JP2007512745A - How to detect and prevent unauthorized use of several network protocols without compromising their legal use - Google Patents

Abstract

The present invention relates to a method for detecting and preventing unauthorized use of several network protocols without compromising their legal use. In accordance with the present invention, each new stream is assigned a counter CPT (27). Each time a data packet is received, a delay function (25) is applied that reduces the abuse flow without disturbing the legitimate usage flow. The delay function is increased by the counter CPT, especially depending on the flow rate for the monitored flow.

Description

  The present invention relates to a method for detecting and preventing unauthorized use of several network protocols without compromising their legal use.

  The present invention is particularly used for IP network security. The present invention provides an effective defense against various types of attacks, denial of service, especially attacks that are concealed, characterized by a sudden increase in the flow of tampered protocols. . The present invention is particularly effective when used in a public wireless network (hot spot) for which access is charged.

  The present invention particularly comprises two elements. The flow rate of the related protocol is a reference for detection, and is a radical solution to attacks. The second factor is that the present invention is based on using a delay function that retransmits all packets received by the system in time. This is negligible when there is no attack, but is important in that if an attack is detected, the network is not available to those who are doing the attack.

  The method of the present invention is independent of the technology underlying the IP network: Ethernet, IEEE 802.11, GPRS, etc.

  The method of the present invention provides a particularly effective solution to fraud known by the name of firewall piercing (or path hiding).

  Such fraud techniques allow a normally forbidden flow of information to pass through a filtering device by enclosing it in a licensed bundle. The present invention makes it possible to solve such problems in difficult cases that have not been found before.

  The method of the present invention offers the advantage of preventing fraud without significantly affecting the legitimate use of the network.

  In a more general way, any attack based on the exchange of unusual data outside of the local network would be possible according to the present invention, provided that a significant increase in the flow normally achieved by a tampered protocol can be arranged. It can be processed easily.

  In this way, an attack by denial of some services (an attack intended to make simple disruption impossible to use other users' services) can be handled. This applies especially to networks called “hot spots”, which are radio frequency coverage areas where properly equipped terminals can be connected and access to the Internet established. Yes, the payment is made by prepaying a certain amount or by collecting on a bill to a subscriber of an access provider such as the customer's GSM network. This is true if the hotspot is connected with a mobile network operator to use GSM authentication.

  In such a case, if another attack is possible on the machine that manages user authentication from the hot spot, it is a crisis because it is a server of the GSM network. The reason why mobile network operators are seriously afraid of denying such service rights is that the function of the authentication server of the GSM network is put in a dangerous state. It is because it falls into a remote place.

  The present invention automatically detects abnormal increases in the number of requests and makes it possible to limit them.

  There are also "how to pierce firewalls" techniques for carrying prohibited protocols, and they are often used in corporate networks. The present invention applies in particular to “signature” protocols such as DNS, ICMP or EAP (which carry authentication methods there), ie protocols that help to work other protocols of the Internet. Although they do not directly carry useful data belonging to the user. However, these “tag” protocols differ greatly from data transport protocols in that they operate at known, usually low flow rates. If these indicator protocols are used as transport protocols in the case of unauthorized intrusion, they will appear as an abnormal increase in the number of requests and responses.

  However, it should be noted that the present invention also applies to transport protocols. The present invention applies in particular to the protection of low flow rate transport protocols in whole or in part.

  The present invention enables inter alia processing of a DNS-like protocol (of the so-called labeling protocol). In fact, for example, in public hotspots, by default, all information flows, except for the signing protocol that is essential for the user to initiate a connection (carrying authentication data, gathering information about the network configuration, derivation of names) Is often prohibited. Thus, fraudsters who want to use hotspots for free can only use the sign protocol to hide the route. Conversely, "beneficial" protocols such as http and telnet are forbidden by firewalls as long as user connections are forbidden, so they cannot be used to hide routes for fraud Can not.

  There is another aspect of the present invention, which handles protocols such as “http” and “ftp”. In fact, in the current usage, the “http” protocol is a protocol that exhibits a very high asymmetry: the flow from the terminal towards the server corresponding to the request is low, but it corresponds to the html page used for the response. The flow rate to another method is high. If an http fraud by hiding the route eliminates the flow characteristics of an http connection, that is, if the upstream flow rate suddenly increases abnormally, The present invention will prevent this distribution.

  To achieve this objective, the network protocol protection method with which the present invention is concerned does not adversely affect the legal use of the protocol. In short, the bundle of input data packets must be used legally for each packet. Applying a delay function is sufficient to prevent illegal use, but not enough to prevent it.

  In particular, in the labeling protocol, the present invention applies a delay function that increases with the flow rate of the supervised bundle, which means that illegal use of the protocol in the name of private data transport exceeds the standard flow rate. In this case, the delay is increased indefinitely so as to effectively cut off the illegally used path without disturbing other flows.

Other features and advantages of the present invention will be better understood from the following description and accompanying drawings:
FIG. 1 shows a sequence according to the protocol to be protected.
FIG. 2 shows a time graph of the case where the attack of the flow monitored by another protocol to be protected cannot be prevented and the case where the attack is prevented by the method of the present invention.
FIG. 3 is a block diagram of equipment for processing the monitored flow in the present invention.
FIG. 4 is a flowchart of a specific embodiment of the method according to the invention.
FIG. 5 is a diagram for explaining various things that can be assumed in the first embodiment of the present invention.
FIG. 6 is a time graph illustrating what can be assumed in the second embodiment of the present invention.

  Two attack techniques that are actually used will be described below. The first attack technique can be used in an IP type network. Such networks can be corporate networks, the Internet, “hot spots”, and the like. Conversely, the second attack technique is specialized for “hot spot” networks, particularly for GSM authentication servers interconnected with “hot spot” networks.

  In general, a terminal connected to an IP network using a company, a telecommunications carrier, or an Internet access provider cannot make any type of connection freely. There are three main reasons for this.

  The first reason is that the network is a production network, and the user does not want to divert it for the purpose of diverting, gaining personal gain, or disturbing others.

  The second reason is that the network can be used for a fee, and it is desirable to allow the flow only to the user who paid the fee.

  The third reason is that allowing more connections than are necessary for the organization that owns the network to function effectively can provide an opportunity for unauthorized use.

  The filtering operation of the flow in and out of the network is also reused in devices at the boundary of the network such as filtering routers or fire devices (“firewalls”) (hereinafter this type of device is referred to as “fire device” or “ (It shall be collectively referred to as “Firewall”). In addition, because of the effective functionality of the allowed protocols, these devices must pass unrestricted other protocols such as the ICMP (RFC 792) protocol or the DNS (RFC 1034) protocol without restriction. Don't be.

There are software means that make it possible to use a protocol with the permission of the fire protection device to pass the prohibited protocol. These techniques are known as “path concealment” or “how to drill a hole in the firewall”, and they all consist of the same diagram, which is explained with reference to FIG. As it goes, the figure shows this type of attack when the DNS protocol is used to import data through a firewall:
a) A hacker can make a server freely accessible somewhere on the Internet, outside the network to which the terminal is connected. This server has two functions:
i. Encapsulate / uncapsulate packets from a hacker's computer.
ii. The extracted packet is retransmitted to the final destination, and the packet is received from this same destination in order to send the received packet back to the hacker (relay function).
b) The hacker's terminal copies the packet of the prohibited protocol data to the vacant area of the permitted protocol packet and sends it to its own server that processes it.

In this way, hackers will accomplish the entry and exit by enclosing the normally prohibited exchange of data in packets of permitted protocols. This fraud is dangerous for two reasons:
• In practice, the protocol is what allows all encapsulation.
The fire protection device must inevitably pass some protocol known to have such an encapsulated capacity, such as DNS or ICMP. The mere pure blockage of such a protocol will work fine for legitimate users, while the network will function well and will not meet the recommendations for interoperability. It will also prevent you.

  A hot spot type network using an authentication method using a SIM card is based on a communication protocol called “EAP-SIM” defined in a published standard. This protocol allows GSM authentication to be performed between hotspot service customers and GSM mobile phone operators. GSM authentication requires several means (billing system). A large number of authentication requests can impair the quality of service for both traditional GSM service customers and Wi-Fi network service customers.

  FIG. 1 shows a diagram of authentication by the EAP-SIM method. The applicant 1 on the communication network transmits an authentication request 2 to the authentication means 3 according to the protocol 802.11.

  The authentication means executes an authentication operation and creates an authentication response 4 toward the authentication server 5 in accordance with the protocol AAA. The authentication server 5 creates an authentication message 6 as an answer, and the message is transmitted to the authentication center 7 according to the protocol SS7.

Applying the EAP-SIM scheme when attacked, the mode of work is as follows:
The attacker informs the access point that he is ready to authenticate (EAPOL_Start);
The access point then asks the attacker for proof of identity (EAP-Request / Identity);
Therefore, the attacker responds with (Network Access Identifier (REC 2486) or NAI possessed by EAP-Response / Identity as proof of identity;
The access point relays the attacker's answer to Proxy-RADIUS;
proxy-RADIUS analyzes the NAI identity content and relays the answer to the operator's RADIUS server using the NAI content (after the @ symbol);
The operator's RADIUS server analyzes requests with NAI credentials (especially IMSI codes);
The operator's RADIUS server asks the attacker to authenticate with GSM authentication (EAP-Request / SIM / Start) via proxy-RADIUS at the hotspot that is visited;
Therefore, the attacker responds with EAP-Response / SIM / Start (Nonce);
Proxy-RADIUS then relays the answer to the operator's RADIUS server;
The operator's RADIUS server then queries the GSM authentication base to retrieve n GSM triplets (where n = 2 or 3).

  This is the last expensive step. This is because it allows an attacker to calculate n GSM triplets.

  Therefore, in short, the attack is to maximize the reuse of the previous mode of operation by sending a packet (packet EAPOL_Start) of the type that initiates the authentication phase. Therefore, it becomes possible to perform an attack by denying the right of service by saturating the means at the location of the authentication center 7, thereby causing the GSM network to be trapped at the same time as the hotspot network. .

In order to solve the problems related to communication protocol attacks, the current technology provides three means-"Firewall", called fire protection device,
・ Flow inspection system, and ・ Intrusion detection and prevention system.

A firewall is a system that is typically used to inspect the flow on a network. The firewall is typically installed at the break between two subordinate networks and analyzes packets that cross them. Firewalls can filter at different locations:
IP / ICMP: The system analyzes the contents of the letter header field (IP source / destination, type and ICMP code).
IP / TCP UDP: The system analyzes the contents in the letter / head column (IP source / destination, TCP UDP port).
Session: Perform a complete analysis of the start of a session to establish communication in a particular protocol, thereby ensuring that incoming packets actually correspond to outgoing packets.
Analyze the content of data exchanged with applicable protocols, thereby prohibiting some content (eg pornographic site URLs).

  However, if the flow is determined to be valid, the firewall cannot prevent the flow from the path concealment attack because “all or nothing” filtering works. In this case, if the packet passes completely or if it is determined that the flow is invalid, no packet passes. It should be noted that the attack by path concealment is more difficult to catch because it uses a permitted (and indispensable) flow such as DNS. Therefore, the only factor that can identify such attacks is an abnormally high flow rate that makes their legitimate protocol work when used in path concealment attacks. . No firewall allows these filtering criteria.

Also, the method of the present invention provides for “auto-adaptive” filtering of suspicious interactions, enabling the following:
-Quickly stop suspicious flows;
-As soon as the situation returns to normal, the prevention is automatically relaxed;
Provide a response adapted to various attacks in terms of speed of prevention, flow rate limitation, and speed of relaxation of the prevention as described below for the function f ().
Avoid legal blockage of legitimate but too much flow by performing only appropriate deceleration, as described below for the “quasi-normal” mode of operation.

  Therefore, traffic will continue to pass even if the quality of service is slightly degraded. Traditional firewalls completely block it.

  The flow inspection system makes it possible to assign a usable part of the entire passband to a certain flow in order not to create a particularly congested state. They are part of the service quality management system. To some extent, these systems make it possible to prevent unauthorized use of the passband in the network. For example, they limit the overall flow rate of DNS requests, thereby making it possible to reduce the attack range due to path hiding in DNS. Software such as open source IP filter software provides such flow restriction functionality through its “restriction” module.

  However, this does not completely silence the attacker, since data can always be transmitted at the maximum flow rate authorized by the system.

  FIG. 2 shows the response to an attack by route concealment on DNS by date.

The same time graph shown in FIG.
A flow rate 12 characterized by a protocol, protected by the method of the invention in the event of a surprise attack;
A flow rate 8 characterized by a protocol, protected by a flow rate inspection system when subjected to the same attack;
A flow rate 9 characterized by a protocol that does not provide any protection when subjected to the same attack as expected for the flow rates 8 and 12.

  When attacked, the flow increases relatively rapidly following the uphill 10 and then the traffic is around the normal constant flow value with no looseness, but with messy vibrations, almost It remains unchanged.

  Applying the flow inspection, current technology flow inspection system, the attacker's flow increases more slowly than the previous example, and then at least corresponds to the flow 8 of the sign protocol that requires more conditions for the flow. Stopped at the threshold and stays constant.

  When the method of the present invention is applied, the attacker's flow rate passes the maximum value 13 and then decreases until it is offset by some degree of speed, as will be described later.

  As can be seen from FIG. 2, the flow inspection system cannot do more than limit the passbands available for attack. Conversely, the method of the present invention allows the flow rate to approach zero with a parameterizable convergence rate. From this point of view, the present invention can prevent an attack caused by path concealment more efficiently than a system for checking the flow.

  An intrusion detection system (IDS) operates by analyzing the flow circulating through the transmission line using sensors. This returns the collected data back to a system with “artificial intelligence” that interprets them and triggers an alarm if something suspicious occurs. Even in such a system, in some cases, the firewall can be ordered to cut traffic.

  Therefore, an active IDS system will be described. Another evolution of this system is known by the name “Prevention System” of “IPS”.

  In this case, the IDS system is directly coupled to the firewall, and the analyzed stream traverses the device. Thus, this creates the possibility of traffic disruption similar to an active IDS system, but the response time is much higher performance. The principle of detection remains the same, and the relevant data on which the analysis is based is generally a known sequence of message transmissions (called attack signatures).

The IDS system is known to have significant disadvantages:
It is very expensive because it uses sensor technology that must be capable of analyzing large amounts of traffic;
・ Similar to most automatic recognition systems, it sends a positive error that gives an invalid alarm and a false negative that causes the attack to pass. Therefore lack of reliability;
• Try to capture only known attacks.

  The response provided to the attack is not sufficient. In the case of an IDS system, the alert is sent to a human operator and therefore the human must react. It is unthinkable for operators to reside on a small network. In the case of an IPS system, the response is not superior to a firewall and see above for analysis.

  The method of the present invention can be implemented in a specific device as a supplemental function to existing flow processing devices such as routers, firewalls and DNS servers. In any case, it is essential to pass all traffic to be inspected through this device. Such a flow processing apparatus schematically shown in FIG. 3 comprises an input interface 15 and an output interface 17, and traffic arriving at the input interface is defined by software defined according to the method of the present invention. , Resent to the output interface.

  It is based on the following principle executed in the processor 16 of the device that processes the flow, and the flow Fie retransmits to the output interface like the flow Fjs, which is not less than a long period of time, but “honestly It's not so short that a user cannot perceive or that a tricky user cannot circulate unauthorized data.

  From a physical point of view, the two interfaces can run on the same network card.

  The distinction between input and output is valid for traffic going in one direction. If the present invention also handles traffic in the opposite direction, the order of the roles of both interfaces is reversed.

  In the method of the present invention, the designation of the classification of the monitored flow is first executed.

  The designation of the monitored flow classification may be based on the values in several fields of the IP packet, as is done for the IPsec link configuration (RFC 2401) and firewall.

  For example, the flow classification designation can be maintained by combining the following values: source address or IP address band, destination address or IP address band, upper protocol (UDP, TCP, ICMP ...), port number, value in one column of upper protocol part.

  In general, all protocol fields that can be read and translated by the device can be maintained as selection criteria regardless of the level of the protocol layer.

  Specifically, if the present invention operates only as an addition to a particular service, it is not necessary to implement a complete flow classification and designation system. For example, when the method of the present invention is added to a DNS name resolution server for the purpose of hiding a hidden route on the DNS protocol, only the DNS flow classification is monitored, as will be described later. Therefore, there is no need to leave the possibility of specifying other classifications of flows.

  In one embodiment of the present invention, interrupt permission is implemented for a mechanism that constrains the monitored flow.

When a flow Fie originating from a particular machine and belonging to the monitored flow classification is detected at the flow processing device input interface 15, a counter associated with this flow is dynamically generated. For indexed stream N, mark the associated counter as CPT _N.

  In one embodiment of the present invention, the processor 16 processing the flow takes advantage of the unauthorized flow bridging mechanism.

  Each time a data packet arrives at the input interface 15 during step 21;

  A test placed under monitoring is executed during the procedure 22, but if it does not belong to the monitored flow, it is immediately retransmitted to the output interface 17 in a procedure 23.

  During test 24, it is verified whether the arrived packet belongs to the monitored flow.

If it belongs to the monitored stream, that is, if the counter CPT _N is already associated with it, during step 25, the counter CPT _N is incremented by one unit of 1 and the period D The counter CPT _N after the lapse of _N = f (CPT _N ) retransmits the packet to the output interface 17 during the procedure 23 according to the function f () determined in advance according to the value in progress.

  The function f () is called a delay function.

In one embodiment, each time a packet is retransmitted to the output interface 17, during the procedure 26, the counter CPT _N is decremented by one step and unit.

  In one embodiment, the method of the present invention then has a mechanism to mitigate flow monitoring.

Once the counter CPT _N reaches a sufficiently low value, it means that there is no longer any attempt to send illegal traffic. Then, the counter CPT _N may be discarded, traffic is also no longer monitored. However, this priority is not indispensable and traffic may remain under surveillance without restriction.

If the result of test 24 is that the packet is not identified as belonging to the monitored flow classification, a new counter CPT _N is assigned to the flow and procedure 25 is performed.

  The delay function f is not limited to one for all flow classifications. Therefore, the flow DNS can be delayed by the function f1, and the flow ICMP can be delayed by the function f2.

  The delay function f must be minimally increased so that the traffic is delayed as the attacker sends traffic.

A delay function f with a positive second derivative will block the attacker's flow very quickly. For example, f (CPT _N ) = exp (α * CPT _N + β), where α ≧ 0.

If you are trying to saturate the inspection device, you can also use the counter CPTMAX _N , and wait if the number of packets waiting to be sent exceeds the value of CPTMAX _N parameterized by the administrator. The inside packet will be discarded according to the selected algorithm. This functionality is to avoid saturation of the means of the present invention.

  The method embodiment of the present invention shown here is implemented in a local DNS server of a protected network.

  The attack to be described will be developed without using the method of the present invention.

  The local network 30 that has undergone the flow inspection is often constructed according to the plan shown in the diagram of FIG. The local network includes a terminal exemplified by 34, a DNS server named local DNS 31, and a router / firewall 32 that secures interconnection between the local network 30 and another network 33 such as the Internet network. Included.

  The router / firewall 32 is configured to prohibit some flows, such as the “ftp” flow. To circumvent the prohibition 36, the terminal 34 encodes information in a particular column of the packet into, for example, a packet “ip” that flows the flow “ftp” and carries the packet DNS in the path 37 of the DNS. Encapsulate. It also ensures that DNS requests can only be processed by a hacker DNS server 38 under the supervision of hackers outside the local network by appropriately selecting the name of the request domain. The hacker DNS personal computer 38 can then forward the packet to the “ftp” server 39 sought by the terminal. Traffic in the opposite direction takes the exact opposite path.

When the present invention is implemented in a local DNS server, path concealment attacks on the DNS will be completely prevented.
1) In this example described in FIG. 5, it is not necessary to manage the flow classification and the flow under monitoring. In fact, only the flow DNS passes through this machine.
2) In addition, by associating the flow under surveillance, i.e., it generates a counter CP _T to each terminal, that never remove it, it is possible to monitor all flow DNS. To fix the maximum value of the CP _T CPTMAX, as CPTMAX = 2000.
3) For services allowed in the local network, such as an http service, a flow rate threshold represented by the maximum number of DNS requests, such as 30 per terminal per second, is acceptable. Decide freely.
4) An attack that conceals the route by the terminal is predicted to cause a sudden increase in the number of DNS requests of about 100 per second.
5) Select f (CPT) = exp (CPT / 15) as the delay function (expressed in milliseconds).

The operation of a DNS system can be differentiated into three aspects:
Normal operation: The user is not malicious and the system is used as expected.
Abnormal behavior: The user is malicious and apparently attacking the system.
・ Semi-normal operation: The user is not malicious, but the system works on time slightly beyond the assumed limit.

  Through the following analysis, the system will automatically adapt to these three cases, so that the user can use the DNS service correctly in “normal” and “semi-normal” cases. However, it becomes clear that in the case of “quasi-normal” the quality of service is degraded, and in the case of “abnormal” traffic can be blocked. The following analysis is not rigorous, but it is therefore a digital number that can be traced with the time graph of FIG. 6 showing the number of requests per second as a function of time. It becomes possible to draw.

  FIG. 6 shows changes in the number of DNS requests per second according to time. From the DNS server structure, the counter assigned to the monitored stream is incremented according to line 41. Curve 42 shows the incoming requests during the attack, and curve 40 shows the number of requests that can be accepted by the DNS server. Finally, curve 43 shows the transition of the number of requests retransmitted to the output interface of the flow DNS processing device to which the protection method of the present invention is applied.

1) “Normal” When the system is not attacked, a DNS request to be processed at a frequency of about 30 per second according to the level 40 is received (FIG. 6). The delay applied to each packet is then exp (30/15) = 7.39 ms. This value indicates that the maximum packet delay is 7.39 ms. This means that in practice, all packets that arrive in a second are retransmitted in that same second. In fact, the 30 packets that are blocked at 7.39 ms at the maximum total 221.7 ms, which is well under one second. Therefore, the counter CPT maintains a value close to zero.

2) Case of “Abnormal” When the system is being attacked on a DNS server, the method of the present invention assigns a counter CPT that will transition according to curve 41 to the attacker's flow. For example, an average of 100 requests per second are transmitted in one second. The packet is decelerated by exp (100/15) = 785.77 ms. Therefore, during this period, the CPT increases by the value of δCPT, roughly between 50 and 100, since there are few packets to be retransmitted so far. Next, the delay applied to the packet that arrives in the second second is exp ((100 + δCPT) / 15) = exp (δCPT) * 785.77 ms >> 20 s.

  It is therefore understood that the applied period will be fast enough to be able to do a complete block (20s) and will continue to increase until reaching a limit fixed at the maximum value of CPT.

3) “Quasi-normal” case When the system is not attacked, it simply suffers a rapid and accurate increase in the number of requests. That is exactly the case when the user displays a number of html pages with as many as, for example, 40 URLs. In that case, the CPT will be temporarily removed from the “good operating” area. At maximum, a delay of exp (40/15) = 14.39 ms will be applied, which is not felt by the user viewing the html page in the browser. Furthermore, with such a value, CPT was extraordinary because the arrival of 40 packets could be restarted in the same second when it arrived, even though there was a delay of 14.39 ms. You cannot increase it. An “all or nothing” system will completely block traffic because it is out of the good working area (CPT <30). Conversely, the quality of service that the present invention provides is only marginally low (14.39 ms delay), which will diminish as the system returns to the “normal” mode of operation. .

  As a second embodiment, it is shown how the present invention is implemented in a local Proxy-RADIUS server in a protected network.

  Overall, the operation is similar to that already described in the implementation in the DNS service. In fact, the idea for limiting the impact of an attack on GSM authentication is to use the present invention at the break of GSM authentication transport. Therefore, the explanation will be more concise and GSM authentication will only be delayed for certain points.

  There are several reasons why proxy-RADIUS is the simplest arrangement of inspection systems.

  Regardless of the intended GSM operator (roaming), authentication passes through proxy-RADIUS.

  Modifications to the operator's GSM network are very heavy and can have a strong impact on GSM customers.

  The field used for the inspection mechanism will be included in the data of the EAP-SIM authentication mechanism. In fact, it is possible to know (in the form of user @ operator GSM) which operator is applying for EAP-SIM authentication. It is therefore possible to install the present invention at a hotspot location to protect all GSM operators from this type of attack that denies service rights.

  Next, the inspection mechanism is implemented within the normal framework of the present invention (see FIG. 3), thanks to the ability to limit the number of authentication applications by analyzing the behavior of authentication transport.

  It should be noted that the present invention can also be used to detect unauthorized use. In fact, the protocol in one embodiment of the present invention has a procedure for detecting flow transitions associated with the monitored flow characteristic of unauthorized use. This is especially true when the counter associated with the monitored flow passes a maximum value and then decreases rapidly towards zero flow. In such a case, the method of the present invention can issue such an unauthorized use warning. Such warning signals can take all measures, in particular, taking into account the history of the event, asking for the identity of those who have made such unauthorized use, and of such unauthorized users Communicate to the network administrator who will trigger all subsequent actions to reduce access.

Abbreviation DNS: Domain Name Service
EAP: Extensible Authentication Protocol
EAP-SIM: EAP-Subscriber Identity Module
GSM: Global System for Mobile Communications
ICMP: Internet Control Message Protocol
IP: Internet Protocol
NAI: Network Access Identifier
RADIUS: Remote Authentication Dial In User Service (Remote Authentication Dial-in User Service)
TCP: Transport Control Protocol (Transport Control Protocol)
UDP: User Datagram Protocol (protocol using datagram)
IDS: Intrusion Detection System (Unauthorized Intrusion Detection System)
IPS = Intrusion Prevention System (Unauthorized Intrusion Prevention System)
RFC: Request For Communication
HTTP: Hyper Text Transfer Protocol (Hypertext File Transfer Protocol)
FTP: File Transfer Protocol (file transfer protocol)
HTML: Hyper Text Mark-up Language (Hypertext Markup Language)

The sequence according to the protocol to be protected is shown. The time graph shows the case where the attack of the flow rate monitored by another protocol to be protected cannot be prevented and the case where the attack is prevented by the method of the present invention. The block diagram of the equipment which processes the flow monitored in this invention. 2 is a flow chart of a specific embodiment of the method according to the invention. The figure explaining various things which can be assumed in the 1st Example of this invention. The time graph explaining what can be assumed in the 2nd Example of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Applicant 2 Request 3 Authentication means 4 Reply 5 Authentication server 6 Authentication message 7 Authentication center 8 Flow rate 9 Flow rate 10 Uphill 12 Flow rate 13 Maximum value 15 Input interface 17 Output interface 16 Processor 21 Procedure 22 Procedure 23 Procedure 24 Test 25 Procedure 30 Local network 32 Router / firewall 33 Other network 34 Terminal 36 Prohibited 37 Route 38 Hacker DNS
39 ftp server 40 level 41 straight line 42 curve 43 curve

Claims (10)

  A method for detecting and preventing unauthorized use of several network protocols without impairing their legal use, characterized by applying a delay function f () to each packet for the flow of incoming data packets The detection and prevention method, wherein the delay function is insufficient to prevent legitimate use, but causes a delay sufficient to prevent unauthorized use.   Especially in the signing protocol, if the illegal use of the protocol with the name of private data transport exceeds the standard flow rate, it will effectively cut off the misused path without disturbing other flows 2. A method according to claim 1, characterized in that the delay is made to increase indefinitely and comprises selecting a delay function that increases with the flow rate of the monitored flow.   Detecting the arrival of a data packet (21), determining whether it belongs to the monitored flow (22), and if the determination result is negative, assigning a counter (CPT) to it The method according to claim 1, wherein the method comprises: After detecting the arrival of a data packet (21), a predetermined step of the counter (CPT _N ) associated with the monitored stream is incremented by one (25) and before the data packet is released to the output stream 4. The method according to claim 3, characterized in that the ongoing value of the counter is applied as an argument of the delay function.   The method according to claim 4, comprising selecting a delay function having a positive second derivative. The delay function is an exponential function according to the counter associated with the monitored flow according to the relation f (CPT _N ) = exp (α * CPT _N + β), where α ≧ 0. The method of claim 5. Since the maximum value CPTMAX _N that can be accepted for the monitored flow is determined, then it is determined whether the number of packets waiting for transmission exceeds the value CPTMAX _N, and depending on the response, the waiting packets are discarded. 7. A method according to any one of claims 3 to 6, characterized in that it consists of: 8. A method according to any one of claims 1 to 7, characterized in that for a DNS system it consists of automatically adapting when:
Normal operation: The user is not malicious and is using the system as expected, and the associated counter CPT maintains a value close to 0;
Abnormal behavior: The user is malicious, apparently in the middle of attacking the system, the delay applied to DNS packets is increasing, and the associated counter CPT is also increasing;
Semi-normal operation: The user is not malicious, but the system is operating on time slightly beyond the assumed limit, and the counter CPT remains at a moderate level.   Determining the fields used for the inspection mechanism included in the data of the EAP-SIM authentication mechanism, and then executing the inspection mechanism to limit the number of authentication requests by analyzing the behavior of the authentication transport and protecting The method according to any one of claims 1 to 7, characterized in that it is implemented with a Proxy-RADIUS server local to the target GSM network. 10. A method according to any one of claims 3 to 9, characterized in that it also comprises a procedure for detecting a transition of the flow rate associated with the monitored flow characteristic of unauthorized use and issuing such an unauthorized use alarm. The method described in 1.

Images