WO2013081521A1 - Monitoring traffic in a communication network - Google Patents

Monitoring traffic in a communication network Download PDF

Info

Publication number
WO2013081521A1
Authority
WO
WIPO (PCT)
Prior art keywords
client device
information
executed
software components
information pertaining
Prior art date
Application number
PCT/SE2012/050361
Other languages
French (fr)
Inventor
Michael Liljenstam
Mats NÄSLUND
Original Assignee
Telefonaktiebolaget L M Ericsson (Publ)
Application filed by Telefonaktiebolaget L M Ericsson (Publ)
Publication of WO2013081521A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection

Definitions

  • the invention relates also to a computer program and a computer program product.
  • Such unwanted and/or excessive network traffic may be due to client devices of the network which are infected by malicious software (malware), client devices behaving abnormally due to a malfunction, or a new, previously unknown application, or app, giving rise to excessive signaling and/or traffic.
  • malware malicious software
  • Known techniques for detecting such threats may generally be classified according to two categories, network-based appliances, such as firewall or intrusion detection/prevention systems, and client/host-based solutions, e.g., antivirus software or host-based firewalls.
  • Some security appliance vendors have more recently also started offering client software in addition to their network-based appliance solution, thereby offering improved coverage and protection.
  • such client software offers essentially the same features as are typically offered by antivirus-software vendors.
  • operational monitoring of a communication network can use a variety of data, e.g., statistical data and flow-level data collected from network nodes, to diagnose the status of the network. Further, input from a security appliance, or indirect information from client-based security software processed by the security vendor, can also be used, if the event is security related.
  • client-based solutions exist which provide feedback to the network based on measurements. However, these solutions focus on radio propagation aspects and radio resource usage.
  • Further technology of relevance includes hardware security support for remote attestation which can be used for remotely verifying which software has been loaded on a device.
  • Network access control mechanisms may be used to permit or deny access to a network based on which software is executed on a device.
  • Host-based client-side security software commonly provides malware detection and removal (i.e., antivirus software), as well as host-based firewalls.
  • Malware detection typically relies on a combination of binary-content signatures downloaded from a server and analysis of application behavior. In response to detecting a threat, information is typically sent back to a server, enabling the provider to compute statistics of malware prevalence. In this case, what is reported back to the server is based on a previous definition of malware through content signatures or specific behavior. However, whilst checking of content signatures is a well-known principle, less is known about the details of behavioral detection, since these techniques are generally proprietary.
  • Host-based firewalls apply a policy to inbound and outbound connections.
  • policies are typically defined locally to block known or typical malicious connections, and connection attempts are logged locally. However, the policies can also be downloaded from the network and logged events may be reported back to a monitoring point in the network.
  • the policies typically consist of local and remote port numbers, transport protocol, and an action, where the action is one of permit, deny (and log), or log (permit and log). Again, what is logged back to the network is based on previous definitions of presumed malicious behavior based on the policies.
  • the Symantec Endpoint Security IPS function logs the following information related to inbound and outbound traffic: date and time, action (block or permit), severity, direction (inbound or outbound), protocol, remote host, remote mac, remote port, local host, local mac, local port, application (path and name of the application that is associated with the traffic), user, user domain, location (physical), number of packets, start time, end time, and rule that triggered.
  • the Ascom TEMS Pocket product allows performing measurements of radio signal conditions and service test traffic performance using a smartphone, and result logs can be uploaded to a server for analysis.
  • the radio interface on normal subscriber devices can be instrumented to permit the network to collect data about radio events and get the logs uploaded for analysis.
  • TCG Trusted Computing Group
  • TPM Trusted Platform Module
  • the TPM takes a "fingerprint" of the software and adds the fingerprint to a TPM-internal tamper-resistant register, the so called platform configuration register (PCR).
  • PCR platform configuration register
  • the fingerprint comprises a checksum of the actual code, not just the name or path of the file which was loaded. This can be utilized for the purpose of remote attestation.
  • An external entity, typically another host, asks the TPM to provide an authenticated snapshot of the PCR content.
  • remote attestation is related to content piracy protection. Before allowing content to be streamed to a host, remote attestation is used to verify that the host is running software with appropriate copy-protection mechanisms.
  • Mechanisms for network access control try to check properties of a device as it is connected to a network before permitting it to use the network. For instance, it may try to verify which OS version is running on the device, if it is configured as required, and if it has antivirus or similar endpoint security software installed and up to date. NAC solutions may or may not use agent software on the device to determine that the required criteria are met. A further example is to perform remote scanning of the device. NAC may use the aforementioned TPM functionality, if present.
  • NAC functionality can be used to prevent that applications already identified as "bad" or "unknown" are allowed to even attach to a network, but this is not a viable solution in a typical commercial mobile network where "app store" concepts are used to attract users.
  • TPM functionality is merely an enhancement/enabler for NAC and similar approaches and will in itself not provide a solution to the problems in focus.
  • a method of monitoring traffic in a communication network comprises analyzing network traffic which is associated with a first client device of the communication network, and, if suspect network traffic behavior is detected, requesting information from the first client device, receiving the information from the first client device, and analyzing the information.
  • the information requested from the first client device pertains to software components which are executed on the first client device.
  • a computer program comprises computer program code.
  • the computer program code is adapted, if executed on one or more processors, to implement the method according to the first aspect of the invention.
  • a computer program product comprises a computer readable storage medium.
  • the computer readable storage medium has the computer program according to the second aspect of the invention embodied therein.
  • a client security module (CSM) is provided.
  • the CSM is intended for use in a first client device in a communication network.
  • the CSM is arranged for receiving a request for information from a network security module (NSM).
  • the requested information pertains to software components which are executed on the first client device.
  • the CSM is further arranged for compiling the information and sending the information to the NSM.
  • an NSM is provided.
  • the NSM is intended for a communication network.
  • the NSM is arranged for analyzing network traffic which is associated with a first client device in the communication network, and, if suspect network traffic behavior is detected, requesting information from a CSM in the first client device, receiving the information from the CSM, and analyzing the information.
  • the requested information pertains to software components which are executed on the first client device.
  • a communication network may be a wireless network, e.g., a mobile communication network such as a 3GPP GSM, WCDMA, LTE or UMTS network, or a wireless local area network (WLAN), or a wired network, e.g., Ethernet, DSL, an optical network, and so forth.
  • a client device of the communication network may be a mobile phone, a smartphone, a computer, a portable computer, a laptop, a tablet pc, an M2M device, a cloud computing resource, or any other type of terminal capable of communicating over a communication network.
  • the present invention makes use of an understanding that excessive traffic due to abnormally behaving devices may be detected by analyzing network traffic which is associated with a certain client device.
  • an embodiment of the invention provides means to diagnose, from the network's perspective, strange or suspect traffic behavior. This is advantageous in that the amount of manual labor involved in searching for a cause for the observed traffic behavior is reduced. Thereby, operational costs for the network operator are lowered, and a possibility to notify the user of a client device, or an app marketplace, to rectify the situation is provided.
  • an embodiment of the invention provides mechanisms to relate traffic observed from a certain client device in the communication network to an application or a set of applications, e.g., a mash-up type of service, that have generated the observed traffic.
  • a smartphone may have been infected by bot malware forcing the phone to periodically send control traffic back to a control server, from which the attacker controls the device.
  • An operator discovering subscriber traffic towards an internet protocol (IP) address occurring in a control server blacklist would want to find additional evidence that it is indeed malware. Being able to determine which software on the phone generated the traffic is one important step in such a process.
  • IP internet protocol
  • the detecting suspect network traffic behavior comprises detecting malicious network traffic in accordance with a predefined rule.
  • the detecting suspect network traffic behavior comprises detecting network traffic of unknown type or having unexpected characteristics.
  • the detecting suspect network traffic behavior comprises detecting network traffic causing network problems.
  • the information pertaining to software components which are executed on the first client device comprises fingerprints of the software components.
  • the information pertaining to software components which are executed on the first client device comprises at least one of a list of all running applications, port information, information pertaining to the destination of the network traffic, traffic volume information, information pertaining to application stability, or information pertaining to user activity.
  • the information pertaining to software components which are executed on the first client device comprises cryptographic information.
  • the method further comprises verifying the information pertaining to software components which are executed on the first client device.
  • the information pertaining to software components which are executed on the first client device is verified using the cryptographic information.
  • the analyzing the information pertaining to software components which are executed on the first client device comprises relating the network traffic which is associated with the client device with applications running on the first client device.
  • Fig. 1 illustrates a system for monitoring network traffic, in accordance with an embodiment of the invention.
  • Fig. 2 shows a sequence diagram, in accordance with an embodiment of the invention.
  • Fig. 3 illustrates a method of monitoring traffic in a communication network, in accordance with an embodiment of the invention.
  • Fig. 4 shows a client device, in accordance with an embodiment of the invention.
  • Fig. 1 illustrates a system 100 for monitoring traffic in a communication network 101 .
  • Three client devices 102-104 are connected to network 101 for the purpose of effecting communications.
  • Client devices 102-104 may communicate with network 101 by means of a wired connection, such as Ethernet, or a wireless connection, e.g., WLAN or a cellular radio technology such as GSM, WCDMA, LTE or UMTS. It will be appreciated that any number of client devices may be connected to network 101 .
  • system 100 comprises a node 105/106 comprising an NSM, in accordance with an embodiment of the invention.
  • the node comprising the NSM may either be part 105 of network 101 or be provided by an external party 106.
  • the NSM does not necessarily have to reside in the network being monitored, i.e., network 101. Rather, it may retrieve information pertaining to network 101 but reside in a separate network, e.g., an enterprise network together with other operations support systems, or with a provider of a remote monitoring service, as a managed or an outsourced service.
  • NSM 105/106 located in network 101 or being accessible by network 101 .
  • CSM 102-104 provide information regarding, e.g., which application(s) are running on a client device, how specific applications are communicating (which ports, destinations, amount of traffic), and other properties about the applications, such as consumed resources, stability, and so forth.
  • the NSM 105/106 attempts to analyze, i.e., correlate, observed traffic behavior with the applications running on client devices 102-104.
  • NSM 105/106 sends a request 211 for information to CSMs 102-104/202 which respond 212 by sending the requested information.
  • possible query scenarios are described.
  • a tuple is an ordered list of one or more elements.
  • NSM 105/106/201 requests a list of all running applications on client device 102-104.
  • CSM 102-104/202 returns a list of tuples (one tuple per application) that may contain any or all of the following information: application name, application path, verifiable identifier, and generic authentication information.
  • the verifiable identifier might be a hash of the binary or a digital signature of the binary.
  • authentication information might be information on whether the identity and/or integrity of the application have been checked, e.g., if a TPM has been used.
  • Application using a specific port: query for which application(s) is/are using a specific port.
  • NSM 105/106/201 requests information on which application is using, i.e., sending and/or receiving on, a specific port, e.g., given by port number and protocol (e.g., 1023/tcp).
  • CSM 102-104/202 returns application name and/or
  • Application connecting to a remote destination: query which application is connecting to a specific destination.
  • NSM 105/106/201 requests information on which application is connecting to, i.e., sending to and/or receiving from, a specific destination, given by DNS name and/or IP address and/or port number and/or protocol.
  • CSM 102-104/202 returns application name and/or
  • a query may also request information on which destinations and/or ports are used by a specific application. Further, a query may also request a list of all open ports.
  • Amount of traffic sent/received: query for the amount of traffic sent and/or received.
  • NSM 105/106/201 requests information on the amount of traffic sent and/or received (could be any and all of number of flows, packets, bytes) by the device or by specific application(s).
  • CSM 102-104/202 returns traffic volume(s), possibly
  • Destination verification: query whether the identity of a particular destination has been verified, e.g., by a site certificate through an SSL/TLS handshake. This may be used in connection with historical information.
  • NSM 105/106/201 requests information on communications with a particular destination which have used SSL or TLS components in the protocol stack to authenticate the destination.
  • the query may relate to a specific application.
  • CSM 102-104/202 responds with yes/no, and possibly provides some more details about which authentication mechanisms were used to authenticate the destination.
  • the response may comprise a list of applications with corresponding destination information.
  • Application stability: query as to whether a particular application has been observed, by the device, to crash frequently. This may be used in connection with historical information.
  • NSM 105/106/201 requests information on the number of logged crashes, or a list of crashes with timestamps, of a particular application.
  • CSM 102-104/202 responds with the number of crashes or a list of logged occasions.
  • User-driven application behavior: query information pertaining to user activity.
  • NSM 105/106/201 requests information on whether traffic related to a specific application, as previously established, and optionally a port and/or destination, could be linked to user input.
  • CSM 102-104/202 responds with yes/no or a confidence indicator, e.g., a number between zero and one.
  • an application running on the device without an explicit install and/or launch command having been issued by the user could be a sign of a malicious application. If such a mechanism is available to the CSM, it would be of interest for the NSM to be able to query it for this information. This may be used in connection with historical information.
  • all queries and/or responses in accordance with embodiments of the invention may either relate to all traffic which is related to a client device or to traffic which is related to one or several specific software components of a client device.
  • a software component may be an application, an app, a library, a process, a daemon, a part of operating system, a part of a protocol stack (e.g., a TCP layer), and so forth.
  • the exchange between NSM 105/106/201 and the CSMs may be protected to limit the risk of sensitive data being exposed to, or spoofed by, unauthorized parties. This could for example be based on the SIM card, a public key infrastructure (PKI), or the like.
  • PKI public key infrastructure
  • Method 300 starts with analyzing 301 network traffic which is associated with a first client device of the communication network.
  • method 300 may further comprise verifying, using received cryptographic information, the information pertaining to software components which are executed on the first client device. Further, as a result of analyzing 305 the received information, additional information may be deemed necessary and may be obtained by repeating request 303.
  • a client device is described in the following, in accordance with an embodiment of the invention.
  • Client device 401, which may, e.g., be a personal computer, a laptop, a tablet pc, a mobile phone, a smartphone, a media player, or the like, comprises a CSM 402 which is part of an operating system 403 of client device 401. Having CSM 402 at the operating system level provides CSM 402 with access to the desired information and also some protection against processes at user level, i.e., processes with only user privileges.
  • CSM 402 may be part of a platform management domain. For instance, in a Xen-based virtualized environment, the CSM could be part of "dom0".
  • CSM 402 further makes use of a TPM 404 to reliably provide information regarding which applications 405/406 that have been launched on client device 401 .
  • TPM 404 may be provided as a separate hardware module or built into a central processing unit (CPU) 407 of client device 401.
  • CPU 407 typically comprises a processor and memory.
  • CSM 402 could be implemented at the hardware level or be executed inside TPM 404 or a TEE.
  • An embodiment of the CSM with limited functionality, supporting only a subset of the listed query cases, could be implemented as an application or as part of an application.
  • client device 401 comprises a network communication module, i.e., a network interface card (NIC) 408, for effecting communications.
  • client device 401 comprises a user interface 410 for interacting with a user 411 of device 401.
  • User interface 410 may, e.g., comprise a display and a keyboard, a touch screen, or the like.
  • an embodiment of the method according to the first aspect of the invention may be implemented as a computer program, or as a plurality of interacting computer programs, comprising computer program code.
  • an existing client device, and an existing network node for monitoring a communication network such as nodes 105/106, may be adapted to perform in accordance with embodiments of the invention by providing them with an embodiment of the computer program.
  • a computer program 413 may be loaded into a memory of CPU 407 of client device 401 .
  • Computer program 413 comprises computer program code which, when executed by a processor of CPU 407, is adapted to implement at least parts of the method according to the first aspect of the invention, thereby turning an existing client device into a client device in accordance with an embodiment of the invention.
  • An existing client device such as client device 401
  • a computer program product such as a memory of CPU 407, or a memory stick which may be connected to a client device.
  • an embodiment of computer program 413 may be downloaded to a client device, e.g., to a memory of CPU 407. This may, e.g., be accomplished over a communication network to which the client device is connected to.
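The method of the first aspect and the query scenarios listed above (analyze traffic, detect a suspect flow by a predefined rule, request information from the CSM, verify it using cryptographic information, and relate the traffic to the application that generated it) can be run end to end in a few dozen lines. The following Python program is an added example written for this page; it is not code from the patent or from Ericsson. The flow records, the control-server blacklist, the JSON request/response layout, the pre-shared HMAC key that stands in for the SIM- or PKI-based protection the patent mentions, and the device state the CSM reports are all constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Flow records as the NSM might receive them from network nodes (constructed).
FLOWS = [
    {"client": "10.0.0.7", "dst": "203.0.113.9", "dport": 443, "proto": "tcp", "bytes": 1200},
    {"client": "10.0.0.7", "dst": "198.51.100.23", "dport": 8080, "proto": "tcp", "bytes": 300},
    {"client": "10.0.0.7", "dst": "198.51.100.23", "dport": 8080, "proto": "tcp", "bytes": 310},
]
# Control-server blacklist used by the predefined rule (constructed).
CONTROL_SERVER_BLACKLIST = {"198.51.100.23"}
# Assumption: a pre-shared HMAC key replaces the SIM/PKI-based protection.
SHARED_KEY = b"example-key-derived-from-sim-or-pki"
# The CSM's view of the device: installed binaries and open sockets
# (constructed; a real CSM reads this from the OS or a TPM-backed log).
DEVICE_STATE = {
    "apps": {
        "com.example.weather": {"path": "/data/app/weather/base.apk", "binary": b"weather v1.4"},
        "com.example.flashlight": {"path": "/data/app/flashlight/base.apk", "binary": b"flashlight v0.9 + extra"},
    },
    "sockets": [
        {"app": "com.example.weather", "dst": "203.0.113.9", "dport": 443, "proto": "tcp"},
        {"app": "com.example.flashlight", "dst": "198.51.100.23", "dport": 8080, "proto": "tcp"},
    ],
}

def fingerprint(binary: bytes) -> str:
    """Verifiable identifier: a hash of the binary, not just its name or path."""
    return hashlib.sha256(binary).hexdigest()

# Builds the operator already trusts, e.g. from the app marketplace (constructed).
KNOWN_GOOD_FINGERPRINTS = {fingerprint(b"weather v1.4")}

def detect_suspect(flows, blacklist):
    """NSM side: predefined rule, any flow towards a blacklisted control server."""
    return [f for f in flows if f["dst"] in blacklist]

def csm_handle(request, state, key):
    """CSM side: answer an 'application connecting to remote destination' query
    and authenticate the answer with an HMAC over the serialised body."""
    if request["query"] != "app_for_destination":
        raise ValueError("unsupported query: %s" % request["query"])
    wanted = (request["dst"], request["dport"], request["proto"])
    owners = [s["app"] for s in state["sockets"] if (s["dst"], s["dport"], s["proto"]) == wanted]
    body = {
        "nonce": request["nonce"],  # echoed so the NSM can detect replays
        "apps": [{"name": a, "path": state["apps"][a]["path"],
                  "fingerprint": fingerprint(state["apps"][a]["binary"])} for a in owners],
    }
    payload = json.dumps(body, sort_keys=True)
    return {"payload": payload, "mac": hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()}

def nsm_verify(response, key, nonce):
    """NSM side: constant-time MAC check and nonce check before trusting anything."""
    expected = hmac.new(key, response["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, response["mac"]):
        raise ValueError("response MAC does not verify")
    body = json.loads(response["payload"])
    if body["nonce"] != nonce:
        raise ValueError("nonce mismatch: stale or replayed response")
    return body

def monitor(flows, blacklist, state, key, known_good):
    """Whole method: analyze, detect, request, receive, verify, relate traffic to apps."""
    findings = []
    for flow in detect_suspect(flows, blacklist):
        nonce = secrets.token_hex(8)
        request = {"query": "app_for_destination", "nonce": nonce,
                   "dst": flow["dst"], "dport": flow["dport"], "proto": flow["proto"]}
        body = nsm_verify(csm_handle(request, state, key), key, nonce)
        for app in body["apps"]:
            findings.append({"dst": flow["dst"], "bytes": flow["bytes"], "app": app["name"],
                             "path": app["path"], "fingerprint_known": app["fingerprint"] in known_good})
    return findings

def tampering_is_rejected(state, key):
    """Negative check: a response altered in transit must fail verification."""
    nonce = "fixed-nonce"
    request = {"query": "app_for_destination", "nonce": nonce,
               "dst": "198.51.100.23", "dport": 8080, "proto": "tcp"}
    response = csm_handle(request, state, key)
    forged = dict(response, payload=response["payload"].replace("flashlight", "weather"))
    try:
        nsm_verify(forged, key, nonce)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    for finding in monitor(FLOWS, CONTROL_SERVER_BLACKLIST, DEVICE_STATE, SHARED_KEY, KNOWN_GOOD_FINGERPRINTS):
        print(finding)
    print("tampering rejected:", tampering_is_rejected(DEVICE_STATE, SHARED_KEY))
```

Two flows to the blacklisted address are attributed to the flashlight app, whose binary hash is not among the trusted builds, which is the "additional evidence" the operator wanted before acting on the blacklist hit. The nonce in the request is echoed inside the authenticated body, so an attacker who captured an earlier benign answer cannot replay it, and the MAC is compared in constant time.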

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method of monitoring traffic in a communication network(101) is provided. The method comprises analyzing, at a network node(105/106), network traffic which is associated with a client device(102–104) of the communication network, and, if suspect network traffic behavior is detected, requesting information from the client device, which information pertains to software components which are executed on the client device, receiving the information from the client device, and analyzing the information. An embodiment of the invention provides mechanisms to relate traffic observed from a certain client device in the communication network to an application which is executed on the client device. Further, a computer program, a computer program product, a client security module, and a network security module, are provided.

Description

MONITORING TRAFFIC IN A COMMUNICATION NETWORK
Technical field
The invention relates to a method of monitoring traffic in a communication network, a client security module for a client device in a communication network, and a network security module for a communication network. The invention relates also to a computer program and a computer program product.
Background
Due to the steadily increasing use of smartphones and other devices connecting to mobile communication networks, such as machine-to-machine (M2M) sensors and actuators, unwanted and/or excessive traffic has recently started to emerge also in these traditionally "safe" networks. Besides impacting user experience, operators of mobile networks suffering from such traffic, e.g., wireless local area networks (WLAN) or 3GPP cellular radio networks, are forced to spend more effort on diagnosing network problems and to add network capacity.
Such unwanted and/or excessive network traffic may be due to client devices of the network which are infected by malicious software (malware), client devices behaving abnormally due to a malfunction, or a new, previously unknown application, or app, giving rise to excessive signaling and/or traffic. There is therefore a need for detection of, as well as protection against, these problems and the traffic associated with them.
Known techniques for detecting such threats may generally be classified according to two categories, network-based appliances, such as firewall or intrusion detection/prevention systems, and client/host-based solutions, e.g., antivirus software or host-based firewalls. Some security appliance vendors have more recently also started offering client software in addition to their network-based appliance solution, thereby offering improved coverage and protection. Such client software offers essentially the same features as are typically offered by antivirus-software vendors.
Generally, operational monitoring of a communication network can use a variety of data, e.g., statistical data and flow-level data collected from network nodes, to diagnose the status of the network. Further, input from a security appliance, or indirect information from client-based security software processed by the security vendor, can also be used, if the event is security related.
Specifically for radio network performance analysis, client-based solutions exist which provide feedback to the network based on measurements. However, these solutions focus on radio propagation aspects and radio resource usage.
Further technology of relevance includes hardware security support for remote attestation which can be used for remotely verifying which software has been loaded on a device. Network access control mechanisms may be used to permit or deny access to a network based on which software is executed on a device.
The technologies outlined above will now be described in more detail.
Host-based client-side security software commonly provides malware detection and removal (i.e., antivirus software), as well as host-based firewalls.
Malware detection typically relies on a combination of binary-content signatures downloaded from a server and analysis of application behavior. In response to detecting a threat, information is typically sent back to a server, enabling the provider to compute statistics of malware prevalence. In this case, what is reported back to the server is based on a previous definition of malware through content signatures or specific behavior. However, whilst checking of content signatures is a well-known principle, less is known about the details of behavioral detection, since these techniques are generally proprietary.
Host-based firewalls apply a policy to inbound and outbound connections. Policies are typically defined locally to block known or typical malicious connections, and connection attempts are logged locally. However, the policies can also be downloaded from the network and logged events may be reported back to a monitoring point in the network. The policies typically consist of local and remote port numbers, transport protocol, and an action, where the action is one of permit, deny (and log), or log (permit and log). Again, what is logged back to the network is based on previous definitions of presumed malicious behavior based on the policies. For instance, the Symantec Endpoint Security IPS function logs the following information related to inbound and outbound traffic: date and time, action (block or permit), severity, direction (inbound or outbound), protocol, remote host, remote mac, remote port, local host, local mac, local port, application (path and name of the application that is associated with the traffic), user, user domain, location (physical), number of packets, start time, end time, and rule that triggered.
Various radio network performance measurement tools exist to test and monitor wireless networks. For instance, the Ascom TEMS Pocket product allows performing measurements of radio signal conditions and service test traffic performance using a smartphone, and result logs can be uploaded to a server for analysis. Similarly, the radio interface on normal subscriber devices can be instrumented to permit the network to collect data about radio events and get the logs uploaded for analysis. Common to these solutions, however, is that they are primarily focused on studying and optimizing relatively low-level issues, such as those related to the air interface, and that specific services are tested by initiating test traffic from the device.
The Trusted Computing Group (TCG) has defined a Trusted Platform Module (TPM) concept that, among other things, can keep track of which software, including the operating system (OS), is running on a host. Each time a software component is loaded, the TPM takes a "fingerprint" of the software and adds the fingerprint to a TPM-internal tamper-resistant register, the so called platform configuration register (PCR). The register is extended by hashing its previous value together with the new fingerprint, so it holds a running hash of everything loaded since reset and cannot be rewound to hide a component. The fingerprint comprises a checksum of the actual code, not just the name or path of the file which was loaded. This can be utilized for the purpose of remote attestation. An external entity, typically another host, asks the TPM to provide an authenticated snapshot of the PCR content. This implies that the external entity will be able to deduce, with reasonably high confidence, which software is actually running on the other host.
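As an added example (not code from the patent, from Ericsson or from the TCG specifications), the following Python program models the PCR extend operation and the remote attestation check described above: a simulated single PCR, an event log of (path, fingerprint) pairs, a quote bound to the verifier's nonce, and a verifier that replays the log against the quoted PCR and then compares each fingerprint with a list of known-good builds. The software images, the file paths, and the attestation key (an HMAC key standing in for the asymmetric key a real TPM signs quotes with) are constructed assumptions; a real TPM has many PCRs and SHA-1 as well as SHA-256 banks.

```python
import hashlib
import hmac

PCR_SIZE = 32  # a single SHA-256 PCR bank is modelled

# Assumption: an HMAC key stands in for the TPM's certified attestation key.
ATTESTATION_KEY = b"example-attestation-key"

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

class SimulatedTPM:
    """Minimal model of one PCR plus its event log. Not a real TPM."""

    def __init__(self):
        self.pcr = bytes(PCR_SIZE)  # PCRs start at zero on reset
        self.event_log = []         # (path, fingerprint_hex) in load order

    def extend(self, path: str, code: bytes) -> None:
        fp = digest(code)                 # checksum of the actual code, not the path
        self.pcr = digest(self.pcr + fp)  # PCR := H(PCR || fp): append-only, cannot be rewound
        self.event_log.append((path, fp.hex()))

    def quote(self, nonce: bytes) -> dict:
        """Authenticated PCR snapshot bound to the verifier's nonce."""
        mac = hmac.new(ATTESTATION_KEY, nonce + self.pcr, hashlib.sha256).hexdigest()
        return {"pcr": self.pcr.hex(), "mac": mac, "event_log": list(self.event_log)}

def replay_event_log(event_log) -> str:
    """Recompute the PCR value that a log of fingerprints should produce."""
    pcr = bytes(PCR_SIZE)
    for _, fp_hex in event_log:
        pcr = digest(pcr + bytes.fromhex(fp_hex))
    return pcr.hex()

def verify_quote(quote: dict, nonce: bytes, known_good: set) -> dict:
    """Verifier side: authenticity and freshness, then log consistency, then policy."""
    expected = hmac.new(ATTESTATION_KEY, nonce + bytes.fromhex(quote["pcr"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, quote["mac"]):
        return {"ok": False, "reason": "quote not authentic or not fresh", "unknown": []}
    if replay_event_log(quote["event_log"]) != quote["pcr"]:
        return {"ok": False, "reason": "event log does not reproduce PCR", "unknown": []}
    unknown = [path for path, fp in quote["event_log"] if fp not in known_good]
    return {"ok": not unknown,
            "reason": "all components known" if not unknown else "unknown components",
            "unknown": unknown}

# Constructed software images and the verifier's list of trusted builds.
OS_IMAGE = b"example-os-kernel-3.4"
WEATHER_APP = b"weather v1.4"
TROJANIZED_WEATHER = b"weather v1.4 + injected payload"
WEATHER_PATH = "/data/app/weather/base.apk"
KNOWN_GOOD = {digest(OS_IMAGE).hex(), digest(WEATHER_APP).hex()}

def attest(images, nonce: bytes) -> dict:
    """Boot a simulated device with the given images and verify its quote."""
    tpm = SimulatedTPM()
    for path, code in images:
        tpm.extend(path, code)
    return verify_quote(tpm.quote(nonce), nonce, KNOWN_GOOD)

def clean_device() -> dict:
    return attest([("/boot/kernel", OS_IMAGE), (WEATHER_PATH, WEATHER_APP)], b"nonce-1")

def trojanized_device() -> dict:
    """Same file names as the clean device, different code: the PCR differs."""
    return attest([("/boot/kernel", OS_IMAGE), (WEATHER_PATH, TROJANIZED_WEATHER)], b"nonce-2")

def edited_log_device() -> dict:
    """Runs the trojanized app but reports the clean fingerprint in its log."""
    tpm = SimulatedTPM()
    tpm.extend("/boot/kernel", OS_IMAGE)
    tpm.extend(WEATHER_PATH, TROJANIZED_WEATHER)
    quote = tpm.quote(b"nonce-3")
    quote["event_log"][1] = (WEATHER_PATH, digest(WEATHER_APP).hex())
    return verify_quote(quote, b"nonce-3", KNOWN_GOOD)

def replayed_quote() -> dict:
    """An old quote presented against a new nonce fails authentication."""
    tpm = SimulatedTPM()
    tpm.extend("/boot/kernel", OS_IMAGE)
    return verify_quote(tpm.quote(b"old-nonce"), b"new-nonce", KNOWN_GOOD)

if __name__ == "__main__":
    for name, result in [("clean", clean_device()), ("trojanized", trojanized_device()),
                         ("edited log", edited_log_device()), ("replayed", replayed_quote())]:
        print(name, result)
```

The three failure cases are the ones a verifier must distinguish: a component that is simply not on the known-good list (policy failure), an event log that has been edited so that it no longer reproduces the quoted PCR (the log lies, the PCR does not), and a stale quote reused against a fresh nonce. Because the log entry carries a hash of the code and not the file name, the trojanized build shows up even though it sits at the same path as the legitimate one.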
A typical use of remote attestation is related to content piracy protection. Before allowing content to be streamed to a host, remote attestation is used to verify that the host is running software with appropriate copy-protection mechanisms.
Mechanisms for network access control (NAC) try to check properties of a device as it is connected to a network before permitting it to use the network. For instance, it may try to verify which OS version is running on the device, if it is configured as required, and if it has antivirus or similar endpoint security software installed and up to date. NAC solutions may or may not use agent software on the device to determine that the required criteria are met. A further example is to perform remote scanning of the device. NAC may use the aforementioned TPM functionality, if present.
One obvious problem for an operator/internet service provider focusing on operational network monitoring, and which is experiencing suspicious or problematic data connectivity behavior from subscriber devices, is to determine which application on the device is causing the behavior. As mentioned above, if there is standard client-based security software running on the device, information from that software, e.g., logged security events, might be useful to determine which application is causing the problem. However, this is only possible if that application has performed some action that is "noticed", i.e., registered/characterized as "security related", by the security software. "Zero-day" problems, or previously unknown applications, can therefore in general not be identified by such approaches. Moreover, problematic behavior could be caused by poor design or bugs, issues that are not security-related and that would not be detected by security software.
One approach is to just shut down and/or disconnect any device that appears to be generating traffic/signaling in an unwanted or suspect fashion. However, this will certainly annoy legitimate users who are using some new application which, in a few weeks, may be the new "app-in-fashion", and thus may create badwill. In addition, shutting down the service will make it impossible to collect further data/evidence for security/root cause analysis.
NAC functionality can be used to prevent applications already identified as "bad" or "unknown" from even attaching to a network, but this is not a viable solution in a typical commercial mobile network where "app store" concepts are used to attract users. TPM functionality is merely an enhancement/enabler for NAC and similar approaches and will in itself not provide a solution to the problems in focus.
In US 2011/0145920 A1 a system and method for identifying mobile applications which may have an adverse effect on a mobile device or a mobile network is disclosed.
Summary
It is an object of the present invention to provide an improved alternative to the above techniques and prior art.
More specifically, it is an object of the present invention to provide an improved monitoring of traffic in a communication network. It is a further object of the invention to provide an improved analysis of suspect network traffic behavior.
These and other objects of the invention are achieved by means of different aspects of the invention, as defined by the independent claims. Embodiments of the invention are characterized by the dependent claims.
According to a first aspect of the invention, a method of monitoring traffic in a communication network is provided. The method comprises analyzing network traffic which is associated with a first client device of the communication network, and, if suspect network traffic behavior is detected, requesting information from the first client device, receiving the information from the first client device, and analyzing the information. The information requested from the first client device pertains to software components which are executed on the first client device.
According to a second aspect of the invention, a computer program is provided. The computer program comprises computer program code. The computer program code is adapted, if executed on one or more processors, to implement the method according to the first aspect of the invention.
According to a third aspect of the invention, a computer program product is provided. The computer program product comprises a computer readable storage medium. The computer readable storage medium has the computer program according to the second aspect of the invention embodied therein.
According to a fourth aspect of the invention, a client security module (CSM) is provided. The CSM is intended for use in a first client device in a communication network. The CSM is arranged for receiving a request for information from a network security module (NSM). The requested information pertains to software components which are executed on the first client device. The CSM is further arranged for compiling the information and sending the information to the NSM.
According to a fifth aspect of the invention, an NSM is provided. The NSM is intended for a communication network. The NSM is arranged for analyzing network traffic which is associated with a first client device in the communication network, and, if suspect network traffic behavior is detected, requesting information from a CSM in the first client device, receiving the information from the CSM, and analyzing the information. The requested information pertains to software components which are executed on the first client device.
For the purpose of describing the invention, a communication network may be a wireless network, e.g., a mobile communication network such as a 3GPP GSM, WCDMA, LTE or UMTS network, or a wireless local area network (WLAN), or a wired network, e.g., Ethernet, DSL, an optical network, and so forth. Further, a client device of the communication network may be a mobile phone, a smartphone, a computer, a portable computer, a laptop, a tablet pc, an M2M device, a cloud computing resource, or any other type of terminal capable of communicating over a communication network.
The present invention makes use of an understanding that excessive traffic due to abnormally behaving devices may be detected by analyzing network traffic which is associated with a certain client device. An embodiment of the invention provides means to diagnose, from the network's perspective, strange or suspect traffic behavior. This is advantageous in that the amount of manual labor involved in searching for a cause for the observed traffic behavior is reduced. Thereby, operational costs for the network operator are lowered, and a possibility to notify the user of a client device, or an app marketplace, to rectify the situation is provided.
To this end, an embodiment of the invention provides mechanisms to relate traffic observed from a certain client device in the communication network to an application or a set of applications, e.g., a mash-up type of service, that have generated the observed traffic. For instance, a smartphone may have been infected by bot malware forcing the phone to periodically send control traffic back to a control server, from which the attacker controls the device. An operator discovering subscriber traffic towards an internet protocol (IP) address occurring in a control server blacklist would want to find additional evidence that it is indeed malware. Being able to determine which software on the phone generated the traffic is one important step in such a process. Or, as a more general example, assume that a mobile network operator is experiencing network performance problems and has managed to tie this to traffic flows of a certain type of device or application, perhaps with certain periodic behaviors or volume characteristics. It would then be useful to understand if this is due to some new app which contains implementation flaws giving rise to the observed problematic behavior, or if it is due to malware, or some unforeseen interaction with network equipment. Being able to understand which client application is involved is crucial for diagnosing the problem.
According to an embodiment of the invention, the detecting suspect network traffic behavior comprises detecting malicious network traffic in accordance with a predefined rule.
According to an embodiment of the invention, the detecting suspect network traffic behavior comprises detecting network traffic of unknown type or having unexpected characteristics.
According to an embodiment of the invention, the detecting suspect network traffic behavior comprises detecting network traffic causing network problems.
According to an embodiment of the invention, the information pertaining to software components which are executed on the first client device comprises fingerprints of the software components.
According to an embodiment of the invention, the information pertaining to software components which are executed on the first client device comprises at least one of a list of all running applications, port information, information pertaining to the destination of the network traffic, traffic volume information, information pertaining to application stability, or information pertaining to user activity.
According to an embodiment of the invention, the information pertaining to software components which are executed on the first client device comprises cryptographic information. The method further comprises verifying the information pertaining to software components which are executed on the first client device. The information pertaining to software components which are executed on the first client device is verified using the cryptographic information.
According to an embodiment of the invention, the analyzing the information pertaining to software components which are executed on the first client device comprises relating the network traffic which is associated with the client device with applications running on the first client device.
Further objectives of, features of, and advantages with, the present invention will become apparent when studying the following detailed disclosure, the drawings and the appended claims. Those skilled in the art realize that different features of the present invention can be combined to create embodiments other than those described in the following.
Brief description of the drawings
The above, as well as additional objects, features and advantages of the present invention, will be better understood through the following illustrative and non-limiting detailed description of embodiments of the present invention, with reference to the appended drawings, in which:
Fig. 1 illustrates a system for monitoring network traffic, in accordance with an embodiment of the invention.
Fig. 2 shows a sequence diagram, in accordance with an embodiment of the invention.
Fig. 3 illustrates a method of monitoring traffic in a communication network, in accordance with an embodiment of the invention.
Fig. 4 shows a client device, in accordance with an embodiment of the invention.
All the figures are schematic, not necessarily to scale, and generally only show parts which are necessary in order to elucidate the invention, wherein other parts may be omitted or merely suggested.
Detailed description
In the following, an embodiment of the invention will be described with reference to Fig. 1.
Fig. 1 illustrates a system 100 for monitoring traffic in a communication network 101. Three client devices 102-104 are connected to network 101 for the purpose of effecting communications. Client devices 102-104 may communicate with network 101 by means of a wired connection, such as Ethernet, or a wireless connection, e.g., WLAN or a cellular radio technology such as GSM, WCDMA, LTE or UMTS. It will be appreciated that any number of client devices may be connected to network 101.
For the purpose of monitoring traffic in network 101, system 101 comprises a node 105/106 comprising an NSM, in accordance with an embodiment of the invention. The node comprising the NSM may either be part 105 of network 101 or be provided by an external party 106. Thus, the NSM does not necessarily have to reside in the network being monitored, i.e., network 101. Rather, it may retrieve information pertaining to network 101 but reside in a separate network, e.g., an enterprise network together with other operations support systems, or with a provider of a remote monitoring service, as a managed or an outsourced service.
Client devices 102-104 are provided with CSMs, in accordance with embodiments of the invention. To this end, the CSMs, located in client devices 102-104, communicate with an NSM 105/106, located in network 101 or being accessible by network 101. On request by NSM 105/106, CSMs 102-104 provide information regarding, e.g., which application(s) are running on a client device, how specific applications are communicating (which ports, destinations, amount of traffic), and other properties of the applications, such as consumed resources, stability, and so forth. NSM 105/106 attempts to analyze, i.e., correlate, observed traffic behavior with the applications running on client devices 102-104.
The exchange of information between NSM 105/106 and CSMs 102-104 is performed by means of query/response exchanges, as is illustrated in Fig. 2. NSM 105/106/201 sends a request 211 for information to CSMs 102-104/202 which respond 212 by sending the requested information. In the following, possible query scenarios are described.
For the purpose of describing the invention, a tuple is an ordered list of one or more elements.
List running applications: Query for all running applications on the device.
- Query: NSM 105/106/201 requests list of all running applications on device 202-204.
- Response: CSM 102-104/201 returns a list of tuples (one tuple per application) that may contain any or all of the following information: application name, application path, verifiable identifier, and generic authentication information. The verifiable identifier might be a hash of the binary or a digital signature of the binary. The generic authentication information might be information on whether the identity and/or integrity of the application have been checked, e.g., if a TPM has been used.
Application using a specific port: Query for which application(s) is/are using a specific port.
- Query: NSM 105/106/201 requests information on which application is using, i.e., sending and/or receiving, on a specific port, e.g., given by port number and protocol (e.g., 1023/tcp).
- Response: CSM 102-104/201 returns application name and/or additional associated information, as was described hereinbefore.
Application connecting to remote destination: Query which application is connecting to a specific destination.
- Query: NSM 105/106/201 requests information on which application is connecting to, i.e., sending and/or receiving, a specific destination, given by DNS name and/or IP and/or port number and/or protocol.
- Response: CSM 102-104/201 returns application name and/or additional associated information, as was described hereinbefore.
This is useful to deal with, for instance, "port-hopping" malware that tries to make it difficult to analyze local port usage, but connect to a specific destination DNS name, IP, or port. As an alternative, a query may also request information on which destinations and/or ports are used by a specific application. Further, a query may also request a list of all open ports.
Amount of traffic sent/received: Query for amount of traffic sent and/or received.
- Query: NSM 105/106/201 requests information on amount of traffic sent and/or received (could be any and all of number of flows, packets, bytes) by the device or specific application(s).
- Response: CSM 102-104/201 returns traffic volume(s), possibly broken down by application name etc., ports, or destinations, as described hereinbefore.
Historical information: Query on historical information. In this case, CSM 102-104/201 is assumed to keep a log of communication activity on the device that can be queried for information similar to what is described hereinbefore, with returned information including timestamps or time intervals.
Destination Verification: Query whether the identity of a particular destination has been verified, e.g., by a site certificate through SSL/TLS handshake. This may be used in connection with historical information.
- Query: NSM 105/106/201 requests information on communications with a particular destination which have used SSL or TLS components in the protocol stack to authenticate. Optionally, the query may relate to a specific application.
- Response: CSM 102-104/201 responds with yes/no, and possibly provides some more details about what authentication mechanisms were used to authenticate the destination. Optionally, the response may comprise a list of applications with corresponding destination information.
Application stability: Query as to whether a particular application has been observed, by the device, to crash frequently. This may be used in connection with historical information.
- Query: NSM 105/106/201 requests information on number of logged crashes, or list of crashes with timestamps, of a particular application.
- Response: CSM 102-104/201 responds with number of crashes or list of logged occasions.
User-driven application behavior: Query information pertaining to user activity.
- Query: NSM 105/106/201 requests information on whether traffic related to a specific application, as previously established, and optionally a port and/or destination, could be linked to user input.
- Response: CSM 102-104/201 responds with yes/no or a confidence indicator, e.g., say a number between zero and one.
For example, an application running on the device without an explicit install and/or launch command being issued by the user could be a sign of a malicious application. If such a mechanism is available to the CSM, it would be of interest for the NSM to be able to query it for information. This may be used in connection with historical information.
It will be appreciated that all queries and/or responses in accordance with embodiments of the invention may either relate to all traffic which is related to a client device or to traffic which is related to one or several specific software components of a client device. In this respect, a software component may be an application, an app, a library, a process, a daemon, a part of operating system, a part of a protocol stack (e.g., a TCP layer), and so forth.
In accordance with an embodiment of the invention, the communication 211/212 between NSM 105/106/201 and CSMs 102-104/201 may be protected to limit the risk of sensitive data being exposed to, or spoofed by, unauthorized parties. This could for example be based on a SIM card, public key infrastructure (PKI), or the like.
With reference to Fig. 3, a method of monitoring traffic in a communication network is illustrated. Method 300 starts with analyzing 301 network traffic which is associated with a first client device of the communication network. Under the condition 302 that suspect network traffic behavior is detected, information pertaining to software components which are executed on the first client device is requested 303 from the first client device. In the next step, the information is received 304 from the first client device, and subsequently analyzed 305. Optionally, method 300 may further comprise verifying, using received cryptographic information, the information pertaining to software components which are executed on the first client device. Further, as a result of analyzing 305 the received information, additional information may be deemed necessary and may be obtained by repeating request 303.
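The query/response exchange of Fig. 2 and the steps of method 300, carried through as an added example (written for this page; not code from the patent or from Ericsson): the NSM flags a flow towards a blacklisted control-server address, queries the CSM for the application connecting to that destination, verifies the response with an HMAC under a shared key (an assumed stand-in for the SIM- or PKI-based protection the description mentions), and relates the flow to a vetted or unvetted application. The message formats, the process table, the key and the addresses are all constructed for the example.

```python
import hashlib
import hmac
import json

# --- constructed sample data (not from the patent) ---------------------------
C2_BLACKLIST = {"198.51.100.7"}        # stands in for an operator's control-server blacklist
VOLUME_LIMIT = 1_000_000               # bytes per flow above which traffic counts as suspect
DEVICE_KEY = b"assumed-shared-key"     # CSM/NSM key, e.g. SIM-derived; an assumption
KNOWN_APPS = {                         # fingerprints of applications the operator has vetted
    "weather": hashlib.sha256(b"weather-app-binary-v3").hexdigest(),
}
FLOWS = [                              # the NSM's view of traffic associated with device 102
    {"dev": "102", "dst": "203.0.113.10", "dport": 443, "proto": "tcp", "bytes": 42000},
    {"dev": "102", "dst": "198.51.100.7", "dport": 8080, "proto": "tcp", "bytes": 512},
]


# --- CSM side (runs on the client device) ------------------------------------
class CSM:
    def __init__(self, key, processes):
        self.key = key
        self.processes = processes  # dicts with name, path, code, connections

    def _tuple(self, p):
        """One response tuple per application: name, path, verifiable identifier
        (hash of the binary) and generic authentication information."""
        return {"name": p["name"], "path": p["path"],
                "fingerprint": hashlib.sha256(p["code"]).hexdigest(),
                "auth": "hash-only"}  # no TPM-backed check in this example

    def handle(self, msg):
        """Answer a query (211) and protect the response (212) with an HMAC tag."""
        q = json.loads(msg)
        if q["type"] == "list_running":
            body = [self._tuple(p) for p in self.processes]
        elif q["type"] == "app_by_destination":
            dest = (q["dst"], q["dport"], q["proto"])
            body = [self._tuple(p) for p in self.processes if dest in p["connections"]]
        else:
            body = {"error": "unsupported query"}
        payload = json.dumps({"nonce": q["nonce"], "result": body}, sort_keys=True)
        tag = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return json.dumps({"payload": payload, "tag": tag})


# --- NSM side (runs in the network) ------------------------------------------
def detect_suspect(flows):
    """Predefined rules (302): blacklisted destination or excessive volume."""
    return [f for f in flows if f["dst"] in C2_BLACKLIST or f["bytes"] > VOLUME_LIMIT]


def verify_response(raw, key, nonce):
    """Check authenticity and freshness of a CSM response before using its content."""
    m = json.loads(raw)
    expected = hmac.new(key, m["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, m["tag"]):
        raise ValueError("response tag invalid")
    resp = json.loads(m["payload"])
    if resp["nonce"] != nonce:
        raise ValueError("nonce mismatch: stale or replayed response")
    return resp["result"]


def investigate(flow, csm, key, nonce):
    """Steps 303-305: query the CSM for the application behind a suspect flow,
    verify the answer, and relate the flow to known or unknown software."""
    query = {"type": "app_by_destination", "nonce": nonce,
             "dst": flow["dst"], "dport": flow["dport"], "proto": flow["proto"]}
    raw = csm.handle(json.dumps(query))  # in-process stand-in for the network exchange
    findings = []
    for app in verify_response(raw, key, nonce):
        vetted = KNOWN_APPS.get(app["name"]) == app["fingerprint"]
        findings.append({"app": app["name"], "path": app["path"],
                         "status": "known" if vetted else "unknown"})
    return findings


def demo():
    """Run the whole sequence for device 102 with a constructed process table."""
    processes = [
        {"name": "weather", "path": "/apps/weather", "code": b"weather-app-binary-v3",
         "connections": {("203.0.113.10", 443, "tcp")}},
        {"name": "sysupdate", "path": "/data/tmp/.x", "code": b"unvetted-binary",
         "connections": {("198.51.100.7", 8080, "tcp")}},
    ]
    csm = CSM(DEVICE_KEY, processes)
    findings = []
    for i, flow in enumerate(detect_suspect(FLOWS)):
        findings.extend(investigate(flow, csm, DEVICE_KEY, f"nonce-{i}"))
    return findings


if __name__ == "__main__":
    print(demo())  # [{'app': 'sysupdate', 'path': '/data/tmp/.x', 'status': 'unknown'}]
```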
With reference to Fig. 4, a client device is described in the following, in accordance with an embodiment of the invention.
Client device 401, which may, e.g., be a personal computer, a laptop, a tablet pc, a mobile phone, a smartphone, a media player, or the like, comprises a CSM 402 which is part of an operating system 403 of client device 401. Having CSM 402 at the operating system level provides CSM 402 with access to the desired information and also some protection against processes at user level, i.e., processes with only user privileges. As an alternative, CSM 402 may be part of a platform management domain. For instance, in a Xen-based virtualized environment, the CSM could be part of "dom0".
In accordance with an embodiment of the invention, CSM 402 further makes use of a TPM 404 to reliably provide information regarding which applications 405/406 have been launched on client device 401.
TPM 404, as well as other hardware security functions 412, such as a TEE, may be provided as a separate hardware module or built into a central processing unit (CPU) 407 of client device 401. CPU 407 typically comprises a processor and memory. CSM 402 could be implemented at the hardware level or be executed inside TPM 404 or a TEE. An embodiment of the CSM with limited functionality, supporting only a subset of the listed query cases, could be implemented as an application or as part of an application.
In addition, client device 401 comprises a network communication module, i.e., a network interface card (NIC) 408, for effecting communications with a communication network 409, such as network 401 described with reference to Fig. 1. Further, client 401 comprises a user interface 410 for interacting with a user 411 of device 401. User interface 410 may, e.g., comprise a display and a keyboard, a touch screen, or the like.
It will be appreciated by the person skilled in the art that embodiments of the invention may be implemented by means of hardware, software, or a combination thereof. For instance, an embodiment of the method according to the first aspect of the invention may be implemented as a computer program, or as a plurality of interacting computer programs, comprising computer program code. In this way, an existing client device, and an existing network node for monitoring a communication network, such as nodes 105/106, may be adapted to perform in accordance with embodiments of the invention by providing them with an embodiment of the computer program. For instance, with reference to Fig. 4, a computer program 413 may be loaded into a memory of CPU 407 of client device 401. Computer program 413 comprises computer program code which, when executed by a processor of CPU 407, is adapted to implement at least parts of the method according to the first aspect of the invention, thereby turning an existing client device into a client device in accordance with an embodiment of the invention.
An existing client device, such as client device 401, may be provided with an embodiment of computer program 413 by means of a computer program product, such as a memory of CPU 407, or a memory stick which may be connected to a client device. Alternatively, an embodiment of computer program 413 may be downloaded to a client device, e.g., to a memory of CPU 407. This may, e.g., be accomplished over a communication network to which the client device is connected.
The person skilled in the art realizes that the present invention by no means is limited to the embodiments described above. On the contrary, many modifications and variations are possible within the scope of the appended claims.

Claims

1. A method (300) of monitoring traffic in a communication network (101), the method comprising:
analyzing (301) network traffic which is associated with a first client device (102-104) of the communication network, and
in response to detecting (302) suspect network traffic behavior:
requesting (303), from the first client device, information pertaining to software components (405, 406) which are executed on the first client device,
receiving (304) the information from the first client device, and analyzing (305) the information.
2. The method according to claim 1, wherein the detecting suspect network traffic behavior comprises detecting malicious network traffic in accordance with a predefined rule.
3. The method according to claim 1 or 2, wherein the detecting suspect network traffic behavior comprises detecting network traffic of unknown type or having unexpected characteristics.
4. The method according to any one of claims 1 to 3, wherein the detecting suspect network traffic behavior comprises detecting network traffic causing network problems.
5. The method according to any one of claims 1 to 4, wherein the information pertaining to software components which are executed on the first client device comprises fingerprints of the software components.
6. The method according to any one of claims 1 to 5, wherein the information pertaining to software components which are executed on the first client device comprises at least one of a list of all running applications, port information, information pertaining to the destination of the network traffic, traffic volume information, information pertaining to application stability, or information pertaining to user activity.
7. The method according to any one of claims 1 to 6, wherein the information pertaining to software components which are executed on the first client device comprises cryptographic information, the method further comprising:
verifying, using the cryptographic information, the information pertaining to software components which are executed on the first client device.
8. The method according to any one of claims 1 to 7, wherein the analyzing the information pertaining to software components which are executed on the first client device comprises relating the network traffic which is associated with the client device with applications running on the first client device.
9. A computer program (413) comprising computer program code, the computer program code being adapted, if executed on one or more processors (407), to implement the method according to any one of the claims 1 to 8.
10. A computer program product comprising a computer readable storage medium, the computer readable storage medium having the computer program according to claim 9 embodied therein.
11. A client security module, CSM, (402) for a first client device (102-104) in a communication network (101), the CSM being arranged for:
receiving, from a network security module, NSM, (105/106) a request for information pertaining to software components (405, 406) which are executed on the first client device,
compiling the information, and
sending the information to the NSM.
12. The CSM according to claim 11, wherein the information pertaining to software components which are executed on the first client device comprises fingerprints of the software components.
13. The CSM according to claim 11 or 12, wherein the information pertaining to software components which are executed on the first client device comprises at least one of a list of all running applications, port information, information pertaining to the destination of the network traffic, traffic volume information, information pertaining to application stability, or information pertaining to user activity.
14. The CSM according to any one of claims 11 to 13, wherein the information pertaining to software components which are executed on the first client device comprises cryptographic information being usable for verifying the information pertaining to software components which are executed on the first client device.
15. The CSM according to any one of claims 11 to 14, the CSM being implemented as part of the operating system (403) or of a platform management domain of the first client device.
16. The CSM according to any one of claims 11 to 15, wherein at least part of the information pertaining to software components which are executed on the first client device is retrieved from a trusted platform module, TPM, (404) or a trusted execution environment, TEE (412).
17. The CSM according to any one of claims 11 to 15, being at least in part executable inside a trusted platform module, TPM, (404) or a trusted execution environment, TEE (412).
18. A network security module, NSM, (105/106) for a communication network (101 ), the NSM being arranged for:
analyzing network traffic which is associated with a first client device (102-104) in the communication network, and
in response to detecting suspect network traffic behavior:
requesting, from a client security module, CSM, (402) in the first client device, information pertaining to software components (405, 406) which are executed on the first client device,
receiving the information from the CSM, and
analyzing the information.
19. The NSM according to claim 18, wherein the detecting suspect network traffic behavior comprises detecting malicious traffic in accordance with a predefined rule.
20. The NSM according to claim 18 or 19, wherein the detecting suspect network traffic behavior comprises detecting network traffic of unknown type or having unexpected characteristics.
21. The NSM according to any one of claims 18 to 20, wherein the detecting suspect network traffic behavior comprises detecting network traffic causing network problems.
22. The NSM according to any one of claims 18 to 21, wherein the information pertaining to software components which are executed on the first client device comprises fingerprints of the software components.
23. The NSM according to any one of claims 18 to 22, wherein the information pertaining to software components which are executed on the first client device comprises at least one of a list of all running applications, port information, information pertaining to the destination of the network traffic, traffic volume information, or information pertaining to application stability.
24. The NSM according to any one of claims 18 to 23, wherein the information pertaining to software components which are executed on the first client device comprises cryptographic information, the NSM being further arranged for:
verifying, using the cryptographic information, the information pertaining to software components which are executed on the first client device.
25. The NSM according to any one of claims 18 to 24, being further arranged for relating the network traffic which is associated with the first client device with applications running on the first client device.
Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201161564008P 2011-11-28 2011-11-28
US61/564,008 2011-11-28

Publications (1)

Publication Number Publication Date
WO2013081521A1 true WO2013081521A1 (en) 2013-06-06

Family

ID=46172854

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SE2012/050361 WO2013081521A1 (en) 2011-11-28 2012-04-02 Monitoring traffic in a communication network

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150089655A1 (en) * 2013-09-23 2015-03-26 Electronics And Telecommunications Research Institute System and method for detecting malware based on virtual host

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060095961A1 (en) * 2004-10-29 2006-05-04 Priya Govindarajan Auto-triage of potentially vulnerable network machines
US20110145920A1 (en) 2008-10-21 2011-06-16 Lookout, Inc System and method for adverse mobile application identification

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060095961A1 (en) * 2004-10-29 2006-05-04 Priya Govindarajan Auto-triage of potentially vulnerable network machines
US20110145920A1 (en) 2008-10-21 2011-06-16 Lookout, Inc System and method for adverse mobile application identification

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
ABHINAV SRIVASTAVA ET AL: "Automatic Discovery of Parasitic Malware", 15 September 2010, RECENT ADVANCES IN INTRUSION DETECTION, SPRINGER BERLIN HEIDELBERG, BERLIN, HEIDELBERG, PAGE(S) 97 - 117, ISBN: 978-3-642-15511-6, XP019150481 *
TONG LIU ET AL: "A Trusted Integrity Measurement Architecture for Securing Enterprise Network", TRUST, SECURITY AND PRIVACY IN COMPUTING AND COMMUNICATIONS (TRUSTCOM), 2011 IEEE 10TH INTERNATIONAL CONFERENCE ON, IEEE, 16 November 2011 (2011-11-16), pages 726 - 731, XP032086869, ISBN: 978-1-4577-2135-9, DOI: 10.1109/TRUSTCOM.2011.94 *

Similar Documents

Publication Publication Date Title
US12026261B2 (en) Quarantine of software by an evaluation server based on authenticity analysis of user device data
EP2850803B1 (en) Integrity monitoring to detect changes at network device for use in secure network access
CN105409164B (en) Rootkit detection by using hardware resources to detect inconsistencies in network traffic
US11240260B2 (en) System and method for detecting computer network intrusions
Malik et al. CREDROID: Android malware detection by network traffic analysis
US8997231B2 (en) Preventive intrusion device and method for mobile devices
US10142343B2 (en) Unauthorized access detecting system and unauthorized access detecting method
US11863571B2 (en) Context profiling for malware detection
US10771477B2 (en) Mitigating communications and control attempts
US20210409431A1 (en) Context for malware forensics and detection
Yamada et al. RAT-based malicious activities detection on enterprise internal networks
Pourali et al. Hidden in plain sight: exploring encrypted channels in android apps
US20230336579A1 (en) System and method for evaluating risk of a vulnerability
WO2013081521A1 (en) Monitoring traffic in a communication network
Powers et al. Whitelist malware defense for embedded control system devices
TWI761122B (en) Cyber security protection system and related proactive suspicious domain alert system
US11863586B1 (en) Inline package name based supply chain attack detection and prevention
US20230344866A1 (en) Application identification for phishing detection
US20240176869A1 (en) Dependency emulation for executable samples
Graa et al. Detection and Response to Data Exfiltration from Internet of Things Android Devices
WO2024049702A1 (en) Inline package name based supply chain attack detection and prevention

Legal Events

Date Code Title Description

121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 12723949
    Country of ref document: EP
    Kind code of ref document: A1

NENP Non-entry into the national phase
    Ref country code: DE

122 Ep: pct application non-entry in european phase
    Ref document number: 12723949
    Country of ref document: EP
    Kind code of ref document: A1