RU2723458C1 - Method and system for sonification of cyber-security events based on analysis of network connection protocols - Google Patents

Abstract

FIELD: information technology.SUBSTANCE: invention relates to means of sonification of cybersecurity events. Cybersecurity events are collected, which include information on the type of network protocols and IP addresses of network exchange nodes, time for performing connections between nodes and response of network protection means to said connections. Obtained IP addresses are aggregated according to types of network protocol, by means of which communication is performed between network nodes. Statistical characteristics of connections between network nodes for each transport protocol are calculated, wherein statistical characteristics reflect number of connections per unit of time and deviation from average value of number of connections for specific transport protocol. A scheme for event sonification is generated based on said statistical characteristics of connections between network nodes.EFFECT: high efficiency of responding to emerging events of cybersecurity in network zones owing to use of a scheme of events sonification.8 cl, 6 dwg

Description

FIELD OF TECHNOLOGY

[0001] The present technical solution relates to the field of computer technology, in particular to a method and system for the cyber security event sonification.

BACKGROUND

[0002] With the development of a technical level in the field of data processing that requires an immediate response to a transient change in their states, a new method has been formed that allows us to analyze various processes based on the use of audio display of information, in which data obtained during measurements or control of various processes, can be converted into sound vibrations, which makes it possible to register them through the sound channels of perception.

[0003] This approach is called sonification and is currently used in many scientific fields as an alternative to the visual presentation of data, allowing the generation of sound alerts related to changes in the state of controlled processes. At the same time, the main advantages are the ability to process and respond to a large number of parallel information flows in real time, as well as the rapid detection of changes in critical parameters, which is especially critical in processing cybersecurity event processes.

[0004] The most important criterion for sonification is the construction of a sound scheme for a specific task of identification and notification of specified types of events. As a rule, a sound scheme relies on a number of parameters to form a sonification of events, for example, sound parameters, amount of data, their connectivity, etc.

[0005] Information tends to grow. Each new virtual entity of an individual initiates new connections with other entities, receives and sends data, initializes various processes, that is, carries out information activity leading to an increase in data. An increase in the volume of data storages and a decrease in the cost of their storage leads to the fact that the general trend of interaction with information systems can be expressed as “save everything” instead of “save this fragment. The thesis about information saturation (saturation) of the visual channel of perception is undeniable. Whether it is a shopper in a supermarket or an operator of a situation center, a person is forced to turn his attention to an increasing number of data that are visually displayed in the field of view and / or to divide their presentation in time, thereby increasing the processing time of this data. This leads to a number of well-known problems - from increased fatigue and reduced labor efficiency to the occurrence of critical errors in the decision-making process. Against this background, the problems associated with combining various data are amplified.

[0006] Currently, sonification methods are widely used in various fields, including medicine, aviation and complex systems management, media art, business analytics, seismography, assistive technologies for the visually impaired, astronomy. [1]

[0007] Various approaches are known in the art to sonify observational data. For example, the analysis of network activity using SonSTAR software allows you to generate sound alerts based on the analysis of network activity flows by filtering the data of transmitted packets. [2]

[0008] From US Pat. No. 7511213 B2 (Soft Sound Holdings LLC, March 31, 2009), the principle of sonization of data of changes in the securities market by creating a sound mapping scheme for generating alerts based on parameters of dynamic market changes, for example, jumps in exchange rates, stock prices, is known etc.

[0009] The existing approaches are not suitable for the analysis of cybersecurity events in terms of identifying network anomalies and forming an audio environment based on the statistical data of connections between nodes aggregated according to certain criteria.

SUMMARY OF THE INVENTION

[0010] The present invention is directed to solving a technical problem, which consists in creating a new principle of sonification of cybersecurity events, which allows more efficient and timely identification of network anomalies in a corporate network.

[0011] The technical result is to increase the efficiency of responding to emerging cybersecurity events in network zones through the use of an event sonification scheme generated by network protection based on the statistical characteristics of connections between nodes of a corporate network in a given time interval.

[0012] The claimed result is achieved through a computer-implemented method of sonification of cybersecurity events generated by network protection means, performed by the processor and comprising stages in which:

collect data from cybersecurity events, which include information about the type of network protocols and IP addresses of network exchange nodes, the time of execution of connections between nodes and the reaction of network protection tools to these connections;

Aggregate the received IP addresses according to the types of network protocol by which communication between network nodes is carried out;

calculate the statistical characteristics of the connections between network nodes for each transport protocol, and the statistical characteristics reflect the number of connections per unit time and the deviation from the average value of the number of connections for a particular transport protocol;

generate a scheme of sonification of events on the basis of the mentioned statistical characteristics of connections between network nodes, and the said scheme is formed as:

transport protocol - a sound source;

the relative number of connections using a specific transport protocol is the volume of the sound source;

deviation from the average value of the number of connections for a particular transport protocol - timbre / pitch of the sound source;

generate sound alerts for incoming cybersecurity notifications in accordance with the said scheme of sonication.

[0013] In one particular embodiment of the method, the network zones and the connections between them are visualized in real time.

[0014] In another particular embodiment of the method, visualization is performed synchronously with the generation of sound alerts.

[0015] In another particular embodiment of the method, sound notification and / or visualization of network zones is transmitted to a user's mobile device.

[0016] In another particular embodiment of the method, the source is selected from the group: musical instrument, sounds of the environment, sounds of animals, sounds of nature, synthesized sounds, or combinations thereof.

[0017] In another private embodiment of the method, IP addresses and / or ports of network connections are further analyzed for their presence in the black list.

[0018] In another particular embodiment of the method, a separate sound source is assigned to the IP addresses and / or ports of the network connections from the blacklist to identify them in the general data stream.

[0019] The claimed result is also achieved through a system of sonication of cybersecurity events generated by network protection means, which contains at least one processor and at least one data storage medium containing machine-readable instructions that, when executed by the processor, perform the above method.

[0020] Other, particular aspects of the implementation of the claimed technical solution will be disclosed further in the present application materials.

BRIEF DESCRIPTION OF THE DRAWINGS

[0021] FIG. 1 illustrates the general scheme of the claimed solution.

[0022] FIG. 2 illustrates a flowchart of processing cybersecurity events for their sonication.

[0023] FIG. 3 illustrates a pattern of sonification of cybersecurity events when divided into zones of network activity.

[0024] FIG. 4 illustrates an example of dividing audio sources into zones of a corporate network.

[0025] FIG. 5 illustrates an embodiment of a sonification scheme with analysis of network connection punctures.

[0026] FIG. 6 illustrates a view of a computing system.

DETAILED DESCRIPTION OF THE INVENTION

[0027] As shown in FIG. 1, the general scheme of the claimed solution includes a data transmission network (110), the connection between the sections of which are controlled by the network infrastructure protection tool (120) of the corporate infrastructure. Network protection tools (120) can be selected from various devices, for example, the NGFW PaloAlto firewall or any other suitable type of device that takes into account audit log events (130) related to the initiation of connections and network interaction of hosts in a corporate network with each other and with external hosts.

[0028] The firewall audit log (130) contains cybersecurity events that include data about network connections, in particular, the time of the event, the sender's IP address, the recipient's IP address, and the protection action (whether the connection was blocked or allowed by the firewall) . Under the data transmission network, the Internet information network can be used, formed by various well-known protocols and principles of communication, for example, WAN, PAN, WLAN, LAN, etc.

[0029] The data of cybersecurity events from the audit log (130) are sent to a processing device (200) made on the basis of a personal computer, which provides data processing for the implementation of the information sonification process.

[0030] The device (200) comprises a preprocessing module (210), which enriches the data received from network protection means (120), a sonification module (220), which generates sound alerts according to the established sound scheme, a sound database (230), containing sound sources for generating sound alerts, a visualization module (240) that implements the visualization of cybersecurity event data.

[0031] In FIG. 2 shows the steps of a method for sonification of cybersecurity events. At the first stage (301), events are collected from the audit log (130) of the network protection tool (120). The data obtained using the preprocessing module (210) are aggregated taking into account the timestamp in accordance with the selected sonication scheme and enriched with additional information, for example, whether the IP address belongs to a specific network zone of the corporate network, the presence of the IP address and / or network port in the black list IP addresses and / or network ports. The preprocessing module (210) can be executed in Python and, in a particular version, can represent a module based on machine learning algorithms, for example, a neural network, superimposing a sonification scheme on the generated set of statistical characteristics from network security tools (120) to generate sound alerts for network anomalies activity.

[0032] Depending on the received data from network protection means (120), at step (301), the statistical characteristics of the compounds (302) are calculated, based on which a decision is then made on the application of the selected data sonification and visualization scheme at step (303) for subsequent generation real-time sound environment (304).

[0033] FIG. Figure 3 presents an example of the scheme of the claimed solution, in which the information to be sonicated is distributed over the zones of the corporate network (400). As shown in FIG. 4 for each network zone (4001-4004) and a given time interval (which can be set if necessary - 1,3,5,10 sec, etc.) is assigned its own unique sound source (I1-I4), which allows to identify each of zones (4001-4004).

[0034] In this sonification scheme, the statistical characteristics of the connections are determined using the preprocessing module (210), which is the total number of network connections in each of the zones (4001-4004) of the corporate network (400) in one time interval (in accordance with the selected aggregation interval (1,3,5,10 sec)), the ratio of blocked and allowed connections, the deviation of the current value of the number of connections from the average indicator of the number of connections in a given network zone, the ratio of the number of connections from this zone to the total number of connections, number of zones, s which establish connections from this zone.

[0035] These statistical characteristics are then transmitted to a sonification module (220) and a visualization module (240) to perform a step including data sonification and visualization (303). At the sonification step (303), the statistical characteristics obtained at step (302) for each network zone (110) are processed using the generated sound scheme. The sound scheme is arranged as follows: the sound source is the network zone, the number of connections in the network zone is the volume of the sound source, the deviation from the average value in the time interval is the repetition frequency of the sound of the mentioned source in the time interval, the ratio of blocked and allowed connections for each zone is the timbre / source pitch.

[0036] The sound source is selected from various types of sound representations stored in the database (230) and assigned to each of the zones (4001-4004). Such representations can be, for example, a musical instrument, sounds of the surrounding nature, sounds of animals, sounds of nature, synthesized sounds, or combinations thereof. The list of sound representations is not limited to the given examples and can be expanded.

[0037] The sound source is superimposed on the generated sonification scheme for generating sound alerts (304) for recorded anomalies in the data network (110). Anomalies are understood as sharp changes in the observed statistical characteristics (a sharp change in the number of connections in a certain zone, a change in the ratio of blocked and allowed connections, a strong deviation from the average value of the number of connections in a given zone), which can signal a security incident or the functioning of IT systems. Sonification of anomalies allows more explicitly and / or at an earlier stage to notify about the occurrence of such events and increase the efficiency and speed of response of operators monitoring network activity.

[0038] For example, certain changes in network activity in the data transmission network (110) may signal a beginning DDoS attack, massive virus infection, malfunctioning of protective equipment, and more. Given that in a large network infrastructure, even one network protection tool (130) can generate tens of thousands of events per second, using sonication, the operator can quickly identify from them an anomalous one subset, which requires a more detailed study of threats.

[0039] The visualization module (240) allows you to additionally form images of the emerging anomalies of the network connections of the data network (110). Module (240) can be implemented, for example, on the Unity engine, which provides various types of generation of visually perceptible information on emerging cybersecurity events. Visualization of the statistical characteristics of data network connections (110) can be formed simultaneously with sound alerts.

[0040] Sound alerts generated by the sonification circuit in step (304) are output using standard means of an operator workstation, for example, using headphones. Sound alerts can also be transmitted to operators on personal mobile devices or other type of wearable devices, such as smart watches. The device (200), which provides data authentication, can be executed in the form of a server and contain information with the assignment of observed anomalies to the profiles of operators, which allows you to generate sound alerts to the required employees. Such information is transmitted via wireless means, for example, such as Bluetooth, Wi-Fi, etc.

[0041] In the claimed preferred embodiment of the claimed invention, a cybersecurity event sonification scheme is proposed, which is generated on the basis of statistical characteristics determined based on the analysis of data from the transport protocol of network connections. Data preprocessing using module (210) and subsequent data processing by device (200) and modules (220) - (240) according to the established sonication scheme is performed similarly to the above method presented in FIG. 3.

[0042] In FIG. Figure 5 presents a flowchart of the process of sonification of cybersecurity events when using a model of sonification based on the analysis of a network protocol (500). At the first stage (501), data preprocessing is performed, during which events are aggregated using the involved transport protocol (TCP / UDP / ICMP), and the presence of IP addresses and network ports from security events in the black lists of IP addresses and ports is checked. Black lists contain malicious and dangerous IP addresses (usually hosts on the Internet that are involved in malicious activity, such as phishing, spam, malware distribution, etc.) and ports, the use of which may indicate infection of the host of the corporate malware network.

[0043] In step (502), for each transport protocol, statistical characteristics are calculated:

- the number of compounds per unit time;

- deviation from the average value of the number of connections for a particular transport protocol.

[0044] For IP addresses and ports from blacklists, the presence of IP addresses and ports from blacklists in each time interval is calculated.

[0045] When generating sound environments using the sonification circuit in step (503), it is further determined that the data received from the security means (120) contains IP addresses and / or network connection ports from the blacklist. If such IP addresses or ports are detected, a separate sound source is assigned to identify them in the general data stream (504).

[0046] The sonification model in step (503) is as follows.

For transport protocols:

- Transport protocol - a separate instrument / sound source;

- The relative number of connections using a specific transport protocol is the volume of the sound source;

- Deviation from the average value of the number of connections for a particular transport protocol - the timbre / pitch of the sound source.

For IP addresses and network ports from blacklists:

- The presence of an IP address / network port in the black list - instrument / sound source (a separate tool for IP addresses and network ports);

- The number of IP addresses / ports from the black list in one time interval - the volume levels of the instrument / sound source (where zero volume means no blacklisting in this time interval).

[0047] The following is an example of the formation of a sound environment using the above sonification model (500):

- TCP protocol - rustling leaves of trees from the wind (left);

- UDP protocol - wave noise (right);

- ICMP protocol - wind whistle (left);

- IP address from the black list - overflows / chimes in the style of a wind catcher (left);

- network port from the black list - ship hoot (right).

[0048] The presented schemes and examples of the distribution of sound sources are presented only for the purpose of displaying one of the examples of the formation of the sound environment.

[0049] FIG. Figure 6 shows an example of a general view of a computing system (600) based on a computing device that provides an implementation of the claimed method of sonization of cybersecurity events. A computing device may be a computer device suitable for executing functionality for data sonification and processing, for example, a personal computer, laptop, smartphone, tablet, server, etc. Device (200) may be a particular embodiment of a computing system (600).

[0050] In general, the system (600) comprises one or more processors (601) connected by a common data bus (610), memory means such as RAM (602) and ROM (603), input / output interfaces (604) , input / output devices (605), and a device for network communication (606).

[0051] A processor (601) (or multiple processors, a multi-core processor) can be selected from a variety of currently widely used devices, such as Intel ™, AMD ™, Apple ™, Samsung Exynos ™, MediaTEK ™, Qualcomm Snapdragon ™, and etc. Under the processor, it is also necessary to take into account a graphic processor, for example, an NVIDIA or ATI GPU, which is also suitable for fully or partially performing a method of processing and sonicating data. In this case, the available memory of the graphics card or graphics processor may be a memory tool.

[0052] RAM (602) is a random access memory and is intended to store machine-readable instructions executed by the processor (601) to perform the necessary operations for logical data processing. RAM (602), as a rule, contains executable instructions of the operating system and corresponding software components (applications, program modules, etc.).

[0053] The ROM (603) is one or more permanent storage devices, for example, a hard disk drive (HDD), a solid state drive (SSD), flash memory (EEPROM, NAND, etc.), optical storage media ( CD-R / RW, DVD-R / RW, BlueRay Disc, MD), etc.

[0054] Various types of I / O interfaces (604) are used to organize the operation of components of a computing system (600) and organize the operation of external connected devices. The choice of appropriate interfaces depends on the particular computing device, which can be, but not limited to: PCI, AGP, PS / 2, IrDa, FireWire, LPT, COM, SATA, IDE, Lightning, USB (2.0, 3.0, 3.1, micro, mini, Type C), TRS / Audio jack (2.5, 3.5, 6.35), HDMI, DVI, VGA, Display Port, RJ45, RS232, etc.

[0055] Various means (605) of I / O information, for example, a keyboard, a display (monitor), a touch screen, a touch pad, a joystick, a mouse, a light pen, a stylus, are used to provide user interaction with a computing system (600), touchpad, trackball, speakers, microphone, augmented reality, optical sensors, tablet, light indicators, projector, camera, biometric identification tools (retina scanner, fingerprint scanner, voice recognition module), etc.

[0056] The network interaction tool (606) provides data transfer by the system (600) via an internal or external computer network, for example, an Intranet, the Internet, a LAN, and the like. As one or more means (606), it can be used, but not limited to: Ethernet card, GSM modem, GPRS modem, LTE modem, 5G modem, satellite communications module, NFC module, Bluetooth and / or BLE module, Wi-Fi module and other

[0057] Additionally, satellite navigation aids within the system (600), for example, GPS, GLONASS, BeiDou, Galileo, can also be used.

[0058] The application materials presented disclose preferred examples of the implementation of the technical solution and should not be construed as limiting other, particular examples of its implementation, not going beyond the scope of the requested legal protection, which are obvious to specialists in the relevant field of technology.

Sources of information:

1. Rogozinsky G.G. Models and methods of sonification of cyber-physical systems / Dissertation, St. Petersburg, St. Petersburg State University of Telecommunications named after prof. M.A. Bonch-Bruevich, 2019

2. Debashi M, Vickers P (2018) Sonification of network traffic flow for monitoring and situational awareness. PLOS ONE 13 (4): e0195948. https: /7doi.org/10.1371/journal.pone.0195948.

Claims (16)

1. A computer-implemented method of sonification of cybersecurity events generated by network protection, performed using a processor and containing stages in which: - collect data from cybersecurity events, which include information about the type of network protocols and IP addresses of network exchange nodes, the time of execution of connections between nodes, and the reaction of network protection tools to these connections; - aggregate the received IP addresses according to the types of network protocol with which communication between network nodes is carried out; - calculate the statistical characteristics of the connections between network nodes for each transport protocol, and the statistical characteristics reflect the number of connections per unit time and the deviation from the average value of the number of connections for a particular transport protocol; - generate a scheme of sonification of events based on the mentioned statistical characteristics of the connections between network nodes, and the said scheme is formed as: transport protocol - a sound source; the relative number of connections using a specific transport protocol is the volume of the sound source; deviation from the average value of the number of connections for a particular transport protocol - timbre / pitch of the sound source; - generate sound alerts for incoming cybersecurity notifications in accordance with the mentioned scheme of sonication. 2. The method according to p. 1, characterized in that it additionally implements the visualization of the network zones and the connections between them in real time. 3. The method according to p. 2, characterized in that the visualization is performed synchronously with the formation of sound alerts. 4. The method according to any one of paragraphs. 1-3, characterized in that the sound notification and / or visualization of network zones is transmitted to the user's mobile device. 5. The method according to p. 1, characterized in that the source is selected from the group: musical instrument, sounds of the environment, sounds of animals, sounds of nature, synthesized sounds or combinations thereof. 6. The method according to p. 1, characterized in that they further analyze the IP addresses and / or ports of network connections for their presence in the black list. 7. The method according to claim 6, characterized in that for the IP addresses and / or ports of the network connections from the blacklist, a separate sound source is assigned to identify them in the general data stream. 8. The system of sonication of cybersecurity events generated by network protection means, containing at least one processor and at least one data storage medium containing machine-readable instructions that, when executed by the processor, perform the method of sonization of cybersecurity events according to any one of paragraphs. 1-7.

Images