JP2019165493A - System and method for detecting and preventing network intrusion of malicious data flow - Google Patents

Abstract

To provide a system for detecting and preventing malicious data flow intrusion in an SDN (Software Defined Network).SOLUTION: A system 100 includes: at least one data storage or memory 101 for storing a flow state of data flow 103, share and update the flow state across the system; at least one shared state transfer element (FE102) for blocking, transferring, or replicating the received data flow on the basis of a comparison of the flow state of the data flow and/or data flow with a predetermined pattern; and at least one test element (IE104) for receiving the replicated data flow 105 and classifying whether the data flow is malicious or permitted. The IE changes the flow state of the data flow according to the classification result.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a system and method for detecting and preventing intrusion of malicious data flows into a network, and in particular, a protected area or protected service of a plurality of software defined networks (SDNs).

  One of the main components of organizational security is an intrusion detection system (IDS) and an intrusion prevention system (IPS). These two systems have a lot in common, for example, both to detect malicious attempts to attack private networks (protected areas) and “Low & Slow” Advanced Persistent Threats (APT). A pattern is used to detect this. As can be seen in FIG. 7, IDS is usually placed off-line and operates on replicated data streams. The IDS can analyze all packets and then report to a so-called “expert system” (eg, SIEM (Security Information and Event Management)), which can properly initiate active measures. The IPS can be deployed like a firewall and typically operates directly on the data path of the network. The IPS parses the packets, classifies the flows, and blocks or allows them. IPS can also be deployed like IDS, pulling in replicated data paths, and then utilizing the integration with firewalls to block flows classified as "malicious" Can do.

  Typically, IPS has added a “Fast Path” mechanism (usually implemented by a hardware-based forwarding element) to deal with the amount of data that IPS must analyze, and IPS has already classified ( Flows (either as “permitted” or “blocked”) can be left to the “Fast Path” mechanism. Regardless of whether "Fast Path" is used or not, if the IPS is placed on the circuit, the IPS creates a single point of failure (SPOF) in the organizational network, for example, the IPS is malfunctioning Sometimes it is necessary to implement an expensive high availability solution to ensure service continuity. Since the processing capability of a single IPS device is limited, it is usually configured to fail-open (ie, allow everything) if the IPS is overwhelmed by data traffic. However, placing the IPS out of the line pays the price of handling replicated network traffic (similar to a typical IDS) and close coordination with “running” network elements (eg firewalls). Can alleviate some of these problems with IPS on the line and, as a result, block malicious attacks on the main data path. Also, IPS outside the line reacts much more slowly to network attacks.

  In summary, off-line IDS and IPS, on the other hand, have some limitations. Detection time and response time are slow. The system also tends to be noisy, i.e. it generates a large amount of data that must be considered by a security expert. A system is typically a resource-intensive resource. Ultimately, custom coordination is needed to provide proactive protection.

  On the other hand, IPS within a line has its own restrictions within the line. First of all, changing the scale is very difficult. In addition, the IPS in the circuit requires dedicated hardware to handle the “Fast Path” of the classified traffic. As described above, it represents a SPOF that requires an expensive high availability model. Furthermore, the limited processing power of the IPS in the circuit leads to the “fail open” (ie, allow everything) in the traffic surge described above. Ultimately, the IPS silo data model that is typically used limits information sharing with other IT assets, and consequently hinders the ability to detect APT.

  In view of the above problems and drawbacks, the present invention aims to improve conventional IDS and IPS. From a security perspective, an object of the present invention is to provide a system and method that can immediately block malicious traffic across the network. Furthermore, better APT detection and mitigation capabilities should be achieved. The present invention also aims to remove SPOF from the network. From an efficiency standpoint, it is an object of the present invention to provide a system and method that eliminates intrusion detection from the data path without compromising the ability to detect, inspect, and block malicious traffic. A general purpose is to reduce the load of intrusion detection and prevention, for example, only by monitoring suspicious traffic. Also, collaboration across vendors should not be required, and overall costs should be reduced.

  The above object of the invention is achieved by a solution provided in the attached independent claims. Advantageous embodiments of the invention are further defined in the dependent claims.

  A first aspect of the present invention is to store at least one data storage or memory configured to store a flow state of a data flow and share and update the flow state across the system; and Receives the replicated data flow with at least one shared state transfer element (FE) configured to block, forward, or replicate the received data flow based on a comparison of the data flow with a predetermined pattern And at least one test element (IE) configured to classify whether the data flow is malicious or allowed, and the IE changes the flow state of the data flow according to the classification result SDN is configured to detect and prevent malicious data flow intrusion in SDN. Provides a stem.

  The invention according to the first aspect shares the flow state of the data flow, and preferably additional metadata, across the system, i.e. in particular between individual FEs, IEs and possibly service applications. To implement a mechanism. As a result, the system can react immediately to suspected or detected threats, that is, at least much faster than conventional systems. For example, at least one FE can immediately block a suspicious data flow if the FE classifies the suspicious data flow as malicious and updates the flow state of the suspicious data flow accordingly. Flow state sharing can be conveniently performed via distributed connection tracking (DCT), which is a network of information such as network state and flow state across specific SDNs, systems. Implementation of sharing.

  By sending only a duplicate of the suspicious data flow to at least one IE, intrusion detection is removed from the legitimate path without compromising the ability to detect, inspect and block malicious traffic. The burden of intrusion detection and prevention is greatly reduced by only sending suspicious data flows to IE and by further using predetermined patterns and shared flow states at the FE.

  In a first implementation form of the system according to the first aspect, the FE is when the flow state of the data flow is “permitted” and / or when the data flow matches a predetermined permitted traffic pattern Forwards received data flow packets and is received if the flow state of the data flow is “block” and / or if the data flow matches a predetermined malicious traffic pattern. If the data flow's flow state is “suspicious” and / or the data flow matches a given suspicious traffic pattern, the received data flow packet is duplicated. Is configured to do.

  In response, the at least one FE can process the data flow based on the shared flow state on the one hand and on the other hand on the predetermined pattern. Accordingly, the overall efficiency of the system is increased and at the same time the IE load is reduced. The system can react quickly to any changes or updates in the flow state. Furthermore, the system is sufficiently scalable.

  In a second implementation form of the system according to the first aspect itself or according to the first implementation form of the first aspect, the FE is provided that the received data flow is at least one data storage or Determine if it already has a flow state stored in memory, and if the received data flow has a stored flow state, the flow state of the data flow, or the received data flow However, if it does not have a stored flow state, it is configured to block, forward, or duplicate the data flow based on a comparison between the data flow and a predetermined pattern.

  Thus, when there is a shared flow state, the comparison with a predetermined pattern can be omitted, resulting in faster traffic processing. In this case, there is no load on IE.

  In a third implementation form of the system according to the first aspect itself or according to any previous implementation form of the first aspect, the FE `` blocks the flow state of the data flow '' When set or updated, the data flow packet is immediately blocked.

  As a result, the system can react very quickly and efficiently to detect threats, increasing the security of the network in which the system resides.

  In a fourth implementation form of the system according to the first aspect itself or according to any of the previous implementation forms of the first aspect, the FE has a predetermined suspicious traffic pattern and If there is a match, it is configured to set or update the flow state of the data flow to “suspicious” and to replicate the data flow to IE for classification.

  In response, only suspicious data flows are sent to IE for classification. As a result, the load of intrusion detection and prevention is greatly reduced.

  In a fifth implementation form of the system according to the first aspect itself or according to any previous implementation form of the first aspect, the FE is able to determine the flow state of any received data flow. It is configured to change to “suspicious”.

  Accordingly, the data flow can be rechecked. This improves overcoming specific APTs that randomize their attack vectors.

  In a sixth implementation form of the system according to the fourth or fifth implementation form of the first aspect, the FE is a packet of data flow that matches a predetermined suspicious traffic pattern until classification by the IE is complete. Depending on the result of the classification, the packet is then blocked or forwarded normally.

  This option increases the security of protected areas or services of the network.

  In the seventh implementation form of the system according to the fourth or fifth implementation form of the first aspect, the FE duplicates the IE and the predetermined suspicious until the classification by the IE is complete It is configured to normally transmit a packet of data flow that matches the traffic pattern and then block the packet or continue forwarding normally depending on the result of the classification.

  This option increases traffic efficiency by maintaining the flow of traffic without interruption.

  In an eighth implementation form of the system according to the first aspect itself or according to any previous implementation form of the first aspect, the FE is a predetermined period, regardless of the result of the classification, It is configured to leave the flow state of the data flow “suspicious”.

  This allows IE to specifically detect “low & slow” attacks, ie increase the security of the system against APT.

  In the ninth implementation form of the system according to the first aspect itself or according to any previous implementation form of the first aspect, the IE “ends” the flow state of the replicated data flow. And the FE is configured to stop replicating the data flow to the IE if the IE changes the slow state to “end”.

  As a result, duplication of suspicious data flows can be stopped immediately, thereby avoiding unnecessary resource consumption.

  In the tenth implementation form of the system according to the first aspect itself or according to any previous implementation form of the first aspect, the FE is data that has been previously classified as a permit. The flow packet is configured to bypass IE.

  Correspondingly, the load of intrusion detection and intrusion prevention can be greatly reduced.

  In an eleventh implementation form of the system according to the first aspect itself or according to any implementation form of the first aspect, the at least one data storage or memory is data flow metadata. And FE is configured to block, forward, or replicate the received data flow based on the flow state and metadata of the data flow. ing.

  If additional metadata is shared, intrusion detection and prevention in the system becomes even more accurate and efficient.

  In a twelfth implementation form of the system according to the first aspect itself or according to any implementation form of the first aspect, the FE is connected to an SDN controller, and the SDN controller is The FE is configured to supply a predetermined pattern.

  This implementation allows an easy and flexible configuration of at least one FE. As a result of this, the system can be customized and is also fully extensible.

  The second aspect of the present invention includes a step of storing a flow state of a data flow, sharing and updating the flow state over a software defined network (SDN), a flow state of the data flow, and / or a data flow and a predetermined pattern. Block, forward, or duplicate the received data flow, classify whether the duplicated data flow is malicious or allowed, and depending on the classification result A method for detecting and preventing malicious data flow intrusion in an SDN is provided that includes changing a flow state of the data flow.

  In a first implementation form of the method according to the second aspect, the FE is when the flow state of the data flow is “permitted” and / or the data flow matches a predetermined permitted traffic pattern Forwards received data flow packets and is received if the flow state of the data flow is “block” and / or if the data flow matches a predetermined malicious traffic pattern. If the data flow's flow state is “suspicious” and / or the data flow matches a given suspicious traffic pattern, the received data flow packet is duplicated. Is configured to do.

  In a second implementation form of the method according to the second aspect itself or according to the first implementation form of the second aspect, the FE is provided that the received data flow is at least one data storage or Determine if it already has a flow state stored in memory, and if the received data flow has a stored flow state, the flow state of the data flow, or the received data flow However, if it does not have a stored flow state, it is configured to block, forward, or duplicate the data flow based on a comparison between the data flow and a predetermined pattern.

  In a third implementation form of the method according to the second aspect itself or according to any implementation form of the second aspect, the FE `` blocks the flow state of the data flow '' When set or updated, the data flow packet is immediately blocked.

  In a fourth implementation form of the method according to the second aspect itself or according to any previous implementation form of the second aspect, the FE has a data flow with a predetermined suspicious traffic pattern. If there is a match, it is configured to set or update the flow state of the data flow to “suspicious” and to replicate the data flow to IE for classification.

  In a fifth implementation form of the method according to the second aspect itself or according to any previous implementation form of the second aspect, the FEs can determine the flow state of any received data flow. It is configured to change to “suspicious”.

  In a sixth implementation form of the method according to the fourth or fifth implementation form of the second aspect, the FE is a packet of data flow that matches a predetermined suspicious traffic pattern until classification by the IE is complete. Depending on the result of the classification, the packet is then blocked or forwarded normally.

  In the seventh implementation form of the method according to the fourth or fifth implementation form of the second aspect, the FE duplicates the IE and the predetermined suspicious until the classification by the IE is complete It is configured to normally transmit a packet of data flow that matches the traffic pattern and then block the packet or continue forwarding normally depending on the result of the classification.

  In an eighth implementation form of the method according to the second aspect itself or according to any implementation form of the second aspect, the FE is a predetermined period, regardless of the result of the classification, It is configured to leave the flow state of the data flow “suspicious”.

  In the ninth implementation form of the method according to the second aspect itself or according to any previous implementation form of the second aspect, IE “ends” the flow state of the replicated data flow. And the FE is configured to stop replicating the data flow to the IE if the IE changes the slow state to “end”.

  In the tenth implementation form of the method according to the second aspect itself or according to any previous implementation form of the second aspect, the FE is data that has been previously classified as a permit. The flow packet is configured to bypass IE.

  In an eleventh implementation form of the method according to the second aspect itself or according to any previous implementation form of the second aspect, the at least one data storage or memory is data flow metadata. And FE is configured to block, forward, or replicate the received data flow based on the flow state and metadata of the data flow. ing.

  In a twelfth implementation form of the method according to the second aspect itself or according to any previous implementation form of the second aspect, the FE is connected to an SDN controller, and the SDN controller is The FE is configured to supply a predetermined pattern.

  The method of the second aspect itself and its implementation achieve the same advantages as the system of the first aspect itself and its implementation, respectively.

  A third aspect of the present invention relates to a software defined network (SDN) according to the second aspect itself or according to any implementation form of the second aspect when executed on an arithmetic device. Provides a computer program product that implements a method for detecting and preventing network intrusion of malicious data flows.

  With the computer program product of the third aspect, all the advantages of the method of the second aspect and its implementation are achieved.

  It should be noted that all devices, elements, units and means described in this application may be implemented with software or hardware elements or any kind of combination thereof. All steps performed by the various entities described in this application, and the functions described as being performed by the various entities, are adapted to each entity performing its respective steps and functions. Or configured to execute. In the following description of a specific embodiment, a particular function or step that is to be formed entirely by a permanent entity is reflected in the description of a particular detailed element of that entity that performs that particular step or function. Even if not, it should be apparent to those skilled in the art that these methods and functions may be implemented by respective software or hardware elements, or any kind of combination thereof.

  The above aspects and implementations of the present invention will be described in the following description of specific embodiments in conjunction with the accompanying drawings.

1 illustrates a system according to an embodiment of the present invention. 1 illustrates a system according to an embodiment of the present invention. 1 shows components of a system according to an embodiment of the present invention. 1 illustrates a system according to an embodiment of the present invention. 1 illustrates a system according to an embodiment of the present invention. 1 illustrates a method according to an embodiment of the invention. The IPS / IDS system related to the technical level is shown.

  FIG. 1 shows a system 100 according to one embodiment of the present invention. System 100 can detect and prevent malicious data flow intrusions in SDN. In particular, the system 100 can prevent malicious data flows from entering the protected areas and services of the network.

  System 100 includes at least one data storage or memory 101 for storing flow states of data flows and for sharing and updating flow states across system 100. Data storage or memory 101 is preferably a high-speed, low-latency distributed memory (such as a distributed memory database or similar technology) and its distribution, preferably by system entities, to share flow state across system 100 A flow state can be written to the memory, and the flow state can be read from the distributed memory. In response, a shared flow state is provided across the system 100, allowing the system 100 to have a quick reaction time to a threat. Preferably, the data storage or memory 101 is also configured to store metadata for the data flow and share and update the metadata across the system 100 in the same manner as the flow state.

  The system 100 is configured to block, forward, or duplicate the received data flow 103 based on the flow state of the data flow and / or based on a comparison of the data flow with a predetermined pattern, It further has at least one shared state FE 102. Preferably, the predetermined pattern may be stored in the FE 102 or in the data storage or memory 101. Preferably, the FE 102 can be connected to an SDN controller, and the SDN controller can provide predetermined data to the FE 102.

  The FE 102 can obtain the flow state of the received data flow 103 from the data storage or memory 101. For example, the FE 102 can query the data storage or memory 101 for the corresponding flow state. However, preferably the data storage or memory 101 actively distributes the latest flow state of the flow of data to all FEs 102. At least one FE 102 may block, forward, or duplicate the received data flow 103 based on the flow state of the data flow and such metadata if additional metadata is also shared across the system 100. Can be specifically configured.

  System 100 further includes at least one IE 104 configured to receive replicated data flow 105 from at least one FE 102 and to classify whether the data flow is malicious or allowed. . The IE 104 is configured to change the flow state of the data flow according to the classification result. That is, IE 104 can access data storage or memory 101 to update the flow state of the classified data flow. The updated flow state can then be shared across the system 100 to ensure that the latest flow state is available on each of the at least one FE 102. As a result of this, the system 100 can react immediately to detected threats.

  FIG. 2 shows an embodiment according to the invention and is based on the embodiment represented in FIG. As shown in FIG. 1, the system 100 includes at least one FE 102, at least one data storage or memory 101, and at least one IE 104. Here, the FE 102 is, for example, a core router. FIG. 2 also shows two network endpoints: a client 201 and a protected service 202 (or protected area) of the network.

  As shown in the table of FIG. 2, the network endpoint 201 may generate and / or receive a network data flow, and the generated and / or received data flow is at least as a data flow 103 on a regular data path. It can be transferred to one FE102. Accordingly, at least one FE 102 is provided on the data path from the client 201 to the protected service 202. As shown in FIG. 2, the FE may implement the function of a “shared state transfer element”, that is, the FE can transfer the data flow, and the flow state of the data flow is transferred to other network elements and / or Can be shared with service applications. At least one IE 104 may implement “shared state service application” and “state sharing” functionality, ie, function as a service application that shares network state and flow state with other network elements and service applications. . At least one data storage or memory 101 may also implement “state sharing” functionality, ie, network state and flow state may be shared with other network elements and service applications.

  In FIG. 2, when network packets arrive at a client 201 (eg, gateway router, firewall, etc.), these network packets may be forwarded as data flow 103 to at least one FE 102. The network packet of data flow 103 can be associated with one of the following groups: The “new and authorized” or arriving network packet is the first packet of a new data flow 103 that matches a predetermined authorized traffic pattern. A “new and malicious” or arriving network packet is the first packet of a new data flow 103 that matches a predetermined blocked traffic pattern. A “new and suspicious” or arriving network packet is the first packet of a new data flow 103 that does not match a predetermined pattern or matches a predetermined suspicious traffic pattern. An “intermediate and suspicious” or arriving network packet is a packet that has advanced beyond the suspicious data flow 103. An “intermediate and authorized” or arriving network packet is a packet that has advanced beyond the authorized data flow 103. An “intermediate and malicious”, ie arriving network packet, is a packet that has advanced beyond the malicious data flow 103. At least one FE 102 can determine to which group the arriving network packet belongs, for example, by comparing the data flow 103 with a predetermined pattern.

  However, the FE 102 may also be provided with a shared flow state of the data flow via at least one data storage or memory 101 or directly from the IE 104 via a “state sharing” function. That is, the FE 102 can also determine the type of network packet that has arrived based on the shared flow state. Preferably, the FE 102 determines whether the received data flow 103 already has a flow state stored in at least one data storage or memory 101, and the received data flow is stored in the stored flow. If so, the data flow is configured to block, forward, or duplicate based only on the flow state of the data flow. Alternatively, the FE 102 preferably routes the data flow 103 based solely on the comparison of the data flow with a predetermined pattern if the received data flow 103 does not have a stored flow state. Configured to block, forward, or duplicate.

  Preferably, the FE 102 receives the received data flow 103 if the shared flow state of the data flow is “permitted” and / or if the data flow matches a predetermined permitted traffic pattern. Configured to forward network packets (to the protected service 202). Alternatively, the FE 102 may use the data flow packet if the shared flow state of the data flow is “block” and / or if the data flow matches a predetermined malicious traffic pattern. Configured to block. Alternatively, FE102 may (IE104) if the flow state of the data flow is “suspicious” and / or if the data flow matches or does not match the predetermined suspicious traffic pattern. Configured to replicate data flow packets). In response, FE102 directs suspicious data flow packets to IE104, bypasses IE104 for packets belonging to authorized dataflow 103, and completely blocks malicious dataflow 103 packets. Configured. As a result, the load on the IE 104 can be minimized.

  Only duplicated packets of suspicious data flow 103 are forwarded to IE 104 for further examination. In particular, the inspection of suspicious traffic may be performed by at least one IE 104 that implements the functionality of a “shared state service application”. The IE 104 may further use a DCT mechanism to change the flow state of the data flow in at least one data storage or memory 101 (eg, from “grant” to “block”). The changed flow state is then shared. Processing of the data flow packet is then performed by the FE 102 configured to react to a change in the flow state of the data flow in the data storage or memory 101 (eg, to “block”).

  FIG. 3 shows possible components for one embodiment using a DCT mechanism. The FE 102 may be included in the first network node (Node A). Node A may also include a kernel 301 with a connection tracking module 302 configured to perform connection tracking for at least one network packet belonging to the received data flow. At least one data storage and memory 101 may also be provided at node A and configured to store connection tracking data obtained by at least one connection tracking module 302. Specifically, the flow state can be part of connection tracking data. Preferably, metadata can also be included in the connection tracking data. Stored connection tracking data is shared across the system 100. The functionality of the “shared state service application” of the IE 104 may be included in another network node (Node B). The IE 104 is configured to update the connection tracking data stored in the data storage or memory 101, specifically the flow state, based on the result of the suspicious data flow classification. The patent applications PCT / EP2015 / 070160 and PCT / EP2015 / 079117 provide further details regarding the DCT mechanism. Specifically, DCT is described in PCT / EP2015 / 070160 and can be used here to share flow state and metadata between FE 102 and IE 104. Also, a “common application layer using DCT” is described in PCT / EP2015 / 079117, and can be used here to perform suspicious packet flow guidance to the IE 104.

  FIG. 4 shows an embodiment of the present invention based on the previous embodiment of FIGS. 1 and 2 and also suitable for DCT implementation. The data flow 103 (1) of arriving network packets may include new and intermediate packets as described above. At least one FE 102 (2) blocks, permits (normally forwards to protected area 202), or permits and IE 104 based on shared flow state and / or predetermined pattern Duplicate. A data flow that matches (3) and is blocked as a result is discarded by the FE. The data flow that matches and is allowed as a result is normally forwarded to the protected area 202 or service (4). Suspicious data flows are consequently replicated to IE 104 for classification (5). In this case, the FE 102 may be configured to defer the transfer of a packet with a suspicious data flow until classification by the IE 104 is complete. Alternatively, FE 102 may be configured to normally forward packets of suspicious data flow to protected region 2β03 until classification by IE 104 is complete.

  IE 104 receives the replicated data flow 105 for further classification (6). When the IE 104 determines whether the data flow is malicious or not, the flow state of the data flow in the data storage and / or memory 101 is described in detail, in particular the DCT mechanism (PCT / EP2015 / 070160 and PCT / EP2015 As implemented by / 079117. See also Figure 3). Further, preferably, the IE 104 cancels the data flow duplication operation. That is, preferably the IE 104 is configured to change the flow state of the replicated data flow 105 to “finished”, and then preferably the FE 102 stops replicating the data flow to the IE 104. Configured.

  At the time when the flow state of the data flow is changed, at least one FE 102 is updated accordingly, and for the data flow set to “block”, the block is executed. Preferably, the FE 102 blocks a data flow packet immediately (ie, already starting with the next data packet in the data flow) when the IE 104 sets or updates the flow state of the data flow to “block”. Configured to do.

  FIG. 5 illustrates one embodiment of the present invention based on the embodiment of FIGS. 1 and 2, and illustrates some important points. As shown in FIGS. 1 and 2, the system 100 includes at least one FE 102, at least one data storage or memory 101, and at least one IE 104. As in FIG. 2, the system 100 may include a client 201 and a protected service 202 or region.

  Traffic from the client 201 (ie, data flow) destined for the protected service 202 arrives at the FE 102. FE102 creates a new data flow named “F1” in the table of FIG. 5 and having a flow status of “new”, for example, in data storage or memory 101 (eg, implemented by DCT) Can do. IE104 may actively suspect that the data flow “F1” is malicious and may update the status of “F1” in the data storage or memory 101 to “suspicious” with a “duplicate” action it can. In response, FE102 is updated for data flow “F1” via data storage or memory 101 with the flow status “suspect” and as a result sent to at least one IE 104 as “F1R” A duplication operation is performed to replay the duplicated data flow labeled, ie, the packet flow duplicate between the client 201 and the protected service 202. On the other hand, at least one FE 102 may continue to forward the data flow “F1” normally to the protected service 202.

  The IE 104 can receive the replicated data flow 105 and, for example, can classify the data flow after several packets. The IE 104 then updates the flow state of “F1” in the data storage or memory 101 to “malicious” with an operation “block”, for example. The IE 104 can then update the flow state of “F1R” in the data storage or memory 101 to “finished”, thereby stopping replication. In response, FE102 updates data flow “F1” via data storage or memory 101 with flow state “block” and immediately blocks that data flow “F1” and data flow “F1R” Is updated to the flow state “Release” and replication of this data flow is immediately stopped.

  In the scenario described in FIG. 5, the malicious data flow is blocked from entering the organization, ie protected service 202, as soon as it is so classified. Data flow classification is performed "just in time" and in "just the time needed" without placing any additional elements in the network data path.

  At the moment when the flow state is updated by the IE 104, for example due to the shared flow state state characteristics shared via the DCT mechanism, for example, when a data flow needs to be blocked, , Implemented immediately by all FEs 102 of system 100, ie, across the network in which system 100 resides (switches, routers, load balancers, etc.). Since the IE 104 is located outside the critical data path to the protected area 202, the processing is simplified, the availability is high, and it can be easily expanded.

  The above-described embodiments in FIGS. 1-5 can be provided with additional functionality. For example, the processing of allowed and blocked data flows can be optimized by bypassing IE 104 for already classified data flows. Specifically, the FE 102 may be configured to bypass the IE 104 for data flow packets that have been previously classified as grants.

  The FE102 can also be connected to an SDN controller, which uses OpenFlow rules as a predetermined pattern that should match the network data flow to perform “permit”, “block” and “duplicate” operations (Or OpFlex, or the like) can be used to implement. That is, the SDN controller is configured to provide the FE 102 with a predetermined pattern.

  FE102 directs the data flow of suspicious traffic towards IE 104, classification of the data flow is performed, and then the data flow is blocked or until it is directed directly to its destination bypassing IE 104 It can also be configured to temporarily place the data flow in the line. Alternatively, the traffic is classified and then the network packet flow remains blocked or allowed, and traffic is normally forwarded to its destination until replication for IE 104 is released. While being done, FE 102 may initiate duplication of the suspicious data flow and direct that duplication towards IE 104. In other words, FE102 either defers the transfer of data flow packets that match a given suspicious traffic pattern, or replicates data flow packets that match a given suspicious traffic pattern to IE104 until classification by IE104 is complete. And configured to forward normally.

  A data flow suspected of being APT can be handled by leaving it “suspicious” for an extended period of time and allowing IE 104 to detect “low & slow” attacks. To this end, the FE 102 may be configured to leave the flow state of the data flow “suspect” for a predetermined period regardless of the classification result.

  The allowed data flow may be randomly (or periodically) entered into a “suspicious” flow state, eg for re-examination and to overcome some APT that randomizes its attack vector Is possible. To this end, at least one FE 102 may be configured to change the flow state of any received data flow to “suspicious”.

  FIG. 6 illustrates a method 600 according to one embodiment of the present invention. The method 600 may be performed to detect and prevent malicious data flow intrusions in the SDN. In a first step 601, the flow state of the data flow is stored and shared and updated across the SDN. In a second step 602, the received data flow is blocked, forwarded, or replicated based on the flow state of the data flow and / or the comparison of the data flow with a predetermined pattern. Then, in a third step 603, the replicated data flow is classified as malicious or allowed. Finally, in the fourth step 604, the flow state of the data flow is changed according to the classification result. The method 600 can of course be extended with additional and detailed method steps according to the description of the functionality of the system 100 above.

  In summary, according to embodiments of the present invention, IPS is removed from the data path without compromising IPS 'ability to detect, inspect and block malicious traffic. Also, the IPS is removed from the network as a SPOF, and the load on the IPS is reduced to include only valid suspicious data flows, while all already classified data flows are not transferred to the IPS. Malicious data flow blocks occur instantaneously across the system and thus across the network in which the system resides. It also does not require cross-vendor collaboration to implement IPS block and data flow replication mechanisms.

  The present invention has been described in conjunction with various embodiments as examples and implementations. However, other variations can be understood and attained by those skilled in the art based on a study of the drawings, the present disclosure and the independent claims, and by practicing the claimed invention. In the claims and in the description, the word “comprising” does not exclude other elements or steps, and the indefinite article “a” or “an” does not exclude a plurality. A single element or other unit may fulfill the functions of several entities or items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measured cannot be used in advantageous embodiments.

100 system
101 Data storage or memory
102 FE
103 Data flow
104 IE
105 Replicated data flow
201 clients
202 Protected services
301 kernel
302 Connection tracking module
600 methods
601 1st step
602 second step
603 3rd step
604 Fourth Step

Cross-reference of related applications
This application is a continuation of International Application No. PCT / EP2016 / 064422 filed on June 22, 2016, the entirety of which is incorporated herein by reference.
The present disclosure relates to a system and method for detecting and preventing malicious data flow intrusion into a network, and in particular, a protected area or protected service of multiple software defined networks (SDNs).

  One of the main components of organizational security is an intrusion detection system (IDS) and an intrusion prevention system (IPS). These two systems have a lot in common, for example, both to detect malicious attempts to attack private networks (protected areas) and “Low & Slow” Advanced Persistent Threats (APT). A pattern is used to detect this. As can be seen in FIG. 7, IDS is usually placed off-line and operates on replicated data streams. The IDS can analyze all packets and then report to a so-called “expert system” (eg, SIEM (Security Information and Event Management)), which can properly initiate active measures. The IPS can be deployed like a firewall and typically operates directly on the data path of the network. The IPS parses the packets, classifies the flows, and blocks or allows them. IPS can also be deployed like IDS, pulling in replicated data paths, and then utilizing the integration with firewalls to block flows classified as "malicious" Can do.

  Typically, IPS has added a “Fast Path” mechanism (usually implemented by a hardware-based forwarding element) to deal with the amount of data that IPS must analyze, and IPS has already classified ( Flows (either as “permitted” or “blocked”) can be left to the “Fast Path” mechanism. Regardless of whether "Fast Path" is used or not, if the IPS is placed on the circuit, the IPS creates a single point of failure (SPOF) in the organizational network, for example, the IPS is malfunctioning Sometimes it is necessary to implement an expensive high availability solution to ensure service continuity. Since the processing capability of a single IPS device is limited, it is usually configured to fail-open (ie, allow everything) if the IPS is overwhelmed by data traffic. However, placing the IPS out of the line pays the price of handling replicated network traffic (similar to a typical IDS) and close coordination with “running” network elements (eg firewalls). Can alleviate some of these problems with IPS on the line and, as a result, block malicious attacks on the main data path. Also, IPS outside the line reacts much more slowly to network attacks.

  In summary, off-line IDS and IPS, on the other hand, have some limitations. Detection time and response time are slow. The system also tends to be noisy, i.e. it generates a large amount of data that must be considered by a security expert. A system is typically a resource-intensive resource. Ultimately, custom coordination is needed to provide proactive protection.

  On the other hand, IPS within a line has its own restrictions within the line. First of all, changing the scale is very difficult. In addition, the IPS in the circuit requires dedicated hardware to handle the “Fast Path” of the classified traffic. As described above, it represents a SPOF that requires an expensive high availability model. Furthermore, the limited processing power of the IPS in the circuit leads to the “fail open” (ie, allow everything) in the traffic surge described above. Ultimately, the IPS silo data model that is typically used limits information sharing with other IT assets, and consequently hinders the ability to detect APT.

In view of the above problems and disadvantages, the present disclosure aims to improve conventional IDS and IPS. From a security point of view, the purpose of this disclosure is to provide a system and method that can immediately block malicious traffic across the network. Furthermore, better APT detection and mitigation capabilities should be achieved. The present disclosure is also aimed at removing the SPOF from the network. It is an object of this disclosure to provide a system and method that eliminates intrusion detection from the data path without compromising the ability to detect, inspect, and block malicious traffic from an efficiency perspective. A general purpose is to reduce the load of intrusion detection and prevention, for example, only by monitoring suspicious traffic. Also, collaboration across vendors should not be required, and overall costs should be reduced.

The objects of the present disclosure as described above are achieved by the solution provided in the attached independent claims. Useful embodiments of the present disclosure are further defined in the dependent claims.

A first aspect of the present disclosure includes at least one data storage or memory configured to store a flow state of a data flow and share and update the flow state across the system; and a flow state of the data flow; and / or Receives the replicated data flow with at least one shared state transfer element (FE) configured to block, forward, or replicate the received data flow based on a comparison of the data flow with a predetermined pattern And at least one test element (IE) configured to classify whether the data flow is malicious or allowed, and the IE changes the flow state of the data flow according to the classification result SDN is configured to detect and prevent malicious data flow intrusion in SDN. Provides a stem.

The present disclosure according to the first aspect shares the flow state of data flow, and preferably additional metadata, across the system, i.e., in particular, between individual FEs, IEs, and possibly service applications. To implement a mechanism. As a result, the system can react immediately to suspected or detected threats, that is, at least much faster than conventional systems. For example, at least one FE can immediately block a suspicious data flow if the FE classifies the suspicious data flow as malicious and updates the flow state of the suspicious data flow accordingly. Flow state sharing can be conveniently performed via distributed connection tracking (DCT), which is a network of information such as network state and flow state across specific SDNs, systems. Implementation of sharing.

  By sending only a duplicate of the suspicious data flow to at least one IE, intrusion detection is removed from the legitimate path without compromising the ability to detect, inspect and block malicious traffic. The burden of intrusion detection and prevention is greatly reduced by only sending suspicious data flows to IE and by further using predetermined patterns and shared flow states at the FE.

  In a first implementation form of the system according to the first aspect, the FE is when the flow state of the data flow is “permitted” and / or when the data flow matches a predetermined permitted traffic pattern Forwards received data flow packets and is received if the flow state of the data flow is “block” and / or if the data flow matches a predetermined malicious traffic pattern. If the data flow's flow state is “suspicious” and / or the data flow matches a given suspicious traffic pattern, the received data flow packet is duplicated. Is configured to do.

  In response, the at least one FE can process the data flow based on the shared flow state on the one hand and on the other hand on the predetermined pattern. Accordingly, the overall efficiency of the system is increased and at the same time the IE load is reduced. The system can react quickly to any changes or updates in the flow state. Furthermore, the system is sufficiently scalable.

  In a second implementation form of the system according to the first aspect itself or according to the first implementation form of the first aspect, the FE is provided that the received data flow is at least one data storage or Determine if it already has a flow state stored in memory, and if the received data flow has a stored flow state, the flow state of the data flow, or the received data flow However, if it does not have a stored flow state, it is configured to block, forward, or duplicate the data flow based on a comparison between the data flow and a predetermined pattern.

  Thus, when there is a shared flow state, the comparison with a predetermined pattern can be omitted, resulting in faster traffic processing. In this case, there is no load on IE.

  In a third implementation form of the system according to the first aspect itself or according to any previous implementation form of the first aspect, the FE `` blocks the flow state of the data flow '' When set or updated, the data flow packet is immediately blocked.

  As a result, the system can react very quickly and efficiently to detect threats, increasing the security of the network in which the system resides.

  In a fourth implementation form of the system according to the first aspect itself or according to any of the previous implementation forms of the first aspect, the FE has a predetermined suspicious traffic pattern and If there is a match, it is configured to set or update the flow state of the data flow to “suspicious” and to replicate the data flow to IE for classification.

  In response, only suspicious data flows are sent to IE for classification. As a result, the load of intrusion detection and prevention is greatly reduced.

  In a fifth implementation form of the system according to the first aspect itself or according to any previous implementation form of the first aspect, the FE is able to determine the flow state of any received data flow. It is configured to change to “suspicious”.

  Accordingly, the data flow can be rechecked. This improves overcoming specific APTs that randomize their attack vectors.

  In a sixth implementation form of the system according to the fourth or fifth implementation form of the first aspect, the FE is a packet of data flow that matches a predetermined suspicious traffic pattern until classification by the IE is complete. Depending on the result of the classification, the packet is then blocked or forwarded normally.

  This option increases the security of protected areas or services of the network.

  In the seventh implementation form of the system according to the fourth or fifth implementation form of the first aspect, the FE duplicates the IE and the predetermined suspicious until the classification by the IE is complete It is configured to normally transmit a packet of data flow that matches the traffic pattern and then block the packet or continue forwarding normally depending on the result of the classification.

  This option increases traffic efficiency by maintaining the flow of traffic without interruption.

  In an eighth implementation form of the system according to the first aspect itself or according to any previous implementation form of the first aspect, the FE is a predetermined period, regardless of the result of the classification, It is configured to leave the flow state of the data flow “suspicious”.

  This allows IE to specifically detect “low & slow” attacks, ie increase the security of the system against APT.

  In the ninth implementation form of the system according to the first aspect itself or according to any previous implementation form of the first aspect, the IE “ends” the flow state of the replicated data flow. And the FE is configured to stop replicating the data flow to the IE if the IE changes the slow state to “end”.

  As a result, duplication of suspicious data flows can be stopped immediately, thereby avoiding unnecessary resource consumption.

  In the tenth implementation form of the system according to the first aspect itself or according to any previous implementation form of the first aspect, the FE is data that has been previously classified as a permit. The flow packet is configured to bypass IE.

  Correspondingly, the load of intrusion detection and intrusion prevention can be greatly reduced.

  In an eleventh implementation form of the system according to the first aspect itself or according to any implementation form of the first aspect, the at least one data storage or memory is data flow metadata. And FE is configured to block, forward, or replicate the received data flow based on the flow state and metadata of the data flow. ing.

  If additional metadata is shared, intrusion detection and prevention in the system becomes even more accurate and efficient.

  In a twelfth implementation form of the system according to the first aspect itself or according to any implementation form of the first aspect, the FE is connected to an SDN controller, and the SDN controller is The FE is configured to supply a predetermined pattern.

  This implementation allows an easy and flexible configuration of at least one FE. As a result of this, the system can be customized and is also fully extensible.

A second aspect of the present disclosure includes a step of storing a flow state of a data flow, sharing and updating the flow state over a software defined network (SDN), a flow state of the data flow, and / or a data flow and a predetermined pattern Block, forward, or duplicate the received data flow, classify whether the duplicated data flow is malicious or allowed, and depending on the classification result A method for detecting and preventing malicious data flow intrusion in an SDN is provided that includes changing a flow state of the data flow.

  In a first implementation form of the method according to the second aspect, the FE is when the flow state of the data flow is “permitted” and / or the data flow matches a predetermined permitted traffic pattern Forwards received data flow packets and is received if the flow state of the data flow is “block” and / or if the data flow matches a predetermined malicious traffic pattern. If the data flow's flow state is “suspicious” and / or the data flow matches a given suspicious traffic pattern, the received data flow packet is duplicated. Is configured to do.

  In a second implementation form of the method according to the second aspect itself or according to the first implementation form of the second aspect, the FE is provided that the received data flow is at least one data storage or Determine if it already has a flow state stored in memory, and if the received data flow has a stored flow state, the flow state of the data flow, or the received data flow However, if it does not have a stored flow state, it is configured to block, forward, or duplicate the data flow based on a comparison between the data flow and a predetermined pattern.

  In a third implementation form of the method according to the second aspect itself or according to any implementation form of the second aspect, the FE `` blocks the flow state of the data flow '' When set or updated, the data flow packet is immediately blocked.

  In a fourth implementation form of the method according to the second aspect itself or according to any previous implementation form of the second aspect, the FE has a data flow with a predetermined suspicious traffic pattern. If there is a match, it is configured to set or update the flow state of the data flow to “suspicious” and to replicate the data flow to IE for classification.

  In a fifth implementation form of the method according to the second aspect itself or according to any previous implementation form of the second aspect, the FEs can determine the flow state of any received data flow. It is configured to change to “suspicious”.

  In a sixth implementation form of the method according to the fourth or fifth implementation form of the second aspect, the FE is a packet of data flow that matches a predetermined suspicious traffic pattern until classification by the IE is complete. Depending on the result of the classification, the packet is then blocked or forwarded normally.

  In the seventh implementation form of the method according to the fourth or fifth implementation form of the second aspect, the FE duplicates the IE and the predetermined suspicious until the classification by the IE is complete It is configured to normally transmit a packet of data flow that matches the traffic pattern and then block the packet or continue forwarding normally depending on the result of the classification.

  In an eighth implementation form of the method according to the second aspect itself or according to any implementation form of the second aspect, the FE is a predetermined period, regardless of the result of the classification, It is configured to leave the flow state of the data flow “suspicious”.

  In the ninth implementation form of the method according to the second aspect itself or according to any previous implementation form of the second aspect, IE “ends” the flow state of the replicated data flow. And the FE is configured to stop replicating the data flow to the IE if the IE changes the slow state to “end”.

  In the tenth implementation form of the method according to the second aspect itself or according to any previous implementation form of the second aspect, the FE is data that has been previously classified as a permit. The flow packet is configured to bypass IE.

  In an eleventh implementation form of the method according to the second aspect itself or according to any previous implementation form of the second aspect, the at least one data storage or memory is data flow metadata. And FE is configured to block, forward, or replicate the received data flow based on the flow state and metadata of the data flow. ing.

  In a twelfth implementation form of the method according to the second aspect itself or according to any previous implementation form of the second aspect, the FE is connected to an SDN controller, and the SDN controller is The FE is configured to supply a predetermined pattern.

  The method of the second aspect itself and its implementation achieve the same advantages as the system of the first aspect itself and its implementation, respectively.

A third aspect of the present disclosure relates to a software defined network (SDN) according to the second aspect itself, or according to any implementation form of the second aspect, when executed on an arithmetic device. Provides a computer program product that implements a method for detecting and preventing network intrusion of malicious data flows.

  With the computer program product of the third aspect, all the advantages of the method of the second aspect and its implementation are achieved.

  It should be noted that all devices, elements, units and means described in this application may be implemented with software or hardware elements or any kind of combination thereof. All steps performed by the various entities described in this application, and the functions described as being performed by the various entities, are adapted to each entity performing its respective steps and functions. Or configured to execute. In the following description of a specific embodiment, a particular function or step that is to be formed entirely by a permanent entity is reflected in the description of a particular detailed element of that entity that performs that particular step or function. Even if not, it should be apparent to those skilled in the art that these methods and functions may be implemented by respective software or hardware elements, or any kind of combination thereof.

The above aspects and implementations of the present disclosure will be described in the following description of specific embodiments in conjunction with the accompanying drawings.

1 illustrates a system according to an embodiment of the present disclosure . 1 illustrates a system according to an embodiment of the present disclosure . 2 illustrates components of a system according to an embodiment of the present disclosure . 1 illustrates a system according to an embodiment of the present disclosure . 1 illustrates a system according to an embodiment of the present disclosure . 1 illustrates a method according to an embodiment of the present disclosure . The IPS / IDS system related to the technical level is shown.

FIG. 1 illustrates a system 100 according to one embodiment of the present disclosure . System 100 can detect and prevent malicious data flow intrusions in SDN. In particular, the system 100 can prevent malicious data flows from entering the protected areas and services of the network.

  System 100 includes at least one data storage or memory 101 for storing flow states of data flows and for sharing and updating flow states across system 100. Data storage or memory 101 is preferably a high-speed, low-latency distributed memory (such as a distributed memory database or similar technology) and its distribution, preferably by system entities, to share flow state across system 100 A flow state can be written to the memory, and the flow state can be read from the distributed memory. In response, a shared flow state is provided across the system 100, allowing the system 100 to have a quick reaction time to a threat. Preferably, the data storage or memory 101 is also configured to store metadata for the data flow and share and update the metadata across the system 100 in the same manner as the flow state.

  The system 100 is configured to block, forward, or duplicate the received data flow 103 based on the flow state of the data flow and / or based on a comparison of the data flow with a predetermined pattern, It further has at least one shared state FE 102. Preferably, the predetermined pattern may be stored in the FE 102 or in the data storage or memory 101. Preferably, the FE 102 can be connected to an SDN controller, and the SDN controller can provide predetermined data to the FE 102.

  The FE 102 can obtain the flow state of the received data flow 103 from the data storage or memory 101. For example, the FE 102 can query the data storage or memory 101 for the corresponding flow state. However, preferably the data storage or memory 101 actively distributes the latest flow state of the flow of data to all FEs 102. At least one FE 102 may block, forward, or duplicate the received data flow 103 based on the flow state of the data flow and such metadata if additional metadata is also shared across the system 100. Can be specifically configured.

  System 100 further includes at least one IE 104 configured to receive replicated data flow 105 from at least one FE 102 and to classify whether the data flow is malicious or allowed. . The IE 104 is configured to change the flow state of the data flow according to the classification result. That is, IE 104 can access data storage or memory 101 to update the flow state of the classified data flow. The updated flow state can then be shared across the system 100 to ensure that the latest flow state is available on each of the at least one FE 102. As a result of this, the system 100 can react immediately to detected threats.

FIG. 2 illustrates an embodiment according to the present disclosure and is based on the embodiment depicted in FIG. As shown in FIG. 1, the system 100 includes at least one FE 102, at least one data storage or memory 101, and at least one IE 104. Here, the FE 102 is, for example, a core router. FIG. 2 also shows two network endpoints: a client 201 and a protected service 202 (or protected area) of the network.

  As shown in the table of FIG. 2, the network endpoint 201 may generate and / or receive a network data flow, and the generated and / or received data flow is at least as a data flow 103 on a regular data path. It can be transferred to one FE102. Accordingly, at least one FE 102 is provided on the data path from the client 201 to the protected service 202. As shown in FIG. 2, the FE may implement the function of a “shared state transfer element”, that is, the FE can transfer the data flow, and the flow state of the data flow is transferred to other network elements and / or Can be shared with service applications. At least one IE 104 may implement “shared state service application” and “state sharing” functionality, ie, function as a service application that shares network state and flow state with other network elements and service applications. . At least one data storage or memory 101 may also implement “state sharing” functionality, ie, network state and flow state may be shared with other network elements and service applications.

  In FIG. 2, when network packets arrive at a client 201 (eg, gateway router, firewall, etc.), these network packets may be forwarded as data flow 103 to at least one FE 102. The network packet of data flow 103 can be associated with one of the following groups: The “new and authorized” or arriving network packet is the first packet of a new data flow 103 that matches a predetermined authorized traffic pattern. A “new and malicious” or arriving network packet is the first packet of a new data flow 103 that matches a predetermined blocked traffic pattern. A “new and suspicious” or arriving network packet is the first packet of a new data flow 103 that does not match a predetermined pattern or matches a predetermined suspicious traffic pattern. An “intermediate and suspicious” or arriving network packet is a packet that has advanced beyond the suspicious data flow 103. An “intermediate and authorized” or arriving network packet is a packet that has advanced beyond the authorized data flow 103. An “intermediate and malicious”, ie arriving network packet, is a packet that has advanced beyond the malicious data flow 103. At least one FE 102 can determine to which group the arriving network packet belongs, for example, by comparing the data flow 103 with a predetermined pattern.

  However, the FE 102 may also be provided with a shared flow state of the data flow via at least one data storage or memory 101 or directly from the IE 104 via a “state sharing” function. That is, the FE 102 can also determine the type of network packet that has arrived based on the shared flow state. Preferably, the FE 102 determines whether the received data flow 103 already has a flow state stored in at least one data storage or memory 101, and the received data flow is stored in the stored flow. If so, the data flow is configured to block, forward, or duplicate based only on the flow state of the data flow. Alternatively, the FE 102 preferably routes the data flow 103 based solely on the comparison of the data flow with a predetermined pattern if the received data flow 103 does not have a stored flow state. Configured to block, forward, or duplicate.

  Preferably, the FE 102 receives the received data flow 103 if the shared flow state of the data flow is “permitted” and / or if the data flow matches a predetermined permitted traffic pattern. Configured to forward network packets (to the protected service 202). Alternatively, the FE 102 may use the data flow packet if the shared flow state of the data flow is “block” and / or if the data flow matches a predetermined malicious traffic pattern. Configured to block. Alternatively, FE102 may (IE104) if the flow state of the data flow is “suspicious” and / or if the data flow matches or does not match the predetermined suspicious traffic pattern. Configured to replicate data flow packets). In response, FE102 directs suspicious data flow packets to IE104, bypasses IE104 for packets belonging to authorized dataflow 103, and completely blocks malicious dataflow 103 packets. Configured. As a result, the load on the IE 104 can be minimized.

  Only duplicated packets of suspicious data flow 103 are forwarded to IE 104 for further examination. In particular, the inspection of suspicious traffic may be performed by at least one IE 104 that implements the functionality of a “shared state service application”. The IE 104 may further use a DCT mechanism to change the flow state of the data flow in at least one data storage or memory 101 (eg, from “grant” to “block”). The changed flow state is then shared. Processing of the data flow packet is then performed by the FE 102 configured to react to a change in the flow state of the data flow in the data storage or memory 101 (eg, to “block”).

  FIG. 3 shows possible components for one embodiment using a DCT mechanism. The FE 102 may be included in the first network node (Node A). Node A may also include a kernel 301 with a connection tracking module 302 configured to perform connection tracking for at least one network packet belonging to the received data flow. At least one data storage and memory 101 may also be provided at node A and configured to store connection tracking data obtained by at least one connection tracking module 302. Specifically, the flow state can be part of connection tracking data. Preferably, metadata can also be included in the connection tracking data. Stored connection tracking data is shared across the system 100. The functionality of the “shared state service application” of the IE 104 may be included in another network node (Node B). The IE 104 is configured to update the connection tracking data stored in the data storage or memory 101, specifically the flow state, based on the result of the suspicious data flow classification. The patent applications PCT / EP2015 / 070160 and PCT / EP2015 / 079117 provide further details regarding the DCT mechanism. Specifically, DCT is described in PCT / EP2015 / 070160 and can be used here to share flow state and metadata between FE 102 and IE 104. Also, a “common application layer using DCT” is described in PCT / EP2015 / 079117, and can be used here to perform suspicious packet flow guidance to the IE 104.

FIG. 4 shows an embodiment of the present disclosure that is based on the previous embodiment of FIGS. 1 and 2 and that is also suitable for DCT implementation. The data flow 103 (1) of arriving network packets may include new and intermediate packets as described above. At least one FE 102 (2) blocks, permits (normally forwards to protected area 202), or permits and IE 104 based on shared flow state and / or predetermined pattern Duplicate. A data flow that matches (3) and is blocked as a result is discarded by the FE. The data flow that matches and is allowed as a result is normally forwarded to the protected area 202 or service (4). Suspicious data flows are consequently replicated to IE 104 for classification (5). In this case, the FE 102 may be configured to defer the transfer of a packet with a suspicious data flow until classification by the IE 104 is complete. Alternatively, FE 102 may be configured to normally forward packets of suspicious data flow to protected region 2β03 until classification by IE 104 is complete.

  IE 104 receives the replicated data flow 105 for further classification (6). When the IE 104 determines whether the data flow is malicious or not, the flow state of the data flow in the data storage and / or memory 101 is described in detail, in particular the DCT mechanism (PCT / EP2015 / 070160 and PCT / EP2015 As implemented by / 079117. See also Figure 3). Further, preferably, the IE 104 cancels the data flow duplication operation. That is, preferably the IE 104 is configured to change the flow state of the replicated data flow 105 to “finished”, and then preferably the FE 102 stops replicating the data flow to the IE 104. Configured.

  At the time when the flow state of the data flow is changed, at least one FE 102 is updated accordingly, and for the data flow set to “block”, the block is executed. Preferably, the FE 102 blocks a data flow packet immediately (ie, already starting with the next data packet in the data flow) when the IE 104 sets or updates the flow state of the data flow to “block”. Configured to do.

FIG. 5 illustrates one embodiment of the present disclosure based on the embodiment of FIGS. 1 and 2, and illustrates some important points. As shown in FIGS. 1 and 2, the system 100 includes at least one FE 102, at least one data storage or memory 101, and at least one IE 104. As in FIG. 2, the system 100 may include a client 201 and a protected service 202 or region.

  Traffic from the client 201 (ie, data flow) destined for the protected service 202 arrives at the FE 102. FE102 creates a new data flow named “F1” in the table of FIG. 5 and having a flow status of “new”, for example, in data storage or memory 101 (eg, implemented by DCT) Can do. IE104 may actively suspect that the data flow “F1” is malicious and may update the status of “F1” in the data storage or memory 101 to “suspicious” with a “duplicate” action it can. In response, FE102 is updated for data flow “F1” via data storage or memory 101 with the flow status “suspect” and as a result sent to at least one IE 104 as “F1R” A duplication operation is performed to replay the duplicated data flow labeled, ie, the packet flow duplicate between the client 201 and the protected service 202. On the other hand, at least one FE 102 may continue to forward the data flow “F1” normally to the protected service 202.

  The IE 104 can receive the replicated data flow 105 and, for example, can classify the data flow after several packets. The IE 104 then updates the flow state of “F1” in the data storage or memory 101 to “malicious” with an operation “block”, for example. The IE 104 can then update the flow state of “F1R” in the data storage or memory 101 to “finished”, thereby stopping replication. In response, FE102 updates data flow “F1” via data storage or memory 101 with flow state “block” and immediately blocks that data flow “F1” and data flow “F1R” Is updated to the flow state “Release” and replication of this data flow is immediately stopped.

  In the scenario described in FIG. 5, the malicious data flow is blocked from entering the organization, ie protected service 202, as soon as it is so classified. Data flow classification is performed "just in time" and in "just the time needed" without placing any additional elements in the network data path.

  At the moment when the flow state is updated by the IE 104, for example due to the shared flow state state characteristics shared via the DCT mechanism, for example, when a data flow needs to be blocked, , Implemented immediately by all FEs 102 of system 100, ie, across the network in which system 100 resides (switches, routers, load balancers, etc.). Since the IE 104 is located outside the critical data path to the protected area 202, the processing is simplified, the availability is high, and it can be easily expanded.

  The above-described embodiments in FIGS. 1-5 can be provided with additional functionality. For example, the processing of allowed and blocked data flows can be optimized by bypassing IE 104 for already classified data flows. Specifically, the FE 102 may be configured to bypass the IE 104 for data flow packets that have been previously classified as grants.

  The FE102 can also be connected to an SDN controller, which uses OpenFlow rules as a predetermined pattern that should match the network data flow to perform “permit”, “block” and “duplicate” operations (Or OpFlex, or the like) can be used to implement. That is, the SDN controller is configured to provide the FE 102 with a predetermined pattern.

  FE102 directs the data flow of suspicious traffic towards IE 104, classification of the data flow is performed, and then the data flow is blocked or until it is directed directly to its destination bypassing IE 104 It can also be configured to temporarily place the data flow in the line. Alternatively, the traffic is classified and then the network packet flow remains blocked or allowed, and traffic is normally forwarded to its destination until replication for IE 104 is released. While being done, FE 102 may initiate duplication of the suspicious data flow and direct that duplication towards IE 104. In other words, FE102 either defers the transfer of data flow packets that match a given suspicious traffic pattern, or replicates data flow packets that match a given suspicious traffic pattern to IE104 until classification by IE104 is complete. And configured to forward normally.

  A data flow suspected of being APT can be handled by leaving it “suspicious” for an extended period of time and allowing IE 104 to detect “low & slow” attacks. To this end, the FE 102 may be configured to leave the flow state of the data flow “suspect” for a predetermined period regardless of the classification result.

  The allowed data flow may be randomly (or periodically) entered into a “suspicious” flow state, eg for re-examination and to overcome some APT that randomizes its attack vector Is possible. To this end, at least one FE 102 may be configured to change the flow state of any received data flow to “suspicious”.

FIG. 6 illustrates a method 600 according to an embodiment of the present disclosure . The method 600 may be performed to detect and prevent malicious data flow intrusions in the SDN. In a first step 601, the flow state of the data flow is stored and shared and updated across the SDN. In a second step 602, the received data flow is blocked, forwarded, or replicated based on the flow state of the data flow and / or the comparison of the data flow with a predetermined pattern. Then, in a third step 603, the replicated data flow is classified as malicious or allowed. Finally, in the fourth step 604, the flow state of the data flow is changed according to the classification result. The method 600 can of course be extended with additional and detailed method steps according to the description of the functionality of the system 100 above.

In summary, according to embodiments of the present disclosure , an IPS is removed from the data path without compromising IPS 'ability to detect, inspect and block malicious traffic. Also, the IPS is removed from the network as a SPOF, and the load on the IPS is reduced to include only valid suspicious data flows, while all already classified data flows are not transferred to the IPS. Malicious data flow blocks occur instantaneously across the system and thus across the network in which the system resides. It also does not require cross-vendor collaboration to implement IPS block and data flow replication mechanisms.

The present disclosure has been described in conjunction with various embodiments as examples and implementations. However, other variations are drawings based on the consideration of the present disclosure and independent claims, by a person skilled in the art, and the implementation form of claim, it can be realized and attained. In the claims and in the description, the word “comprising” does not exclude other elements or steps, and the indefinite article “a” or “an” does not exclude a plurality. A single element or other unit may fulfill the functions of several entities or items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measured cannot be used in advantageous embodiments.

100 system
101 Data storage or memory
102 FE
103 Data flow
104 IE
105 Replicated data flow
201 clients
202 Protected services
301 kernel
302 Connection tracking module
600 methods
601 1st step
602 second step
603 3rd step
604 Fourth Step

Claims (15)

At least one data storage or memory (101) configured to store a flow state of a data flow and share and update said flow state across a system;
At least one shared state configured to block, forward, or duplicate the received data flow (103) based on the flow state of the data flow and / or a comparison of the data flow with a predetermined pattern Transfer element FE (102);
SDN (Software) comprising: a replicated data flow (105); and at least one test element IE (104) configured to classify whether the data flow is malicious or authorized A system (100) that detects and prevents malicious data flow intrusions in the Defined Network
The IE (104) is configured to change the flow state of the data flow in response to a classification result. The FE (102) is
If the flow state of the data flow is “permitted” and / or if the data flow matches a predetermined permitted traffic pattern, forward the received data flow (103) packet;
Block the received data flow (103) packet if the flow state of the data flow is “block” and / or if the data flow matches a predetermined malicious traffic pattern;
Configured to replicate received data flow (103) packets if the flow state of the data flow is "suspicious" and / or if the data flow matches a predetermined suspicious traffic pattern The system (100) of claim 1, wherein: The FE (102) is
Determining whether the received data flow (103) already has a flow state stored in the at least one data storage or memory (101);
If the received data flow has a stored flow state, the flow state of the data flow, or the received data flow (103) has a stored flow state. 3. A system (100) according to claim 1 or 2, wherein if not, the system (100) is configured to block, forward or duplicate the data flow based on a comparison of the data flow and the predetermined pattern. . The FE (102) is configured to immediately block a packet of a data flow when the IE (104) sets or updates the flow state of the data flow to “Block”.
System (100) according to claim 1 or 2. The FE (102) is configured to set or update the flow state of the data flow to “suspicious” if the data flow matches a predetermined suspicious traffic pattern; Configured to replicate to the IE (104) for
The system (100) according to any one of claims 1 to 4. The FE (102) is configured to change the flow state of any received data flow (103) to "suspicious";
The system (100) according to any one of the preceding claims. The FE (102) is
Until the classification by the IE (104) is complete, defer the transfer of data flow packets that match a given suspicious traffic pattern;
7. The system (100) according to claim 5 or 6, wherein the system (100) is then configured to block or normally forward the packet depending on the classification result. The FE (102) is
Until the classification by the IE (104) is complete, duplicate and normally forward packets of data flow matching a predetermined suspicious traffic pattern to the IE (104);
The system (100) according to claim 5 or 6, wherein the system (100) is then configured to continue to block or normally forward the packet depending on the classification result. The FE (102) is configured to leave the state of the data flow “suspicious” for a predetermined period of time regardless of the classification result;
A system (100) according to any one of the preceding claims. The IE (104) is configured to change the flow state of the replicated data flow to “end”;
The FE (102) is configured to stop replicating the data flow to the IE (104) when the IE (104) changes the flow state to "end".
The system (100) according to any one of the preceding claims. The FE (102) is configured to bypass the IE (104) for data flow packets that have been previously classified as allowed,
A system (100) according to any one of the preceding claims. The at least one data storage or memory (101) is configured to store metadata of a data flow and share and update the metadata across the system (100);
The FE (102) is configured to block, forward, or duplicate the received data flow (103) based on the flow state and metadata of the data flow;
A system (100) according to any one of the preceding claims. The FE (102) is connected to an SDN controller,
The SDN controller is configured to provide the predetermined pattern to the FE (102);
System (100) according to any one of the preceding claims. Storing the flow state of the data flow (601), sharing and updating the flow state across a software defined network (SDN);
Blocking, forwarding or replicating the received data flow based on the flow state of the data flow and / or a comparison of the data flow with a predetermined pattern (602);
Categorizing whether the replicated data flow is malicious or allowed (603);
A method (600) of detecting and preventing intrusion of malicious data flow in the SDN, comprising: (604) changing a flow state of the data flow according to a classification result.   A computer program product that implements a method (600) for detecting and preventing malicious data flow network intrusion in an SDN (Software Defined Network) according to claim 14, when executed on a computing device.