JP2002189643A - Method and device for scanning communication traffic - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a method and a device for scanning a communication traffic. SOLUTION: The present invention discloses a method and a device for analyzing network security, that is, for monitoring a communication stream outgoing from a communication network to determine whether information from the network is illegally transmitted or not.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

FIELD OF THE INVENTION The present invention relates generally to communication networks, and more particularly to analyzing communication streams to detect potential security leaks.

[0002]

BACKGROUND OF THE INVENTION Advances in communication technology and the proliferation of powerful desktop computer hardware have resulted in an ever-increasing opportunity for computers to access a variety of public computer networks. Today, vast amounts of information are being exchanged between individual users around the world via public computer networks, such as the well-known Internet. One class of users includes private and professional users interconnected via a private network, for example, a corporate intranet. The Internet, the expansive international public network of computer networks, is rapidly becoming an important source of information, electronic communications and electronic commerce for personal computer users in homes and businesses around the world. For example, World Wid
There is a great deal of information on e-Web (WWW), a network called “Web”. Well-known WWW
Is a graphical subnetwork of the Internet. The WWW is essentially a collection of formatted hypertext pages that reside in millions of computers worldwide and are logically connected by the Internet. The information present on the web, ie the content, is displayed in the form of so-called "web pages", which are referred to as "web browsers".
Accessed by a user interface program called As a result of the increased opportunity for information exchange between private and public computer networks, a variety of significant security issues have arisen regarding the protection of information on the private computer network and the overall functioning of the private computer network itself. It has occurred.

[0003] The security of computer networks is directed, at a minimum, to ensuring the reliable operation of computing and networking resources, and to protect the information in the network from unauthorized disclosure or access. With a variety of security threats, the challenge to network security is growing in sophistication. More specifically, some of the most sophisticated types of security threats use programs that exploit weaknesses in network confluent systems. Security threats using such programs include:
For example, the well-known logic bombs, trapdoors (t
rapdoors), trojan horses, viruses (virues), and worms. The threats from these known software programs are:
It can work alone to achieve the desired security breach (eg, like a worm), or it can host programs (such as a trapdoor, logic bomb, Trojan, virus, etc.) By arousing, they may perform their desired disruptive activity. In fact, there are countless well-known articles about such programs used to breach the security of private computer networks and cause serious damage. Such damage includes the destruction of electronic files, rewriting of databases, disabling of the computer network itself or computer hardware connected to the affected network.

[0004] In addition to the security issues described above, network administrators responsible for the operation of certain computer networks require highly classified information.
sified information), such as security information (c
care is taken that onfidential information is not illegally transmitted from the computer network to the public area via the Internet. For example, a network administrator of a large corporate computer network may want to ensure that company trade secrets or other proprietary information are not unauthorized from the corporate intranet to the Internet through email delivery. Take care Such fraudulent communications may occur essentially as a result of employee ignorance or carelessness, or as a result of intentional breach of company security guidelines by dissatisfied or neglected employees. There is also.

[0005]

In one conventional security measure for reducing the unauthorized leakage of information from a computer network, a communication stream selection check is performed. Such conventional techniques are similar to security measures used to verify credit card numbers when conducting automated purchase transactions over a network, for example, the Internet. In this transaction, the credit card number received as input at the time of purchase is compared to a master list of valid credit numbers stored, for example, at the merchant's network or at the financial institution that issues the card. You. One disadvantage of this scheme from a security perspective is that
Inspection programs that perform this comparison process are required to access the actual list of credit card numbers to successfully accomplish this process, and this access point can be a potential network security weakness. is there. In other words, so-called "hackers" can attack related servers, and this list can be compromised. That is, a hacker may break through network security measures, for example, a firewall, of a network in which a server including a master list of credit card numbers exists, and download this complete list. Such a scheme may be used for other security information (sensitive infor
mation), for example, company trade secrets
, These security information are also at great risk.

[0006] Accordingly, there is a need to improve the robustness of security measures to prevent unauthorized leakage of information from a communication network.

[0007]

SUMMARY OF THE INVENTION One aspect of the present invention is to analyze network security, i.e., monitor communication streams exiting a communication network, and illegally transmit certain information, such as security information, from the network. Is directed to determining if is not present.

In accordance with a preferred embodiment of the present invention, a communication network is composed of a plurality of components having different security ratings, for example, certain parts of the communication network may have a first security rating, eg, "".
Another part of the communication network has a second security rating, eg, "non-confidential".
As an example, the first security rating is "higher" than the second security rating, and the first security level provides a more stringent set of network security measures for its associated information and hardware configuration. impose. As mentioned above, unauthorized disclosure of information from this part of the network is avoided as much as possible. Thus, in accordance with this aspect of the invention, the use of a Bloom filter in conjunction with a wordlist allows for the analysis of a communication stream exiting a communication network without exposing the actual wordlist. That is, it is determined whether or not there is an unauthorized transmission of the security class information from the network. As an example, the word list may include a list of words relating to the technical details of a new product development project or a word relating to future sales plans for a particular product. In short, this word list is created here as a function of information that should not be leaked outside the network unless specifically allowed.

More specifically, according to the preferred embodiment, a hashed word table is created using a Bloom filter as a function of a word list. This hash word list prevents the original word list from being identified and makes it difficult for the original word list to be revealed or reassembled by computation. Thus, this hashed word table is used to perform an analysis of the communication stream in the part of the communication network having the first security level and to detect unauthorized leakage of confidential information. More specifically, according to this preferred embodiment of the present invention, a server is used to perform the analysis of the communication stream, the server comprising a Bloom filter and accessing a hashed word table. According to one aspect of the present invention, the Bloom Filter monitors a communication stream using a hashed word table and detects in real time whether there is any security information leakage from the communication network to a public area, for example, the Internet. I do.
Advantageously, in some embodiments of the present invention, the analysis of this communication is performed without directly accessing or exposing the original word list, thus making these security operations less secure. It is allowed to perform within the configuration, for example, outside the security measures of the firewall associated with the particular communication network.

[0010] Bloom filters are not new.
Bloom filters and their associated binary hash coding operations are well known and are described, for example, in Bloom, Burton,
H. , ”Space / Time Tradeoffs in Hash Coding wi
th Allowable Errors ”, Communications of the
ACM, Vol. 13, No. 7, pp. 422-426 (197
0), see this. Bloom filters have previously been used for a variety of applications to determine elements in a set, for example, to perform set element tests on large sets of data. In this regard, see, for example, R.S. J. "Metho issued to Cichellie et al.
d and Apparatus for Testing Membersip in a
Set Through Hash Coding with Allowable Err
See U.S. Pat. No. 4,290,105 entitled "ors". Another application that uses a Bloom filter to determine the validity of a key is described in US Pat.
As of February 23, D. W. "Para issued to Aucsmith
See also US Patent No. 5,701,464, entitled "Meterized Bloom Filter".

Thus, the Bloom filter is a well-known mechanism for performing hash coding and element tests. However, the inventor has come to recognize that the Bloom filter can be used as an elegant tool in the field of communication network security.
That is, they have found that a Bloom filter can be applied to analyze communication streams exiting a communication network without exposing the actual wordlist, and to determine if there is any unauthorized transmission of information from the network.

[0012]

DETAILED DESCRIPTION In the following description, unless otherwise specified, similar elements, blocks, components or sections in the drawings are indicated by the same reference numerals.

[0013] One aspect of the present invention is to analyze communication streams emanating from a particular communication network, and to disallow unauthorized transmission of certain information from the communication network.
thorized transmission). FIG. 1 shows a flow diagram of an example operation 100 for analyzing a communication stream exiting a communication network and determining whether there is any unauthorized transmission of specific information from the communication network. More specifically, according to the preferred embodiment, a word list is identified and received (at block 110 in FIG. 1). As mentioned above, as with other individuals,
In particular, the network administrator responsible for the operation of the computer network takes care to ensure that sensitive information is not transmitted from the computer network over the Internet to the public domain without permission. For example, a network administrator of a large corporate computer network may be concerned that trade secrets or other proprietary information of the company may be released without permission from the corporate intranet to the Internet along with e-mail distribution. Distribute. Thus, in some embodiments of the present invention, the word list includes words from the information to be protected, trade secrets, other security information, or descriptions thereof.

[0014] Such security issues are not limited to the corporate world, but also exist in the areas of government, military and judiciary. For example, the United States Department of Energy (Un
The itedStates Department of Energy (DOE) is responsible for classifying security that requires appropriate safeguards.
Maintain a public list of keywords for the material, including information. Thus, a list of DOE keywords (World Wide Web at www.Osti.gov/opennet/s
akwdhtm. (published via html) can be used by organizations to identify these particular security sensitive materials and thereby avoid unauthorized release. In addition, similar hashed lists can be provided that are security-grade in nature, but have a lower classification level than the list itself.

As a result of identifying and receiving the associated word list, according to one aspect of the invention, a so-called hashed word table is created using a Bloom filter (at block 120 in FIG. 1). Creation of the hashed word table is performed in a conventional manner using well-known operations with the Bloom filter and associated hash encoding parameters. In one embodiment of the present invention, a hashed word table is sent to the security server (at block 130 of FIG. 1), and the security server sends (at block 140 of FIG. 1) the communication stream exiting the particular communication network. Monitor as a hashed word table function. That is, according to one aspect of the present invention, by performing an analysis of the communication stream, certain parts of the information flow can potentially be shifted from the communication network to the public domain,
A decision is made to not represent an unauthorized transmission of information to the Internet. Importantly, as will be described in greater detail below, this analysis is performed, in various embodiments of the present invention, without directly accessing, ie, exposing, the complete original word list. Therefore, these security operations can be performed with a lower security configuration.

FIG. 2 illustrates an exemplary communications network configuration for analyzing communications in accordance with the principles of the present invention. Configuration 2 of this example communication network of FIG.
00 indicates a plurality of sub-networks, for example,
Includes an intranet 205, which may be a corporate intranet of sub-networks 215,245. These sub-networks may, among other things, have different security levels defined by the network administrator based on the type of information, activity, and / or user of these sub-networks.
have. These security levels, or ratings,
Used to control or limit access to information on a network. As an example, subnetwork 215 may be an intranet 205 engaged in a confidential project where uncontrolled release of security information about the project could result in potential damage.
Related to a development group within. The principles of the present invention are directed, within the context of the description, to enhance existing security measures to prevent such information leakage.

More specifically, within subnetwork 215 is located a server 225 comprising a conventional computer server having access to database 240. As described above, subnetwork 215 is different from, ie, has a higher security rating than, other subnetworks within intranet 205, for example, subnetwork 245. Thus, the information in subnetwork 215 also carries a particular security rating different from information associated with other subnetworks having lower security levels. Thus, according to one aspect of the present invention, a word list, eg, a security word list, is created for the dense information present in subnetwork 215 or some portion thereof. As you can easily understand, creating the contents of this wordlist
It can be done in various ways. For example, it can be compiled manually by a user or automatically compiled by an intelligence-based computer system. Thus, according to one embodiment of the present invention, word list 29
0 is stored in the database 240. As mentioned above, one aspect of the present invention is a communication stream,
For example, it is directed to analyzing a known packet stream to identify whether there is an unauthorized transmission of security information from a communication network. Importantly, as will be described in greater detail below, this analysis is performed in some embodiments of the present invention without having direct access to the original word list, e.g. , These security operations are allowed to take place in lower security configurations.

That is, in the intranet 205, a sub-network with a higher security level, for example, a sub-network with a lower security level which is allowed to access the sub-network 215 as necessary exists, for example, a sub-network 245. I do. For example, the server 250
Is allowed to access data residing in the server 225. However, as a result of such an authorized access, a portion of certain security information is illegally passed from the subnetwork 245 through the communication channel 260, through the firewall 265, and into the communication channel 285.
Through the public network 210, for example, the Internet. As can be appreciated, although the above-described embodiment is formed from two separate sub-networks, the principles of the present invention also
Other hardware or network configurations, such as
It can also be applied to a single server consisting of multiple discrete parts with different security levels.

Hereinafter, the present invention will be described in more detail with reference to FIGS. 1 and 2 simultaneously. According to one aspect of the invention, the server 225 in the sub-network 215
Includes a Bloom filter 230. Bloom filter 230 generates hashed word table 295 using word list 290 (as shown in blocks 120, 130 of FIG. 1). Hash encoding of the word list 290 by the Bloom filter 230 is performed in a conventional manner using well-known hashing parameters. According to one embodiment of the present invention, hashed word table 295 (as shown in block 130 of FIG. 1)
Is sent to the database 270 (e.g., via the communication channel 255) and stored there. Security server 27 (as shown in block 130 of FIG. 1)
5 accesses it and monitors the communication stream 285 leaving the intranet 205 (eg, via the communication channel 260) as shown in block 140 of FIG. 1 as a function of this hashed word table 295.

That is, the security server 275 stores the Bloom filter 280 in the hashed word table 29
5 together with the information being transmitted via the communication stream 285 (as shown in block 150 of FIG. 1) and the hashed word table 2
By examining the match between the security information represented in 95 and the potential security breach (securi
ty breaches). For example, a match between the content (or a portion thereof) of each transmitted packet and the hashed word table 295 is found. In accordance with one aspect of the present invention, this agreement is used to identify potential security leaks from intranet 205. As described above, this hashing encoding and comparison operation is performed in a conventional manner as a function of the Bloom filter. If a match is found, (block 1 in FIG. 1)
A security alert is generated (as shown at 60) indicating a possible unauthorized transmission of security information. As can be appreciated, this security alert can be implemented in a variety of forms, for example, by way of example only, as a message to a network administrator, or as an entry in a log file associated with a firewall. You can also. Such alerts are then sent, by way of example, to a network administrator for evaluation and resolution. According to this embodiment of the invention, monitoring of the communication stream (as indicated by block 170 in FIG. 1) continues until each transmission is completed.

As can be understood, the security server 2
75 comprises, among other things, a conventional processor (not shown) for performing the comparison operation in a conventional manner. As can be appreciated, in the embodiment of FIG. 2, the security server 275 and the database 270 are provided separately, but in some other embodiments of the present invention, the security server 275 includes a hashed word table 295.
Is stored directly, which is accessed by the server's internal processor.

Importantly, according to one aspect of the present invention, the analysis of the communication stream is based on the word list 2.
It is performed through a hashed word table without directly accessing or exposing 90, so that the security procedure of the present invention can be implemented in a lower security level network. That is, the hashed word table 295 is created by the Bloom filter 230. In this hashed word table, each word of the word list 290 is eventually hashed to a plurality of positions in the hashed word table 295, and often Word list 2 in the sense that it conflicts with other hashes of the word
Hide 90. Of course, the word list 290 is obtained from the hashed word table 295 by a so-called “dictionary attack (di
ctionary attack), but the procedure thus completes a given atypical or unusual word as found in security applications consistent with the principles of the present invention. Is difficult to calculate, for example,
Security information or commercial security information for a particular company is often described in unusual words so that it cannot be reassembled from a hashed word table through a dictionary attack. As an advantage,
In the embodiment of FIG. 1, the security server 275
Is located outside the firewall 265, and thus this server is located outside the security procedures managed by the firewall 265 on the intranet 205.

As described above, the present invention can be realized in the form of a method for implementing these methods or in the form of an apparatus. The present invention may also be in the form of program code embodied in a tangible medium, for example, a floppy diskette, CD-ROM, hard drive, or any other machine-readable medium. The program code may be loaded into a machine, for example, a computer, and executed so that the machine becomes an apparatus for implementing the present invention. The present invention may also be loaded into a machine as a form of program code implemented in a memory medium, executed, or transmitted via some transmission medium, for example, wires, cables, optical fibers, electromagnetic radiation. Above, the program code may be loaded into a machine, for example, a computer, and executed so that the machine becomes an apparatus for implementing the present invention. The program code may be implemented on a general-purpose processor, and the program code segment may be configured to cooperate with the processor to provide a unique device that operates analogously to dedicated logic circuitry.

Moreover, all embodiments and conditional language referred to herein are essentially merely teaching principles and concepts of the present invention and teaching purposes for disclosing contributions to advancements in the art to the reader. And should not be construed as limiting the invention to the embodiments and conditions described above. Furthermore, all statements describing features and embodiments of the invention and its embodiments are intended to encompass both structural and functional equivalents thereof. In addition, these equivalents include those already known in the art as well as those that may be developed in the future. That is, all elements developed that perform the same function are included, regardless of their structure.

Thus, for example, a block diagram shows a conceptual diagram of a circuit as an example that embodies the principle of the present invention. Similarly, any flowchart, flow diagram, state transition diagram, pseudo code, program The code, etc., is substantially implemented in a computer readable medium and executes the various processes performed by the computer, machine, or processor, whether or not the computer, machine, or processor is specified. Regardless, they represent.

The above description merely illustrates the principles of the invention. Although not specifically described herein, those skilled in the art can implement various principles that embody the principles of the present invention and fall within the spirit and scope of the present invention.

[Brief description of the drawings]

FIG. 1 illustrates a flow diagram of an example operation for analyzing a communication stream in accordance with the principles of the present invention.

FIG. 2 shows an exemplary communication network configuration for analyzing network security according to the exemplary operation of FIG.

[Explanation of symbols]

 200 Communication Network 205 Intranet 210 Internet 215, 245 Subnetwork 230, 280 Bloom Filter 225, 250, 275 Server 240, 270 Database 260, 285 Communication Channel 265 Firewall 290 Word List 295 Hashed Word List

 ──────────────────────────────────────────────────続 き Continued on the front page F term (reference) 5B085 AA01 AA08 AC03 AC10 AC16 BG07 CA07 5B089 GA11 GB02 KA17 KB13 KC18 KC52

Claims (10)

[Claims] 1. A method for securing a communication network, the method comprising: receiving a word list, the word list including a plurality of words directed to information associated with the communication network, wherein the information is Having a specific security rating associated therewith; the method further generating a hashed word table from the word list using a Bloom filter; and monitoring a communication stream transmitted from the communication network using the hashed word table. Determining whether the communication stream includes any portion of the information, and if so, generating a security alert indicating a possible security breach in the communication network. To be Method. 2. The communication stream comprises a plurality of packets, and the monitoring operation determines whether the communication stream includes the information portion by comparing at least one packet with the hashed word table. 2. The security method for a communication network according to claim 1, wherein: 3. A method for analyzing network security of a communication network, the communication network including a first sub-network and a second sub-network, wherein the first sub-network is associated with a second sub-network. Have different security ratings, the method comprising: identifying a word list, wherein the word list includes a plurality of words associated with information stored in the first sub-network, wherein the information comprises Having a security rating consistent with the information of the first sub-network, wherein the security rating is used to restrict access to the information; the method further comprises generating a hashed word table from the word list using a Bloom filter. Generating; and said communication network Monitoring the communication stream transmitted from the network using the hashed word table to determine whether the communication stream contains any part of the information, and if so, breach security in the communication network. Generating a security alert indicating the likelihood of a security alert. 4. The method of claim 3, wherein the transmitted communication stream originates from within the second sub-network. 5. The monitoring operation according to claim 4, wherein the monitoring operation is performed by a security server external to the first sub-network and the second sub-network without directly accessing the word list. The described method. 6. A security server, comprising: a memory for storing a hashed word table, wherein the hashed word table is generated from a word list, and the word list is stored in information associated with a communication network. A plurality of words directed to said information, said information having a specific security rating associated therewith, said security rating being used to restrict access to said information; said security server further comprising a Bloom filter; A processor for monitoring a communication stream transmitted from a communication network, said processor using said Bloom filter in combination with said hashed word table, wherein said communication stream is Analyzing whether any part of the information is included, and if so, generating a security alert indicating a possible security breach in the communication network. 7. The communication stream comprises a plurality of packets, and the monitoring operation compares a part of a specific packet with the hashed word table to determine whether the communication stream includes the information part. The security server according to claim 6, wherein the security server is determined. 8. A communication system, the communication system comprising: a first server associated with a first communication network having a first security level; and a second security level different from the first security level. A second server associated with a second communication network having; a security server monitoring a communication stream transmitted from the second communication network using a Bloom filter in combination with a hashed word table; A word table is generated from a word list including a plurality of words associated with information stored in the first server, wherein the security server determines whether the communication stream includes a portion of the information; If included, the second communication network A communication system for generating a message indicating a potential security breach within a network. 9. The communication stream includes a plurality of packets, and the security server compares a portion of a specific packet with the hashed word table to determine whether the communication stream includes a portion of the information. 9. The communication system according to claim 8, wherein the determination is made. 10. A security device, comprising: means for storing a hashed word table, the hashed word table being generated from a word list, wherein the word list is stored in information associated with a communication network. The security device further comprising a bloom filter; and means for monitoring a communication stream transmitted from the communication network, the security device further comprising: a bloom filter; Means performing, in combination, the Bloom Filter and the Hashed Word Table to determine whether the communication stream contains any portion of the information, and if so, security within the communication network. A security device that generates a security alert indicating a possible breach.