RU2777839C2 - Method for filtering attacking streams aimed at the communication module - Google Patents

Abstract

FIELD: communication technology.

SUBSTANCE: invention relates to a method for filtering attacking streams aimed at the communication module. Several aggregates are defined, where each aggregate is the result of combining several incoming data streams received over a given period of time. Several first measurement vectors are determined, each of which is associated with one of the specified aggregates and contains the values of the first characteristic parameters of the aggregate with which this vector is associated. These first several measurement vectors are projected into at least one subspace defined by the first characteristic parameters. Another aggregate is determined, which is the result of combining several incoming data streams received during a different time period. Another first measurement vector is determined, associated with the specified other aggregate. The specified other first dimension vector is projected into at least one subspace. An estimate of deviation from the norm is determined depending on the results of projecting the specified other first measurement vector and projecting the totality of the specified several first measurement vectors, and then, if the estimate of deviation from the norm falls into the zone of doubt about the presence of attacking flows, several second measurement vectors are determined, each of which is associated with one of the specified aggregates. Another second measurement vector associated with another aggregate is determined. The presence or absence of an attack is detected by analyzing another second measurement vector.

EFFECT: increase in the probability of detecting an attacking stream.

11 cl, 10 dwg

Description

The field of technology to which the invention belongs

The present invention generally relates to protecting communication modules from denial of service attacks.

More specifically, the present invention relates to a method for filtering attack streams targeted at a communication module receiving a plurality of incoming data streams.

The invention also relates to a device for filtering such attack streams.

State of the art

Denial-of-service attack (DoS attack) and distributed denial-of-service attack (DDoS attack) are cyber attacks aimed at making services provided by attacked site. In the context of these attacks, we are not talking about damage to the data of the attacked site.

Such attacks can be directed at any communication module associated with the server, and in particular, at the communication module associated with the server on the Internet.

The vehicle communication module is usually connected to the manufacturer's private network. However, in order to improve specific driver assistance systems or to provide a wider range of multimedia services offered, it is proposed to connect the vehicle's communication module to the public Internet. In such a case, this communication module will be exposed to various attacks and, in particular, to distributed denial of service attacks.

Known is a machine learning method used to detect potential attacks targeting a communication module, i.e. to a piece of network equipment such as a server or router. This well-known method was developed to protect critical network equipment components that accept an unlimited number of incoming and outgoing connections. This method aims to classify incoming Internet streams (or IP streams, where IP is an abbreviation of the words Internet Protocol) to split them into legitimate streams and attack streams.

For such a classification, the method is based on a graphical distribution of parameters characterizing incoming data streams over several subspaces. The subspace is defined as a graphical area delineated by two parameters characterizing the incoming stream. It might be a question of a graph showing the average lifetime of a request (of other IP packets) as a function of the number of sources of incoming data streams.

Under nominal conditions, the parameters of the input stream are collected graphically in a cluster around one operating point, while in the case of an attack, the parameters of the attacking streams have deviating, anomalous values and are collected graphically around isolated points or outliers.

According to the known method, a plurality of incoming data streams are aggregated, over a certain period of time, grouped by source addresses. The various aggregate streams are then analyzed and, if an attack is detected (by the presence of at least one outlier), the incoming stream, identified as invalid (illegitimate), is promptly filtered out due to the greater computational power of the processors involved.

This method is effective in the case of network equipment connected to the public Internet (usually servers), because the set of incoming data streams or outgoing data streams contains flows in and out of a very large number of connections, which allows you to collect reliable statistics, and because the processors used have a high processing power. Since the attack usually results in a relatively small number of incoming data streams compared to the total number of incoming data streams, discrimination between clusters and outliers is possible and works well.

In contrast, the vehicle communication module is only suitable for receiving a limited number of incoming connections (typically about ten connections). During the analysis of incoming data streams, legitimate streams will be blocked by attacking streams, "lost" among them, so that attack streams will appear as a cluster (and therefore in the form of nominal conditions) and will no longer appear to be anomalous quantities. Therefore, the technical solution described above cannot be applied to the protection of the vehicle's communication module.

Disclosure of the essence of the invention

The present invention provides a method for detecting attacks targeting communication modules, and in particular a communication module in a vehicle.

More specifically, a method is provided for filtering such attack streams as defined in the prior art section, the method comprising the steps of:

- defining a set of aggregates, where each aggregate is the result of a combination of a plurality of incoming data streams received during a given period of time, and the period of time taken into account for determining each aggregate is different from the periods of time taken into account for determining other aggregates, and the periods of time taken into account for determining the totality of the specified set of aggregates, all fit into the first observational time window,

- determination of the set of first measurement vectors, each of which is associated with one of the indicated aggregates and contains the values of the first characteristic parameters of the aggregate with which this vector is associated,

- projecting said set of first measurement vectors into at least one subspace defined by said first characteristic parameters,

- defining a different aggregate resulting from the combination of a plurality of incoming data streams received during a different time period, where this different time period follows the first observational time window,

- determining another first measurement vector associated with said other unit and containing the values of the first characteristic parameters of this other unit,

- projecting said other first measurement vector into at least one subspace defined by the first characteristic parameters,

- determining an estimate of the deviation from the norm depending on the results of the projection of the specified other first measurement vector and the projection of the totality of the specified set of first measurement vectors,

then, if the estimate of the deviation from the norm falls into the zone of doubt about the presence of attacking flows:

- defining a set of second measurement vectors, each of which is associated with one of the specified aggregates and contains the values of other characteristic parameters of the aggregate with which it is associated, these other characteristic parameters differ from the specified first characteristic parameters,

- defining another second measurement vector associated with another aggregate and containing values of other characteristic parameters of said other aggregate, and

- detection of the presence or absence of an attack by analyzing another second measurement vector.

Thus, according to the present invention, the detection of attack flows is carried out in several discrete phases of implementation, which allows you to limit the computing power required to perform these phases. Such an implementation can therefore be carried out by processors and procedures that do not have very high computing power, such as processors and procedures integrated into the communication module of the vehicle.

In addition, the use of a second measurement vector determined in dependence on other characteristic parameters different from and independent of the characteristic parameters usually used, allows to confirm the conclusion obtained regarding the presence or absence of an attack aimed at the vehicle communication module.

In the following, other non-exhaustive and preferred features of the attack stream filtering method according to the present invention are presented, which can be implemented individually or in any technically possible combinations:

- to determine whether the deviation estimate is in the zone of doubt about the presence or absence of attack flows, means are provided for comparing the deviation estimate with the first threshold value and with the second threshold value;

means are provided for comparing the abnormality score with a second threshold, and if the abnormality score is higher than the second threshold, detecting the presence of an attack is carried out in a different time period;

- means are provided for comparing the abnormality score with a first threshold, and if the abnormality score is below the first threshold, detecting the presence of an attack is carried out in a different time period;

- funds are also provided for the following stages:

- determining the second observational time window, this second observational time window corresponds to the first observational time window shifted by the value of the specified other time period,

- defining a new aggregate, where this new aggregate is obtained by combining a plurality of incoming data streams received during a new period of time, so that this new period of time follows the second observational time window,

- defining a new first measurement vector that is associated with the new unit and contains the values of the first characteristic parameters of this new unit,

- deleting the projection of the first measurement vector associated with the aggregate, which is the result of combining a plurality of incoming data streams received during a time period located in the first observational time window, but outside the second observational time window,

- projecting a new first vector into at least the specified subspace defined by the specified first characteristic parameters, and

- defining a new estimate of deviation from the norm depending on the result of this projection;

- means are provided, at the projection stage, for projecting a plurality of first measurement vectors into a plurality of subspaces and for determining a deviation estimate based on the sum of the deviation functions, where one such deviation function is determined for each subspace based on the result of the projection of the specified a plurality of first measurement vectors and a projection of said other first measurement vector and based on an average deviation from the norm, this average deviation from the norm is also determined based on said projection of the plurality of first measurement vectors and the projection of another first measurement vector;

- means are also provided for performing, in the event of detection of the presence of an attack, the following steps:

- comparison of deviation functions found for all subspaces,

- selection of at least one subspace having the highest value of the deviation function,

- splitting the specified other aggregate into a set of separate incoming streams,

- defining a set of identification vectors for the obtained set of separate incoming streams, these identification vectors contain the same first characteristic parameters as the first measurement vectors,

- projecting the specified set of identification vectors into at least one selected subspace,

- identifying at least one illegitimate incoming stream, this illegitimate incoming stream corresponds to the incoming stream associated with the abnormal projection of the identification vector, and

- filtering illegitimate incoming stream;

- the subspace is defined by the first axis and the second axis, the first axis corresponds to the first characteristic parameter and the second axis corresponds to the second characteristic parameter selected from the set of the first characteristic parameters;

- at least one of the set of first characteristic parameters contains one of the following data:

- the number of sources of incoming flows,

- the average number of sources of incoming flows per subnet,

is the proportion of transmission requests,

- the proportion of accepted requests regarding errors,

- average size of accepted requests,

- average lifetime of accepted requests; and

- at least one of the set of other characteristic parameters contains the following data:

is the hit ratio associated with the first level cache access,

is the hit ratio associated with the L2 cache access,

is the "miss" ratio associated with another level cache access, and

- the proportion of memory used.

The present invention also provides a device for filtering attack streams targeted at a communication module from a plurality of incoming data streams, the device comprising:

- a module for defining a set of aggregates, where each aggregate is the result of a combination of a plurality of incoming data streams received during a given period of time, and the period of time taken into account for determining each aggregate is different from the periods of time taken into account for determining other aggregates, and the periods of time, taken into account to determine the totality of the specified set of aggregates, all fit into the first observational time window,

- a module for determining a set of first measurement vectors, each of which is associated with one of the specified aggregates and contains the values of the first characteristic parameters of the aggregate with which this vector is associated,

- a module for projecting said set of first measurement vectors into at least one subspace defined by said first characteristic parameters,

- a module for determining another aggregate resulting from the combination of a plurality of incoming data streams received during a different time period, where this other time period follows the first observational time window,

- a module for determining another first measurement vector associated with the specified other unit and containing the values of the first characteristic parameters of this other unit,

- a module for projecting said other first measurement vector into at least one subspace defined by the first characteristic parameters,

- a module for determining an estimate of deviation from the norm depending on the results of projecting said other first measurement vector and projecting the totality of said plurality of first measurement vectors,

- a decision module suitable for determining if the deviation estimate falls into a zone of doubt regarding the presence of attacking flows, a set of second measurement vectors, each of which is associated with one of the specified aggregates and contains the values of other characteristic parameters of the aggregate with which it is associated, these other characteristic parameters differ from the first characteristic parameters indicated,

- a module for determining another second measurement vector associated with another unit and containing values of other characteristic parameters of said other unit, and

- a module for detecting the presence or absence of an attack by analyzing another second measurement vector.

Brief description of the drawings

The following description, when considered with reference to the accompanying drawings, which are given here as a non-exhaustive example, will clearly understand what the present invention contains and how it can be carried out.

On the attached drawings:

- Fig. 1 shows a simplified representation of the passenger compartment of a vehicle equipped with an attack stream filtering device according to the present invention;

- Fig. 2 shows, in the form of a logical diagram, a method for filtering attack streams according to the present invention;

- Fig. 3-10 show eight examples of subspaces used to implement the attack flow filtering method shown in FIG. 2.

Implementation of the invention

Fig. 1 shows in a simplified way the passenger compartment of a vehicle 1 equipped with a communication module 5 suitable for receiving a plurality of incoming data streams and a device 2 for filtering attack streams.

The incoming streams may, for example, come from servers allowing, for example, access to the Internet. The communication module 5 is connected, for example, to the multimedia processor 10 installed in the vehicle 1, thus allowing a person inside the vehicle 1 to access an enhanced multimedia service offering.

The attack stream filtering device 2 is suitable for analyzing the incoming streams received by the communication module 5 in order to identify potential attacks. The attack flow filtering device 2 is also suitable for filtering detected attacks.

As shown in FIG. 1, a device for filtering attack streams is included, for example, in the communication module 5. Alternatively, the device can be installed in an object independent of the communication module 5 but in direct communication with this module.

Device 2 for filtering attacking streams contains a group of modules (not shown). These modules can be practically implemented by combining hardware elements and software elements. Each of these modules has one of the functionality considered in relation to the method according to the present invention and described below.

Fig. 2 shows, in the form of a logical diagram, an example of a method implemented in the device 2 for filtering attack streams according to the present invention.

The execution of the method starts at step E2, with the communication module 5 receiving a plurality of incoming data streams. These various input streams of data may come from a single source object (eg, a single server) or from multiple discrete source objects.

, в котором должны быть реализованы этапы способа. Это первое обсервационное временное окно составляет, например, около 5 с.For the rest of the method, the first observational time window is determined

, in which the steps of the method are to be implemented. This first observational time window is, for example, about 5 s.

времени. В контексте настоящего изобретения все эти периоды

времени являются идентичными. Используемый период

времени составляет, например, около 100 мс (первое обсервационное временное окно поэтому состоит из 50 дискретных периодов времени). Такой период

времени соответствует периоду времени, в течение которого осуществляется анализ всех входящих потоков данных с целью определения ситуации, когда присутствует распределенная атака типа отказ в обслуживании.This first observational time window is divided into successive periods

time. In the context of the present invention, all these periods

times are identical. Used period

time is, for example, about 100 ms (the first observational time window therefore consists of 50 discrete time periods). Such a period

time corresponds to the period of time during which the analysis of all incoming data streams is carried out in order to determine the situation when a distributed denial of service attack is present.

времени, комбинируют с целью получения единого потока, называемого здесь «агрегат». На этапе E4, поэтому получают по одному агрегату для каждого периода времени (поэтому в течение всего первого обсервационного временного окна

получают около пятидесяти агрегатов).In step E4, all incoming data streams received during one period

time, combined to obtain a single stream, here called "aggregate". In step E4, therefore, one aggregate is obtained for each time period (so during the entire first observational time window

receive about fifty units).

In practice, each incoming stream contains a sequence of data, in particular, this includes data that allows access to the communication network. The procedure for combining all incoming data streams then comprises grouping all the data contained in all incoming streams into one data stream (referred to as an "aggregate" in the present description).

времени, ассоциированный первый вектор измерений

записывают как

, где

обозначает переменную, соответствующую n-ому измерению в течение периода

времени. Каждую переменную

вычисляют по-разному в зависимости от типа исследуемых данных.The aggregate is defined by a first measurement vector containing a plurality of measured values. For example, during the period

time, associated first measurement vector

write as

, where

denotes the variable corresponding to the nth dimension during the period

time. Every variable

calculated differently depending on the type of data being examined.

может быть оценена путем вычисления средней величины рассматриваемых данных за период

времени. Это представляет собой, например, случай, когда средний размер принятых запросов (также обычно называемых принятыми IP-пакетами) получают путем вычисления среднего размера всех принятых запросов по всем соединениям в течение периода

времени.For example, a variable

can be estimated by calculating the average value of the considered data for the period

time. This is, for example, the case where the average size of received requests (also commonly referred to as received IP packets) is obtained by calculating the average size of all received requests over all connections during the period

time.

определяют на основе числа адресов различных источников потоков данных, принимаемых в течение периода

времени.In an example where there are multiple stream sources, the variable

determined on the basis of the number of addresses of various sources of data streams received during the period

time.

определяют на основе числа адресов различных источников потоков данных, принимаемых в течение периода

времени, и на основе числа подсетей (обозначено как

ниже) из совокупности запросов, принимаемых в течение этого периода

времени. На практике учитывают только 24 первых бита адреса источника потока данных (этот адрес источника потока данных обозначают как IP/24). Затем для каждого адреса IP/24 источника потока данных, определяют число различных источников потоков данных и число принятых запросов (или принятых IP-пакетов). Наконец, среднее число источников потоков данных для одной подсети (обозначено

в формуле ниже) получают путем взвешивания числа различных источников потоков данных для одного адреса IP/24 источника (обозначено

в следующей формуле) с числом принятых запросов для одного адреса IP/24 источника (обозначено

в следующей формуле):In the example with the average number of data flow sources per subnet, the variable

determined on the basis of the number of addresses of various sources of data streams received during the period

time, and based on the number of subnets (denoted as

below) from the total of requests received during this period

time. In practice, only the first 24 bits of the data stream source address are taken into account (this data stream source address is referred to as IP/24). Then, for each IP/24 address of the data stream source, the number of different data stream sources and the number of received requests (or received IP packets) are determined. Finally, the average number of data stream sources per subnet (denoted

in the formula below) is obtained by weighting the number of different sources of data streams for a single source IP/24 address (denoted

in the following formula) with the number of accepted requests for a single source IP/24 address (denoted

in the following formula):

определена как отношение между числом запросов передачи, принятых в течение периода

времени и общим числом принятых запросов.With respect to the proportion of received transmission requests (also called TCP connection requests, where TCP is an acronym for "transmission control protocol"), the variable

defined as the ratio between the number of transmission requests received during the period

time and the total number of requests received.

определена как отношение между числом запросов относительно ошибок, принятых в течение периода

времени и общим числом принятых запросов.In the example of the proportion of received requests for errors (also called the proportion of packets according to the ICMP protocol, where ICMP is an abbreviation for "Internet control message protocol"), the variable

defined as the ratio between the number of requests for errors received during the period

time and the total number of requests received.

измерений. Этот первый вектор

измерений характеризует агрегат, с которым этот вектор ассоциирован, посредством характеристических параметров.As can be seen in FIG. 2, the execution of the method continues at step E6. At this stage, for each received aggregate (for each time period within the first observational time window), the first vector is determined

measurements. This first vector

measurements characterizes the aggregate with which this vector is associated, by means of characteristic parameters.

ниже), средним числом источников потоков данных на одну подсеть (параметр, обозначенный

), пропорцией запросов передачи данных (обычно определяемое через число TCP-пакетов, какой параметр обозначен

), пропорцией запросов контроля ошибок (обычно называются ICMP-пакетами, какой параметр обозначен

), средним размером передаваемых запросов (обычно определяют на основе принятых IP-пакетов, какой параметр обозначен

), среднего времени жизни запросов (или принятых IP-пакетов) во время передачи данных (или TTL для времени жизни) или числа подсетей.These characteristic parameters make it possible to characterize the received Internet communication data streams (or IP streams, here IP is the common abbreviation for "Internet protocol" (Internet Protocol)). These received incoming streams depend in particular on the type of active connections or on the type of data transmitted by the incoming streams. Among these characteristic parameters, a distinction is made in the following, for example, between: the number of sources of incoming data streams (parameter denoted

below), the average number of data stream sources per subnet (the parameter denoted

), the proportion of data transfer requests (usually determined by the number of TCP packets, which parameter is indicated

), the proportion of error control requests (usually called ICMP packets, which parameter is indicated

), the average size of transmitted requests (usually determined based on the received IP packets, which parameter is indicated

), the average lifetime of requests (or received IP packets) during a data transfer (or TTL for lifetime), or the number of subnets.

These characteristic parameters are recognition criteria to allow the identification of a distributed denial of service attack on the communication module.

измерений содержит пять параметров, обозначенных как

,

,

,

,

.Here is the first vector

measurements contains five parameters, denoted as

,

,

,

,

.

определяют для каждого периода

времени и поэтому в первом обсервационном временном окне

получают множество первых векторов

измерений. Таким образом, например, для периода времени 100 мс и первого обсервационного временного окна в 5 с получают 50 первых векторов измерений.At the end of step E6, the first measurement vector

determined for each period

time and therefore in the first observational time window

get the set of first vectors

measurements. Thus, for example, for a time period of 100 ms and a first observational time window of 5 s, 50 first measurement vectors are obtained.

измерений используются затем на этапе E8. Такие характеристические параметры позволяют определить проекционные подпространства. Подпространство определяют в виде сетки ячеек. Для этой сетки первая ось, например ось абсцисс, соответствует первому характеристическому параметру, и вторая ось, например ось ординат, соответствует второму характеристическому параметру. На практике, попарно выбираемые характеристические параметры позволяют определять двумерные подпространства. В качестве варианта можно также рассматривать подпространства, имеющие больше измерений.These first vectors

measurements are then used in step E8. Such characteristic parameters make it possible to define projection subspaces. The subspace is defined as a grid of cells. For this grid, the first axis, such as the x-axis, corresponds to the first characteristic parameter, and the second axis, such as the y-axis, corresponds to the second characteristic parameter. In practice, pairwise chosen characteristic parameters allow one to define two-dimensional subspaces. As a variant one can also consider subspaces having more dimensions.

) в функции пропорции запросов контроля ошибок (

). На Фиг. 4 и 8 показаны подпространства, соответствующие пропорции запросов передачи данных (

) в функции среднего числа передаваемых запросов (или принятых IP-пакетов) (

). На Фиг. 5 и 9 показаны подпространства, соответствующие пропорции запросов передачи данных (

) в функции числа источников поступающих потоков данных (

). На Фиг. 6 и 10 показаны подпространства, соответствующие пропорции запросов контроля ошибок (

) в функции числа источников поступающих потоков данных (

).On FIG. 3-10 show the subspaces obtained using the characteristic parameters listed above. Here, each subspace is defined as a grid of 10 cells by 10 cells. On FIG. 3 and 7 show, for example, subspaces corresponding to the proportion of data transfer requests (

) in the error control request proportion function (

). On FIG. 4 and 8 show the subspaces corresponding to the proportion of data transfer requests (

) as a function of the average number of transmitted requests (or received IP packets) (

). On FIG. Figures 5 and 9 show the subspaces corresponding to the proportion of data transfer requests (

) as a function of the number of sources of incoming data streams (

). On FIG. 6 and 10 show the subspaces corresponding to the proportion of error control requests (

) as a function of the number of sources of incoming data streams (

).

измерений проецируют в подпространства, определяемые характеристическими параметрами. Все первые векторы

измерений, получаемые в пределах первого обсервационного временного окна

проецируют в эти подпространства. Под проецированием понимают идентификацию ячейки в сетке, которой принадлежит величина проецируемого первого вектора

измерений. Другими словами, для подпространства, определяемого двумя данными n и m, проекция соответствует идентификации ячейки сетки, которой принадлежит точка (

;

) первого вектора измерений

. At step E8, the first vector

measurements are projected into subspaces determined by the characteristic parameters. All first vectors

measurements obtained within the first observational time window

project into these subspaces. Projection is understood as the identification of a cell in the grid, which belongs to the value of the projected first vector

measurements. In other words, for a subspace defined by two given n and m, the projection corresponds to identifying the grid cell to which the point belongs (

;

) of the first measurement vector

.

измерений нормируют с целью обеспечения релевантного сравнения характеристических параметров. Здесь каждый из характеристических параметров первого вектора

измерений нормируют по заданной величине соответствующего параметра. Эти используемые заданные величины соответствуют, например, разумно максимальным величинам характеристических параметров. Термин «максимальный» определен относительно ограничивающего поступающего потока, который модуль связи, находящийся в автомобиле, может принять. Например, для среднего размера передаваемых запросов (или принимаемых IP-пакетов), какой параметр обозначен

, величина 1500 будет использована в качестве нормирующей величины для IPv4-версии IP-протокола. Величина 8000 будет использована в качестве нормирующей величины для IPv6-версии IP-протокола.In practice, before projecting the first vectors

measurements are normalized to provide a relevant comparison of characteristic parameters. Here, each of the characteristic parameters of the first vector

measurements are normalized according to the given value of the corresponding parameter. These predetermined values used correspond, for example, to reasonable maximum values of the characteristic parameters. The term "maximum" is defined in relation to the limiting incoming flow that the vehicle-mounted communication module can accept. For example, for the average size of transmitted requests (or received IP packets), which parameter is indicated by

, the value 1500 will be used as the normalization value for the IPv4 version of the IP protocol. The value 8000 will be used as the normalization value for the IPv6 version of the IP protocol.

измерений в различные подпространства для первого обсервационного временного окна

. В конце проецирования первых векторов

измерений ячейки остаются пустыми, если в рассматриваемую ячейку не был спроецирован ни один из первых векторов

измерений.On FIG. 3 - 10 show examples of the projection of the first vectors

measurements into different subspaces for the first observational time window

. At the end of the projection of the first vectors

cell dimensions remain empty if none of the first vectors has been projected into the considered cell

measurements.

измерений, проецируемых в эти ячейки. Ячейка называется плотной, если пропорция первых векторов

измерений, проецируемых в эту ячейку, выше заданной пропорции. Эта заданная пропорция равна, например, 5%.Cell density is determined in accordance with the proportion of the first vectors

measurements projected into those cells. A cell is called dense if the proportion of the first vectors

measurements projected into that cell is higher than the specified proportion. This predetermined proportion is, for example, 5%.

измерений в это подпространство сконцентрированы в одной ячейке.Many neighboring dense cells can form a cluster. By "adjacent cells" is here meant cells having a common boundary. On FIG. 3–10, clusters, as defined above, are indicated by cells containing oblique shading. For example, in Fig 3, all projections of the first vectors

measurements in this subspace are concentrated in one cell.

Horizontal shading, such as that present in FIG. 4, 8, 9 and 10 denotes cells that are not empty but have a density below a predetermined proportion (here below 5%). The greater the number of horizontal lines, the higher the density of the corresponding cell (while remaining below the specified proportion).

The crosses shown in Fig. 7 - 10 indicate the presence of an attack (attack detection will be discussed in detail below).

отклонения от нормы для каждого из подпространств, в которые были спроецированы первые векторы

измерений.As can be seen in FIG. 2, the implementation of the method then continues with step E10. At this stage, the evaluation

deviations from the norm for each of the subspaces into which the first vectors were projected

measurements.

некоторой точки от нормы определяют как расстояние между ячейкой j, которой принадлежит эта точка, и ближайшим кластером. Другими словами, отклонение

от нормы соответствует расстоянию между этой ячейкой j и ближайшей (или несколькими ближайшими) к ней плотной ячейкой (ами) (т.е. ячейкой (ами), для которой пропорция спроецированных в нее первых векторов

измерений больше 5%). Вычисленное расстояние представляет собой либо евклидово расстояние, либо расстояние Махалонобиса. In a subspace (denoted below as subspace k), the deviation

of a certain point from the norm is defined as the distance between the cell j, to which this point belongs, and the nearest cluster. In other words, deviation

from the norm corresponds to the distance between this cell j and the dense cell (s) closest (or several closest) to it (i.e., the cell (s) for which the proportion of the first vectors projected into it

measurements are greater than 5%). The calculated distance is either the Euclidean distance or the Mahalanobis distance.

от нормы для этой точки равно нулю. Если в рассматриваемом подпространстве нет ни одного кластера (т.е. ни одна ячейка, например, не содержит более 5% спроецированных первых векторов измерений), величина отклонения

от нормы соответствует расстоянию между ячейкой j и ячейкой, имеющей наивысшую плотность (которая, однако, все равно будет ниже 5%) в рассматриваемом подпространстве k.If any point is in a cluster, the deviation

from the norm for this point is zero. If there is not a single cluster in the subspace under consideration (i.e., no cell, for example, contains more than 5% of the projected first measurement vectors), the deviation value

from the norm corresponds to the distance between cell j and the cell with the highest density (which, however, will still be below 5%) in the considered subspace k.

от нормы, определяемой для каждой ячейки j в подпространстве k, можно определить среднюю величину отклонения

от нормы для всех ячеек j в рассматриваемом подпространстве k. Эта средняя величина отклонения от нормы имеет вид:Based on the amount of deflection

from the norm determined for each cell j in the subspace k, it is possible to determine the average deviation

from the norm for all cells j in the considered subspace k. This average deviation from the norm has the form:

соответствует отклонению от нормы (как определено выше) для ячейки j в подпространстве k,

соответствует плотности ячейки j в подпространстве k и

обозначает число ячеек в подпространстве k.where

corresponds to the deviation from the norm (as defined above) for cell j in subspace k,

corresponds to the cell density j in the subspace k and

denotes the number of cells in subspace k.

отклонения от нормы подходит к 0, тем больше точек (соответствующих проекциям первых векторов

измерений) в пределах первого обсервационного временного окна

распределены в концентрических кластерах. В качестве примера, средняя величина отклонения от нормы, оцениваемая для подпространства, показанного на Фиг. 3, равна нулю, поскольку все точки распределены в одном кластере. То же самое относится к подпространству, показанному на Фиг. 5, и к подпространству, показанному на Фиг. 6.According to this definition, the closer the mean

deviation from the norm approaches 0, the more points (corresponding to the projections of the first vectors

measurements) within the first observational time window

distributed in concentric clusters. As an example, the average deviation from the norm estimated for the subspace shown in FIG. 3 is zero because all points are distributed in one cluster. The same applies to the subspace shown in FIG. 5 and to the subspace shown in FIG. 6.

отклонения от нормы, том больше точек равномерно распределены в рассматриваемом подпространстве.In contrast, the higher the average

deviations from the norm, that is, more points are evenly distributed in the considered subspace.

отклонения от нормы, введена функция

отклонения от нормы для первого вектора

измерений в подпространстве k:To determine the score

deviations from the norm, the function

deviations from the norm for the first vector

measurements in subspace k:

обозначает величину отклонения от нормы для проекции

первого вектора

измерений в подпространство k. Средняя величина

отклонения от нормы здесь позволяет нормировать величину отклонения

от нормы для проекции

рассматриваемого первого вектора

в подпространстве k (с целью позволить одинаково рассматривать и обрабатывать все подпространства).where

denotes the amount of deviation from the norm for the projection

first vector

measurements into subspace k. average value

deviation from the norm here allows you to normalize the magnitude of the deviation

from the norm for projection

considered first vector

in the subspace k (in order to allow all subspaces to be treated and treated equally).

отклонения от нормы можно определить оценку

отклонения от нормы для первого вектора

измерений путем суммирования по всем подпространствам всех функций

отклонения от нормы, определяемых для каждого подпространства k:Based on these features

deviations from the norm, you can determine the assessment

deviations from the norm for the first vector

measurements by summing over all subspaces of all functions

deviations from the norm, determined for each subspace k:

отклонения от нормы поэтому соответствует сумме функций

отклонения от нормы, полученных для проекций первого вектора

измерений в различные подпространства.Such an assessment

deviations from the norm therefore corresponds to the sum of the functions

deviations from the norm obtained for the projections of the first vector

measurements into different subspaces.

времени. Этот новый период

времени представляет собой период времени, следующий сразу же после первого обсервационного временного окна

.The method then proceeds to step E12 where a new period is determined

time. This new period

time is the time period immediately after the first observational time window

.

времени, комбинируют с целью получения нового агрегата (с применением способа, аналогичного тому, который был использован на этапе E4, описанном выше).All incoming data streams received during the specified new period

time, combined to obtain a new aggregate (using a method similar to that used in step E4, described above).

измерений содержит характеристические параметры указанного нового агрегата.New first vector

measurements contains the characteristic parameters of the specified new unit.

отклонения от нормы, определяемая для нового первого вектора

с использованием способа, описанного выше, представляет собой величину, которая позволит определить, присутствуют ли или отсутствуют атакующие потоки среди входящих потоков данных, принятых модулем 5 связи в течение временного окна

. Эта оценка

отклонения от нормы измеряет степень отклонения от нормы для всех поступающих потоков, принятых в течение периода

времени, (и характеризуемых новым агрегатом) относительно первого обсервационного временного окна

(которое предшествует периоду

времени).Grade

deviation from the norm, determined for the new first vector

using the method described above, is a value that will determine whether there are or are not attacking streams among the incoming data streams received by the communication module 5 during the time window

. This estimate

deviation from the norm measures the degree of deviation from the norm for all incoming streams received during the period

time, (and characterized by a new aggregate) relative to the first observational time window

(which precedes the period

time).

отклонения от нормы высока, это означает, что проекции нового первого вектора

измерений в различные подпространства значительно отличаются от кластеров, образованных в течение первого обсервационного периода

и идентифицированных в различных подпространствах на этапе E8. Группа поступающих потоков, соответствующих новому агрегату, кажется в этом случае подозрительной, так что необходимо провести более глубокий анализ, чтобы подтвердить или отвергнуть присутствие атаки.From a graphical point of view, if this estimate

deviation from the norm is high, which means that the projections of the new first vector

measurements into different subspaces are significantly different from the clusters formed during the first observational period

and identified in various subspaces in step E8. The group of incoming streams corresponding to the new aggregate seems suspicious in this case, so more analysis is needed to confirm or deny the presence of an attack.

отклонения от нормы сравнивают с первой пороговой величиной

и со второй пороговой величиной

. Первая пороговая величина

меньше второй пороговой величины

. Описаны три разных случая.For this, at step E14, the evaluation

deviations from the norm are compared with the first threshold value

and with the second threshold value

. First Threshold

less than the second threshold

. Three different cases have been described.

отклонения от нормы ниже первой пороговой величины

.В этом случае определяют, что в новом временном окне

отсутствует атака, и способ переходит к этапу E20. Это случай примеров, показанных на Фиг. 3 – 6, на которых все проекции сконцентрированы в соседних ячейках, являющихся плотными или очень плотными (Фиг. 4). На этих чертежах вычисления оценок отклонений от нормы не выявили изолированной величины.The first case corresponds to the situation when the estimate

deviations from the norm below the first threshold value

.In this case, it is determined that in the new time window

there is no attack, and the method proceeds to step E20. This is the case of the examples shown in FIG. 3 - 6, on which all projections are concentrated in neighboring cells that are dense or very dense (Fig. 4). In these drawings, the calculation of the estimates of deviations from the norm did not reveal an isolated value.

. Это второе обсервационное временное окно

соответствует первому обсервационному временному окну

, сдвинутому на один период

времени. Другими словами, первое обсервационное временное окно

представляет собой подвижное окно, увеличиваемое на один период

времени для определения второго обсервационного временного окна

. Это второе обсервационное временное окно

присоединяет новый первый вектор

измерений. Наконец, эти два обсервационных временных окна имеют в общем множество периодов времени. Первый период времени в первом обсервационном временном окне (ниже называется старым периодом времени) не входит во второе обсервационное временное окно

. Кроме того, последний период времени второго обсервационного временного окна

(выше называется новым периодом

времени) не входит в первое обсервационное временное окно

.In step E20, a second observational time window is determined

. This is the second observational time window

corresponds to the first observational time window

shifted by one period

time. In other words, the first observational time window

is a moving window that increases by one period

time to determine the second observational time window

. This is the second observational time window

appends a new first vector

measurements. Finally, these two observational time windows have many time periods in common. The first time period in the first observational time window (hereinafter referred to as the old time period) is not included in the second observational time window

. In addition, the last time period of the second observational time window

(above called new period

time) is not included in the first observational time window

.

In the subspaces considered in step E8, the projection of the first measurement vector corresponding to the old time period is removed in step E22.

измерений проецируют в эти подпространства. Кластеры, присутствующие в этих подпространствах, снова идентифицируют с использованием способа, рассмотренного со ссылками на этап E8. Этапы E22 и E24, на основе результатов, полученных ранее с использованием этого способа, позволяют ограничить время выполнения способа. Они позволяют также ограничить вычислительные мощности (в частности, мощность процессора, входящего в устройство 2 для фильтрации атакующих потоков), требуемые для осуществления этого способа.At step E24, new first vector

measurements are projected into these subspaces. The clusters present in these subspaces are again identified using the method discussed with reference to step E8. Steps E22 and E24, based on the results obtained earlier using this method, allow you to limit the execution time of the method. They also make it possible to limit the computing power (in particular, the power of the processor included in the device 2 for filtering attacking flows) required to implement this method.

отклонений от нормы после того, как новый первый вектор

измерений был спроецирован во все рассматриваемые подпространства, и после того, как первый вектор измерений, ассоциированный со старым периодом времени, был удален.As shown in FIG. 2 method proceeds to step E26 where average values are determined

deviations from the norm after the new first vector

dimension has been projected into all subspaces under consideration, and after the first dimension vector associated with the old time period has been removed.

Thereafter, the implementation of this method is iteratively performed again and again, starting from step E12.

. В этом случае присутствие атаки определяют в новом периоде

времени и способ переходит к этапу E60.The second case of comparison corresponds to the situation when the deviation from the norm is higher than the second threshold

. In this case, the presence of an attack is determined in a new period

time and the method proceeds to step E60.

This second case corresponds to the examples shown in FIG. 7 - 10. The deviation scores calculated for these examples become high.

отклонения от нормы, найденные на этапе E10 для нового первого вектора

измерений.This step E60 allows you to compare functions

deviations from the norm found in step E10 for the new first vector

measurements.

. На основе исследования, выполненного в этих выбранных подпространствах, затем идентифицируют один (или больше одного) атакующий поток (и), в частности, с использованием кластеров, присутствующих в выбранных подпространствах (и характеризующих номинальные рабочие условии), для первого обсервационного временного окна

(предшествующего новому периоду

времени). В качестве примера, на Фиг. 7 – 10, кластеры идентифицированы наклонной штриховкой (как описано выше).From the entire set of subspaces under consideration, at least two subspaces are selected at step E62. In practice, one or two subspaces are chosen. Here we consider subspaces with the largest values of the functions of deviation from the norm

. Based on the exploration performed in these selected subspaces, one (or more than one) attack stream(s) is then identified (and), in particular, using the clusters present in the selected subspaces (and characterizing the nominal operating conditions), for the first observational time window

(preceding the new period

time). As an example, in FIG. 7–10, clusters are identified by oblique shading (as described above).

времени, каковые входящие потоки данных были скомбинированы для формирования такой комбинации на этапе E12, разлагают на множество потоков, называемых отдельными поступающими потоками, на этапе E64. Все входящие потоки данных, принятые в течение нового периода

времени модулем 5 связи, принимают во внимание для комбинирования на этапе E12 с целью формирования нового агрегата. Этот новый агрегат разделяют посредством комбинирования с адресами источников поступающих потоков, принятых в течение нового периода

времени. Поэтому можно определить множество раздельных агрегатов, которые считаются подозрительными. На практике, здесь присутствуют столько отдельных агрегатов, сколько имеется адресов источников.In order to allow attacker streams to be identified, a new aggregate, which is a combination of several incoming data streams received during the new period

time, which incoming data streams have been combined to form such a combination in step E12 is decomposed into a plurality of streams, called separate incoming streams, in step E64. All incoming data streams received during the new period

time by the communication module 5 is taken into account for combining in step E12 to form a new assembly. This new aggregate is separated by combining with the source addresses of the incoming streams received during the new period.

time. Therefore, it is possible to define a set of separate aggregates that are considered suspicious. In practice, there are as many individual aggregates as there are source addresses.

измерений, определенным выше. Например, если на этапе E62 выбрано только подпространство, определяемое параметрами

и

, идентификационные векторы будут содержать только эти два параметра (эти два параметра определяют для каждого отдельного агрегата в течение нового периода

времени).In step E66, each of the individual aggregates is characterized by a vector, which is called an identification vector. These identification vectors are constructed from the parameters identified in step E62 through subspace selection. Therefore, identification vectors contain a small number of parameters compared to, for example, the new first vector

measurements defined above. For example, if in step E62 only the subspace defined by the parameters

and

, the identification vectors will contain only these two parameters (these two parameters are determined for each individual aggregate during the new period

time).

These identification vectors are then projected into one or more selected subspaces in step E68. When these identification vectors are projected into subspace cells forming a cluster, the associated single incoming stream is not considered an attacking stream. In contrast, if an identity vector is projected outside of any cluster, that single aggregate is considered an attack.

At the end of this stage, the attack is identified in the considered subspaces. On FIG. 7 - 10, this is symbolically indicated by cells containing a cross.

By design, a single aggregate corresponding to an attack is associated with a group of distinct incoming streams coming from the same source address. The discovery of a distinct aggregate corresponding to the attack then allows the source address generating the so-called illegitimate incoming streams to be identified at step E70.

These illegitimate incoming streams are then filtered in step E72 of the method. Such filtering is carried out, for example, by blocking illegitimate incoming streams at the input of the communication module 5 . In practice, for example, these flows are blocked by adding the source address associated with said illegitimate incoming flows to the list of blocked source addresses. Any request originating from the specified source address is then discarded.

измерений. Этот фильтрованный первый вектор

измерений проецируют во все рассматриваемые подпространства. Более того, поскольку атакующие потоки уже были отфильтрованы (поэтому атакующие потоки не обнаруживаются в новом периоде времени), способ переходит к этапу E20, который был описан выше (и которой соответствует остальной части способа для случая, когда никакие атаки не были обнаружены).In step E74, after the illegitimate incoming streams have been filtered out, the individual incoming streams are recombined to form an entity called a filtered aggregate. And define the filtered first vector associated with it

measurements. This filtered first vector

measurements are projected into all considered subspaces. Moreover, since attack flows have already been filtered out (so attack flows are not detected in the new time period), the method proceeds to step E20, which was described above (and which corresponds to the rest of the method for the case where no attacks were detected).

отклонения от нормы с первой пороговой величиной

и со второй пороговой величиной

соответствует ситуации, когда оценка

отклонения от нормы попадает в зону сомнений. Эта зона сомнений определена для величины оценки

отклонения от нормы, находящейся между первой пороговой величиной

и второй пороговой величиной

. В этом случае невозможно непосредственно прийти к какому-либо заключению относительно присутствия или отсутствия атаки в течение нового периода

времени. Тогда способ переходит к этапу E40.Third case of evaluation comparison

deviations from the norm with the first threshold

and with the second threshold value

corresponds to the situation when the evaluation

deviation from the norm falls into the zone of doubt. This zone of doubt is defined for the assessment value

deviations from the norm, which is between the first threshold value

and the second threshold

. In this case, it is not possible to directly reach any conclusion regarding the presence or absence of an attack during the new period.

time. The method then proceeds to step E40.

времени в пределах первого обсервационного временного окна

), определяют второй вектор

измерений. Этот второй вектор

измерений характеризует агрегат, с которым он ассоциирован, посредством других характеристических параметров. Эти другие характеристические параметры отличаются от характеристических параметров, ассоциированных с первым вектором

измерений.At this stage E40, for each aggregate obtained at stage E4 (for each period

time within the first observational time window

), define the second vector

measurements. This second vector

measurement characterizes the aggregate with which it is associated through other characteristic parameters. These other characteristic parameters are different from the characteristic parameters associated with the first vector

measurements.

These other characteristic parameters, this time, do not characterize the incoming IP streams, but the execution of the software built into the device 2 to filter attack streams. These other characteristic parameters make it possible, in particular, to describe the distribution of commands and data with respect to the various levels of memory available in the device 2 for filtering attack streams. Among these other characteristic parameters, one usually distinguishes, for example, the following: the hit ratio associated with access to the first level cache (usually measured by the hit ratio in the level-1 "data" and "instructions" caches), the hit ratio associated with access to the L2 cache (usually measured by the combined L2 cache hit ratio), the "miss" ratio associated with the L3 cache, or even the proportion of memory used.

It is known to use these characteristic parameters to characterize the execution of software on any particular processor.

измерений для каждого периода

времени, вследствие чего получают множество вторых векторов

измерений в первом обсервационном временном окне

. Таким образом, например, для периода времени в 100 мс и первого обсервационного временного окна в 5 с, получают 50 вторых векторов измерений.At the end of step E40, one second vector is determined

measurements for each period

time, resulting in a set of second vectors

measurements in the first observational time window

. Thus, for example, for a time period of 100 ms and a first observational time window of 5 s, 50 second measurement vectors are obtained.

измерений после этого используют при осуществлении способа на этапе E42, на котором анализируют векторы, что позволить устранить сомнения при обнаружении присутствия или отсутствия атаки. These second vectors

the measurements are then used in the implementation of the method at step E42, in which the vectors are analyzed, which will allow to eliminate doubts when detecting the presence or absence of an attack.

измерений является обнаружение аномальных операций при выполнении программного обеспечения.The purpose of the analysis of such second vectors

measurements is to detect anomalous operations while executing the software.

измерений на этапе E6, вторые векторы

измерений проецируют в двумерные подпространства. Можно также идентифицировать и определить по одной другой средней величине

отклонения от нормы для каждого подпространства (по такому же принципу, как определение средней величины

отклонения от нормы).In the same way as the first vector

measurements in step E6, second vectors

measurements are projected into two-dimensional subspaces. Can also be identified and determined from one other average

deviations from the norm for each subspace (on the same principle as determining the average value

deviations from the norm).

времени на основе анализа нового первого вектора

, вычисляют другую оценку

отклонения от нормы для нового второго вектора

измерений, ассоциированного с новым периодом

времени, с использованием способа, рассмотренного выше. When the preceding steps of the method identify doubt as to the presence or absence of an attack during the new period

time based on the analysis of the new first vector

, compute another estimate

deviations from the norm for the new second vector

measurements associated with the new period

time using the method discussed above.

отклонения от нормы затем сравнивают с третьей пороговой величиной

. Если другая оценка

отклонения от нормы выше третьей пороговой величины

, подтверждают присутствие атаки в течение нового периода

времени.This other estimate

deviations from the norm are then compared with the third threshold value

. If another estimate

deviations from the norm above the third threshold

, confirm the presence of an attack during the new period

time.

As shown in FIG. 2, after this step E42, if no attack is detected, the method proceeds to step E20 discussed above. If at the end of the analysis of the second measurement vectors the presence of an attack was detected, the method proceeds to step E60 discussed above.

Claims (55)

1. A method for filtering attack streams aimed at a communication module (5) configured to receive a plurality of incoming data streams, comprising the steps of: define a set of aggregates, each aggregate being the result of combining a set of incoming data streams received during a given time period (

), and the time period (

) considered to define each aggregate differs from the time periods considered to determine other aggregates, and all time periods (

), taken into account to determine the set of the specified set of aggregates, are contained in the first observational time window (

), define a set of first measurement vectors (X _i ), each of which is associated with one of the specified aggregates and contains the values of the first characteristic parameters of the aggregate with which the specified vector is associated, projecting said set of first measurement vectors (X _i ) into at least one subspace defined by said first characteristic parameters, define another aggregate resulting from the combination of a set of incoming data streams received during a different time period (

), and the indicated other period of time (

) follows the first observational time window (

), define another first dimension vector (

) associated with the specified other aggregate and containing the values of the first characteristic parameters of the specified other aggregate, projecting said other first measurement vector (X _N+1 ) into at least one subspace defined by the first characteristic parameters, determining an estimate of deviation from the norm (S(X)) depending on the results of the projection of the specified other first measurement vector (X _N+1 ) and the projection of the totality of the specified set of first measurement vectors (X _i ), then, if the deviation estimate (S(X)) falls into the zone of doubt about the presence or absence of attacking flows: determine a set of second measurement vectors (Y _i ), each of which is associated with one of the specified aggregates and contains the values of other characteristic parameters of the aggregate with which it is associated, and these other characteristic parameters differ from the specified first characteristic parameters, define another second measurement vector (Y _N+1 ) associated with another destination and containing the values of other characteristic parameters of the specified other unit, and detecting the presence or absence of an attack by analyzing another second measurement vector (Y _N+1 ). 2. The method for filtering attack streams according to claim 1, wherein determining whether the error estimate (S(X)) is in a zone of doubt regarding the presence of attack flows is provided by comparing the error estimate (S(X)) with the first threshold value (

) and with the second threshold value (

). 3. The attack stream filtering method according to claim 1 or 2, further comprising the step of comparing the deviation estimate (S(X)) with a second threshold value (

), and if the deviation estimate (S(X)) is above the second threshold (

), detection of the presence of an attack is carried out in a different time period (

). 4. A method for filtering attacking streams according to any one of paragraphs. 1-3, further comprising comparing the deviation score (S(X)) with a first threshold value (

), and if the deviation estimate (S(X)) is below the first threshold (

), detection of the absence of an attack is carried out in a different time period (

). 5. A method for filtering attacking streams according to any one of paragraphs. 1-4, further comprising the steps of: determine the second observational time window (

), and the indicated second observational time window (

) corresponds to the first observational time window (

) shifted by the value of the specified other time period (

), define a new aggregate, and the specified new aggregate is obtained by combining the set of incoming data streams received during the new period of time (

), so that the specified new time period (

) follows the second observational time window (

), define a new first measurement vector (X _N+2 ) associated with the new aggregate and containing the values of the first characteristic parameters of the specified new aggregate, removing the projections of the first measurement vector associated with the aggregate resulting from the combination of the plurality of incoming data streams received during the time period located in the first observational time window (

), but outside the second observational time window (

), projecting a new first vector (X _N+2 ) into at least the specified subspace defined by the specified first characteristic parameters, and determining a new estimate of deviation from the norm depending on the result of said projection. 6. The method of filtering attacking streams according to any one of paragraphs. 1-5, further comprising sub-steps in the projection step of projecting a plurality of first measurement vectors (X _i ) into a plurality of subspaces, wherein the deviation estimate (S(X)) is determined based on the sum of deviation functions (

), where for one indicated function of deviation from the norm (

) is determined for each subspace depending on the result of projecting said set of first measurement vectors (X _i ) and projecting said other first measurement vector (X _N+1 ) and based on the average deviation from the norm (

), the indicated average deviation from the norm (

) is also determined based on said projection of a set of first measurement vectors (X _i ) and a projection of another first measurement vector (X _N+1 ). 7. The method of filtering attacking streams according to claim 6, additionally containing the steps at which, upon detecting the presence of an attack: compare functions of deviation from the norm (

) found for all subspaces, choose at least one subspace having the highest value of the deviation function (

), breaking the specified other aggregate into a plurality of separate incoming streams, determine a set of identification vectors for the received set of separate incoming streams, and these identification vectors contain the same first characteristic parameters as the first measurement vectors (X _i ), projecting the specified set of identification vectors into at least one selected subspace, identifying at least one illegitimate incoming stream, wherein said illegitimate incoming stream corresponds to an incoming stream associated with the abnormal projection of the identification vector, and perform filtering of the illegitimate incoming stream. 8. The method of filtering attacking streams according to any one of paragraphs. 1-7, in which subspace is defined by a first axis and a second axis, the first axis corresponds to a first characteristic parameter, and the second axis corresponds to a second characteristic parameter selected from a plurality of first characteristic parameters. 9. The method of filtering attacking streams according to any one of paragraphs. 1-8, in which at least one of the set of first characteristic parameters contains one of the following data: number of sources of incoming streams (

), average number of sources of incoming flows per subnet (

), proportion of transfer requests (

), proportion of accepted requests relative to errors (

), average size of received requests (

), average lifetime of accepted requests. 10. The method of filtering attacking streams according to any one of paragraphs. 1-9, in which at least one of the set of other characteristic parameters contains one of the following data: hit ratio associated with L1 cache access, hit ratio associated with L2 cache access, the "miss" ratio associated with access to the cache memory of another level, proportion of used memory. 11. A device for filtering attacking streams aimed at the communication module (5), from the totality of the set of incoming data streams, containing: a determination module for determining a plurality of aggregates, each aggregate being the result of a combination of a plurality of incoming data streams received over a given period of time (

), and the specified period of time (

) considered to define each aggregate differs from the time periods considered to determine other aggregates, and all time periods (

), taken into account to determine the set of the specified set of aggregates, are contained in the first observational time window (

), a determination module for determining a plurality of first measurement vectors (X _i ), each of which is associated with one of the specified aggregates and contains the values of the first characteristic parameters of the aggregate with which the specified vector is associated, a projection module for projecting said set of first measurement vectors (X _i ) into at least one subspace defined by said first characteristic parameters, a determination module for determining another aggregate resulting from the combination of a plurality of incoming data streams received during a different time period (

), and the indicated other period of time (

) follows the first observational time window (

), a determination module for determining another first measurement vector (X _N+1 ) associated with said other aggregate and containing the values of the first characteristic parameters of said other aggregate, a projection module for projecting said other first measurement vector (X _N+1 ) into at least one subspace defined by the first characteristic parameters, a determination module for determining a deviation score (S(X)) depending on the results of projecting said other first measurement vector (X _N+1 ) and projecting a plurality of said set of first measurement vectors (X _i ), a determination module for determining when the deviation estimate (S(X)) falls into the zone of doubt regarding the presence of attacking flows, a set of second measurement vectors (Y _i ), each of which is associated with one of the specified aggregates and contains the values of other characteristic parameters of the aggregate , with which it is associated, wherein said other characteristic parameters differ from said first characteristic parameters, a determination module for determining another second measurement vector (Y _N+1 ) associated with another destination and containing values of other characteristic parameters of said other unit, and a detection module for detecting the presence or absence of an attack by analyzing another second measurement vector (Y _N+1 ).

Images