WO2013189723A1 - Method and system for detecting malware and mitigating its harmful effects - Google Patents
- Publication number: WO2013189723A1 (PCT application PCT/EP2013/061362)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data traffic
- suspicious data
- module
- detection
- mitigation
- Prior art date
Links
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Definitions
- the present invention generally relates, in a first aspect, to a method for Malware detection and mitigation, and more specifically to a method for optimizing the performance of detecting and mitigating malware on a network.
- a second aspect of the invention relates to a system arranged for implementing the method of the first aspect.
- Malware refers to software programs designed to damage a system or perform other unwanted actions on it. Malware can therefore be considered an enabling technology for the cybercrime industry.
- DNS is an overloaded term: it can refer either to the entire worldwide name resolution system or to the protocol that makes it work.
- The DNS specification states the goal of domain names as providing "a mechanism for naming resources in such a way that the names are usable in different hosts, networks, protocol families, internets, and administrative organizations."
- The DNS system is based on a database distributed among different name servers, which together make up the domain space. In general, different parts of the domain space are stored on different name servers.
- DNS servers can become attack targets or be abused as a platform for malicious activity.
- The cybercrime industry knowingly misuses them, relying on the fact that DNS is a basic service that must remain reachable from every host.
- Botnets (robot networks) are sets of infected PCs controlled centrally to carry out, in an orchestrated way, one or more of the following actions:
- The main advantage of using a botnet in a DDoS attack is that the sender is not a single PC but hundreds or thousands of them, so the attack is very difficult to detect and mitigate.
- An IDS can monitor network access and detect malware behaviour, but this kind of system is focused on enterprise environments, not on residential users.
- Abbreviations used in this description: DNS (Domain Name System), GSM (Global System for Mobile communications), SNMP (Simple Network Management Protocol), NAT (Network Address Translation).
- Detection at the endpoint: the modus operandi of malware includes disabling the detection capabilities of user devices, so user equipment is an untrusted environment in which to analyse a malware threat.
- Detection at the core of the network: the detection is carried out using equipment located in the core of the ISP network, so the amount of traffic that must be analysed is very large. This can lead to performance and scaling problems.
- Detection and mitigation are carried out only after the malware has already consumed bandwidth in the ISP core network, which can force the ISP to increase its resources.
- Core-network detection is based on sampling the traffic across the network, so it does not analyse all of the information to detect malicious activity, only a small part of it. This can lead to an inaccurate detection mechanism.
- Such a solution identifies a user by IP address, which is imprecise in ISPs that use private addressing (NAT), because an IP address then does not uniquely identify a user.
- The mitigation measures applied by the described solutions are the following:
- The present invention provides, in a first aspect, a method for malware detection and mitigation, performed in a user-centric Network Anomaly Detection System comprising computing means for capturing suspicious data traffic through a plurality of access nodes in a communication network.
- the method of the first aspect of the invention comprises:
- The detection of discontinuous streams of suspicious data traffic and/or silent periods is performed by evaluating several vectors over a period of time in order to build a list of malicious users and assign each of them a user reputation level.
- The identification of malicious users relies on the IP address observed at the access node; when that IP address is dynamically assigned, identification relies instead on a combination of the IP address and a transmission timestamp.
- Alerts to logging facilities are sent between the monitor module and the detector library module and/or between the compiler module and the detector library module.
- A second aspect of the present invention comprises a system for malware detection and mitigation, performed in a user-centric Network Anomaly Detection System, comprising means for detecting suspicious data traffic through a plurality of access nodes in a communication network.
- The system of the second aspect of the present invention comprises:
- a monitor module arranged to detect suspicious data traffic in the communication network;
- a mitigation module arranged to receive and analyse the detected suspicious data traffic, and in charge of blocking it when the suspicious data traffic is found to be infected.
- In order to perform the detection and mitigation of the suspicious data traffic, the system comprises a first detector library attached to the monitor module, a second detector library attached to the compiler module, and a mitigator library attached to the mitigator module.
- The mitigator module can be located in the same physical device as the other modules or in a different physical device within the access node.
- The system is integrated as a specific card or as a plug-in within the access node.
- The system of the second aspect of the present invention is arranged to implement the method of the first aspect.
- Figure 1 shows an example of the IH-DMSON architecture proposed in the present invention.
- Figure 2 shows an example of the monitor and detector library components used in the present invention.
- Figure 3 shows an example of the compiler and the detector library components used in the present invention.
- FIG. 4 shows an example of the mitigator and mitigator library components used in the present invention.
- Figure 5 shows a possible sequence diagram between the monitor module and the compiler module, according to an embodiment of the present invention.
- Figure 6 shows a possible sequence diagram between the monitor module and the compiler module, with the deployed databases USERDB and SERVERDB, according to an embodiment of the present invention.
- Figure 7 shows an example of how the traffic analysis is done by the IH-DMSON detection algorithm in the monitor module, according to an embodiment of the present invention.
- Figure 8 shows an example of how the traffic analysis is done by the IH-DMSON detection algorithm in the compiler module, according to an embodiment of the present invention.
- Figure 9 describes the mitigation algorithm used in the present invention.
Detailed Description of Several Embodiments
- The proposed invention is a malware Infected Hosts Detection and Mitigation System On-Net (IH-DMSON): hardware and software equipment to be included in the network access nodes, for example integrated as a specific card within the node.
- IH-DMSON: malware Infected Hosts Detection and Mitigation System On-Net.
- The present invention will enable:
- A holistic security approach: real-time detection and mitigation of malicious traffic by means of detailed traffic analysis at the network access nodes. The system makes it possible, on the one hand, to detect infected customers at the origin and, on the other hand, to mitigate only the customers suspected of being infected, so that legitimate customers and traffic are not blocked.
- NADS: Network Anomaly Detection System.
- DNS malware detection algorithm.
- The Infected Host Detection and Mitigation System defined in this invention is a hardware and software system that implements a lightweight, real-time detection and mitigation algorithm based on inspection of DNS traffic (requests passing through the access nodes of the ISP network, such as a BRAS (Broadband Remote Access Server) or a GGSN (Gateway GPRS Support Node)), incorporating into network nodes a set of security functions that work not only with aggregate traffic but also at a fine-grained, per-user level.
- The invention is included in these nodes integrated as a specific card or as a plug-in that can be added to an existing node.
- FIG. 1 depicts the IH-DMSON architecture, including its components and the interaction between them, used in the present invention.
- The modules defined in this system are:
- PROBE: monitoring point, providing a copy of the network traffic to the MONITOR.
- MONITOR: receives the traffic from the PROBE module and is responsible for invoking the Detector process that performs the IH-DMSON Detection Algorithm.
- MONITOR DETECTOR LIBRARY: the library that implements the IH-DMSON Detection Algorithm to detect infected users. It is present in the MONITOR and COMPILER modules and is responsible for analysis in online mode.
- COMPILER: responsible for invoking the detector when the system works in offline mode. It runs once the trace-storing phase ends.
- COMPILER DETECTOR LIBRARY: the library that implements the IH-DMSON Detection Algorithm to detect infected users. It is present in the COMPILER and MONITOR modules and is responsible for analysis in offline mode.
- MITIGATOR: receives the traffic passing through the access node and applies mitigation according to the IH-DMSON Mitigation Algorithm, blocking illegitimate traffic.
- USER DB: contains key user information. Together with the SERVER DB data, it determines the actions of the MITIGATOR LIBRARY. The MONITOR DETECTOR LIBRARY and the COMPILER DETECTOR LIBRARY store user information here after processing flows. The information persists over time.
- SERVER DB: the MONITOR DETECTOR LIBRARY and the COMPILER DETECTOR LIBRARY store server information here after processing flows. The information persists over time.
- the PROBE component is defined.
- This module is able to store the results of the detection algorithm.
- The relationship between the MONITOR and the DETECTOR LIBRARY includes the possibility of sending alerts to logging facilities.
- The relationship between the COMPILER and the DETECTOR LIBRARY also includes the possibility of sending alerts to logging facilities.
- MITIGATOR: once the DETECTOR has accomplished its function of detecting suspected infected users, their DNS communication is mitigated, for example blocked, using the component called MITIGATOR.
- This element analyses the traffic passing through the access node and invokes the MITIGATOR LIBRARY, which implements the IH-DMSON Mitigation Algorithm.
- The MITIGATOR LIBRARY needs the information previously stored as a result of the detection algorithm in order to allow or block the suspected DNS traffic. The MITIGATOR LIBRARY can also be used to dynamically change the mitigation algorithm and its settings.
- The communication between the MONITOR and the COMPILER uses the FLOWS, USERDB and SERVERDB databases to exchange data between the DETECTOR LIBRARIES.
- The database named FLOWS must allow the MONITOR to store the flows built in the exchange format agreed between the PROBE and the MONITOR. These stored flows can also be queried by the COMPILER, which generates new data and stores it in another database (such as SERVERDB or USERDB).
- USERDB and SERVERDB must allow the MONITOR to store the user and server information, built in a format different from the one agreed between the PROBE and the MONITOR (see Figure 6). These stored records can also be queried by the MITIGATOR, through the MITIGATOR LIBRARY, which uses them during the mitigation process.
- USERDB and SERVERDB store user and server records. These records contain the related user or server information generated by the DETECTOR LIBRARY.
- The objective of this algorithm is to detect suspected infected users in a lightweight manner by monitoring DNS requests and responses.
- User equipment compromised by malware can act as a botnet node (a bot), being used to participate in DDoS attacks or other threats.
- The IH-DMSON detection algorithm is able to detect these behaviours because it evaluates several vectors within an interval of time, in order to build the list of malicious users and assign each of them a user reputation level.
- The detection vectors/features to evaluate are the following: DNS server
- The identity of the suspected infected host in these algorithms relies on the IP address.
- If this IP address has been assigned dynamically, another way to identify the user must be used: for example, a combination of the user IP address and the transmission timestamp, which requires a query to an external system such as RADIUS, or a combination of the IP address and other transmission attributes of that traffic within the access node, such as the sub-interface or the port used for the communication.
- Figure 7 shows the traffic analysis done by the IH-DMSON Detection Algorithm used by the MONITOR. Taking this figure as a basis, the data flow (1) used to obtain the information records is analysed as follows:
- Figure 8 shows the IH-DMSON Detection Algorithm used by the COMPILER. Taking this figure as a basis, the data flow (1) used to obtain the information records is analysed as follows:
- The COMPILER DETECTOR LIBRARY processes work in parallel. Each process (2) can update or add database records (3). When the flow ends, the alerts generated by the process can be sent to third-party systems (4).
- The detection counters are evaluated against the corresponding thresholds configured for the algorithm execution.
- If the user's DNS traffic has increased substantially, exceeding the configured thresholds, this indicates that a bot has probably infected the user. In that case the user's reputation level is raised.
- The COMPILER DETECTOR LIBRARY works in offline mode, unlike the MONITOR DETECTOR LIBRARY. To achieve better performance, the heavier vectors are evaluated in the COMPILER module.
- Figure 9 describes the IH-DMSON mitigation algorithm used in the present invention.
- Mitigation consists of dropping the user traffic from a suspicious IP detected by the IH-DMSON detection algorithm, or of another action triggered by MITIGATOR alerts. These actions can be based on publicly proposed standards or on ISP proposals.
- Including the Infected Host Detection and Mitigation System in the ISP network at the access nodes provides the following advantages:
- Infected host detection and mitigation at the network edge, a function that is currently not provided by any equipment at this point in the network.
- DNS flows are analysed in depth, which is a substantial difference with respect to other inventions based on DNS content analysis. This also protects the privacy of user messages.
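The detection and mitigation passages above (per-window evaluation of several vectors against thresholds, a reputation level that is raised when they are exceeded, user identification by IP plus timestamp when addresses are dynamically assigned, and the MITIGATOR's allow/drop decision) as one added Python example. This is not code from the patent: the thresholds, the vectors other than the "DNS server" one the text names (query count and NXDOMAIN count), the in-memory SESSIONS table standing in for the RADIUS query the text mentions, and the sample traffic are all constructed assumptions, and DNS packet parsing into (timestamp, source IP, DNS server, response code) tuples is assumed to be done by the PROBE.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed thresholds for one evaluation window (not values taken from the patent).
WINDOW_SECONDS = 60
MAX_QUERIES = 20          # DNS requests per user per window
MAX_SERVERS = 2           # distinct DNS servers contacted per window
MAX_NXDOMAIN = 5          # failed lookups per window
BLOCK_AT_REPUTATION = 2   # reputation level at which the MITIGATOR drops DNS traffic

# Constructed RADIUS-style accounting records: (ip, session_start, session_end, subscriber).
# They stand in for the external lookup needed when IPs are dynamically assigned:
# 10.0.0.5 passes from sub-A to sub-B at t=100, so "IP + timestamp" resolves to one subscriber.
SESSIONS = [
    ("10.0.0.5", 0, 100, "sub-A"),
    ("10.0.0.5", 100, 10_000, "sub-B"),
    ("10.0.0.9", 0, 10_000, "sub-C"),
]


@dataclass
class Counters:
    """Detection vectors accumulated for one user within one window."""
    queries: int = 0
    servers: set = field(default_factory=set)
    nxdomain: int = 0


@dataclass
class UserRecord:
    """USERDB entry; the reputation persists across windows (higher = more suspicious)."""
    reputation: int = 0
    windows_flagged: int = 0


def user_key(ip, ts, sessions=SESSIONS):
    """Map an IP seen at time ts to a subscriber via the accounting records.
    Falls back to the bare IP when no session covers it (static addressing)."""
    for session_ip, start, end, subscriber in sessions:
        if session_ip == ip and start <= ts < end:
            return subscriber
    return ip


def detect(events, db=None, sessions=SESSIONS):
    """MONITOR-side detection: group DNS events (ts, src_ip, dns_server, rcode)
    into fixed windows, count the vectors per user, and raise the reputation of
    every user whose counters exceed the thresholds. Returns the USERDB."""
    db = {} if db is None else db
    windows = defaultdict(lambda: defaultdict(Counters))
    for ts, ip, server, rcode in events:
        c = windows[ts // WINDOW_SECONDS][user_key(ip, ts, sessions)]
        c.queries += 1
        c.servers.add(server)
        if rcode == "NXDOMAIN":
            c.nxdomain += 1
    for _, users in sorted(windows.items()):
        for user, c in users.items():
            rec = db.setdefault(user, UserRecord())
            exceeded = sum([
                c.queries > MAX_QUERIES,
                len(c.servers) > MAX_SERVERS,
                c.nxdomain > MAX_NXDOMAIN,
            ])
            if exceeded:
                rec.reputation += exceeded
                rec.windows_flagged += 1
    return db


def mitigate(db, ip, ts, sessions=SESSIONS):
    """MITIGATOR decision for one DNS packet from ip at time ts: True means drop.
    The same lookup is used, so a reassigned IP is judged by its current subscriber."""
    rec = db.get(user_key(ip, ts, sessions))
    return rec is not None and rec.reputation >= BLOCK_AT_REPUTATION


def sample_events():
    """Constructed traffic: sub-A and sub-C make a few ordinary lookups; sub-B, who holds
    10.0.0.5 after t=100, fires 30 queries at four different resolvers and gets ten
    NXDOMAIN answers, the pattern of a bot probing generated rendezvous names."""
    events = [
        (10, "10.0.0.5", "198.51.100.1", "NOERROR"),
        (20, "10.0.0.5", "198.51.100.1", "NOERROR"),
        (30, "10.0.0.9", "198.51.100.1", "NOERROR"),
    ]
    for i in range(30):
        rcode = "NXDOMAIN" if i < 10 else "NOERROR"
        events.append((150 + i, "10.0.0.5", f"198.51.100.{i % 4 + 1}", rcode))
    return events


if __name__ == "__main__":
    userdb = detect(sample_events())
    for user, rec in sorted(userdb.items()):
        print(user, rec)
    print("drop 10.0.0.5 @t=50 :", mitigate(userdb, "10.0.0.5", 50))    # sub-A, benign
    print("drop 10.0.0.5 @t=150:", mitigate(userdb, "10.0.0.5", 150))   # sub-B, bot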
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The present invention relates to a method and a system adapted for detecting malware and mitigating its harmful effects. The method according to the invention comprises computing means used to capture suspicious data traffic passing through a plurality of access nodes in a communication network. The method is characterised in that it comprises the following steps: a) a monitoring module detects said suspicious data traffic passing through said plurality of access nodes in the communication network; and b) a mitigation module receives and analyses said detected suspicious data traffic in order to block it in the event that said suspicious data traffic is infected. Steps a) and b) are carried out in real time at the origin, the network access node, and the analysis of the suspicious data traffic carried out in step b) is performed on the basis of checking and monitoring a plurality of DNS packets. The system is configured to implement the method according to the present invention.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
ESP201230976 | 2012-06-21 | ||
ES201230976 | 2012-06-21 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2013189723A1 (fr) | 2013-12-27 |
Family
ID=48570138
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2013/061362 WO2013189723A1 (fr) | 2012-06-21 | 2013-06-03 | Method and system for detecting malware and mitigating its harmful effects |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2013189723A1 (fr) |
Events
- 2013-06-03: WO PCT/EP2013/061362 (WO2013189723A1), application filing, active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7849502B1 (en) * | 2006-04-29 | 2010-12-07 | Ironport Systems, Inc. | Apparatus for monitoring network traffic |
EP1906620A1 (fr) * | 2006-09-29 | 2008-04-02 | AT&T Corp. | Method and apparatus for detecting compromised host computers |
US20080141372A1 (en) * | 2006-12-12 | 2008-06-12 | Privacy Networks, Inc. | Electronic Data Integrity Checking and Validation |
US20100235915A1 (en) * | 2009-03-12 | 2010-09-16 | Nasir Memon | Using host symptoms, host roles, and/or host reputation for detection of host infection |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10474820B2 (en) | 2014-06-17 | 2019-11-12 | Hewlett Packard Enterprise Development Lp | DNS based infection scores |
WO2016101510A1 (fr) * | 2014-12-23 | 2016-06-30 | 中兴通讯股份有限公司 | Method and broadband remote access server device for acquiring network address translation information |
US10887332B2 (en) | 2015-06-15 | 2021-01-05 | Nokia Technologies Oy | Control of unwanted network traffic |
CN111310538A (zh) * | 2019-11-18 | 2020-06-19 | 韩玉芝 | Content management system based on a big-data server |
CN111310538B (zh) * | 2019-11-18 | 2020-11-17 | 万金芬 | Content management system based on a big-data server |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11924170B2 (en) | Methods and systems for API deception environment and API traffic control and security | |
US10440049B2 (en) | Network traffic analysis for malware detection and performance reporting | |
US11563772B2 (en) | Detection and mitigation DDoS attacks performed over QUIC communication protocol | |
Zeidanloo et al. | Botnet detection based on traffic monitoring | |
JP5886422B2 (ja) | System, apparatus, program and method for protocol fingerprint acquisition and evaluation correlation | |
EP2767056A1 (fr) | Method and system for detecting malware | |
Kshirsagar et al. | CPU load analysis & minimization for TCP SYN flood detection | |
WO2019159833A1 (fr) | Threat information extraction device and threat information extraction program | |
Zlomislić et al. | Denial of service attacks: an overview | |
Tritilanunt et al. | Entropy-based input-output traffic mode detection scheme for dos/ddos attacks | |
Graham et al. | Botnet detection within cloud service provider networks using flow protocols | |
Corrêa et al. | Ml-based ddos detection and identification using native cloud telemetry macroscopic monitoring | |
Saad et al. | Rule-based detection technique for ICMPv6 anomalous behaviour | |
WO2013189723A1 (fr) | Method and system for detecting malware and mitigating its harmful effects | |
Kim et al. | Agent-based honeynet framework for protecting servers in campus networks | |
Harikrishnan et al. | Mitigation of DDoS attacks using honeypot and firewall | |
Lyu et al. | PEDDA: Practical and Effective Detection of Distributed Attacks on enterprise networks via progressive multi-stage inference | |
Shinde et al. | DDoS attack analyzer: using JPCAP and WinCap | |
Ostap et al. | A concept of clustering-based method for botnet detection | |
Golchin et al. | In-Network SYN Flooding DDoS Attack Detection Utilizing P4 Switches | |
Burke et al. | Using network flow data to analyse distributed reflection denial of service (DRDoS) attacks, as observed on the South African national research and education network (SANReN) a postmortem analysis of the memcached attack on the SANReN | |
Akimoto et al. | Collaborative behavior visualization and its detection by observing darknet traffic | |
Bou-Harb et al. | On detecting and clustering distributed cyber scanning | |
Bortoluzzi et al. | Cloud Telescope: A distributed architecture for capturing Internet Background Radiation | |
Ghosh et al. | Managing high volume data for network attack detection using real-time flow filtering |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 13726519; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 13726519; Country of ref document: EP; Kind code of ref document: A1 |