OA17866A - Method for detecting anomalies in network traffic. - Google Patents

Abstract

The invention relates to a method for detecting anomalies in network traffic, said traffic being transmitted by a server (10) in response to requests from at least one client device (11), the method comprising: - a step ( E10) for receiving a request, said request being of a given type, - a step (E11) for receiving a response to the request, - a step (E13) for building a current bit vector ( VN), representative of the response, - a step (E17) of calculating a similarity index representative of a distance between the current vector of bits and a vector of model bits (Vmod) associated with the type of the request, - a step of verifying (E18) that the similarity index (ISc) does not belong to a conformity interval (1C) calculated for the type of request, an anomaly being detected when the similarity index does not belong to the compliance interval.

Description

Method for detecting anomalies in network traffic

The invention relates to the general field of telecommunications. It relates more particularly to computer security and relates to a method for detecting anomalies in network traffic.

The invention finds a particularly advantageous application in the context of the detection and prevention of intrusions into networks and service platforms. An intrusion into a network or a service platform constitutes a significant risk for companies since it can be the source of leaks of confidential data, such as customer data, competitive information. Such attacks can have significant financial consequences for the company and in any case damage the company's brand image.

Many methods have been developed with the aim of detecting such intrusions. Some are implemented during the design phase of a system, others once the system has been developed, by means of attack detection equipment. However, the methods implemented in the design phase are extremely complex and expensive to implement, especially when many players are involved. As for the detection methods once the system is designed, they are not foolproof and are known to be very sensitive to false positives. Another approach is also known which consists in analyzing responses to requests made to a server in order to detect the presence of sensitive information in the responses. This method is better known under the name of the data leak detection method, or “DLP” (standing for “Data Leakage Protection”). For example, such a method will detect signatures corresponding to credit card numbers and block responses to requests when the responses contain this type of information.

However, such a method faces performance issues. Indeed, the volume of responses is on average twenty times greater than the volume of requests. Thus, an analysis of the responses to the requests is costly in terms of processing time on the one hand, and in terms of memory load on the other hand. There are therefore few implementations of intrusion detection techniques based on this approach.

One of the aims of the invention is to remedy shortcomings / drawbacks of the state of the art and / or to make improvements thereto.

To this end, the invention proposes a method for detecting anomalies in network traffic, said traffic being transmitted by a server in response to requests from at least one client device, the method comprising:

- a step of receiving a request, said request being of a given type,

- a step of receiving a response to the request,

- a step of constructing a current vector of bits, representative of the response,

a step of calculating a similarity index representative of a distance between the current vector of bits and a vector of model bits associated with the type of the request,

a step of verifying that the similarity index belongs to a conformity interval calculated for the type of request, an anomaly being detected when the similarity index does not belong to the conformity interval.

The method described, based on a modeling and real-time analysis of the responses of an application server, makes it possible to detect abnormal responses, characteristic of an anomaly linked to an attack or to an abnormal behavior of an application. The method makes it possible to optimize the memory size necessary for this real-time analysis as well as the computing power. Indeed, the method is based on a binary representation of responses to requests and does not require storing the responses once their representation has been constructed. The saving in memory space is considerable. Furthermore, the calculation of data used by the method, as well as the comparisons necessary to detect abnormal behavior are based on these binary representations. The computing power required is therefore less than when the responses are manipulated in their initial form.

Furthermore, the method makes it possible to detect an information leak in a more generic manner than known methods based on the DLP approach.

Indeed, the known methods are suitable for detecting precise information in responses to requests, such as particular card numbers, and for blocking responses which include this information. On the contrary, the method proposed here makes it possible to detect generic information, such as types of information such as, for example, account numbers or passwords. In fact, since the method makes it possible to detect an abnormal response with respect to normal operation of the application, any form of abnormal response is detected. For example, if requests make it possible to obtain an e-mail address specific to a user named in the request, a response comprising more than one e-mail address, following a malicious request, will be detected as abnormal. The method also makes it possible to detect an anomaly other than a data leak. Such an anomaly is detected when the similarity index is greater than the upper limit of the compliance interval. In this case, the response approaches the theoretically calculated model bit vector, which is incompatible with dynamic behavior of the service.

Furthermore, the present method does not interfere with services intended to provide sensitive information in response to requests since it is based on the detection of a behavior deviating from a model of the normal operation of the service. The method therefore does not take into account the sensitivity of the data which must be sent in response to requests, but the form of the responses normally sent.

According to an exemplary embodiment, the method comprises a learning phase which comprises:

- a step of receiving an initial request, the initial request being of the given type,

- a step of receiving an initial response to the initial request,

- a step of constructing a vector of model bits, representative of the initial response,

- a step of updating the model vector from a next vector of bits, constructed from a following response received consecutively to a following request of the given type,

a step of calculating a similarity index between the updated model vector and the next bit vector, the steps of updating and calculating the similarity index being repeated at least once,

- a step of calculating an average of the calculated similarity indices and a standard deviation of these indices,

- a step of calculating the compliance interval from the average of the indices and the standard deviation.

The method includes a learning phase necessary for the calculation of the indicators used in the detection phase, in this case the vector of model bits, the similarity indices, their mean and the standard deviation between these indices and the variability threshold. which represents a tolerated variability for responses to queries of a given type.

Advantageously, the compliance interval is defined by means of the mean Mis of the calculated similarity indices and of the standard deviation ai _S of these indices, according to the following formula:

IC = [M _IS - 3 * σ, Mis + 3 * σ]

The formula for calculating the compliance interval makes it possible to greatly limit the number of false positives, that is to say responses to requests which would be identified as abnormal when in reality these responses are normal. In fact, the standard deviation and the mean make it possible to determine an interval in which the majority of a population of a sample of values is found. In this case, it is known that the distribution of the values of a sample conforms to a graphical representation of a normal law and that in an interval [- 3 * σι _δ , +3 * aïs] around the mean, lies 98% of the sample distribution. The majority of normal responses therefore fall within this compliance interval; it is therefore not detected as abnormal by the method.

In an exemplary embodiment, the construction of a vector of bits from a response to a request comprises the following steps:

- decomposition of the answer into words which compose it,

calculation of a position Pj, 1 <j <n, in the bit vector, said position being associated with one of the words by implementing the following steps:

- conversion of said word into binary form,

- obtaining the position Pj in the vector by modulo n application of a hash function to said obtained binary form, and

- positioning of the Pj-th bit at 1.

The method specifies how to represent the responses to requests of a given type by a vector of bits where each word of the response is represented by a bit of a given position in the vector. Such a representation contributes to the saving of the memory space used for the implementation of the method.

Advantageously, the method also comprises a filtering step during which a vector of filtering bits comprising a representation of a set of non-significant words is subtracted from the model vector and from the next vector of bits before updating the model vector. from the next bit vector.

A vector representative of a non-significant vocabulary is constructed and subtracted from the manipulated bit vectors. Thus, the bit vectors manipulated, be they the model vector or the following vectors, are representative only of data, that is to say of words, semantically significant in the context of application security. It is understood that in this case, all the indicators calculated from the bit vectors are defined more finely than when a non-significant vocabulary is represented. The method allows finer detection of abnormal responses. Moreover, by disregarding non-significant vocabulary, there is an additional gain in memory space.

In an exemplary embodiment, the size of the bit vector is a number of bytes between 4Kbits and 400Kbits.

The size of the bit vectors is between a minimum value of 4Kbits, which makes it possible to represent two thousand eight hundred words, and a maximum value of 400Kbits which corresponds to a reasonable value in relation to the memory capacity of a system. Note that a normal conversation uses about two thousand words. Thus, the range of values proposed makes it possible to best configure the method to take account of the capacities of the system and the needs inherent in the service considered.

In an exemplary embodiment, an order of magnitude of the size of the bit vector is 5% of an average size of responses to requests.

The size of the bit vectors used to represent the responses to requests of a given type, whether in the learning phase or in the detection phase, is fixed such that the probability of having a collision in a vector of bits is extremely low. A collision occurs when two different words in a response to a request are represented by the same bit in a vector of bits. Thus, the binary representation is reliable and therefore contributes to the reliability of the method.

In an exemplary embodiment, the steps of the learning phase are implemented according to a given frequency over a determined period.

A temporal sampling to implement the learning phase is interesting in the case of a service of which the evolution over time is known. For example, in the case of a web service whose home page varies temporally, according to a known frequency, it is interesting to sample, that is to say to model responses to requests from a user. given type, according to the same frequency of service evolution. The sampling is therefore carried out according to the evolution of the service. This makes it possible to implement a high-performance learning phase and contributes to the reliability of the method.

In an exemplary embodiment, the number of iterations of the steps of the learning phase is determined dynamically by comparing standard deviations obtained between an m-th iteration and (ml) -th and (m-2) -th iterations , with m> 4, the number of iterations being sufficient when a variation of the standard deviations obtained is less than a given value.

Thus, the number of iterations is dynamically defined and makes it possible to obtain a model vector and a reliable and precise compliance interval with an optimum number of iterations.

Advantageously, the method comprises a step of comparing the model bit vector and the current bit vector, implemented when the standard deviation calculated in the learning phase is equal to zero, an alert being raised when the vectors are different.

Thus, the detection method makes it possible to detect an attack of the disfigurement type (or “defacement” in English) of a site. Indeed, when the service 30 offered by the server is a web service for accessing a site with static content, the slightest difference between the current bit vector constructed consecutively to a request to the server and the model bit vector constructed in phase learning generates an alert. Indeed, in the case of an access to a site whose content is recognized as being static, the standard deviation calculated in the learning phase is zero since all the following bit vectors calculated from the following responses are identical. to bit vector pattern. Thus, it was identified during the learning phase that for a given type of request, the responses were all identical. A variation in a response to a request of the type given in the detection phase is therefore indicative of a modification of the site and therefore of an attack.

The invention also relates to a device for detecting anomalies in network traffic, said traffic being transmitted by a server in response to requests from a client device, the device comprising:

- reception means, adapted to receive a request, said request being of a given type, and to receive a response to the request,

- construction means, adapted to build a current vector of bits, representative of the response,

- calculation means, suitable for calculating a similarity index representative of a distance between the current bit vector and a model bit vector associated with the type of the request,

- verification means, adapted to verify that the similarity index does not belong to a conformity interval calculated for the type of request, an anomaly being detected when the similarity index does not belong to the interval of conformity.

The invention also relates to a computer program intended to be installed in a memory of a computer, comprising instructions for implementing the steps of the method for detecting anomalies in network traffic according to the invention, when the program is executed by a processor.

Finally, the invention also relates to a data medium on which the program according to the invention is recorded.

Other characteristics and advantages of the present invention will be better understood from the description and the accompanying drawings, among which:

FIG. 1 shows the steps of a learning phase of a method for detecting anomalies in network traffic, according to a first exemplary embodiment;

FIG. 2 shows the steps of a detection phase of the method for detecting anomalies, according to an exemplary embodiment;

FIG. 3 is a schematic representation of detection network equipment implementing the method described in relation to FIGS. 1 and 2, according to an exemplary embodiment of the invention.

The steps of a method for detecting an anomaly in network traffic, according to an exemplary embodiment of the invention will now be described in relation to FIGS. 1 and 2.

A server 10 capable of rendering a service stores sensitive data in a memory (not shown). The service is for example a web service. Sensitive data is, for example, data specific to users, such as e-mail addresses, account numbers, passwords, etc. The server 10 can be interrogated remotely by a client device 11, through a network, for example the Internet network, in order to provide a given service. For example, the service allows the client device 11 to query the server 10 by providing the name and first name of a user, and to obtain the user's e-mail address in response. A detection device 12, placed in cut-out between the client device 11 and the server 10 stores an application (not shown in FIG. 1) which comprises code instructions for implementing the steps of the anomaly detection method described here .

The method of detecting anomalies in network traffic comprises two phases: a learning phase PO, intended to construct a model bit vector representative of the responses received from the server 10 in response to a given type of request. The steps of the learning phase, according to an exemplary embodiment, are described in relation to FIG. 1;

- a detection phase P1, during which a response to a request of the given type is compared with the model bit vector constructed and updated during the learning phase and an anomaly is detected when the response to the request s' deviates from a conformance interval constructed for this model. The steps of the detection phase, according to an exemplary embodiment of the invention are described in relation to FIG. 2.

In the exemplary embodiment described here, the PO learning phase is implemented in a secure environment, that is to say in an environment where it is assumed that the requests which are sent to the server by the device client 11 and the responses received during this phase are correct. On the contrary, the detection phase P1 is implemented in an operational environment. In this environment, requests are likely to be sent from pirate client devices 11 attempting to perpetrate attacks against the server 10. However, for reasons of simplification, the same client device 11 is shown in FIGS. 1 and 2.

The learning phase PO comprises a plurality of steps, iterated a determined number of times in order to establish, from a sample of several responses received following several requests of a given type, a response model specific to this type of query. These iterations are intended to refine the indicators which will be used to detect anomalies during the subsequent detection phase P1.

Thus, in an initial step E00 of receiving the learning phase PO, the detection equipment 12 receives a request from the client device 11 and intended for the server 10. It stores a type of request associated with the request. and retransmits the request to the server 10. The type of request associated with the request is defined as being representative of a request, or common to a plurality of requests. Thus, in the example of an access to a web service allowing to obtain an email associated with a given user name, a request is of the form: "htlp.7 / www.webservice.corrVapplication / form1? User = namel ”, where“ namel ”specifies the name of the person whose e-mail address is to be obtained. The associated type of request is then of the form "http: //www.webservice.coin/application/form1". In other words, the request corresponds to an instantiation of the type of the request.

In a response step E01, the detection equipment 12 receives from the server 10 a response to the request received previously and intended for the client device 11. It stores this response and retransmits it to the client device.

11.

In a step E02 for breaking down the response, the detection device 12 breaks down the response received during step E01 into the words that compose it. In an exemplary embodiment, the decomposition of the response received into words is based on syntactic notions and uses separator characters such as spaces and punctuation marks such as periods, commas, dashes, etc. We assume that the answer consists of p words.

In a following step E03 for creating a vector of bits, the detection device 12 generates an initial model vector of n bits, denoted V _m od for the response received. The model vector V _mO d is initialized to zero. It is intended to model in the form of a vector of bits the responses received in response to requests of the given type.

In a following step E04 for calculating the vector, the detection device 12 calculates the model vector V _mod from the different words which make up the response received and which were obtained during the decomposition step E02. Each word M ,, 1 <i <p, of the response is thus converted into binary format from the numerical value of the characters which compose it. A hash function H is then applied to each word M, in binary format, in order to obtain an imprint E, of the word M, in the form of a numerical value. With each of the footprints E, generated, there is then associated a position Pj, 1 <j <n, in the model vector V _mO d according to the following formula: Pj = H (Mj) mod n. In other words, the position Pj in the model vector V _mO d is obtained by applying the hash function H to the word M ,, modulo the size n of the vector Vmod The Pj-th bit Bj of the model vector V _mO d is then positioned at 1.

Thus, a bit positioned at 1 in the Pj-th position is representative of the presence of the word Mj in the response to the request. In an exemplary embodiment, the hash function H is the SHA-1 function (standing for “Secure Hashing Algorithm 1”). The invention is of course not limited to this function and in other exemplary embodiments functions such as SHA2, MD-5 (standing for “Message Digest 5”) can be used.

The size n of the model vector V _mO d is chosen in such a way that the probability of having collisions at the level of the positions Pj, that is to say of having two different words represented by the same bit, is low. The use of a vector of bits to represent the words that make up the response to the request makes it possible to make an inventory of the words that make up the response, disregarding duplicates. Indeed, if a word appears several times in the response, it is represented by the same bit in the model vector V _mO d Moreover, it is understood that with such a representation, it is not necessary to memorize the words which make up the answer. On the other hand, a word of any length is always represented by a bit. It will be understood that the gain in memory space for the detection device 12 is not negligible.

The model vector V _mO d is then refined by repeating the previous steps. The following iterations are intended to calculate indicators specific to each type of request.

Thus, in a second iteration of steps E00 to E04, denoted E00 'to E04', a second request, intended for server 10 is received by detection device 12 and retransmitted to server 10. It is assumed that the second request is different of the request received during step E00 but that the type of the second request is the same as the type of the request received during step E00. In other words the second request is of the form "http://www.webservice.com/application/form17user = name2"; it is therefore of the same type as the request of the form “http://www.webservice.com/application/forml” but concerns another user. In a response step Ε0Γ, similar to step E01, the response to the second request, called second response, is received and stored by the detection device 12 and then transmitted to the client device 11. In a step E02 ′ of decomposition of the response, similar to step E02, the second response is broken down into words. In a step E03 'for creating the vector of bits, a second vector of bits V ₂ is generated and initialized to zero. Finally, in a vector calculation step E04 ', similar to the previous step E04, the second bit vector V ₂ is calculated from the words which make up the second response, in the same way as the model vector Vmod ·

In a step E05 ′ for updating the model vector, the model vector V _mO d calculated during step E04 is updated. To this end, the logical operator AND (or “AND”) is applied to the vectors V _mod and V ₂ . In other words, the model vector V _mO d is updated according to the following formula: V _m od = V _mO d AND V ₂ . As a reminder, the logical operator AND has the result of 1 if and only if the two added bits themselves have the value 1. The updated model vector V _mO d therefore represents the intersection between the two vectors Vmod and V ₂ and therefore corresponds to a content of the response present in the two compared responses.

In a step E06 ′ for calculating a similarity index, a similarity index IS is calculated between the model vector V _mod thus obtained and the second vector V ₂ . This similarity index IS corresponds to the distance between the two vectors V _mO d and V ₂ . It can be calculated as the sum of the common elements between the two vectors, minus the sum of the different elements, divided by the size of the considered vectors. In other words:

. _ £ identical elements (7 _wti > K ₂ ) - £ different elements (P _{7! Wrfl} V0

Steps E00 ′ to E06 ′ are iterated a predefined number of times. Thus, during a following iteration, the device 11 receives a following response consecutive to a following request from the client device 11 to the server 10. It is assumed that the following request is of the same type as the previous requests. In a step E02, similar to steps E02 and E02 ', the following response is broken down into words. In a step E03, similar to steps E03 and E03 ′, a vector of following bits V _s is generated and initialized to zero. Finally, in a step E04, similar to the previous steps E04 and E04 ′, the following vector V _s is calculated from the words which make up the third response, in the same way as the vectors V _mO d and V ₂ .

In a step E05 of updating the model vector, the model vector V _mO d, obtained during the previous step E05 ′ is updated. The logical operator AND (or AND) is applied to the vectors V _mO d and V _s . In other words, it is calculated V _mod = V _mO d AND V _s . The updated model vector Vmod represents the intersection between the three vectors V _mO d and V ₂ and V _s and therefore corresponds to a content present in the compared responses. It is understood that with these successive iterations, the model vector V _mO d is refined by virtue of the successive updates.

In a step E06 for calculating a new similarity index, a similarity index along IS ′ is calculated between the model vector V _mO d thus obtained and the vector along V _s . This similarity index according to IS ′ corresponds to the distance between the two vectors V _mO d and V _s . It can be calculated as the sum of the common elements, minus the sum of the different elements, divided by the size of the considered vectors. In other words:

Σ identical elements (V _mod , V _s ) - £ different elements (V _raod , V _s )

In a following step E07 for calculating the mean and standard deviation, an average M | _S of the similarity indices obtained during the 5 steps E06 'and E06, as well as the standard deviation Q | _S of these clues. It is known that the standard deviation measures the variation of variables, here the similarity indices, with respect to the mean.

In a test step E08, it is checked whether the standard deviation aïs is different from zero. In a first case where the standard deviation a, s is different from zero (branch "10 ok" in FIG. 1), then in a step E09 '' of calculating a compliance interval, a first variability threshold T _mo djnf and a second variability threshold T _mO d_sup which respectively constitute the lower and upper limits of a compliance interval representative of the compliance of a response to the model vector calculated for this type of request, as a function of the measured discrepancy between the responses received. In an exemplary embodiment, the first variability threshold T _mO djnfest calculated according to the following formula:

Tmodjnf - M [s - 3 Ojg

The second threshold of variability T _mO d_sup is calculated according to the following formula:

Tmod_sup ~ Mis + 3 days

The first and second thresholds T _mO djnf, T _mO d_su _P constitute the lower and upper limits of the compliance interval IC. In other words:

/ C - Jn / d • 25 The conformance interval IC represents, for a given request type, a measure by which content received in response to such a request is considered to be an expected response. Thus, a response to a request of the given type must be sufficiently close to the model vector to be assimilated to a normal or expected response for this type of request.

The calculation formula proposed above makes it possible to greatly limit the number of false positives. A false positive corresponds to a response to a request of a given type which is assimilated to an anomaly when in reality it is not. Indeed, it is known that the standard deviation and the mean make it possible to determine an interval in which the majority of a population of a sample of values is found. In this case, it is known that the distribution of the values of a sample conforms to a graphical representation of a normal distribution and that in an interval [-3 * Ois, +3 * aj _S ] around the mean, lies 98% of the sample distribution.

In a second case where the standard deviation ajs is zero (“nok” branch in FIG. 1), corresponding to a case where the responses analyzed during the learning phase are all identical, the learning phase is continued. for a maximum number of iterations. In other words, steps E00 ″ to E08 ″ are iterated for the maximum number of iterations. If the maximum number of iterations is reached and the standard deviation O | _S is always zero, then the learning phase is interrupted. In this case, all the bit vectors generated from the responses to requests of the same type are strictly identical to the initial model vector V _m0 d generated during the vector computation step E04. This means that the content of the responses is static. In other words, for this type of request, all responses are the same.

The learning described here implements, for a request of the same type, an iteration of steps E00 to E04, intended to calculate the initial model vector V _mod and at least two successive iterations of steps E00 ′ to E06 ′ intended to update update the model vector V _mod and calculate similarity indices between the new vectors calculated during steps E04 ′ and E04 and the model vector V _mod . This number of iterations is a minimum number intended to calculate an average and a standard deviation of the similarity indices. However, the invention is not limited to this number of iterations. Thus, in another exemplary embodiment, ten or twenty iterations of steps E00 'to E06' or E00 to E06 can be carried out in order to best refine the values of the mean and of the standard deviation used. to calculate the first and second variability thresholds T _mod j _n f and T _mod _ _S up

In the exemplary embodiment described here, the iterations are implemented for each request of a given type. In an alternative embodiment, the successive iterations are implemented according to a given frequency.

For example, steps E00 'to E06' or E00 to

E06 per day for a given period, for example a month. Proceeding in this way to implement the PO learning phase can prove to be interesting in the case of a web service which updates its home page regularly, for example every day. In another exemplary embodiment, the iterations will be distributed over a period of twenty-four hours to take into account known changes to the service over this period.

In another exemplary embodiment, the number of iterations is determined dynamically by comparing the standard deviation obtained between an m-th iteration and two previous iterations, that is to say the (ml) -th and (m -2) th iterations, m> 4. If the variation between these three standard deviation values is 10 less than a given value, then the model vector is considered to be constructed. The value given is for example of the order of two percent. In fact, it is estimated in this case that the model vector calculated from the preceding iterations is already sufficiently precise.

In the embodiment described here, the steps E02, E02 ', E02' 'for creating the bit vector use punctuation marks to break down the response received into words. The invention is not limited to punctuation marks. Thus, in another exemplary embodiment, linguistic notions such as Chinese or Japanese kanji, kana or romaji can be used to break down the answer into words. In another exemplary embodiment, computer concepts such as an encoding and a value of the characters used can be used.

In the embodiment described here, the value n corresponding to the size of the bit vectors used to represent the initial model vector V _m0 d and the vectors obtained from the responses analyzed during consecutive iterations is not specified. to the construction of the initial model vector V _mO d A vector, whether it is the initial model vector, the updated model vector V _mod , or the vector obtained from the analysis of a response, is supposed to be represented at bit mean a set of words that constitute a response to a query. In a way, a vector is intended to model a dictionary 30 of words. It is known that a daily conversation involves about two thousand words. Thus, is not chosen in such a way that it is between 4000 and 400000, or 4 Kbits <n <400 Kbits. The value of n, included in the above interval, can be refined and set as a function of the average size of the responses to the requests. Thus, it was determined empirically that n could be set at 5% of the average size of the responses, more precisely at a number of Kbits close to 5% of the average size of the responses. The determination of the size n of the vectors intended to represent the responses to the requests makes it possible to avoid collisions during the representation of the words 5 of a response in the vector. A collision occurs when two different words M _p and M _q , p # q are associated with the same position k in a bit vector. In other words there is a collision when Pr = H (M _P ) mod n = H (M _q ) mod n.

Furthermore, it is estimated that the value of n is insufficient when a vector intended to represent a response is 70% full, that is to say 10 when 70% of its bits are set to 1. Thus, it is possible, during the implementation of the learning phase PO, to detect that the dimensioning of the bit vectors is insufficient by checking the rate of bits positioned at 1 in the vectors intended to represent responses. If this rate is greater than 70%, the PO learning phase is interrupted, the size of the bit vectors is doubled and a new PO learning phase is implemented.

In an exemplary embodiment, and in order to disregard a non-significant vocabulary in responses to requests, a filtering vector V _d ict representative of the non-significant vocabulary is subtracted from the 20 different vectors constructed during the learning phase, i.e. the model vector V _mod and the new vectors V ₂ , V _s , etc. The filtering vector V _dict is constructed in the same way as the model vector V _mod and as the vectors V ₂ , V _s , from a dictionary of words deemed insignificant in a content. For example, in the case of requests and responses associated with the “HTML” (standing for “Hyper Text Transfer Protocol”) format, the dictionary used to construct the filter vector comprises HTML tags such as “a”, "Href", "img", "class", etc. Indeed, these tags are not significant from a semantic point of view. Thus, for the different words included in the dictionary, a binary form is obtained, then the hash function H is applied to the binary form obtained, modulo n. The value obtained corresponds to a position Pr in the filtering vector V _d i _C t- The bit located in P _k -th position is then set to 1.

The filtering vector V _d i _C test then used during the learning phase PO. The filtering vector V _dic t is thus subtracted from each of the vectors manipulated. Thus, during step E04 of calculating the model vector, the filtering vector V _dic t is subtracted from the initial model vector V _m0 d. The filter vector Vdict is also subtracted from the bit vectors V ₂ and V _s obtained during steps E04 ′ and E04. The subtraction of the filter vector Vdict from a current bit vector V _{court in} order to obtain a resulting vector V _res can be implemented by applying an AND (or “AND”) operation followed by an EXCLUSIVE OR ( or "XOR"). In other words:

Vres ⁼ (Vcour AND Vdict) XOR V _C our

Filtering a non-significant vocabulary makes it possible to optimize the memory space necessary for storing the bit vectors V _mO d, V ₂ and V _s . Moreover, during the calculation of the mean and standard deviation used for calculating the variability thresholds T _mod jnfet T _m0 d_sup, the words which are semantically insignificant in terms of security are thus eliminated. It will be understood that the compliance interval IC established on the basis of the variability thresholds thus calculated is more precise than if it is established on the basis of indicators based on content which take account, among other things, of non-significant words.

The detection phase P1 of the detection method, according to an exemplary embodiment of the invention, will now be described in relation to FIG. 2.

It is considered that at this stage, the learning phase described in relation to FIG. 1 has been implemented and that it has been calculated, for each type of request that the server 10 can process a representative compliance interval IC a tolerated distance between a response sent following a request of the same type and a response model calculated for this type of request.

In an initial interrogation step E10 of the detection phase P1, the detection device 12 receives a request from the client device 11 and intended for the server 10. The detection device 12 stores the request and transmits it to the server 10. .

In a following response step E11, the detection device 12 receives a response to the request from the server 10. The detection device 12 stores the response and forwards it to the client device 11.

In an analysis step E12, the type of the request at the origin of the sending of the response is analyzed and it is obtained for this type of request, the conformity interval IC and the model vector V _mO d calculated for this type of request during the PO learning phase. For the record, the IC compliance interval is defined from the first and second variability thresholds

In a binary vector modeling step E13, a current binary vector Vn representative of the response received is calculated, in the same way as during the steps of calculating the vector E04 of the learning phase PO.

In a test step E14, it is verified whether the content of the responses has been identified as static during the test step E08 of the learning phase PO. As a reminder, the test performed during step E08 indicates that the content of the responses is static for a given type of request when the standard deviation of the similarity indices calculated during step E07 of averaging and d 'standard deviation is zero.

In a first case where the content of the responses to requests of the given type has been identified as static during the learning phase PO (“ok” branch in FIG. 2), the model vector Vm _Od is compared with the current vector Vn in a comparison step E15. In a case where the two vectors are identical (“ok” branch in FIG. 2), the response received and modeled by the vector Vn is considered as normal. In fact, in the case of static content, it is normal for the current vector of bits V _{N to} be identical to the vector of model bits V _mo d since two responses to a request of the same type are identical. The bit vectors which model these responses are therefore a fortiori identical. Otherwise (“nok” branch in FIG. 2), that is to say in the case where the content associated with this type of request has been identified as static in the learning phase PO and the current vector Vn calculated from the response received is not identical to the model vector V _m0 d, then an alert is raised during an alert step E16. Indeed, in the case of static content, all the responses to requests of the same type are supposed to be identical, which is not the case here. This scenario is suitable for the detection of an attack on a website during which a hacker has modified the presentation of the website. Such an attack is usually called disfigurement, or "defacement" in English.

In a case where the test carried out during step E14 is negative (“nok” branch in FIG. 2), that is to say in a case where the content of the responses to requests of the given type has no not identified as static during the learning phase PO, then it is calculated during a step E17 of calculating a current similarity index, a current similarity index ISc between the model _reader V _mO d calculated during the learning phase and the current vector Vn.

In a step E18 of verification with respect to the compliance interval, it is verified that the current similarity index IS _C is included in the compliance interval IC calculated during the learning phase PO for the current type of request.

In a first case where the current similarity index IS _C is included in the conformity interval IC (“ok” case in FIG. 2), that is to say when the current similarity index IS _C is greater than or equal to the first threshold of variability T _mod jnf and less than or equal to the second threshold of variability Tmod_sup then the current response is considered as normal. Otherwise (“nok” branch in FIG. 2), an alert is raised during the alert step E16. In fact, in this case the difference between the response analyzed and the model vector calculated in the learning phase PO exceeds the threshold defined for this model vector, the response is therefore considered to be abnormal.

In the alert step E16, the detection device 12 can for example block the traffic corresponding to responses to requests of this type.

In another exemplary embodiment (not shown in FIG. 1), during the alert step E16, it is determined whether the current similarity index ISc is less than the first variability threshold T _mO djnf or greater than the second variability threshold T _mO d_su _P , in order to refine the type of anomaly detected. In a first case where the current similarity index IS _C is less than the first variability threshold T _m0 djnf, the anomaly is of the data leak attack type. In the case of the web service example, this corresponds to an analyzed response which includes a plurality of user email addresses. In this case, the analyzed response deviates from the model bit vector calculated beyond what is tolerated. In a second case where the current similarity index IS _C is greater than the second variability threshold T _mO d_su _P , the anomaly is to be compared with an abnormal behavior of the service and may correspond to an attack which tends to render the service inoperative . Indeed, in this case, the analyzed response is very close to the model bit vector constructed in a theoretical manner, which is not possible in the case of a dynamic service.

In an exemplary embodiment where the filter vector Vdj _C t intended to take account of a non-significant vocabulary is used during the learning phase PO, this filter vector is also used in the detection phase. Thus, in this case, the same filter vector V _d jct as that used in the learning phase is subtracted from the current binary vector Vn during step E13 of binary vector modeling. Thus, the vectors V _mO d and V _N which are compared in the comparison step E15 are comparable.

In the example of requests to a web server intended to obtain the e-mail address of a user, a malicious request intercepted by the detection device 12 and emanating from an attacker can for example be of the following form:

"Http://www.webservice.com/application/form12user- OR 1 = 1-". This request is of the type: “http://www.webservice.com/application/form1” for which a model vector V _mO d and a variability threshold T _mO d have been calculated during the learning phase PO. In response to this request, the poorly secured server 10 will provide a set of data in response, for example all the e-mail addresses that it stores:

<html>

<h1> Result of your query </h1>

<p> name1.surname1 @ domain 1 name2. surname2 @ domain2 ... </p>

</html>

In accordance with the steps of the detection phase described above, the detection device 12 constructs a current binary vector for this response during step E13 of binary vector modeling and calculates during step E17 its current similarity index with the vector bit pattern. Analysis of the response resulting from the attack will lead to an abnormal variation in the current similarity index with respect to so-called normal traffic for which the variability threshold has been calculated.

The invention is described here in the case of web flow. However, the invention is not limited to this scenario and can be applied for various protocols such as flows specific to database queries, “SIP” flows (standing for “Session Initiation Protocol”). used in the context of voice over IP (“VoIP”).

A detection device 12, according to an exemplary embodiment of the invention, will now be described in relation to FIG. 3.

The detection device is computer equipment, such as a terminal or a computer server, suitable for being placed in a network between a client device 11 and a server 10 capable of delivering a service to the client device 11 (the client device 11 and the server 10 are not shown in FIG. 3).

The detection device includes:

a microprocessor 120, or “CPU” (standing for “Central Processing Unit”), intended to load instructions into memory, to execute them, to perform operations;

a set of memories, including a volatile memory 121, or “RAM” (for “Random Access Memory”) used to execute code instructions, store variables, etc., a storage memory 122 of the “ROM” type or “EEPROM” (standing for “Read Only Memory” and “ElectronicallyErasable Programmable Read-Only Memory”).

The storage memory 122 is designed to store an application which comprises code instructions for implementing the steps of the method for detecting anomalies in network traffic. The storage memory 122 is also designed to store indicators calculated during the learning phase, in this case the vector models the standard deviation and the compliance interval. These indicators are intended for use during the detection phase;

- Network interfaces 123, arranged to communicate on the one hand with the client device 11 and on the other hand with the server 10. More precisely, the detection device 12 is cut between these two devices and is arranged to receive a request of a given type from the client device 11, and to receive a response to the request of the given type from the server 10. The request and the response are received in the learning phase PO and / or in the detection phase PI . The network interfaces 123 are arranged to implement the steps E00 of reception and E01 of response of the learning phase PO, and E10 of interrogation and E11 of response of the detection phase P1 of the method described above;

a module 124 for constructing bit vectors, arranged to construct bit vectors from the responses received. The construction module 124 is thus suitable for constructing both the model bit vector and the following bit vectors. The construction module 124 is arranged to implement the steps E03, E03 ', E03 for creating a vector of bits and E04, E04', E04 for calculating the vector of the learning phase PO of the method described above. It is also arranged to implement step E13 of binary vector modeling of the detection phase of the method described above;

a first calculation module 125, arranged to calculate similarity indices representative of distances between the model bit vector and a next or current bit vector. The first calculation module 125 is implemented during the learning phase PO and during the detection phase PI. The first calculation module 125 is arranged to implement the steps E06 ′ and E06 of calculating a similarity index of the learning phase PO and E17 of calculating a similarity index of the detection phase of the method previously described;

a second calculation module 126, designed to calculate an average of the similarity indices and a standard deviation between these indices. The second calculation module 126 is designed to implement step E07 for calculating the average and standard deviation of the learning phase PO of the detection method described above;

- a third calculation module 127, designed to calculate a compliance interval for a vector of model bits during the learning phase

PO. For example, the compliance interval is calculated from a first variability threshold T _mO d_inf and a second variability threshold Tm _O d_su _P , calculated according to the following formulas:

Tmod_inf ~ M | S “O '| s

Tmod_sup ^- M | s + 3 O '| s (TC -

Where Mis represents an average between several similarity indices and

Qis the standard deviation between these indices. The third calculation module 127 is designed to implement the step E09 of calculating a compliance interval of the learning phase PO of the method described above;

a verification module 128, arranged to verify that a similarity index calculated by the first calculation module 125 is included in the compliance interval IC, previously calculated by the second calculation module 126. The verification module 128 is arranged to implement step E18 of verification with respect to the compliance interval of the detection phase P1 of the method described above;

a module 129 for updating the model vector, designed to update the model vector constructed by the construction module 124, from a following vector of bits. The update module 129 is designed to implement the steps E05 ′ and E05 for updating the model vector of the learning phase PO of the method described above;

The bit vector construction module 124, the first 125, second 126 and third 127 calculation modules, the verification module 128, the module 129 for updating the model vector are preferably software modules comprising software instructions for carrying out the steps of the method for detecting anomalies in network traffic described above.

The invention therefore also relates to:

a computer program comprising instructions for implementing the anomaly detection method as described above when this program is executed by a processor of the detection device 12;

- a readable recording medium on which is recorded the computer program described above.

Software modules can be stored in or transmitted by a data medium. This can be a material storage medium, for example a CD-ROM, a magnetic diskette or a hard disk, or else a transmission medium such as a signal or a telecommunications network.

In an alternative embodiment, the first 125, second 126 and third 127 calculation modules, the verification module 128 and the module 129 for updating the model vector are defined as gates of a programmable logic circuit. An example of such a circuit is an "FPGA" card (standing for "Field-Programmable Gâte Array").

Claims (13)

1. A method of detecting anomalies in network traffic, said traffic being transmitted by a server (10) in response to requests from at least one client device (11), the method comprising: - a step (E10) of receiving a request, said request being of a given type, - a step (E11) of receiving a response to the request, - a step (E13) of building a current bit vector (Vn), representative of the response, - a step (E17) of calculating a similarity index representative of a distance between the current bit vector and a model bit vector (V _mO d) associated with the type of the request, a step of verifying (E18) that the similarity index (IS _C ) belongs to a conformity interval (CI) calculated for the type of request, an anomaly being detected when the similarity index does not belong to the 'interval of 15 compliance. 2. Anomaly detection method according to claim 1, comprising a learning phase (PO), the learning phase comprising: - a step (E00) of receiving an initial request, the initial request 20 being of the given type, - a step (E01) of receiving an initial response to the initial request, - a step (E03) of construction of a vector of model bits, representative of the initial response, - a step (E03 ', E03) of updating the model vector from a next vector of bits, constructed from a following response received consecutively to a following request of the given type, - a step (E06, ', E06) of calculating a similarity index between the updated model vector and the next bit vector, the steps of updating and calculating the similarity index being repeated in less once, 30 - a step (E07) of calculating an average of the calculated similarity indices and a standard deviation of these indices, - a step (E09) of calculating the compliance interval from the average of the indices and the standard deviation. 3. Anomaly detection method according to claim 2, wherein the compliance interval (CI) is defined by means of the mean Mis of the calculated similarity indices and of the standard deviation Ois of these indices, according to the formula next : IC = [Mis - 3 * o, M _is + 3 * o] 4. Detection method according to one of the preceding claims, in which the construction of a vector of bits from a response to a request comprises the following steps: - decomposition of the answer into words which compose it, - calculation of a position Pj, 1 ^ n, in the bit vector, said position being associated with one of the words by implementing the following steps: - conversion of said word into binary form, - obtaining the position Pj in the vector by modulo n application of a hash function to said obtained binary form, and - positioning of the Pj-th bit at 1. 5. Detection method according to one of claims 2 to 4, also comprising a filtering step during which a vector of filtering bits comprising a representation of a set of non-significant words is subtracted from the model vector and from the vector of bits. next before updating the template vector from the next bit vector. 6. The method of claim 4, wherein the size of the bit vector is a number of bytes between 4Kbits and 400Kbits. 7. The method of claim 6, wherein an order of magnitude of the size of the bit vector is 5% of an average size of responses to requests. 8. Method according to one of claims 2 to 7, wherein the steps are implemented at a given frequency over a determined period. 9. Method according to one of claims 2 to 7, wherein a number of iterations of the steps is determined dynamically by comparing standard deviations obtained between an m-th iteration and (ml) -th and (m-2) - th iterations, with m> 4, the number of iterations being sufficient when a variation of the standard deviations obtained is less than a given value. 10. The method of claim 2 to 9, comprising a step (E15) of comparing the vector of model bits and the current vector of bits, implemented when the standard deviation calculated in the learning phase is equal to zero, an alert being raised when the vectors are different. 11. Device for detecting anomalies in network traffic, said traffic being transmitted by a server in response to requests from a client device, the device comprising: - reception means (123), adapted to receive a request, said request being of a given type, and to receive a response to the request, - construction means (124), suitable for constructing a current bit vector (Vn), representative of the response, - calculation means (125), suitable for calculating a similarity index representative of a distance between the current bit vector and a model bit vector (V _mO d) associated with the type of the request, - verification means (128), adapted to verify that the similarity index does not belong to a conformity interval calculated for the type of request, an anomaly being detected when the similarity index does not belong to the 'compliance interval. 12. Computer program intended to be installed in a memory of a computer, comprising instructions for implementing the steps of the method for detecting anomalies in network traffic according to one of claims 1 to 10, when the program is executed by a processor. 13. Data medium on which the program according to claim 12 is recorded.