RU181257U1 - Data Clustering Firewall - Google Patents

Abstract

The utility model relates to the field of information technology, in particular to information security, namely, firewalls used to prevent unauthorized access and exchange of information between various users of computer networks. The firewall contains a control unit, a packet parsing unit for receiving data at the channel, network and transport levels, a data clustering unit, a decision unit, a memory unit, and a DPI device. The control unit is configured to pre-analyze traffic about traffic belonging to a previously established connection. The clustering unit is configured to split the received data when parsing the packet into clusters. EFFECT: accelerated processing of network traffic while thoroughly filtering it, which is ensured by data clustering. 1 s.p. f-ly, 1 ill.

Description

The utility model relates to the field of information technology, in particular to information security, namely, firewalls used to prevent unauthorized access and exchange of information between various users of computer networks.

As new applications and network technologies become available, data transfer becomes more complex. Filtering network traffic while maintaining a high level of security with the advent of new network attacks is becoming an increasingly multifaceted task. In addition, as network connection speeds increase, it becomes more difficult to monitor network traffic without losing bandwidth and performance. The above problems require network equipment built on new principles for processing network traffic. This equipment should have high bandwidth so that there is no loss of network packets without negative impact during their processing. Known firewalls are designed to solve only some of the problems mentioned. They can work at high speeds, but there is a high probability of missing a network attack, or they can carefully analyze network packets with low processing performance. To solve the above problems, a firewall is proposed in which the filtering of network traffic occurs according to the results of clustering.

A known firewall with filtering traffic by credentials (RU 159041 U1, publ. 01/27/2016), comprising a firewall control unit that makes decisions based on filtering rules, to the input of which network packets arrive; a block for working with credentials, consisting of a packet parsing block and a decision block. The network packet and rules for working with network packets containing credentials are received at the input of the work unit with credentials from the output of the firewall control unit, and the solution based on credentials is transmitted to the input of the firewall control unit, and then the control unit the firewall forms the final decision on the further route of the packet.

The main disadvantage of this solution is that individual categories of the same level are equivalent, which in most cases leads to redundancy of access rights for specific entities within the corresponding levels. Also, the implementation of devices with security policy by credentials is quite complicated and requires significant resources of the computing system.

An automatic firewall is known (RU 2580004 C2, published April 10, 2016), which is a combination of hardware and software that contains at least two network interfaces and allows filtering transit traffic without assigning network addresses to its interfaces. This firewall contains a processor that implements a multilevel filtering of network traffic, based on the analysis of the direction of traffic transit, determined by the membership of the input and output network interfaces, to the shared segments of the computer network, and also taking into account the analysis of the status of telecommunication protocols of transit traffic, and filtering the traffic at the channel, network and transport levels. The firewall is also configured to pass traffic through already established connections. This technical solution is selected as a prototype.

The disadvantage of this technical solution is that there is no possibility of clustering data, which leads to the complexity of data processing.

The technical problem to be solved, when developing the device, is to create a firewall whose operation is based on data clustering.

The technical result of the proposed utility model is to accelerate the processing of network traffic while thoroughly filtering it, which is ensured by clustering data.

The technical result is achieved due to the fact that the firewall contains a control unit, a parsing unit for receiving data at the channel, network and transport levels, a data clustering unit, a decision unit, a memory unit, while the control unit is configured to pre-analyze traffic about traffic belongs to a previously established connection, and the clustering unit is configured to split the received data when parsing the packet into clusters.

The utility model is illustrated in the drawing, which shows the structure of the firewall.

According to the proposed technical solution, the firewall, the structure of which is shown in the drawing, contains a control unit (1), a packet analysis unit (2), a data clustering unit (3), and a decision block (4). The firewall may further comprise a DPI device (5) (deep packet inspection).

The control unit (1) is connected to the packet analysis unit (2) and is configured to pre-analyze the traffic flow. If it is determined that the traffic belongs to an already established connection, that is, such packets with SYN and ASK flags have already passed through the control unit (1), then the packet is passed without filtering. In some cases, this is especially important, because, for example, a delay of more than 150 milliseconds is unacceptable for two-way voice conversations and a connection loss may occur. A valid time interval for the absence of traffic can also be set, by default it is usually 25 seconds. If the time is exceeded, then this traffic will be related to the new connection. In addition, for each type of traffic and / or protocol at the option of the user, a valid time interval can be set. The control unit (1) can also be configured to buffer data for temporary storage. If the packet belongs to a new connection, then it is sent to the packet analysis block (2). The packet parsing unit (2) parses a packet with an IP protocol specification. In this block, data is received from packet headers from the channel, network, and transport layers. Examples of data include: obtaining physical host addresses (MAC address), network protocol type (IPv4 and IPv6), source and destination host IP addresses, transport protocol type (IP, ICMP, RIP, DDP, ARP, etc.), numbers source and destination ports, as well as LLC, the value of service flags, the TCP value of the “window”.

The firewall may also further comprise a packet filtering device (5) for receiving application layer data. Examples of such data are remote access and resource sharing protocols, for example, HTTP, SMTP, FTP, HTTPS, TELNET, SSH, DNS. DPI device (5) has its own unique characteristics, which are recorded in the built-in signature database. Comparing the sample from the database with the analyzed traffic allows you to accurately determine the application or protocol. But as new applications and protocols periodically appear, the signature database also needs to be updated to ensure high accuracy of identification.

Block (3) of data clustering is used to split data from packets into clusters of similar objects to simplify further data processing and decision making. At the same time, each analysis group can use its own analysis method. Block (3) data clustering can be implemented based on neural networks.

The clustering problem can be described as follows. Let x be the set of objects (type of network protocol, sender port, receiver port, protocol name, etc.), y be the set of cluster numbers. The distance function between the objects p (x, x ⁱ ) is given. There is a finite training set of objects X ^m = {x ₁ , ... x _m } ⊂X. It is necessary to break the sample into disjoint subsets called clusters, so that each cluster consists of objects close in the metric p, and the objects of different clusters are significantly different. In this case, the cluster number y _{i is} assigned to each object x _i ∈X ^m .

To group data, any known algorithms can be used, for example, hierarchical, k-means, s-means, layer-by-layer clustering, Kohonen neural network. As already indicated, the similarity of objects is determined by the distance, which can be determined by any known method, for example: Euclidean distance, squared Euclidean distance, Manhattan distance, Chebyshev distance, power-law distance.

Thus, such input data is grouped into clusters, and atypical objects can also be selected that cannot be attached to any of the clusters, which helps to identify network anomalies. The number of clusters can be arbitrary or fixed, while the list of clusters is not clearly defined and is determined during operation depending on the incoming data.

The decision block (4) makes a decision on the cluster based on the rules for processing network packets. The functioning of the firewall is determined by a set of rules, for example, IPtables or Suricata, which can be stored in the memory block (6). Each processing cluster can have its own processing rules that are different from other clusters; in other words, certain chains can be created into which clusters will be redirected for further processing. Thus, it is enough to create one general rule for a particular cluster, and then redirect clusters from it to separate chains. Clusters can also be redirected from one chain to another. This allows you to optimize the processing of network traffic, since each packet from the cluster is processed according to its own rules. Then, based on the decision, the packet can be sent to the control unit (1) for further routing of the packet or discarded. Also, the firewall can be configured so that the packets are not discarded, but are sent for re-clustering in case if any inconsistencies were found to the rules. Based on the temporary storage of files in a buffer (not indicated in the drawing), the control unit (1) can determine that such a packet has already passed and put a mark so that it would fall into another cluster upon repeated clustering. And only after repeated processing were discarded.

The following is an example implementation of a utility model.

When the generated IP packet hits the firewall, the control unit (1) performs a preliminary analysis of the traffic flow. If the analysis revealed that the traffic packet belongs to an already established connection, then it is skipped without filtering. Otherwise, it is sent to the packet parsing unit (2). Block (2) parses the packet at the channel, network and transport levels to obtain a lot of data characterizing the packets, namely: physical host addresses (MAC address), types of network protocols (IPv4 and IPv6), IP addresses of source and destination hosts, types of transport protocols (IP, ICMP, RIP, DDP, ARP, etc.), port numbers of the source and destination, as well as LLC, the value of service flags, the value of the TCP “window”.

The received data is sent to the clustering unit (3). In the indicated block, similar data is grouped into clusters. If the firewall also additionally contains a DPI device (5), then the packets received at the input of the packet parsing unit (2) can also be redirected to the input of the device (5) for parsing the packet at the application level. In this way, application layer data as well as associated metadata can be obtained. DPI device (5) compares the sample from the database with the incoming traffic, as a result of which the protocol and / or application can be determined. This data can also be sent to the clustering unit (3), then the unit (3) splits the data received at the channel, network, transport and application levels. Next, the clusters are sent to decision block (4). For each packet, a decision is made based on the rules for processing the cluster, for example, IPtables or Suricata, which can be stored in the memory block (6). As already indicated, for each cluster can be set their own processing rules. Each packet from the cluster undergoes processing in accordance with the rules on the basis of which a decision is made to skip or block the packet. If the package meets all the rules, then it is sent to the control unit (1) for the further route.

Claims (2)

1. A firewall containing a control unit (1), a packet analysis unit (2) for receiving data at the channel, network and transport levels, data clustering unit (3), decision making unit (4), memory unit (6), In this, the control unit (1) is configured to pre-analyze the traffic about the traffic belonging to a previously established connection, and the clustering unit is capable of dividing the received data when parsing the packet into clusters. 2. The firewall according to claim 1, characterized in that it further comprises a DPI device.

Images