible variations and modifications which fall within the scope of the invention.
The scope of the present invention includes any novel features or combination of features disclosed herein. The applicant hereby gives notice that new claims may be formulated to such features or combination of features during prosecution of this application or of any such further applications derived therefrom. In particular, with reference to the appended claims, features from dependent claims may be combined with those of the independent claims and features from respective independent claims may be combined in any appropriate manner and not merely in the specific combinations enumerated in the claims.

Claims (9)

  1. A computer implemented method of computer security for a network-connected device communicating via a computer network, the method comprising: accessing a specification of a set of services supported by the device, the specification being determined based on a communication with the device using one or more service discovery protocols; classifying the device based on the specification, the classification having associated a predetermined set of acceptable states of operation of the device; deploying security measures for the device responsive to a detection of a deviation of a state of operation of the device from the acceptable states of operation, wherein the classification is made using a supervised machine learning method trained using training data for a plurality of training network-connected devices each having a specification of a set of services and a definition of a set of acceptable states of operation.
  2. The method of any preceding claim wherein the service discovery protocols include the Simple Service Discovery Protocol (SSDP).
  3. The method of any preceding claim wherein the service discovery protocols include Universal Plug and Play (UPnP) protocols.
  4. The method of any preceding claim wherein the specification is an Extensible Markup Language (XML) specification of services supported by the device.
  5. The method of any preceding claim wherein security measures include one or more of: any of interrupting, filtering, intercepting, precluding and flagging communications with the device; any of scanning, parsing, searching and logging communications with the device; and disconnecting the device from the network.
  6. The method of any preceding claim wherein the supervised machine learning method is a recurrent neural network such as a long short-term memory (LSTM) network.
  7. The method of any preceding claim wherein the supervised machine learning method includes a support vector machine (SVM).
  8. A computer system including a processor and memory storing computer program code for performing the steps of the method of any preceding claim.
  9. A computer program element comprising computer program code to, when loaded into a computer system and executed thereon, cause the computer to perform the steps of a method as claimed in any of claims 1 to 7.

Priority Applications (1)

Application Number  Priority Date  Filing Date  Title
GB1916465.6A (GB2588905A)  2019-11-13  2019-11-13  Device classification based network security

Publications (2)

Publication Number  Publication Date
GB201916465D0 (en)  2019-12-25
GB2588905A (en)  2021-05-19

Family

ID=69062209

Country Status (1)

Country  Link
GB (1)  GB2588905A (en)
