WO2006103337A1 - Method for controlling an adaptive flow table and detecting a flood attack on a broadband packet data transmission network, and corresponding analysis equipment - Google Patents
- Publication number
- WO2006103337A1 (PCT/FR2006/000631)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- stream
- existing
- candidate
- flow
- attributes
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/24—Traffic characterised by specific attributes, e.g. priority or QoS
- H04L47/2441—Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
Definitions
- the invention relates to a method for controlling an adaptive flow table and detecting a flood attack of a broadband packet transmission network and corresponding analysis equipment.
- the transmission of packet data over a broadband transmission network involves the implementation of specific procedures or protocols, which are essential for the smooth running of the transmission process.
- network equipment such as routers, switches or multiplexers can create records relating to the flows or streams of transmitted data and process these records.
- a stream is characterized by a number of parameters or variables common to several transmitted data packets. These parameters can be contained in several layers of the OSI (Open Systems Interconnection) model. They may correspond to prefixes in the source and/or destination address fields, at layer 3 in the case of IP networks or at layer 2 in the case of ATM (Asynchronous Transfer Mode) networks, or to any other field of the header (the protocol type, for example) or of the payload of the packets, such as, in particular, the port numbers of TCP (Transmission Control Protocol) segments encapsulated in IP datagrams.
- the records relating to the flows, designated flow records, are created and then sent to a collector according to certain criteria applied by the network equipment.
- the aforementioned flow records may, for example, contain information relating to several streams and be sent to the collector in the form of one or more data packets, according to the aforementioned criteria, by the network equipment.
- the aforementioned flow records can be produced by a specific probe marketed by CISCO, designated CISCO Netflow, whose specifications can be found at the web address http://www.cisco.com/warp/public/732/netflow/index.html.
- Such a probe analyzes only one IP data packet out of every N packets entering a router.
- the corresponding entry of the flow table is updated with certain parameters of the parsed data packet, such as the volume in bytes and the type of packet indicated by the CODE field of the TCP segment header (SYN flags, ACK flags, RESET flags and others); the start and end dates of the stream, coded according to a proprietary scheme and corresponding respectively to the arrival date of the first packet of the stream and to that of the last, are also updated;
- the flow table is flushed and sent as UDP (User Datagram Protocol) packets to a collector when no free entry is available in the table on arrival of a packet that requires the creation of a new entry, or when the time elapsed since the last table was sent has exceeded a pre-established threshold value.
- the aforementioned flow monitoring process makes it possible to implement techniques for detecting flood attacks on the network by a multitude of useless and malicious messages, such as connection establishment messages or the like.
- the abovementioned techniques are based on the observation of the traffic at a point of observation, on a link via a device for duplicating the traffic by an optical coupler, or on an interface of a router, or by the implementation of functions as in the case of CISCO Netflow probes, on observation windows formed by successive time intervals.
- the different observed flows are then classified according to specific criteria, as a function of the volumes, the number of connection establishment signals for the connected transfer protocols, for example.
- the aforementioned classification then makes it possible to determine the most important flows, relative to a given criterion.
- Another technique, known as the deltoids method, consists of comparing the different flows observed over two consecutive windows and noting not the largest contributors but those with the largest differences in behavior between these two periods. Such a method has been described in the article "What's New: Finding Significant Differences in Network Data Streams" by Graham Cormode and S. Muthukrishnan, IEEE Infocom 2004. Other techniques provide anomaly detection with respect to an average behavior and can be used to determine flows with abnormal behavior. The article "Application of Anomaly Detection Algorithms for Detecting SYN Flooding Attacks" by Vasilios A. Siris and Fotini Papagalou, Proc. Globecom 2004, Dallas, December 2004, presents an overview of the different techniques mentioned above, to which reference may be made.
- Another known technique proposes a first phase of learning, more or less long, followed by a phase in which one classifies the different flows observed in several families. Each family is then characterized by a typical behavior. Consequently, if a stream comes out of the class which has been attributed to it, this variation results from an anomaly.
- the above technique is implemented in the commercial product designated Peak Flow, distributed by Arbor Networks, whose specifications are available at http://www.arbornetworks.com.
- the aforementioned techniques have the major drawback of needing to accumulate a large amount of information over successive time intervals. It is also necessary to sort this information and reconstruct the flows in order to calculate the value of specific parameters or variables. These operations are very expensive in computation time, because of the gigantic number of streams likely to coexist simultaneously, or to occur in a given time interval, on a transmission link of a broadband packet data network. Once an average behavior has been defined, it is then necessary to identify the flows that exceed this average behavior or to identify the large contributors, or even to carry out correlations over successive time intervals to detect anomalies when a deltoid method is implemented.
- the object of the present invention is to remedy all the disadvantages of the prior art techniques by implementing a method of controlling a flow table, or hash table, which is adaptive, and a method of detecting a flood attack on a corresponding broadband packet data network.
- the notion of a floating hash table must be understood as that of an adaptive flow coding table of reduced size.
- an object of the present invention is the implementation of a method of controlling the above-mentioned flow table which, thanks to the reduced size of the latter, makes it possible to introduce a natural selection by filtering the transiting flows.
- the streams of least contribution, according to a criterion of volume or rate, of number of connection establishment messages, of ICMP (Internet Control Message Protocol) messages or other, are systematically eliminated, in real time.
- Another object of the present invention is also, by means of the aforementioned filtering process, the implementation of much more reliable, precise and faithful evaluation criteria for the averages and variances of the monitored variables and parameters, allowing the implementation of a corresponding method of detecting a flood attack on a broadband packet data transmission network.
- the method of controlling an adaptive flow table located in the memory of an analysis equipment of a broadband packet data transmission network, object of the present invention, is implemented from flow records each having a stream descriptor, each stream descriptor including at least stream attributes formed at least by a stream identifier, including at least the destination address of the stream, and by the volume of the stream accumulated over the creation time of the record.
- the criterion of conditional existence of attributes includes at least the identity, respectively the absence of identity, of the destination address of the candidate stream and of the existing stream, and the superiority of the volume, respectively of the number of messages of the message type considered, of the candidate stream over the volume, respectively the number of messages of that type, of the existing stream, measured during the creation time of the record being processed.
- the method of controlling an adaptive flow table object of the invention finds application in the technical management of broadband packet data transmission networks such as the IP network, and in the security of these networks, in particular their protection against malicious flood attacks by a multitude of access request messages or other, through the implementation of an adaptive flow table in accordance with the object of the present invention and its dedicated use for the implementation of a method of detecting a flood attack.
- FIG. 1 represents, by way of illustration, a flowchart of the essential steps of the method of controlling an adaptive flow table, object of the present invention
- FIG. 2 represents, by way of illustration, a detail of implementation of the registration / non-registration operation of a candidate stream with a potential address of the adaptive flow table, according to a partial flowchart;
- FIG. 3 represents, by way of illustration, a detail of implementation of the update operation of the attributes of an existing stream, when the destination address of the candidate stream and of the existing stream are identical;
- FIG. 4 represents, for illustrative purposes, a continuation of the flowchart illustrating the registration / non-registration operation of a candidate stream of FIG. 2;
- FIG. 5 represents, by way of illustration, a flowchart of the essential steps of the method for detecting a flood attack on a broadband packet data transmission network, from an adaptive flow table controlled according to the method object of the invention illustrated in Figures 1 to 4;
- FIG. 6 represents, by way of illustration, a flowchart of the essential steps of an abnormality qualification procedure of a candidate and / or existing stream, according to a nonlimiting preferential embodiment, in the context of the method illustrated in Figure 5;
- FIG. 7 represents, by way of illustration, a flowchart of the essential steps of an attack signaling procedure
- FIG. 8 represents, by way of illustration, a broadband packet data network analysis equipment according to the subject of the present invention.
- FIG. 9 represents, in detail, the arrangement of an adaptive flow table, in accordance with the object of the present invention.
- the method which is the subject of the invention is implemented from stream recordings, designated FR, each comprising a stream descriptor, designated FD, each stream descriptor comprising stream attributes.
- the stream attributes, designated FA, are formed at least by a flow identifier, designated FI, including at least the destination address of the stream, denoted DA, and by the volume of the stream accumulated over the creation time of the record containing the flow descriptor, this cumulative volume being denoted FV.
- a stream record is noted:
- the method which is the subject of the invention is implemented for at least one type of message Mi conveyed by the streams considered on any link of the transmission network to which the adaptive flow table according to the subject of the present invention is dedicated.
- the method which is the subject of the invention consists, at least for one type of message Mi conveyed by the streams, in a step A of extracting from each of the flow descriptors the flow information and attributes relating to each of the streams contained in each stream descriptor, and of associating the stream attributes with the corresponding relevant stream, so as to define a plurality of candidate streams for registration in the adaptive flow table object of the present invention.
- Step A of FIG. 1 is represented by the symbolic relation representing the extraction operation:
- FR[FD[FA], Mi] denotes the record of a given stream and CF[FD[FA], Mi] designates the candidate stream obtained after extraction of the stream attributes and association of these attributes with the corresponding relevant stream, so as to define the aforementioned candidate stream.
- Step A is then followed by a step B consisting in calculating, for each of the candidate streams, a potential address of a memory zone in the flow table, that is to say in the memory of the analysis equipment in which the flow table is implemented.
- the potential address is a function of the destination address DA of the candidate stream CF considered.
- Step B is then followed by a step C consisting in entering or not entering the attributes FA of each of the candidate streams CF at the determined potential address HA(DA) of the memory zone considered, the aforementioned attributes FA being accompanied by an update of the cumulative value of the number of messages of the message type considered.
- the operation of entering or not entering the attributes of the candidate stream under consideration is carried out on the criterion of non-existence or of conditional existence of attributes of an existing stream in the memory zone at the determined potential address HA(DA), with respect to the candidate stream CF.
- the aforementioned criterion of conditional existence of attributes comprises at least the identity, respectively the absence of identity, of the destination address of the candidate stream and of the existing stream, when the latter is stored in the memory zone at address HA(DA), and the superiority of the volume, respectively of the number of messages of a particular type, of the candidate stream over the volume, respectively the number of messages of the same type, of the existing stream, these quantities being measured during the creation time of the records.
- in step C, the operation of entering or not entering the attributes of each of the streams at the potential address HA(DA) of the memory zone is represented by the symbolic relation:
- any FD flow descriptor can be at least constituted as shown in Table 1 below.
- any flow descriptor FD can comprise: the identifier FI of the stream, which may itself comprise the source address SA of the stream, the destination address DA of the stream, the protocol type, the port numbers and any other relevant parameter; the start date ST of the stream; the end date FT of the stream;
- for step C of FIG. 1, the step of registration or non-registration at the potential address considered, the following are available: the value of the calculated potential address HA(DA), the candidate stream CF and its attributes, the type of message Mi and, of course, the value of the above-mentioned flag indicating the presence of such a message.
- HA(DA): the calculated potential address
- Mi: the type of message
- the existing flow EF[F'D[D'A], CNMi], if present, and its attributes entered in the memory zone at the aforementioned potential address are also available, or, where appropriate, an empty memory zone when there is no existing flow EF and therefore no existing flow attribute entered in the memory zone at the address considered.
- the method which is the subject of the invention then consists, at least, in a step C1, in calculating the cumulative number of messages of the message type considered from the attributes of the candidate stream CF, updated as an existing stream, then in entering in the memory zone at potential address HA(DA) the attributes of the candidate stream and the cumulative value of the number of messages of type Mi.
- Mi designates the type of message considered
- CNMi indicates the cumulative number of messages, which can be determined, when the flag of the attributes of the candidate stream is at value 1, from the volume of the stream and the number of packets, for example.
- in step C2 of FIG. 2, the entry in the memory zone at potential address HA(DA) of the candidate stream CF and of its attributes is symbolized by the inscription CF[FD[DA], CNMi].
- the method which is the subject of the invention then consists, on identity of the destination address of the existing stream and the destination address of the candidate stream, the identity test being carried out in a step C3 of FIG. 2 by comparing the destination address DA of the candidate stream CF with the destination address D'A of the existing stream EF, and on positive response to this test, in updating in a step C4 the value of the cumulative number of messages of the message type Mi considered in the memory zone, by adding to the existing value the estimated number of messages of that type, based on the attributes of the candidate stream.
- This updating operation in step C4 comprises the calculation of the number of messages NMi, in a manner similar to step C1 of the same FIG. 2, in order then to update the cumulative value by the relation:
- Step C4 is then followed by a step C5 of updating the attributes of the existing flow F'A, other than the destination address of the existing flow, on the criterion of identity or absence of identity of the identifiers of the existing stream and of the candidate stream.
- The operation of step C5 will now be described with reference to FIG. 3, in which, for the implementation of step C5, one has on the one hand
- FA[FI[DA], ST, FT, FV];
- F'A[F'I[DA], S'T, F'T, F'V]. It is noted that, owing to the positive response to the test C3, the destination addresses of the candidate and existing streams are identical and equal to DA.
- the step of updating the attributes of the existing flow F'A represented in FIG. 3 is executed on the candidate and existing stream attributes comprising, as previously described, the identifiers FI and F'I of each of the aforementioned flows, the start dates ST and S'T, the end dates FT and
- the update step C5 then comprises a step C51 of updating the volume of the existing flow F'V by adding to it the volume FV of the candidate stream, this operation being represented by the relation
- Step C51 is followed by a step C52 of updating the start date, respectively the end date, of the existing flow by the minimum, respectively the maximum, of the corresponding start date, respectively end date, values of the candidate stream CF and of the existing stream EF.
- the previous relations indicate the update of the start date by the minimum of the start date ST of the candidate stream and S'T of the existing stream, and of the end date by the maximum of the end date F'T of the existing stream and FT of the candidate stream.
- On negative response to the test of step C50, that is to say if the identifiers of the candidate stream FI and of the existing stream are different, and if the existing stream has expired with respect to a determined re-actualization duration, this expiry condition being tested in step C53 by the symbolic relation comparing Dc with T0(EF), in which
- Dc denotes a current date, given by a system date for example, and T0(EF) denotes the re-actualization duration determined for the existing flow EF, this duration being able to be determined arbitrarily or experimentally, then, on positive response to the aforementioned test C53, in a step C54 the attributes of the existing stream are erased from the memory zone and the attributes of the candidate stream, namely the identifier FI, the start date ST, the end date FT and the volume FV, are entered in the same memory zone at address HA(DA), replacing the corresponding attributes F'I, S'T, F'T and F'V of the existing flow EF.
- the method which is the subject of the invention, when the memory zone is occupied, furthermore consists, in the absence of identity of the destination address D'A of the existing flow and of the destination address DA of the candidate stream, as represented in FIG. 4, if the existing stream EF has expired with respect to a given refresh period, this condition being tested in the test C6 of FIG. 4,
- in executing a step C9 of calculating the cumulative number CNMi of messages of this type of message, then comparing this number with the threshold value SCMi representing the determined threshold value mentioned above, then proceeding in a step C10 to erase from the memory zone the attributes F'I, S'T, F'T, F'V of the existing flow and to enter the attributes of the candidate stream, identifier FI, start date ST, end date FT and volume FV, in place of the attributes of the existing stream, the cumulative number CNMi of messages of the message type Mi considered having been calculated in step C9 from the attributes of the candidate stream.
- if, in step C8, the volume FV of the candidate flow is smaller than the volume F'V of the existing flow, then the method proceeds to a step C11 of rejecting the candidate stream, the attributes of the existing flow being maintained unchanged in the memory zone of the flow table.
- This operation in step C11 is represented by the relation Reject CF[FD[FA], Mi].
- for step B of FIG. 1, it is indicated that the potential address calculation can be executed by a calculation module taking into account the destination address DA of the candidate stream CF.
- This address HA(DA) is calculated, for example, by means of a hash function applied to the destination address of the candidate stream.
- any hash function ensuring a substantially uniform distribution of the potential memory area address calculated on the memory space of the analysis equipment is likely to be suitable.
- Such hash functions are normally available in the scientific literature and in particular on the relevant websites.
- each memory zone of the adaptive flow table object of the present invention contains for each existing stream EF at least the fields as mentioned in Table 2.
- each memory zone of the flow table comprises at least: a stream identifier, that is to say the value FI for example; the start date ST of the flow; the end date FT of the flow,
- the memory zone write operations are the operations C2, C54, C52, C56, C7 and C10 previously described in the description.
- the control method that is the subject of the present invention thus makes it possible to implement an adaptive flow table, which makes it possible to establish an average acceptable behavior for at least one stream, and in particular for a plurality of streams, with respect to a given criterion.
- a stream is then characterized by a certain variable corresponding to the desired detection criterion, this criterion being able to correspond to the volume of data of the stream or to the number of connection establishment requests to a given destination address, as previously described in the description.
- the average behavior can then be defined by an average that is permissible in the absence of a flood attack on this network, on the criterion of relative stationarity of the volume rate and/or of the rate of the number of messages of the message type considered, such as connection establishment requests.
- the control method which is the object of the present invention thus makes it possible to create an adaptive flow table which constitutes an image set of existing flows, from the records of candidate flows each comprising a candidate stream descriptor containing the attributes of the candidate stream.
- the adaptive flow table which is the subject of the present invention is thus implemented by means of a hash function to constitute a floating table maintained on the fly, that is to say as the flow records arrive, thanks to the application of certain rules of insertion into and expulsion from the table of the flows, these rules of course favoring the taking into account of the important flows according to the criteria defined previously in the description.
- Maintaining the flow image set constituting the adaptive flow table according to the control method of the present invention can then be performed over a record creation time, without a limited observation window.
- the method of detecting a flood attack which is the subject of the invention naturally consists in establishing an image set of existing flows from the records of candidate flows each comprising a candidate stream descriptor containing the attributes of the candidate stream.
- a plurality of candidate streams CF[FD[FA], Mi] are thus considered, according to the notation previously mentioned in the description.
- the attributes of each candidate flow are written together with a cumulative value of the number of messages of the message type Mi considered.
- the candidate flow is either accepted, at the time of registration, or otherwise not registered, in which case the candidate stream is rejected, as mentioned previously in the description.
- the registration or non-registration of each candidate stream CF in the existing flow image set is carried out on the criterion of non-existence or of conditional existence of a comparable existing stream in the set of existing streams, as previously mentioned in the description.
- the set of images of existing streams, that is to say the adaptive flow table obtained thanks to the implementation of the control method object of the present invention, is representative, over one or more record creation periods, of an average state that is acceptable in the absence of a flood attack on this network, on the criterion of relative stationarity of the volume rate and/or of the rate of the number of messages of the message type considered.
- in a step D, the operation of establishing the stream image set is represented by the symbolic relation:
- the method for detecting a flood attack on a broadband packet data transmission network then consists in detecting, in a step E, the exclusion of any existing stream from this image set of existing streams, when a candidate stream is written into this image set of existing streams.
- the method of detecting a flood attack in accordance with the object of the present invention then consists, in a step F, in discriminating within the aforementioned image set a subset of healthy existing streams.
- a healthy existing stream is defined as any existing stream, expired or not, which has not been subject to an exclusion measure, by marking the existing streams constituting the whole image set of existing streams.
- the discriminating operation consists in discriminating any healthy existing stream belonging to the image set, according to the previously defined healthy existing stream criterion, each healthy existing stream being assigned a corresponding index of membership in the subset of healthy existing streams E_s.
- step F is then followed by a step G consisting in calculating, for the subset E_s of healthy existing streams, average and variance variables of the volume and/or of the number of messages of the message type Mi considered, taking into account the existing stream rejected in the previous step E.
- the volume average variable M_v and the volume variance variable S_v are updated by a moving exponential smoothing algorithm, for example.
- This type of calculation and update by the aforementioned algorithm is a conventional type of calculation, which for this reason will not be described in detail.
- a floating average and a floating variance of the rate, in number of messages of the message type Mi considered per second, of the healthy flows are calculated taking into account the message rate of the expelled flow.
- CNMi denotes the cumulative number of messages of the expelled stream EF_{E+1}; FT and ST denote the end date and the start date of the aforementioned expelled stream.
- the average and variance variables of the message rate, denoted M_m and S_m, are also calculated by an averaging algorithm with exponential smoothing, for example.
- Step G is then followed by a step H, which consists in detecting an anomaly of any existing stream and/or any candidate stream by comparing the volume rate and/or the rate of the number of messages of this message type, derived from the attributes of the existing flow and/or of the candidate flow, with the aforementioned average and variance variables of the volume and/or of the number of messages.
- the anomaly detection of any existing stream advantageously consists in comparing the volume rate with the average volume rate and the volume rate variance, respectively the message rate with the average message rate and the message rate variance.
- the anomaly detection in step H is advantageously performed by testing the superiority of the volume rate r_v of the expelled existing stream EF_{E+1} over a linear combination of the average volume rate variable and the volume rate variance variable.
- the operation of detecting an anomaly of the message rate, for the same message type, of any existing and/or candidate stream comprises the comparison of the message rate r_m with a linear combination of the average message rate variable and the message rate variance variable.
- the corresponding operations are recorded in step H of FIG. 5 by the relation r_v > M_v + K_v · S_v and, respectively, r_m > M_m + K_m · S_m
- K_v denotes a weighting coefficient of the volume rate variance, taken for example equal to 5;
- K_m designates a weighting coefficient of the message rate variance, taken for example equal to 35.
- a flow of an anomaly is not necessarily an abnormal flow in the sense of a flood attack.
- The method further consists, as represented in FIG. 6 in a step I, in counting, over the set of existing flow records, the number of occurrences of volume rate anomaly detection and/or message rate anomaly detection for a given message type, for an existing flow and/or a candidate flow.
- The counting done in step I is represented by the symbolic relationship
- where $OE_{av}$ is the number of occurrences of volume rate anomalies and $OE_{am}$ the number of occurrences of message rate anomalies for the existing flow $E_{eav,n}$.
- Step I is followed by a step J consisting in comparing the above-mentioned numbers of occurrences with anomaly-occurrence threshold values, denoted $N_v$ for the volume rate anomaly occurrence threshold and $N_m$ for the message rate anomaly occurrence threshold.
- This operation is represented by the symbolic operation
- If one or both of the above-mentioned anomaly-occurrence thresholds are exceeded, then the candidate flow and/or the existing flow is stored, in a step K, as an abnormal flow in a subset image of abnormal flows. This operation is performed on a positive response to test J of FIG. 6.
- Otherwise, the process returns to the counting step I, for an adaptive continuation of the process.
- In step K the subset image of abnormal flows is noted: . It includes, of course, the collection of all existing and/or candidate flows that have satisfied the test of step J and have therefore been considered abnormal.
- According to a preferred embodiment, the detection method also consists, in a step L shown in Figure 7, in periodically scanning the subset image of abnormal flows by reading it.
- The reading operation of step L is accompanied by a count of the occurrences of the same abnormal flow during the scan period.
- The above-mentioned counting operation is represented by the symbolic relation
- where $NE_{eA}$ denotes the number of occurrences of the same abnormal flow.
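Steps G to L above describe a rate-based detector: an exponentially smoothed average and variance per message type, a test of each flow's rate against a linear combination of the two, per-flow counting of anomaly occurrences against a threshold, and a periodic scan of the abnormal set that emits an attack or end-of-anomaly signal. The Python block below is an added illustration written for this page, not code from the patent. The smoothing factor ALPHA, the occurrence thresholds N_V and N_M, the initial baselines and the sample rates are constructed assumptions (the page gives only K_v = 5 and K_m = 35), and refining the baseline only from samples judged healthy is a design choice of this example.

```python
"""Added example: flow anomaly detection in the style of steps G to L.

Assumptions (not from the patent): ALPHA, N_V, N_M, the initial baselines, the
sample rates, and updating the baseline only from samples judged healthy.
"""
from dataclasses import dataclass, field

K_V = 5.0     # weighting of the volume-rate variance (page: example value 5)
K_M = 35.0    # weighting of the message-rate variance (page: example value 35)
ALPHA = 0.2   # exponential smoothing factor (assumed)
N_V = 3       # occurrence threshold for volume-rate anomalies (assumed)
N_M = 3       # occurrence threshold for message-rate anomalies (assumed)


@dataclass
class Baseline:
    """Running average M and variance S of a rate, updated by exponential smoothing."""
    mean: float
    var: float

    def update(self, r: float) -> None:
        # EWMA recursion: M <- M + a*(r - M);  S <- (1-a)*(S + a*(r - M_old)^2)
        diff = r - self.mean
        self.mean += ALPHA * diff
        self.var = (1.0 - ALPHA) * (self.var + ALPHA * diff * diff)

    def exceeds(self, r: float, k: float) -> bool:
        """Step H test: r > M + K * S."""
        return r > self.mean + k * self.var


@dataclass
class FlowRecord:
    """Per-flow occurrence counters OE_av and OE_am (step I)."""
    oe_av: int = 0
    oe_am: int = 0


@dataclass
class Detector:
    vol: Baseline                                   # baseline for the volume rate r_v
    msg: Baseline                                   # baseline for the message rate r_m
    flows: dict = field(default_factory=dict)       # flow id -> FlowRecord
    abnormal: set = field(default_factory=set)      # subset image of abnormal flows (step K)
    ne_ea: dict = field(default_factory=dict)       # NE_eA: occurrences per abnormal flow since last scan
    reported: set = field(default_factory=set)      # flows signalled at the previous scan

    def observe(self, flow_id: str, r_v: float, r_m: float) -> tuple:
        """Apply steps H to K to one rate sample (r_v, r_m) of one flow."""
        rec = self.flows.setdefault(flow_id, FlowRecord())
        vol_anom = self.vol.exceeds(r_v, K_V)
        msg_anom = self.msg.exceeds(r_m, K_M)
        if vol_anom:
            rec.oe_av += 1
        else:
            self.vol.update(r_v)        # only healthy samples refine the baseline (assumption)
        if msg_anom:
            rec.oe_am += 1
        else:
            self.msg.update(r_m)
        if rec.oe_av > N_V or rec.oe_am > N_M:      # step J: occurrence threshold exceeded
            self.abnormal.add(flow_id)               # step K: record as abnormal flow
            self.ne_ea[flow_id] = self.ne_ea.get(flow_id, 0) + 1
        return vol_anom, msg_anom

    def scan(self) -> list:
        """Step L: periodic scan of the abnormal set; returns (flow, message, NE_eA) events."""
        events = [(fid, "flood attack", n) for fid, n in self.ne_ea.items()]
        events += [(fid, "end of anomaly", 0) for fid in sorted(self.reported - set(self.ne_ea))]
        self.reported = set(self.ne_ea)
        self.ne_ea = {}
        return events


def run_demo() -> Detector:
    """Constructed sample: two healthy flows, then a flooding flow observed five times."""
    det = Detector(vol=Baseline(mean=1000.0, var=100.0), msg=Baseline(mean=10.0, var=0.5))
    samples = [("h1", 1050.0, 11.0), ("h2", 950.0, 9.0)] + [("F", 50000.0, 500.0)] * 5
    for fid, r_v, r_m in samples:
        det.observe(fid, r_v, r_m)
    return det


if __name__ == "__main__":
    d = run_demo()
    print("abnormal flows:", d.abnormal)    # {'F'}
    print("scan events:", d.scan())         # [('F', 'flood attack', 2)]
```

The flooding flow "F" trips the step H test on each of its five samples, so its counters reach 5 while the healthy flows stay at 0; it crosses the occurrence threshold on its fourth sample, which is why the first scan reports NE_eA = 2 and a second scan with no new occurrences reports the end of the anomaly.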
- The analysis equipment of a broadband packet data transmission network can advantageously be implemented in the form of a server.
- This server can then be installed in a collector or, on the contrary, be installed independently in a network, so as to communicate with any collector deployed on this network.
- The analysis equipment conventionally comprises input/output devices I/O, a working memory RAM and a central processing unit CPU. When the network analysis equipment is deployed in a collector, the input/output devices I/O, the working memory RAM and the central processing unit CPU can be shared with the collector.
- The network analysis equipment can then benefit from all the software resources of the collector to ensure in particular the reception, storage and processing of the flow records FR and, of course, of the flow descriptors FD, allowing the implementation of the method.
- It comprises an adaptive flow table $T_1$ which, of course, includes an image set of existing flows established from the records FR of candidate flows, each having a candidate flow descriptor FD containing the attributes FA of the candidate flow, as previously described.
- The attributes of each candidate flow CF are entered in the image set of existing flows when the candidate flow is accepted, accompanied by a value of the cumulative number of messages of at least one message type, or respectively not entered when the candidate flow is rejected, on the criterion of non-existence, respectively conditional existence, of a comparable existing flow in the image set of existing flows.
- The image set of existing flows is representative, over a record creation time, of an admissible average state of this network in the absence of a flood attack, on the criterion of relative stationarity of the volume rate and/or of the rate in number of messages of a certain message type.
- The analysis equipment also comprises a control module $M_1$ of the adaptive flow table $T_1$.
- The control module $M_1$ can be constituted by a program module held in permanent memory, executable in the working memory RAM, and ensuring the technical management of the adaptive flow table $T_1$.
- Each candidate flow is registered when accepted, accompanied by a value of the cumulative number of messages of a given message type, or respectively not registered when rejected, in the image set of existing flows, that is, in the adaptive flow table $T_1$, on the criterion of non-existence, respectively conditional existence, of a comparable existing flow in the image set of existing flows.
- The control module $M_1$ thus makes it possible to implement the steps of the method of controlling the adaptive flow table $T_1$ as described previously with reference to FIGS. 1 to 4.
- The network analysis equipment also comprises a program module $M_2$, likewise formed by a permanent memory module, for example,
- this program module being however directly executable in the working memory RAM in order to allow the implementation of the method for detecting a flood attack of a broadband packet data transmission network, as described previously in connection with Figure 5.
- This method allows in particular the detection of an anomaly of any existing flow and/or any candidate flow, any registered candidate flow becoming an existing flow in accordance with the method.
- The analysis equipment comprises a table of abnormal flows $T_2$ containing a subset image of abnormal flows, and a control module $M_3$ of the abnormal flow table and of its subset image of abnormal flows $T_2$.
- The control module $M_3$ is constituted by a program module directly executable in the working memory RAM in order to allow the implementation of the method, and in particular of the abnormal flow table management process, as described with reference to FIG. 6.
- The control module of the abnormal flow table and of the abnormal flow image subset advantageously also comprises a program submodule $M'_3$, executable in working memory, which performs a periodic scan of the abnormal flow table $T_2$ in order to issue a network flood attack signalling message, or respectively an end-of-anomaly message for the flow in question, as previously described with reference to FIG. 7.
- The program modules $M_1$, $M_2$, $M_3$ and $M'_3$ can be stored on or transmitted by a data medium.
- The latter may be a hardware storage medium, for example a CD-ROM, a magnetic diskette or a hard disk, or a transmissible medium such as an electrical, optical or radio signal.
- The above-mentioned program modules $M_1$, $M_2$, $M_3$ and $M'_3$ comprise the software instructions allowing the execution of the method as described with reference to FIGS. 1 to 4, 5 and 6, respectively.
- The above-mentioned adaptive flow table takes the form of a memory space, a table divided into boxes of the same size. Each memory box is itself divided into sub-boxes, each intended to store the attributes of the existing flows, such as the Identifier, Flow #1 to Flow #M, start date ST, end date FT, volume FV, cumulative number of packets PN, cumulative number of messages CNM; one or more particular types for the destination address DA of the existing flow; as well as control variables for the rejection of existing flows, for example a counter $COF_n$ indicating the number of times the existing flow considered exceeds a certain criterion, which is itself a linear combination of the average and variance computed on the fly, as previously described.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
FR0503156 | 2005-03-31 | |
FR0503156 | 2005-03-31 | |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2006103337A1 (fr) | 2006-10-05 |
Family ID: 35414758
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/FR2006/000631 WO2006103337A1 (fr) | 2005-03-31 | 2006-03-22 | Procede de controle d’une table de flots adaptative et de detection d’une attaque par inondation d’un reseau de transmission de donnees par paquets a large bande et equipement d’analyse correspondant |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2006103337A1 (fr) |
- 2006-03-22 WO PCT/FR2006/000631, patent WO2006103337A1 (fr), not active: Application Discontinuation
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2002021771A1 (fr) * | 2000-09-07 | 2002-03-14 | Mazu Networks, Inc. | Dispositif permettant de proteger les sites victimes durant des attaques par deni de service |
US20020107953A1 (en) * | 2001-01-16 | 2002-08-08 | Mark Ontiveros | Method and device for monitoring data traffic and preventing unauthorized access to a network |
US20040054925A1 (en) * | 2002-09-13 | 2004-03-18 | Cyber Operations, Llc | System and method for detecting and countering a network attack |
EP1429230A2 (fr) * | 2002-12-12 | 2004-06-16 | Alcatel Canada Inc. | Amélioration du hachage secret de la correspondance TCP SYN/FIN |
Non-Patent Citations (1)
Title |
---|
HAINING WANG ET AL: "Detecting SYN flooding attacks", Proceedings IEEE INFOCOM 2002, 21st Annual Joint Conference of the IEEE Computer and Communications Societies, New York, NY, June 23-27, 2002, vol. 1 of 3, conf. 21, 23 June 2002 (2002-06-23), pages 1530-1539, XP010593720, ISBN: 0-7803-7476-2 * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2008090531A3 (fr) * | 2007-01-23 | 2009-01-08 | Alcatel Lucent | Mécanisme d'isolement pour systèmes terminaux potentiellement contaminés |
US8020207B2 (en) | 2007-01-23 | 2011-09-13 | Alcatel Lucent | Containment mechanism for potentially contaminated end systems |
US8112801B2 (en) | 2007-01-23 | 2012-02-07 | Alcatel Lucent | Method and apparatus for detecting malware |
US8250645B2 (en) | 2008-06-25 | 2012-08-21 | Alcatel Lucent | Malware detection methods and systems for multiple users sharing common access switch |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9531742B2 (en) | Detection of malicious network connections | |
CN107683586B (zh) | 用于异常检测中的计算基于小区密度的稀有度的方法和装置 | |
US9680877B2 (en) | Systems and methods for rule-based anomaly detection on IP network flow | |
US8533819B2 (en) | Method and apparatus for detecting compromised host computers | |
CN111277570A (zh) | 数据的安全监测方法和装置、电子设备、可读介质 | |
Duffield et al. | Rule-based anomaly detection on IP flows | |
US20090168645A1 (en) | Automated Network Congestion and Trouble Locator and Corrector | |
Yeganeh et al. | Cute: Traffic classification using terms | |
KR20090087437A (ko) | 트래픽 검출 방법 및 장치 | |
EP1842389B1 (fr) | Procédé, dispositif et programme de détection d'usurpation d'adresse dans un réseau sans fil | |
Simon et al. | Scan detection: A data mining approach | |
WO2006103337A1 (fr) | Procede de controle d’une table de flots adaptative et de detection d’une attaque par inondation d’un reseau de transmission de donnees par paquets a large bande et equipement d’analyse correspondant | |
EP2353272B1 (fr) | Procede de caracterisation d'entites a l'origine de variations dans un trafic reseau | |
Li et al. | Usaid: Unifying signature-based and anomaly-based intrusion detection | |
EP4009584A1 (fr) | Procédé de détermination de classifieurs pour la détection d'attaques dans un réseau de communication, dispositif de détermination associé | |
EP3598330B1 (fr) | Procédé et dispositif de détection d'anomalie | |
Wu | Audit data analysis and mining | |
Nychis | An empirical evaluation of entropy-based anomaly detection | |
EP4280560A1 (fr) | Procédé pour détecter des anomalies de routage entre systèmes autonomes | |
WO2006123036A1 (fr) | Procede de representation en structure arborescente d'un groupe de flots de donnees numeriques. structure arborescente, procede et systeme de detection d'une attaque par inondation | |
FR2806503A1 (fr) | Procede et dispositif d'analyse de trafic d'une pluralite de systemes informatiques pare-feu | |
Zang et al. | Encrypted DNS Traffic Analysis for Service Intention Inferring | |
EP4009209A1 (fr) | Procédé de détermination de quantités pour la détection d'attaques dans un réseau de communication, dispositif de détermination associé | |
CN117579532A (zh) | 一种针对无状态记录的网络服务检测方法、装置及设备 | |
CN116366327A (zh) | 一种网络流量还原和监控方法 |
Legal Events
Date | Code | Title | Description
---|---|---|---
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application |
| NENP | Non-entry into the national phase | Ref country code: DE
| WWW | Wipo information: withdrawn in national office | Country of ref document: DE
| NENP | Non-entry into the national phase | Ref country code: RU
| WWW | Wipo information: withdrawn in national office | Country of ref document: RU
| 122 | Ep: pct application non-entry in european phase | Ref document number: 06726129; Country of ref document: EP; Kind code of ref document: A1
| WWW | Wipo information: withdrawn in national office | Ref document number: 6726129; Country of ref document: EP