WO2013189723A1 - Method and system for detecting malware and mitigating its harmful effects - Google Patents

Method and system for detecting malware and mitigating its harmful effects

Info

Publication number
WO2013189723A1
Authority
WO
WIPO (PCT)
Prior art keywords
data traffic
suspicious data
module
detection
mitigation
Prior art date
Application number
PCT/EP2013/061362
Other languages
English (en)
Inventor
Francisco José GOMEZ RODRIGUEZ
Carlos Juan DÍAZ HIDALGO
David Prieto Marques
Original Assignee
Telefonica, S.A.
Priority date: 2012-06-21
Filing date: 2013-06-03
Publication date: 2013-12-27
Application filed by Telefonica, S.A.
Publication of WO2013189723A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection

Definitions

  • The present invention generally relates, in a first aspect, to a method for malware detection and mitigation, and more specifically to a method for optimizing the performance of detecting and mitigating malware on a network.
  • A second aspect of the invention relates to a system arranged for implementing the method of the first aspect.
  • Malware refers to software programs designed to damage a system or perform other unwanted actions on it. Malware can therefore be considered an enabling technology for the cybercrime industry.
  • DNS is a special name and can refer either to the entire worldwide name resolution system or to the protocol that makes it work.
  • DNS protocol definition: "the goal of domain names is to provide a mechanism for naming resources in such a way that the names are usable in different hosts, networks, protocol families, internets, and administrative organizations."
  • The DNS system is based on a database distributed among different name servers that together make up the domain space. In general, different parts of the domain space are stored in different name servers.
  • DNS servers become attack targets or a malicious platform.
  • The cybercrime industry knowingly misuses them, exploiting their status as a basic service.
  • Botnets (robot networks) are sets of infected PCs controlled centrally to carry out, in an orchestrated way, one (or many) of the following actions:
  • The main advantage of using a botnet in a DDoS attack is that the sender is not a single PC but hundreds or thousands of them, so it is very difficult to detect and mitigate.
  • An IDS solution can monitor network access and detect malware behaviour, but this kind of system is focused on enterprise environments, not on residential users.
  • Abbreviations: DNS (Domain Name System), GSM (Global System for Mobile communications), SNMP (Simple Network Management Protocol), NAT (Network Address Translation).
  • Detection at the endpoint: the malware "modus operandi" includes disabling detection capabilities on user devices, because user equipment provides a non-trusted environment in which to analyze the malware threat.
  • Detection at the core of the network: detection is carried out using equipment located in the core of the ISP network, so the amount of traffic that must be analyzed is very large. This can also lead to performance and scaling problems.
  • The detection and mitigation are carried out once the malware has already consumed some bandwidth of the ISP core network, which can result in the need to increase the ISP's resources.
  • The detection-at-the-core solution is based on sampling the traffic across the network, so it does not analyze all the information to detect malicious activity, but only a small part of it. This can lead to an inaccurate detection mechanism.
  • This solution identifies a user by his/her IP address, which can be very imprecise in ISPs that use private addressing, since it does not identify the user unambiguously.
  • The mitigation measures applied by the described solutions are the following:
  • The present invention provides, in a first aspect, a method for malware detection and mitigation, performed in a user-centric Network Anomaly Detection System comprising computing means for capturing suspicious data traffic through a plurality of access nodes in a communication network.
  • The method of the first aspect of the invention comprises:
  • The detection of discontinuous streaming of suspicious data traffic and/or silent streaming periods is performed by evaluating several vectors over a period of time in order to establish a list of malicious users and assign a user reputation level.
  • The identification of the malicious users relies on the server IP address of the access node; however, when this server IP address is dynamically assigned, the identification of the malicious users relies on a combination of the IP address and a transmission timestamp.
  • Alerts to logging facilities are sent between the monitor module and the detector library module and/or between the compiler module and the detector library module.
  • A second aspect of the present invention generally comprises a system for malware detection and mitigation, performed in a user-centric Network Anomaly Detection System, comprising means for detecting suspicious data traffic through a plurality of access nodes in a communication network.
  • The system of the second aspect of the present invention comprises:
  • a monitor module arranged to perform the detection of suspicious data traffic from the communication network;
  • a mitigation module arranged to receive and analyze the detected suspicious data traffic, and in charge of blocking it in case the suspicious data traffic is infected.
  • In order to perform the detection and mitigation of the suspicious data traffic, the system comprises a first detector library attached to the monitor module, a second detector library attached to the compiler module and a mitigator library attached to the mitigator module.
  • The mitigator module can be arranged in the same or in a different physical device within the access node.
  • The system is integrated in a specific card or as a plug-in within the access node.
  • The system of the second aspect of the present invention is arranged to implement the method of the first aspect.
  • Figure 1 shows an example of the IH-DMSON architecture proposed in the present invention.
  • Figure 2 shows an example of the monitor and detector library components used in the present invention.
  • Figure 3 shows an example of the compiler and detector library components used in the present invention.
  • Figure 4 shows an example of the mitigator and mitigator library components used in the present invention.
  • Figure 5 shows a possible sequence diagram between the monitor module and the compiler module, according to an embodiment of the present invention.
  • Figure 6 shows a possible sequence diagram between the monitor module and the compiler module, with the deployed databases USERDB and SERVERDB, according to an embodiment of the present invention.
  • Figure 7 shows an example of how the traffic analysis is done by the IH-DMSON detection algorithm in the monitor module, according to an embodiment of the present invention.
  • Figure 8 shows an example of how the traffic analysis is done by the IH-
  • Figure 9 describes the mitigation algorithm used in the present invention.

Detailed Description of Several Embodiments
  • The proposed invention proposes a malware Infected Hosts Detection and Mitigation System On-Net (IH-DMSON), consisting of hardware and software equipment to be included in the network access nodes, for example integrated in a specific card within the node.
  • IH-DMSON: malware Infected Hosts Detection and Mitigation System On-Net.
  • This invention will enable:
  • Holistic security approach: detection and mitigation in real time of malicious traffic by means of detailed analysis of traffic at network access nodes. This system allows, on the one hand, detecting infected customers at the origin and, on the other hand, mitigating only the suspected infected customers, so that legitimate customers and/or traffic are not blocked.
  • NADS: Network Anomaly Detection System.
  • DNS malware detection algorithm.
  • The Infected Host Detection and Mitigation System defined in this invention concerns a hardware and software system which implements a lightweight detection and mitigation algorithm in real time based on the inspection of DNS traffic (requests going through the access nodes, such as BRAS and GGSN, in the ISP network), incorporating into network nodes a set of security functions which work not only with aggregate traffic but also at fine granularity.
  • The invention will be included in these nodes integrated in a specific card or as a plug-in, which can be added to an existing node.
  • Figure 1 depicts the IH-DMSON architecture, including its components and the interaction between them, used in the present invention.
  • The modules defined in this system are:
  • PROBE: monitoring point, providing a copy of the network traffic to the
  • MONITOR: receives the traffic from the PROBE module and is responsible for invoking the Detector process that performs the IH-DMSON Detection Algorithm.
  • IH-DMSON Detection Algorithm: used to detect infected users. It is present in the MONITOR and COMPILER modules and is responsible for analysis in online mode.
  • COMPILER: responsible for the compiler invocation when the system works in offline mode. It runs once the trace-storing phase ends.
  • COMPILER DETECTOR LIBRARY: the library that implements the IH-DMSON Detection Algorithm to detect infected users. It is present in the COMPILER and MONITOR modules and is responsible for analysis in offline mode.
  • MITIGATOR: receives traffic passing through the access node and applies mitigation according to the IH-DMSON Mitigation Algorithm, in charge of blocking illegitimate traffic.
  • USER DB: contains key user information. Joined with SERVER DB data, it determines the MITIGATOR LIBRARY's actions. MONITOR DETECTOR LIBRARY and COMPILER DETECTOR LIBRARY store user information in it after processing flows. The information persists over time.
  • SERVER DB: MONITOR DETECTOR LIBRARY and COMPILER DETECTOR LIBRARY store server information in it after processing flows. The information persists over time.
  • The PROBE component is defined.
  • This module is able to store the results of the detection algorithm.
  • The relationship between the MONITOR and the DETECTOR LIBRARY includes the possibility of sending alerts to logging facilities.
  • The relationship between the COMPILER and the DETECTOR LIBRARY also includes the possibility of sending alerts to logging facilities.
  • MITIGATOR: once the DETECTOR has accomplished its function of detecting suspected infected users, the DNS communication will be mitigated, for example blocked, using the component called MITIGATOR.
  • This element analyses the traffic passing through the access node and invokes the MITIGATOR LIBRARY, which implements the MALWARE-DSON Mitigation Algorithm.
  • The MITIGATOR LIBRARY needs the information previously stored as a result of the detection algorithm in order to allow or block the suspected DNS traffic. Besides, the MITIGATOR LIBRARY can be used to dynamically change the mitigation algorithm and its settings.
  • The communication between the MONITOR and the COMPILER uses the FLOWS, USERDB and SERVERDB databases to carry out the communication between the DETECTOR LIBRARIES.
  • The deployed database named FLOWS must allow the MONITOR to store the flows built in the exchange format agreed between the PROBE and the MONITOR. These stored flows can be queried by the COMPILER as well, which will generate new data and store it in another database (such as SERVERDB or USERDB).
  • USERDB and SERVERDB must allow the MONITOR to store the user and server information, built in a format different from the one agreed between the PROBE and the MONITOR (see Figure 6). These stored records can also be queried by the MITIGATOR, through the MITIGATOR LIBRARY, which will use them during the mitigation process.
  • USERDB and SERVERDB store user and server records. These records contain the related user or server information generated by the DETECTOR LIBRARY.
  • The objective of this algorithm is to detect suspected infected users in a lightweight manner by monitoring DNS requests and responses.
  • User equipment compromised by malware could act as a botnet node (bot), being used to participate in DDoS attacks or other threats.
  • The IH-DMSON detection algorithm will be able to detect these behaviours since it evaluates several vectors within an interval of time, in order to establish the list of malicious users and assign a user reputation level.
  • The detection vectors/features to evaluate are the following: DNS server
  • The suspected infected host identity in these algorithms relies on the server IP address.
  • If this IP address has been assigned dynamically, other ways to identify a user should be used: for example, a combination of the user IP address and the transmission timestamp, which needs a request to an external system such as RADIUS, or a combination of the IP address and other transmission features within the access node for that traffic, such as the sub-interface or the port used for that communication.
  • Figure 7 shows the traffic analysis done by the IH-DMSON Detection Algorithm used by the MONITOR. Taking this figure as a basis, the data flow (1) to obtain the former information records is analyzed as follows:
  • Figure 8 shows the IH-DMSON Detection Algorithm used by the COMPILER. Taking this figure as a basis, the data flow (1) to obtain the former information records is analyzed as follows:
  • The COMPILER DETECTOR LIBRARY processes work in parallel. Each process (2) can update or add database records (3). When the flow ends, alerts generated by the process can be sent to third-party systems (4).
  • The detection counters are evaluated using the corresponding thresholds set for the algorithm execution.
  • If the user's DNS traffic has increased substantially, exceeding the configured thresholds, this indicates that a bot has probably infected the user. In this case, the user's reputation level is increased.
  • The COMPILER DETECTOR LIBRARY works in offline mode, unlike the MONITOR DETECTOR LIBRARY. In order to achieve better performance, the heavier vectors to evaluate are computed in the COMPILER module.
  • Figure 9 describes the IH-DMSON mitigation algorithm used in the present invention.
  • Mitigation consists of dropping the user traffic from a suspicious IP detected by the IH-DMSON detection algorithm, or of another action triggered by MITIGATOR alerts. These actions could be based on publicly proposed standards or on ISP proposals.
  • Including the Infected Host Detection and Mitigation System in the ISP network at the access nodes will provide the following advantages:
  • Infected host detection and mitigation at the network edge, a functionality that currently is not provided by any equipment at this point.
  • DNS flows are analyzed in depth, which is a substantial difference from other inventions based on DNS content analysis. Furthermore, it also protects the privacy of user messages.
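The detection and mitigation loop described above (per-user DNS vectors evaluated over one interval, compared against configured thresholds, a reputation level raised for each threshold exceeded, and the mitigator dropping DNS traffic of users whose stored reputation is high enough), modelled as an added Python example. This is not the patent's code. The vectors (request count, distinct names queried, NXDOMAIN responses), the threshold values, the record format `(timestamp, client_ip, access_port, qname, rcode)` and the sample flows are all assumptions constructed for the example. It also covers the identification caveat stated above: with dynamic addressing the subscriber key combines the IP with the access-node port, and the coarse-identity run (`dynamic_addressing=False`) shows an unrelated subscriber on the same IP being lumped in with the bot.

```python
"""Toy model of an IH-DMSON style DNS detection/mitigation loop.
Added example, not the patent's code; vectors, thresholds and record
formats are assumptions constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed thresholds for one evaluation interval (the text only says counters
# are compared with configured thresholds; these numbers are constructed).
THRESHOLDS = {"requests": 20, "distinct_domains": 15, "nxdomain": 5}


@dataclass
class UserRecord:
    """One USERDB entry: the evaluated vectors and the reputation level assigned."""
    vectors: dict
    exceeded: list = field(default_factory=list)
    reputation: int = 0


def user_key(ip, access_port, dynamic_addressing):
    """Identify a subscriber. With dynamic addressing the IP alone is ambiguous,
    so combine it with the access-node port (one of the alternatives the text names)."""
    return (ip, access_port) if dynamic_addressing else (ip,)


def evaluate_window(flows, window_start, window_len, thresholds, dynamic_addressing=True):
    """MONITOR-side detection: aggregate per-user DNS vectors over one interval,
    compare each counter with its threshold, and raise the reputation level by
    one for every threshold exceeded."""
    per_user = defaultdict(lambda: {"requests": 0, "domains": set(), "nxdomain": 0})
    for ts, ip, port, qname, rcode in flows:
        if not (window_start <= ts < window_start + window_len):
            continue
        rec = per_user[user_key(ip, port, dynamic_addressing)]
        rec["requests"] += 1
        rec["domains"].add(qname)
        if rcode == "NXDOMAIN":
            rec["nxdomain"] += 1
    userdb = {}
    for key, rec in per_user.items():
        vectors = {"requests": rec["requests"],
                   "distinct_domains": len(rec["domains"]),
                   "nxdomain": rec["nxdomain"]}
        exceeded = [name for name, limit in thresholds.items() if vectors[name] > limit]
        userdb[key] = UserRecord(vectors=vectors, exceeded=exceeded, reputation=len(exceeded))
    return userdb


def mitigate(flows, userdb, block_level, dynamic_addressing=True):
    """MITIGATOR-side decision: drop DNS traffic of users whose stored
    reputation reaches block_level; everything else passes.
    Returns (allowed, dropped) packet counts."""
    allowed = dropped = 0
    for _ts, ip, port, _qname, _rcode in flows:
        rec = userdb.get(user_key(ip, port, dynamic_addressing))
        if rec is not None and rec.reputation >= block_level:
            dropped += 1
        else:
            allowed += 1
    return allowed, dropped


def build_sample_flows():
    """Constructed DNS records: (timestamp_s, client_ip, access_port, qname, rcode)."""
    # A benign subscriber: five queries to three names over the minute.
    flows = [(t, "10.0.0.1", 1, d, "NOERROR")
             for t, d in zip(range(0, 50, 10),
                             ["example.org", "example.net", "example.org",
                              "mail.example.org", "example.net"])]
    # A bot-like client: 30 queries for 30 distinct constructed names in one
    # minute, the first 10 answered NXDOMAIN.
    for i in range(30):
        flows.append((i, "10.0.0.2", 7, f"h{i}.example.invalid",
                      "NXDOMAIN" if i < 10 else "NOERROR"))
    # A second subscriber that was handed the same IP but sits on another port.
    flows += [(3, "10.0.0.2", 9, "example.org", "NOERROR"),
              (40, "10.0.0.2", 9, "example.com", "NOERROR")]
    return flows


if __name__ == "__main__":
    flows = build_sample_flows()
    userdb = evaluate_window(flows, 0, 60, THRESHOLDS)
    for key, rec in sorted(userdb.items()):
        print(key, rec.vectors, "reputation", rec.reputation)
    print("allowed/dropped:", mitigate(flows, userdb, block_level=2))
```

Run it directly to print the USERDB records and the allowed/dropped counts. With per-port identity only the bot's 30 queries are dropped; keying on the IP alone merges the bot and the benign subscriber on 10.0.0.2 into one record, so the benign subscriber's two queries are dropped as well, which is exactly the imprecision under private or dynamic addressing that the text warns about.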

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention relates to a method and a system adapted to detect a malicious program and mitigate its harmful effects. The method according to the invention comprises computing means used to capture suspicious data traffic passing through a plurality of access nodes in a communication network. The method according to the invention is characterized in that it comprises the following steps: a) a monitoring module detects said suspicious data traffic passing through said plurality of access nodes in the communication network; and b) a mitigation module receives and analyzes said detected suspicious data traffic in order to block it in case said suspicious data traffic is infected. Steps a) and b) are executed in real time at the origin of the network access node, and the analysis of the suspicious data traffic performed in said step b) is carried out on the basis of the inspection and monitoring of a plurality of DNS packets. The system is configured to implement the method according to the present invention.
PCT/EP2013/061362 2012-06-21 2013-06-03 Method and system for detecting malware and mitigating its harmful effects WO2013189723A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
ESP201230976 2012-06-21
ES201230976 2012-06-21

Publications (1)

Publication Number Publication Date
WO2013189723A1 (fr) 2013-12-27

Family

ID=48570138

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2013/061362 WO2013189723A1 (fr) 2012-06-21 2013-06-03 Method and system for detecting malware and mitigating its harmful effects

Country Status (1)

Country Link
WO (1) WO2013189723A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1906620A1 (fr) * 2006-09-29 2008-04-02 AT&T Corp. Method and apparatus for detecting compromised host computers
US20080141372A1 (en) * 2006-12-12 2008-06-12 Privacy Networks, Inc. Electronic Data Integrity Checking and Validation
US20100235915A1 (en) * 2009-03-12 2010-09-16 Nasir Memon Using host symptoms, host roles, and/or host reputation for detection of host infection
US7849502B1 (en) * 2006-04-29 2010-12-07 Ironport Systems, Inc. Apparatus for monitoring network traffic

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10474820B2 (en) 2014-06-17 2019-11-12 Hewlett Packard Enterprise Development Lp DNS based infection scores
WO2016101510A1 (fr) * 2014-12-23 2016-06-30 中兴通讯股份有限公司 Method and device for a broadband remote access server to acquire network address translation information
US10887332B2 (en) 2015-06-15 2021-01-05 Nokia Technologies Oy Control of unwanted network traffic
CN111310538A (zh) * 2019-11-18 2020-06-19 韩玉芝 Content management system based on a big-data server
CN111310538B (zh) * 2019-11-18 2020-11-17 万金芬 Content management system based on a big-data server

Similar Documents

Publication Publication Date Title
US11924170B2 (en) Methods and systems for API deception environment and API traffic control and security
US10440049B2 (en) Network traffic analysis for malware detection and performance reporting
US11563772B2 (en) Detection and mitigation DDoS attacks performed over QUIC communication protocol
Zeidanloo et al. Botnet detection based on traffic monitoring
JP5886422B2 (ja) System, apparatus, program and method for protocol fingerprint acquisition and evaluation correlation
EP2767056A1 (fr) Method and system for detecting malware
Kshirsagar et al. CPU load analysis & minimization for TCP SYN flood detection
WO2019159833A1 (fr) Threat information extraction device and threat information extraction program
Zlomislić et al. Denial of service attacks: an overview
Tritilanunt et al. Entropy-based input-output traffic mode detection scheme for dos/ddos attacks
Graham et al. Botnet detection within cloud service provider networks using flow protocols
Corrêa et al. Ml-based ddos detection and identification using native cloud telemetry macroscopic monitoring
Saad et al. Rule-based detection technique for ICMPv6 anomalous behaviour
WO2013189723A1 (fr) Method and system for detecting malware and mitigating its harmful effects
Kim et al. Agent-based honeynet framework for protecting servers in campus networks
Harikrishnan et al. Mitigation of DDoS attacks using honeypot and firewall
Lyu et al. PEDDA: Practical and Effective Detection of Distributed Attacks on enterprise networks via progressive multi-stage inference
Shinde et al. DDoS attack analyzer: using JPCAP and WinCap
Ostap et al. A concept of clustering-based method for botnet detection
Golchin et al. In-Network SYN Flooding DDoS Attack Detection Utilizing P4 Switches
Burke et al. Using network flow data to analyse distributed reflection denial of service (DRDoS) attacks, as observed on the South African national research and education network (SANReN) a postmortem analysis of the memcached attack on the SANReN
Akimoto et al. Collaborative behavior visualization and its detection by observing darknet traffic
Bou-Harb et al. On detecting and clustering distributed cyber scanning
Bortoluzzi et al. Cloud Telescope: A distributed architecture for capturing Internet Background Radiation
Ghosh et al. Managing high volume data for network attack detection using real-time flow filtering

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 13726519; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 13726519; Country of ref document: EP; Kind code of ref document: A1)