WO2016205169A1 - Passive security analysis with inline active security device - Google Patents

Passive security analysis with inline active security device Download PDF

Info

Publication number
WO2016205169A1
WO2016205169A1 PCT/US2016/037321 US2016037321W WO2016205169A1 WO 2016205169 A1 WO2016205169 A1 WO 2016205169A1 US 2016037321 W US2016037321 W US 2016037321W WO 2016205169 A1 WO2016205169 A1 WO 2016205169A1
Authority
WO
WIPO (PCT)
Prior art keywords
security
data points
network traffic
network
copy
Prior art date
Application number
PCT/US2016/037321
Other languages
French (fr)
Inventor
Shreyans Mehta
Ameya Talwalkar
Original Assignee
Stealth Security, Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Stealth Security, Inc. filed Critical Stealth Security, Inc.
Priority to EP16812215.8A priority Critical patent/EP3308279A4/en
Priority to JP2017566003A priority patent/JP2018518127A/en
Publication of WO2016205169A1 publication Critical patent/WO2016205169A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic

Definitions

  • Patent Application No. 62/175,585 entitled “PASSIVE SECURITY ANALYSIS WITH INLINE ACTIVE SECURITY DEVICE”, filed June 15, 2015, which is hereby incorporated by reference in its entirety for all purposes.
  • Web servers that provide web services are often subject to automated attacks, such as using stolen credentials to fraudulently access the service, brute-force attacks that try several username and password combinations to gain access, registering fake accounts, scraping websites to harvest web data, and others.
  • Such velocity attacks typically require a large number of transactions with the web service in a very short period of time, and commonly used web browsers are prohibitively slow for such large- scale and high-speed communications.
  • attackers use a wide variety of attack tools, ranging from simple shell scripts to sophisticated custom tools designed to speed up transactions.
  • Various types of network security devices work to protect web services and their components from being attacked by malicious actors, such as firewalls, intrusion prevention systems, and the like.
  • Such devices inspect network traffic at varying degrees of depth, typically by matching incoming traffic data with a library of patterns and network protocol analyzers.
  • Security researchers typically update this pattern library continuously based on analysis of malware behavior at the network level.
  • the larger the set of patterns and protocol analyzers the longer it takes for network security devices to inspect network traffic. Consequently, this screening process introduces latency in the overall communication between the end user and the web service, which negatively impacts the user experience.
  • security devices often compromise on the depth of detection in order to minimize the time taken to inspect network traffic.
  • a passive analysis system receives a copy of network traffic, performs deep analysis on the copy of network traffic, and generates security data points based on the deep analysis. The passive analysis system then provides the security data points to an active inline security device, wherein the active inline security device compares incoming network traffic to the security data points to detect security events.
  • Figure 1 is a block diagram that illustrates a communication system.
  • Figure 2 is a flow diagram that illustrates an operation of the
  • Figure 3 is a flow diagram that illustrates an operation of a communication system in an exemplar ⁇ ' embodiment.
  • Figure 4 is a block diagram that illustrates a computing system.
  • Firewalls, intrusion prevention systems, web application firewalls, and other types of network security devices protect web services from velocity attacks, unauthorized usage, and other intrusions. These security devices analyze network traffic at varying degrees of depth. For example, firewalls typically inspect information in network layer 2 (Ethernet), layer 3 (Internet Protocol), and layer 4 (Transmission Control Protocol/User Datagram Protocol) in the network data. Intrusion prevention and web application firewall solutions often perform deep packet analysis that may involve inspecting every byte of a particular network stream. However, deeper analysis introduces higher latency, so inline devices that actively scan network traffic often compromise on the depth of analysis to achieve low-latency performance requirements.
  • Ethernet Ethernet
  • layer 3 Internet Protocol
  • layer 4 Transmission Control Protocol/User Datagram Protocol
  • inline network security devices are unable to offer certain advanced types of mitigation solutions. For example, solutions that require deep analysis of patterns of behavior by users and their devices interacting with a web service are prohibitively time consuming and thus not provided by inline security devices. Instead, this functionality is typically deployed in offline systems that process historical network data and perform their analysis in an offline mode to detect malicious or abnormal patterns of usage. Because of the nature of their deployment and the latency involved, this offline analysis of historical data fails to offer any active mitigation to the threats detected. Instead of immediate action, human operators typically employ a very slow and manual process of translating the detections into some basic and limited mitigation rules for deployment in load balancers, firewalls, intrusion prevention systems, web application firewalls, and the like.
  • the following disclosure enables low-latency active inline mitigation of network security threats using pattern matching based on complex and time-consuming analysis of network data.
  • a passive analysis system receives a copy of network traffic and performs very deep analysis on the data, including looking for malicious patterns of behavior by users, their devices, and applications. The passive analysis system then generates data points that can be used by an active inline security device to take immediate action on similar traffic.
  • the data points may be asynchronously fed over a high speed communication bus into a match module of the active inline security device. Incoming traffic is ingested by the active inline device and compared against the data points to detect security events and take mitigating action, while still maintaining the low latency standards that are expected of typical network security devices.
  • Communication system 100 includes computing system 101,
  • Computing system 101 includes passive analysis system 105 and active inline security device 107.
  • Passive analysis system 105 and active inline security device 107 provide separate functionality and could be included as different modules within the same hardware apparatus of computing system 101, but could be run in separate dedicated central processing unit, operating system, and memory containers within computing system 101 in some examples.
  • Passive analysis system 105 and active inline security device 107 can also individually reside on two separate hardware appliances that together may be referred to as computing system 101 in some implementations.
  • Computing system 101 and communication network 120 communicate over communication link 121.
  • Communication network 120 and computing system 130 are in communication over communication link 131.
  • An exemplary operation of communication system 100 will now be described with respect to Figure 2.
  • Figure 2 is a flow diagram that illustrates an operation of communication system 100 in an exemplar ⁇ ' implementation.
  • the operation 200 shown in Figure 2 may also be referred to as security process 200 herein.
  • the steps of the operation are indicated below parenthetically.
  • the following discussion of operation 200 will proceed with reference to computing systems 101 and 130 of Figure 1 in order to illustrate its operations, but note that the details provided in Figure 1 are merely exemplary and not intended to limit the scope of process 200 to the specific implementation of Figure 1.
  • Operation 200 may be employed by computing system 101 to facilitate network security analysis and attack response.
  • computing system 101 could comprise a network security appliance that monitors network traffic and mitigates detected security threats.
  • active inline security device 107 of computing system 101 could intercept network traffic en route to its final destination, which could be computing system 101, computing system 130 or any other computing sy stem, a cloud server, or any other computing resource.
  • computing system 101 could comprise a web server used in the provision of a web service, where active inline security device 107 receives and analyzes network traffic from a plurality of users, such as computing system 130, before delivering it to the web service.
  • passive analysis system 105 receives a copy of network traffic (201).
  • the actual network traffic is typically received by active inline security device 107 as discussed above, so a copy of the network traffic is provided to passive analysis system 105 for processing. Because passive analysis system 105 receives a copy of the network traffic, any latency introduced by analyzing this data will not impact the packet flow rate of the actual network traffic.
  • Passive analysis system 105 performs deep analysis on the copy of network traffic (202).
  • performing deep analysis on the copy of network traffic comprises detecting malicious patterns of behavior.
  • passive analysis system 05 could analyze historical patterns of usage in the copy of the network traffic to identify malicious patterns of behavior by users, applications, devices, and others.
  • Passive analysis system 105 may also analyze the copy of network traffic against a library of threat patterns to detect security threats.
  • performing deep analysis on the copy of network traffic could include analyzing the copy of the network traffic for protocol violations.
  • Passive analysis system 105 can detect large velocity attacks by analyzing behavioral patterns, which are typically identified in streams of packets over time.
  • Some exemplar ⁇ ' behavior that may be identified by passive analysis system 05 includes the length of time a connection persists, transitions from idle to active on a connection, frequency of requests sent from an endpoint, header information associated with a request, or any other contextual or behavioral data observable from interactions with a remote computing system 130.
  • Passive analysis system generates security data points based on the deep analysis (203),
  • the security data points provide active inline security device 107 the information necessary to take mitigating action.
  • the security data points could comprise IP address whitelists, blacklists, regular expressions, fingerprints of behavior, data models, or any other information that may be matched against similar traffic, including combinations thereof.
  • the security data points may describe the unique form and behavior of the interactions that clients make with computing system 101 as determined from analyzing the network traffic,
  • passive analysis system 105 could generate security data points based on fields in the HTTP request header and connection behavior of the client. For example, information in the request header could be compared to known headers of common browsers to help validate a request, such as the order of fields in the request header, the presence or absence of particular fields, the values of the fields, including the protocols, languages, media types, compression algorithms, and other features that the browser supports, new capabilities that appear in newer versions of a browser that were not present in older versions, and any other information that can be gleaned from the request header.
  • HTTP hypertext transfer protocol
  • passive analysis system 105 may also analyze the connection behavior and the interactions that the client system makes with the web server.
  • Web browsers may interact with a web server in different ways. For example, some browsers choose to send multiple HTTP requests in the same TCP connection, while others create a new connection for even,' request. Some browsers send multiple requests in the same connection even before they start receiving responses from the server, while others wait to send subsequent requests in the same connection until a response to an initial request on that connection is returned. In certain cases, browsers may choose to keep a connection or multiple connections open for a period of time, even if there are no active requests or responses in transit.
  • the length of time that a connection persists, even though no data may be flowing over that connection can differ between the various types and versions of web browsers.
  • Other behavior of the web client could be determined as well, such as the order and manner in which the client parses the hypertext markup language (HTML) and other code when fetching a web page.
  • HTML hypertext markup language
  • some browsers will parse hyperlinks and other textual content in a different way than images or video, such as fetching all images first, or processing all JavaScript code first before fetching images, or fetching images with a different connection than other page content and any other nuances in HTML parsing and content fetching.
  • Any of the above information in the HTTP header, connection behavior, and other data that can be observed from the interactions of the client system with the web server can be used to generate the security data points based on the deep analysis of network usage and connection behavior,
  • Passive analysis system 105 provides the security data points to active inline security device 107, wherein active inline security device 107 compares incoming network traffic to the security data points to detect security issues (204).
  • the security data points received from passive analysis system 105 may be stored in a database for use in the comparison.
  • passive analysis system 105 asynchronously feeds the security data points to active inline security device 107.
  • Passive analysis system 105 typically provides the security data points to active inline security device 107 over a high speed communication bus, although active device 107 could receive the security data points in other ways.
  • Active inline security device 107 performs a match function that compares incoming network traffic to the security data points to detect security issues and take action. For example, active inline security device 107 could match malicious connection behavioral patterns to the incoming network traffic using the security data points and help mitigate threats by blocking the malicious traffic.
  • Active inline security device 107 typically blocks packets or employs some other countermeasures upon detection of at least one security event.
  • passive analysis system 105 monitors web traffic and interactions between users and a web service using deep analysis to generate security data points for active inline security device 107.
  • active inline security device 107 can detect malicious network behavior and take mitigating action.
  • the techniques described herein provide the technical advantage of reducing the load on the processor, network components, and other elements of communication system 100 by eliminating illegitimate requests, while al so safeguarding the information of users of the web service. Further, because the deep analysis and processing of the network traffic is handled transparently by passive analysis system 105, the endpoints of the
  • passive analysis system 105 enables deep and complex analysis of network traffic which can be used to effectively thwart attacks on web services by active inline security device 107 without impacting network latency or user experience.
  • FIG. 3 a flow diagram is illustrated of an operation of a communication system in an exemplary embodiment.
  • the techniques described in Figure 3 could be executed by the devices of communication system 100 such as computing systems 101 and 130, and could be combined with operation 200 of Figure 2 in some implementations.
  • Figure 3 is divided into two sections, separated by a dotted line.
  • the top portion of Figure 3, labeled "Traditional Network Security Appliance”, illustrates a typical, inline deployment of a security appliance between a network device and another network device or network sendee.
  • the inline network device performs three functions: ingest network traffic, analyze and match, and enforce or mitigate.
  • the 'Ingest' module receives network packets over a network from one or more connected computing devices.
  • the 'Analyze and Match' module looks for malicious network traffic, typically by processing network packets against a library of protocol analyzers to detect protocol violations.
  • the 'Enforce/Mitigate' module takes action if malicious activity is detected, which could include blocking packets from reaching their destination or terminating network connections.
  • the 'Analyze & Match' module takes the longest amount of time, and deeper analysis during this phase is directly correlated to increased latency and degraded user experience.
  • This traditional network security appliance has a very short maximum latency that it can impose on the traffic while holding packets and performing analysis, so there is no time for complex analysis and pattern matching.
  • the traditional network security appliance is split into an active inline security device and a passive analysis system.
  • the 'Analyze and Match' module of the traditional network security appliance above is effectively split between the passive analysis system and the active inline security device, with additional enhanced functionality added to both.
  • the passive analysis system is split into an active inline security device and a passive analysis system.
  • the passive analysis system works with a copy of the network traffic and is no longer inline with the real time data flow, the passive analysis system can perform very deep analysis of the network traffic, including looking for malicious patterns of behavior by users, applications, and devices, without regard for latency.
  • the passive analysis system also generates data points that can be used by the 'Match' module in the active inline security device to take mitigating action on similar traffic.
  • the data points typically describe patterns of usage and behavior exhibited by malicious users, applications, devices, and other systems, and may further identify these malicious entities in IP blacklists in some examples.
  • the active inline security device is enhanced with the ability to process the data points received from the passive analysis system, which are typically communicated rapidly over a high speed communication bus.
  • the active inline security device performs pattern matching between the data points and the incoming network traffic it receives in the 'Ingest' module to detect security events.
  • the pattern matching can be performed quickly by the active inline device to comply with maximum latency restrictions for inline devices.
  • the 'Enforce/Mitigate' module takes appropriate action to address the detected threat. In this manner, the 'Ingest', 'Match', and 'Enforce' modules that are part of the active inline security device do not burden the active device with lengthy delays while holding network packets for processing.
  • the passive analysis system performs the more time-consuming deep analysis and pattern detection, feeding data points to the 'Match' module of the active inline device as they are generated.
  • the active inline security device ingests incoming network traffic and matches the data points it receives from the passive analysis system against the traffic to detect and mitigate malicious behavior.
  • the passive analysis system provides deep and complex analysis of network traffic and usage patterns to generate data points for use in an inline active device to mitigate threats without impacting network latency or user experience.
  • the security techniques described above provide for deep analysis of network traffic with automated mitigation by applying mitigation rules on a rich set of attributes for high accuracy. Any suspicious activity that matches patterns in the data points generated by the passive analysis system can be flagged and blocked by the active inline device, thereby providing improved defenses against malicious actors.
  • computing system 101 may be
  • Computing system 101 comprises at least one processing system and a communication transceiver.
  • Computing system 101 may also include other components such as a user interface, data storage system, and power supply. Computing system 101 may reside in a single device or may be distributed across multiple devices. Computing system 101 may be a discrete system or may be integrated within other systems, including other systems within communication system 100. Computing system 101 provides an example of a computing system that could be used as a either a server or a client device in some implementations, although such devices could have alternative configurations. Examples of computing system 101 include mobile computing devices, such as cell phones, tablet computers, laptop computers, notebook computers, and gaming devices, as well as any other type of mobile computing devices and any combination or variation thereof. Examples of computing system 101 also include desktop computers, server computers, and virtual machines, as well as any other type of computing system, variation, or combination thereof.
  • computing system 101 could comprise a network security appliance, firewall, load balancer, intrusion prevention system, web application firewall, web server, network switch, router, switching system, packet gateway, network gateway system, Internet access node, application server, database system, service node, or some other communication equipment, including combinations thereof.
  • Communication network 120 could comprise multiple network elements such as routers, gateways, telecommunication switches, servers, processing systems, or other communication equipment and systems for providing communication and data semces.
  • communication network 120 could comprise wireless communication nodes, telephony switches, Internet routers, network gateways, computer systems, communication links, or some other type of communication equipment, including combinations thereof.
  • Communication network 120 may also comprise optical networks, asynchronous transfer mode (ATM) networks, packet networks, local area networks (LAN), metropolitan area networks (MAN), wide area networks (WAN), or other network topologies, equipment, or systems - including combinations thereof.
  • Communication network 120 may be configured to communicate over metallic, wireless, or optical links.
  • Communication network 20 may be configured to use time-division multiplexing (TDM), Internet Protocol (IP), Ethernet, optical networking, wireless protocols, communication signaling, or some other communication format, including combinations thereof.
  • TDM time-division multiplexing
  • IP Internet Protocol
  • Ethernet optical networking
  • wireless protocols communication signaling
  • communication network 120 includes further access nodes and associated equipment for providing communication seraces to several computer systems across a large geographic region.
  • Computing system 130 may be representative of any computing apparatus, system, or systems that may connect to another computing system over a communication network.
  • Computing system 130 comprises at least one processing system and a com muni cation transceiver.
  • Computing system 130 may also include other components such as a router, server, data storage system, and power supply.
  • Computing system 130 may reside in a single device or may be distributed across multiple devices.
  • Computing system 130 may be a discrete system or may be integrated within other systems, including other systems within communication system 100,
  • Some examples of computing system 130 include desktop computers, server computers, cloud computing platforms, and virtual machines, as well as any other type of computing system, variation, or combination thereof.
  • Communication links 121 and 131 use metal, air, space, optical fiber such as glass or plastic, or some other material as the transport medium - including
  • Communication links 121 and 131 could use various combinations thereof.
  • Communication links 121 and 131 could be direct links or may include intermediate networks, systems, or devices.
  • FIG. 4 a block diagram that illustrates computing system 400 in an exemplary implementation is shown.
  • Computing system 400 provides
  • Computing system 400 includes processing system 401, storage system 403, software 405, communication interface 407, and user interface 409.
  • Software 405 includes application 406 which itself includes security process 200.
  • Security process 200 may optionally be implemented separately from application 406.
  • Computing system 400 may be representative of any computing apparatus, system, or systems on which application 406 and security process 200 or variations thereof may be suitably implemented.
  • Examples of computing system 400 include mobile computing devices, such as cell phones, tablet computers, laptop computers, notebook computers, and gaming devices, as well as any other type of mobile computing devices and any combination or variation thereof. Note that the features and functionality of computing system 400 may apply as well to desktop computers, server computers, and virtual machines, as well as any other type of computing system, variation, or
  • Computing system 400 includes processing system 401, storage system
  • Processing system 401 is operatively coupled with storage system 403, communication interface 407, and user interface 409. Processing system 401 loads and executes software 405 from storage system 403. When executed by computing system 400 in general, and processing system 401 in particular, software 405 directs computing system 400 to operate as described herein for security process 200 or variations thereof.
  • system 400 may optionally include additional devices, features, or functionality not discussed herein for purposes of brevity.
  • processing system 401 may comprise a microprocessor and other circuitry that retrieves and executes software 405 from storage system 403.
  • Processing system 401 may be implemented within a single processing device but may also be distributed across multiple processing devices or sub-systems that cooperate in executing program instructions. Examples of processing system 401 include general purpose central processing units, application specific processors, and logic devices, as well as any other type of processing device, combinations, or variations thereof.
  • Storage system 403 may comprise any computer readable media or storage media readable by processing system 401 and capable of storing software 405.
  • Storage system 403 may include volatile and nonvolatile, removable and non-removable media impiemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules, or other data.
  • Storage system 403 may be implemented as a single storage device but may also be implemented across multiple storage devices or sub-systems co-located or distributed relative to each other.
  • Storage system 403 may comprise additional elements, such as a controller, capable of communicating with processing system 401.
  • storage media examples include random- access memory, read-only memory, magnetic disks, optical disks, flash memory, virtual memory and non-virtual memory, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and that may be accessed by an instruction execution system, as well as any combination or variation thereof, or any other type of storage media.
  • the storage media a propagated signal.
  • processing system 401 loads and executes portions of software 405, such as security process 200, to facilitate network security analysis and attack response.
  • Software 405 may be implemented in program instructions and among other functions may, when executed by computing system 400 in general or processing system 401 in particular, direct computing system 400 or processing system 401 to receive a copy of network traffic, perform deep analysis on the copy of network traffic, and generate security data points based on the deep analysis.
  • Software 405 may further direct computing system 400 or processing system 401 to provide the security data points to an active inline security device, wherein the active inline security device compares incoming network traffic to the security data points to detect security events.
  • Software 405 may include additional processes, programs, or components, such as operating system software or other application software. Examples of operating systems include Windows®, iOS®, and Android®, as well as any other suitable operating system. Software 405 may also comprise firmware or some other form of machine-readable processing instaictions executable by processing system 401.
  • software 405 may, when loaded into processing system 401 and executed, transform computing system 400 overall from a general-purpose computing system into a special-purpose computing system customized to facilitate network security analysis and attack response as described herein for each implementation.
  • encoding software 405 on storage system 403 may transform the physical structure of
  • the specific transformation of the physical staicture may depend on various factors in different implementations of this description. Examples of such factors may include, but are not limited to the technology used to implement the storage media of storage system 403 and whether the computer-readable storage media are characterized as primary or secondary storage.
  • software 405 may transform the physical state of the semiconductor memory when the program is encoded therein.
  • software 405 may transform the state of transistors, capacitors, or other discrete circuit elements constituting the semiconductor memory, A similar transformation may occur with respect to magnetic or optical media. Other transformations of physical media are possible without departing from the scope of the present description, with the foregoing examples provided only to facilitate this discussion.
  • computing system 400 is generally intended to represent a computing system with which software 405 is deployed and executed in order to implement application 406 and/or security process 200 (and variations thereof). However, computing system 400 may also represent any computing system on which software 405 may be staged and from where software 405 may be distributed, transported, downloaded, or otherwise provided to yet another computing system for deployment and execution, or yet additional distribution. For example, computing system 400 could be configured to deploy software 405 over the internet to one or more client computing systems for execution thereon, such as in a cloud-based deployment scenario.
  • Communication interface 407 may include communication connections and devices that allow for communication between computing system 400 and other computing systems (not shown) or services, over a communication network 41 or collection of networks.
  • communication interface 407 receives dynamic data 421 over communication network 411.
  • Examples of connections and devices that together allow for inter-system communication may include network interface cards, antennas, power amplifiers, RF circuitry, transceivers, and other communication circuitry.
  • the aforementioned network, connections, and devices are well known and need not be discussed at length here.
  • User interface 409 may include a voice input device, a touch input device for receiving a gesture from a user, a motion input device for detecting non-touch gestures and other motions by a user, and other comparable input devices and associated processing elements capable of receiving user input from a user.
  • Output devices such as a display, speakers, haptic devices, and other types of output devices may also be included in user interface 409,
  • user interface 409 could include a touch screen capable of displaying a graphical user interface that also accepts user inputs via touches on its surface.
  • the aforementioned user input devices are well known in the art and need not be discussed at length here.
  • User interface 409 may also include associated user interface software executable by processing system 401 in support of the various user input and output devices discussed above. Separately or in conjunction with each other and other hardware and software elements, the user interface software and devices may provide a graphical user interface, a natural user interface, or any other kind of user interface. User interface 409 may be omitted in some implementations. [0044] The functional block diagrams, operational sequences, and flow diagrams provided in the Figures are representative of exemplary architectures, environments, and methodologies for performing novel aspects of the disclosure.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

Techniques to facilitate network security analysis and attack response are disclosed herein. In at least one implementation, a passive analysis system receives a copy of network traffic, performs deep analysis on the copy of network traffic, and generates security data points based on the deep analysis. The passive analysis system then provides the security data points to an active inline security device, wherein the active inline security device compares incoming network traffic to the security data points to detect security events.

Description

PASSIVE SECURITY ANALYSIS WITH INLINE ACTIVE SECURITY DEVICE RELATED APPLICATIONS
[0001] This application claims the benefit of, and priority to, U.S. Provisional
Patent Application No. 62/175,585, entitled "PASSIVE SECURITY ANALYSIS WITH INLINE ACTIVE SECURITY DEVICE", filed June 15, 2015, which is hereby incorporated by reference in its entirety for all purposes.
TECHNICAL BACKGROUND
[0002] Web servers that provide web services are often subject to automated attacks, such as using stolen credentials to fraudulently access the service, brute-force attacks that try several username and password combinations to gain access, registering fake accounts, scraping websites to harvest web data, and others. Such velocity attacks typically require a large number of transactions with the web service in a very short period of time, and commonly used web browsers are prohibitively slow for such large- scale and high-speed communications. Instead, attackers use a wide variety of attack tools, ranging from simple shell scripts to sophisticated custom tools designed to speed up transactions.
[0003] Various types of network security devices work to protect web services and their components from being attacked by malicious actors, such as firewalls, intrusion prevention systems, and the like. Such devices inspect network traffic at varying degrees of depth, typically by matching incoming traffic data with a library of patterns and network protocol analyzers. Security researchers typically update this pattern library continuously based on analysis of malware behavior at the network level. The larger the set of patterns and protocol analyzers, the longer it takes for network security devices to inspect network traffic. Consequently, this screening process introduces latency in the overall communication between the end user and the web service, which negatively impacts the user experience. As a result, security devices often compromise on the depth of detection in order to minimize the time taken to inspect network traffic.
OVERVIEW
[0004] Provided herein are systems, methods, and software to facilitate network security analysis and attack response. In at least one implementation, a passive analysis system receives a copy of network traffic, performs deep analysis on the copy of network traffic, and generates security data points based on the deep analysis. The passive analysis system then provides the security data points to an active inline security device, wherein the active inline security device compares incoming network traffic to the security data points to detect security events.
[0005] This Overview is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. It may be understood that this Overview is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter. BRIEF DESCRIPTION OF THE DRAWINGS
[0006] Figure 1 is a block diagram that illustrates a communication system.
[0007] Figure 2 is a flow diagram that illustrates an operation of the
communication system.
[0008] Figure 3 is a flow diagram that illustrates an operation of a communication system in an exemplar}' embodiment.
[0009] Figure 4 is a block diagram that illustrates a computing system.
DETAILED DESCRIPTION
[0010] The following description and associated figures teach the best mode of the invention. For the purpose of teaching inventive principles, some conventional aspects of the best mode may be simplified or omitted. The following claims specify the scope of the invention. Note that some aspects of the best mode may not fall within the scope of the invention as specified by the claims. Thus, those skilled in the art will appreciate variations from the best mode that fall within the scope of the invention. Those skilled in the art will appreciate that the features described below can be combined in various ways to form multiple variations of the invention. As a result, the invention is not limited to the specific examples described below, but only by the claims and their equivalents.
[0011] Firewalls, intrusion prevention systems, web application firewalls, and other types of network security devices protect web services from velocity attacks, unauthorized usage, and other intrusions. These security devices analyze network traffic at varying degrees of depth. For example, firewalls typically inspect information in network layer 2 (Ethernet), layer 3 (Internet Protocol), and layer 4 (Transmission Control Protocol/User Datagram Protocol) in the network data. Intrusion prevention and web application firewall solutions often perform deep packet analysis that may involve inspecting every byte of a particular network stream. However, deeper analysis introduces higher latency, so inline devices that actively scan network traffic often compromise on the depth of analysis to achieve low-latency performance requirements.
[0012] Due to the latency concerns, inline network security devices are unable to offer certain advanced types of mitigation solutions. For example, solutions that require deep analysis of patterns of behavior by users and their devices interacting with a web service are prohibitively time consuming and thus not provided by inline security devices. Instead, this functionality is typically deployed in offline systems that process historical network data and perform their analysis in an offline mode to detect malicious or abnormal patterns of usage. Because of the nature of their deployment and the latency involved, this offline analysis of historical data fails to offer any active mitigation to the threats detected. Instead of immediate action, human operators typically employ a very slow and manual process of translating the detections into some basic and limited mitigation rules for deployment in load balancers, firewalls, intrusion prevention systems, web application firewalls, and the like. Advantageously, the following disclosure enables low-latency active inline mitigation of network security threats using pattern matching based on complex and time-consuming analysis of network data.
[0013] Implementations are disclosed herein to facilitate network security analysis and attack response. In at least one implementation, a passive analysis system receives a copy of network traffic and performs very deep analysis on the data, including looking for malicious patterns of behavior by users, their devices, and applications. The passive analysis system then generates data points that can be used by an active inline security device to take immediate action on similar traffic. In some implementations, the data points may be asynchronously fed over a high speed communication bus into a match module of the active inline security device. Incoming traffic is ingested by the active inline device and compared against the data points to detect security events and take mitigating action, while still maintaining the low latency standards that are expected of typical network security devices.
[0014] Referring now to Figure 1 , a block diagram of communication system 100 is illustrated. Communication system 100 includes computing system 101,
communication network 120, and computing system 130. Computing system 101 includes passive analysis system 105 and active inline security device 107. Passive analysis system 105 and active inline security device 107 provide separate functionality and could be included as different modules within the same hardware apparatus of computing system 101, but could be run in separate dedicated central processing unit, operating system, and memory containers within computing system 101 in some examples. Passive analysis system 105 and active inline security device 107 can also individually reside on two separate hardware appliances that together may be referred to as computing system 101 in some implementations. Computing system 101 and communication network 120 communicate over communication link 121.
Communication network 120 and computing system 130 are in communication over communication link 131. An exemplary operation of communication system 100 will now be described with respect to Figure 2.
[0015] Figure 2 is a flow diagram that illustrates an operation of communication system 100 in an exemplar}' implementation. The operation 200 shown in Figure 2 may also be referred to as security process 200 herein. The steps of the operation are indicated below parenthetically. The following discussion of operation 200 will proceed with reference to computing systems 101 and 130 of Figure 1 in order to illustrate its operations, but note that the details provided in Figure 1 are merely exemplary and not intended to limit the scope of process 200 to the specific implementation of Figure 1.
[0016] Operation 200 may be employed by computing system 101 to facilitate network security analysis and attack response. I some implementations, computing system 101 could comprise a network security appliance that monitors network traffic and mitigates detected security threats. For example, active inline security device 107 of computing system 101 could intercept network traffic en route to its final destination, which could be computing system 101, computing system 130 or any other computing sy stem, a cloud server, or any other computing resource. In some examples, computing system 101 could comprise a web server used in the provision of a web service, where active inline security device 107 receives and analyzes network traffic from a plurality of users, such as computing system 130, before delivering it to the web service.
[0017] As shown in the operational flow of Figure 2, passive analysis system 105 receives a copy of network traffic (201). The actual network traffic is typically received by active inline security device 107 as discussed above, so a copy of the network traffic is provided to passive analysis system 105 for processing. Because passive analysis system 105 receives a copy of the network traffic, any latency introduced by analyzing this data will not impact the packet flow rate of the actual network traffic.
[0018] Passive analysis system 105 performs deep analysis on the copy of network traffic (202). In at least one implementation, performing deep analysis on the copy of network traffic comprises detecting malicious patterns of behavior. For example, passive analysis system 05 could analyze historical patterns of usage in the copy of the network traffic to identify malicious patterns of behavior by users, applications, devices, and others. Passive analysis system 105 may also analyze the copy of network traffic against a library of threat patterns to detect security threats. In some implementations, performing deep analysis on the copy of network traffic could include analyzing the copy of the network traffic for protocol violations. Passive analysis system 105 can detect large velocity attacks by analyzing behavioral patterns, which are typically identified in streams of packets over time. Some exemplar}' behavior that may be identified by passive analysis system 05 includes the length of time a connection persists, transitions from idle to active on a connection, frequency of requests sent from an endpoint, header information associated with a request, or any other contextual or behavioral data observable from interactions with a remote computing system 130.
[0019] Passive analysis system generates security data points based on the deep analysis (203), The security data points provide active inline security device 107 the information necessary to take mitigating action. For example, the security data points could comprise IP address whitelists, blacklists, regular expressions, fingerprints of behavior, data models, or any other information that may be matched against similar traffic, including combinations thereof. In some implementations, the security data points may describe the unique form and behavior of the interactions that clients make with computing system 101 as determined from analyzing the network traffic,
[0020] In examples where the network traffic comprises a hypertext transfer protocol (HTTP) request that purports to originate from a web browser, passive analysis system 105 could generate security data points based on fields in the HTTP request header and connection behavior of the client. For example, information in the request header could be compared to known headers of common browsers to help validate a request, such as the order of fields in the request header, the presence or absence of particular fields, the values of the fields, including the protocols, languages, media types, compression algorithms, and other features that the browser supports, new capabilities that appear in newer versions of a browser that were not present in older versions, and any other information that can be gleaned from the request header.
[0021] Continuing this example, passive analysis system 105 may also analyze the connection behavior and the interactions that the client system makes with the web server. Web browsers may interact with a web server in different ways. For example, some browsers choose to send multiple HTTP requests in the same TCP connection, while others create a new connection for even,' request. Some browsers send multiple requests in the same connection even before they start receiving responses from the server, while others wait to send subsequent requests in the same connection until a response to an initial request on that connection is returned. In certain cases, browsers may choose to keep a connection or multiple connections open for a period of time, even if there are no active requests or responses in transit. In other words, the length of time that a connection persists, even though no data may be flowing over that connection, can differ between the various types and versions of web browsers. Other behavior of the web client could be determined as well, such as the order and manner in which the client parses the hypertext markup language (HTML) and other code when fetching a web page. For example, when parsing HTML, some browsers will parse hyperlinks and other textual content in a different way than images or video, such as fetching all images first, or processing all JavaScript code first before fetching images, or fetching images with a different connection than other page content and any other nuances in HTML parsing and content fetching. Any of the above information in the HTTP header, connection behavior, and other data that can be observed from the interactions of the client system with the web server can be used to generate the security data points based on the deep analysis of network usage and connection behavior,
[0022] Passive analysis system 105 provides the security data points to active inline security device 107, wherein active inline security device 107 compares incoming network traffic to the security data points to detect security issues (204). Typically, the security data points received from passive analysis system 105 may be stored in a database for use in the comparison. In at least one implementation, to provide the security data points to active inline security device 107, passive analysis system 105 asynchronously feeds the security data points to active inline security device 107.
Passive analysis system 105 typically provides the security data points to active inline security device 107 over a high speed communication bus, although active device 107 could receive the security data points in other ways. Active inline security device 107 performs a match function that compares incoming network traffic to the security data points to detect security issues and take action. For example, active inline security device 107 could match malicious connection behavioral patterns to the incoming network traffic using the security data points and help mitigate threats by blocking the malicious traffic. Active inline security device 107 typically blocks packets or employs some other countermeasures upon detection of at least one security event.
[0023] Advantageously, passive analysis system 105 monitors web traffic and interactions between users and a web service using deep analysis to generate security data points for active inline security device 107. By comparing the security data points to incoming traffic, active inline security device 107 can detect malicious network behavior and take mitigating action. By securing the web service from malicious use, the techniques described herein provide the technical advantage of reducing the load on the processor, network components, and other elements of communication system 100 by eliminating illegitimate requests, while al so safeguarding the information of users of the web service. Further, because the deep analysis and processing of the network traffic is handled transparently by passive analysis system 105, the endpoints of the
communication transmission are unaware of the additional security measures and validation that occurs to safeguard the information exchange. In this manner, passive analysis system 105 enables deep and complex analysis of network traffic which can be used to effectively thwart attacks on web services by active inline security device 107 without impacting network latency or user experience.
[0024] Referring now to Figure 3, a flow diagram is illustrated of an operation of a communication system in an exemplary embodiment. The techniques described in Figure 3 could be executed by the devices of communication system 100 such as computing systems 101 and 130, and could be combined with operation 200 of Figure 2 in some implementations. Figure 3 is divided into two sections, separated by a dotted line. The top portion of Figure 3, labeled "Traditional Network Security Appliance", illustrates a typical, inline deployment of a security appliance between a network device and another network device or network sendee. The inline network device performs three functions: ingest network traffic, analyze and match, and enforce or mitigate. The 'Ingest' module receives network packets over a network from one or more connected computing devices. The 'Analyze and Match' module looks for malicious network traffic, typically by processing network packets against a library of protocol analyzers to detect protocol violations. The 'Enforce/Mitigate' module takes action if malicious activity is detected, which could include blocking packets from reaching their destination or terminating network connections. Of these three modules, the 'Analyze & Match' module takes the longest amount of time, and deeper analysis during this phase is directly correlated to increased latency and degraded user experience. This traditional network security appliance has a very short maximum latency that it can impose on the traffic while holding packets and performing analysis, so there is no time for complex analysis and pattern matching.
[0025] Turning now to the lower portion of Figure 3, labeled "Active Inline
Security Device With Passive Analysis System", the traditional network security appliance is split into an active inline security device and a passive analysis system. The 'Analyze and Match' module of the traditional network security appliance above is effectively split between the passive analysis system and the active inline security device, with additional enhanced functionality added to both. In particular, since the passive
1 analysis system works with a copy of the network traffic and is no longer inline with the real time data flow, the passive analysis system can perform very deep analysis of the network traffic, including looking for malicious patterns of behavior by users, applications, and devices, without regard for latency. The passive analysis system also generates data points that can be used by the 'Match' module in the active inline security device to take mitigating action on similar traffic. The data points typically describe patterns of usage and behavior exhibited by malicious users, applications, devices, and other systems, and may further identify these malicious entities in IP blacklists in some examples.
[0026] The active inline security device is enhanced with the ability to process the data points received from the passive analysis system, which are typically communicated rapidly over a high speed communication bus. The active inline security device performs pattern matching between the data points and the incoming network traffic it receives in the 'Ingest' module to detect security events. The pattern matching can be performed quickly by the active inline device to comply with maximum latency restrictions for inline devices. In the event of a match, the 'Enforce/Mitigate' module takes appropriate action to address the detected threat. In this manner, the 'Ingest', 'Match', and 'Enforce' modules that are part of the active inline security device do not burden the active device with lengthy delays while holding network packets for processing. Instead, the passive analysis system performs the more time-consuming deep analysis and pattern detection, feeding data points to the 'Match' module of the active inline device as they are generated. The active inline security device ingests incoming network traffic and matches the data points it receives from the passive analysis system against the traffic to detect and mitigate malicious behavior. Thus, in combination, the passive analysis system provides deep and complex analysis of network traffic and usage patterns to generate data points for use in an inline active device to mitigate threats without impacting network latency or user experience.
[0027] The security techniques described above provide for deep analysis of network traffic with automated mitigation by applying mitigation rules on a rich set of attributes for high accuracy. Any suspicious activity that matches patterns in the data points generated by the passive analysis system can be flagged and blocked by the active inline device, thereby providing improved defenses against malicious actors.
[0028] Now referring back to Figure 1, computing system 101 may be
representative of any computing apparatus, system, or systems on which the techniques disclosed herein or variations thereof may be suitably implemented. Computing system 101 comprises at least one processing system and a communication transceiver.
Computing system 101 may also include other components such as a user interface, data storage system, and power supply. Computing system 101 may reside in a single device or may be distributed across multiple devices. Computing system 101 may be a discrete system or may be integrated within other systems, including other systems within communication system 100. Computing system 101 provides an example of a computing system that could be used as a either a server or a client device in some implementations, although such devices could have alternative configurations. Examples of computing system 101 include mobile computing devices, such as cell phones, tablet computers, laptop computers, notebook computers, and gaming devices, as well as any other type of mobile computing devices and any combination or variation thereof. Examples of computing system 101 also include desktop computers, server computers, and virtual machines, as well as any other type of computing system, variation, or combination thereof. In some examples, computing system 101 could comprise a network security appliance, firewall, load balancer, intrusion prevention system, web application firewall, web server, network switch, router, switching system, packet gateway, network gateway system, Internet access node, application server, database system, service node, or some other communication equipment, including combinations thereof.
[0029] Communication network 120 could comprise multiple network elements such as routers, gateways, telecommunication switches, servers, processing systems, or other communication equipment and systems for providing communication and data semces. In some examples, communication network 120 could comprise wireless communication nodes, telephony switches, Internet routers, network gateways, computer systems, communication links, or some other type of communication equipment, including combinations thereof. Communication network 120 may also comprise optical networks, asynchronous transfer mode (ATM) networks, packet networks, local area networks (LAN), metropolitan area networks (MAN), wide area networks (WAN), or other network topologies, equipment, or systems - including combinations thereof. Communication network 120 may be configured to communicate over metallic, wireless, or optical links. Communication network 20 may be configured to use time-division multiplexing (TDM), Internet Protocol (IP), Ethernet, optical networking, wireless protocols, communication signaling, or some other communication format, including combinations thereof. In some examples, communication network 120 includes further access nodes and associated equipment for providing communication seraces to several computer systems across a large geographic region.
[0030] Computing system 130 may be representative of any computing apparatus, system, or systems that may connect to another computing system over a communication network. Computing system 130 comprises at least one processing system and a com muni cation transceiver. Computing system 130 may also include other components such as a router, server, data storage system, and power supply. Computing system 130 may reside in a single device or may be distributed across multiple devices. Computing system 130 may be a discrete system or may be integrated within other systems, including other systems within communication system 100, Some examples of computing system 130 include desktop computers, server computers, cloud computing platforms, and virtual machines, as well as any other type of computing system, variation, or combination thereof.
[0031] Communication links 121 and 131 use metal, air, space, optical fiber such as glass or plastic, or some other material as the transport medium - including
combinations thereof. Communication links 121 and 131 could use various
communication protocols, such as TDM, IP, Ethernet, telephony, optical networking, hybrid fiber coax (HFC), communication signaling, wireless protocols, or some other communication format, including combinations thereof. Communication links 121 and 131 could be direct links or may include intermediate networks, systems, or devices.
[0032] Referring now to Figure 4, a block diagram that illustrates computing system 400 in an exemplary implementation is shown. Computing system 400 provides
1 an example of computing systems 101, 130, or any computing system that may be used to execute security process 200 or variations thereof, although such systems could use alternative configurations. Computing system 400 includes processing system 401, storage system 403, software 405, communication interface 407, and user interface 409. Software 405 includes application 406 which itself includes security process 200.
Security process 200 may optionally be implemented separately from application 406.
[0033] Computing system 400 may be representative of any computing apparatus, system, or systems on which application 406 and security process 200 or variations thereof may be suitably implemented. Examples of computing system 400 include mobile computing devices, such as cell phones, tablet computers, laptop computers, notebook computers, and gaming devices, as well as any other type of mobile computing devices and any combination or variation thereof. Note that the features and functionality of computing system 400 may apply as well to desktop computers, server computers, and virtual machines, as well as any other type of computing system, variation, or
combination thereof.
[0034] Computing system 400 includes processing system 401, storage system
403, software 405, communication interface 407, and user interface 409. Processing system 401 is operatively coupled with storage system 403, communication interface 407, and user interface 409. Processing system 401 loads and executes software 405 from storage system 403. When executed by computing system 400 in general, and processing system 401 in particular, software 405 directs computing system 400 to operate as described herein for security process 200 or variations thereof. Computing
6 system 400 may optionally include additional devices, features, or functionality not discussed herein for purposes of brevity.
[0035] Referring still to Figure 4, processing system 401 may comprise a microprocessor and other circuitry that retrieves and executes software 405 from storage system 403. Processing system 401 may be implemented within a single processing device but may also be distributed across multiple processing devices or sub-systems that cooperate in executing program instructions. Examples of processing system 401 include general purpose central processing units, application specific processors, and logic devices, as well as any other type of processing device, combinations, or variations thereof.
[0036] Storage system 403 may comprise any computer readable media or storage media readable by processing system 401 and capable of storing software 405. Storage system 403 may include volatile and nonvolatile, removable and non-removable media impiemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules, or other data. Storage system 403 may be implemented as a single storage device but may also be implemented across multiple storage devices or sub-systems co-located or distributed relative to each other. Storage system 403 may comprise additional elements, such as a controller, capable of communicating with processing system 401. Examples of storage media include random- access memory, read-only memory, magnetic disks, optical disks, flash memory, virtual memory and non-virtual memory, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and that may be accessed by an instruction execution system, as well as any combination or variation thereof, or any other type of storage media. In no case is the storage media a propagated signal.
[0037] In operation, processing system 401 loads and executes portions of software 405, such as security process 200, to facilitate network security analysis and attack response. Software 405 may be implemented in program instructions and among other functions may, when executed by computing system 400 in general or processing system 401 in particular, direct computing system 400 or processing system 401 to receive a copy of network traffic, perform deep analysis on the copy of network traffic, and generate security data points based on the deep analysis. Software 405 may further direct computing system 400 or processing system 401 to provide the security data points to an active inline security device, wherein the active inline security device compares incoming network traffic to the security data points to detect security events.
[0038] Software 405 may include additional processes, programs, or components, such as operating system software or other application software. Examples of operating systems include Windows®, iOS®, and Android®, as well as any other suitable operating system. Software 405 may also comprise firmware or some other form of machine-readable processing instaictions executable by processing system 401.
[0039] In general, software 405 may, when loaded into processing system 401 and executed, transform computing system 400 overall from a general-purpose computing system into a special-purpose computing system customized to facilitate network security analysis and attack response as described herein for each implementation. For example, encoding software 405 on storage system 403 may transform the physical structure of
8 storage system 403. The specific transformation of the physical staicture may depend on various factors in different implementations of this description. Examples of such factors may include, but are not limited to the technology used to implement the storage media of storage system 403 and whether the computer-readable storage media are characterized as primary or secondary storage.
[0040] In some examples, if the computer-readable storage media are
implemented as semiconductor-based memory, software 405 may transform the physical state of the semiconductor memory when the program is encoded therein. For example, software 405 may transform the state of transistors, capacitors, or other discrete circuit elements constituting the semiconductor memory, A similar transformation may occur with respect to magnetic or optical media. Other transformations of physical media are possible without departing from the scope of the present description, with the foregoing examples provided only to facilitate this discussion.
[0041] It should be understood that computing system 400 is generally intended to represent a computing system with which software 405 is deployed and executed in order to implement application 406 and/or security process 200 (and variations thereof). However, computing system 400 may also represent any computing system on which software 405 may be staged and from where software 405 may be distributed, transported, downloaded, or otherwise provided to yet another computing system for deployment and execution, or yet additional distribution. For example, computing system 400 could be configured to deploy software 405 over the internet to one or more client computing systems for execution thereon, such as in a cloud-based deployment scenario. |Ό042| Communication interface 407 may include communication connections and devices that allow for communication between computing system 400 and other computing systems (not shown) or services, over a communication network 41 or collection of networks. In some implementations, communication interface 407 receives dynamic data 421 over communication network 411. Examples of connections and devices that together allow for inter-system communication may include network interface cards, antennas, power amplifiers, RF circuitry, transceivers, and other communication circuitry. The aforementioned network, connections, and devices are well known and need not be discussed at length here.
[0043] User interface 409 may include a voice input device, a touch input device for receiving a gesture from a user, a motion input device for detecting non-touch gestures and other motions by a user, and other comparable input devices and associated processing elements capable of receiving user input from a user. Output devices such as a display, speakers, haptic devices, and other types of output devices may also be included in user interface 409, In some examples, user interface 409 could include a touch screen capable of displaying a graphical user interface that also accepts user inputs via touches on its surface. The aforementioned user input devices are well known in the art and need not be discussed at length here. User interface 409 may also include associated user interface software executable by processing system 401 in support of the various user input and output devices discussed above. Separately or in conjunction with each other and other hardware and software elements, the user interface software and devices may provide a graphical user interface, a natural user interface, or any other kind of user interface. User interface 409 may be omitted in some implementations. [0044] The functional block diagrams, operational sequences, and flow diagrams provided in the Figures are representative of exemplary architectures, environments, and methodologies for performing novel aspects of the disclosure. While, for purposes of simplicity of explanation, methods included herein may be in the form of a functional diagram, operational sequence, or flow diagram, and may be described as a series of acts, it is to be understood and appreciated that the methods are not limited by the order of acts, as some acts may, in accordance therewith, occur in a different order and/or concurrently with other acts from that shown and described herein. For example, those skilled in the art will understand and appreciate that a method could alternatively be represented as a series of interrelated states or events, such as in a state diagram.
Moreover, not all acts illustrated in a methodology may be required for a novel implementation.
[0045] The above description and associated figures teach the best mode of the invention. The following claims specify the scope of the invention. Note that some aspects of the best mode may not fall within the scope of the invention as specified by the claims. Those skilled in the art will appreciate that the features described above can be combined in various ways to form multiple variations of the invention. As a result, the invention is not limited to the specific embodiments described above, but only by the following claims and their equivalents.

Claims

CLAIMS What is claimed is:
1. A method to facilitate network security analysis and attack response, the method comprising:
in a passive analysis system:
receiving a copy of network traffic;
performing deep analysis on the copy of network traffic; generating security data points based on the deep analysis; and providing the security data points to an active inline security device, wherein the active inline security device compares incoming network traffic to the security data points to detect security events.
2. The method of claim 1 wherein the active inline security device blocks packets upon detection of at least one security event.
3. The method of claim J wherein performing the deep analysis on the copy of network traffic comprises detecting malicious patterns of behavior.
4. The method of claim 1 wherein performing the deep analysis on the copy of network traffic comprises analyzing the copy of the network traffic for protocol violations.
5. The method of claim 1 wherein providing the security data points to the active inline security device comprises asynchronously feeding the security data points to the active inline security device.
6. The method of claim 1 wherein the security data points comprise at least one internet protocol address.
7. The method of claim 1 wherein the security data points comprise a regular expression.
8. One or more computer-readable storage media having program instructions stored thereon to facilitate network security analysis and attack response, wherein the program instructions, when executed by a passive analysis system, direct the passive analysis system to at least:
receive a copy of network traffic;
perform deep analysis on the copy of network traffic,
generate security data points based on the deep analysis; and
provide the security data points to an active inline security device, wherein the active inline security device compares incoming network traffic to the security data points to detect security events.
9. The one or more computer-readable storage media of claim 8 wherein the active inline security device blocks packets upon detection of at least one security event.
10. The one or more computer-readable storage media of claim 8 wherein the program instructions direct the passive analysis system to perform the deep analysis on the copy of network traffic by directing the passive analysis system to detect malicious patterns of behavior,
1 1. The one or more computer-readable storage media of claim 8 wherein the program instructions direct the passive analysis system to perform the deep analysis on the copy of network traffic by directing the passive analysis system to analyze the copy of the network traffic for protocol violations.
12. The one or more computer-readable storage media of claim 8 wherein the program instructions direct the passive analysis system to provide the security data points to the active inline security device by directing the passive analysis system to asynchronously feed the security data points to the active inline security device.
13. The one or more computer-readable storage media of claim 8 wherein the security data points comprise at least one internet protocol address.
14. The one or more computer-readable storage media of claim 8 wherein the security data points comprise a regular expression.
15. A network security system comprising:
a passive analysis system; and
an active inline security device;
the passive analysis system configured to receive a copy of network traffic, perform deep analysis on the copy of network traffic, generate security data points based on the deep analysis, and provide the security data points to the active inline security device, and
the active inline security device configured to compare incoming network traffic to the security data points to detect security events.
16. The network security system of claim 15 wherein the active inline security device is further configured to block packets upon detection of at least one security event.
17. The network security system of claim 15 wherein the passive analysis system configured to perform the deep analysis on the copy of network traffic compri ses the passive analysis system configured to detect malicious patterns of behavior.
18. The network security system of claim 15 wherein the passive analysis system configured to perform the deep analysis on the copy of network trafiic comprises the passive analy sis system configured to analyze the copy of the network traffic for protocol violations.
19. The network security system of claim 15 wherein the passive analysis system configured to provide the security data points to the active inline security device comprises the passive analysis system configured to asynchronously feed the security data points to the active inline security device.
20. The network security system of claim 15 wherein the security data points comprise at least one internet protocol address.
PCT/US2016/037321 2015-06-15 2016-06-14 Passive security analysis with inline active security device WO2016205169A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP16812215.8A EP3308279A4 (en) 2015-06-15 2016-06-14 Passive security analysis with inline active security device
JP2017566003A JP2018518127A (en) 2015-06-15 2016-06-14 Passive security analysis with inline active security devices

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US201562175585P 2015-06-15 2015-06-15
US62/175,585 2015-06-15
US15/178,965 US11418520B2 (en) 2015-06-15 2016-06-10 Passive security analysis with inline active security device
US15/178,965 2016-06-10

Publications (1)

Publication Number Publication Date
WO2016205169A1 true WO2016205169A1 (en) 2016-12-22

Family

ID=57517586

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2016/037321 WO2016205169A1 (en) 2015-06-15 2016-06-14 Passive security analysis with inline active security device

Country Status (4)

Country Link
US (1) US11418520B2 (en)
EP (1) EP3308279A4 (en)
JP (1) JP2018518127A (en)
WO (1) WO2016205169A1 (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11349852B2 (en) * 2016-08-31 2022-05-31 Wedge Networks Inc. Apparatus and methods for network-based line-rate detection of unknown malware
US10341293B2 (en) 2017-02-22 2019-07-02 Honeywell International Inc. Transparent firewall for protecting field devices
US11095678B2 (en) * 2017-07-12 2021-08-17 The Boeing Company Mobile security countermeasures
US10839074B2 (en) * 2017-10-19 2020-11-17 AO Kaspersky Lab System and method of adapting patterns of dangerous behavior of programs to the computer systems of users
JP6861196B2 (en) * 2018-06-18 2021-04-21 エーオー カスペルスキー ラボAO Kaspersky Lab Systems and methods to adapt the dangerous behavior patterns of a program to the user's computer system
CN109246153A (en) * 2018-11-09 2019-01-18 中国银行股份有限公司 Network safety situation analysis model and network safety evaluation method
US20210234878A1 (en) * 2020-01-26 2021-07-29 Check Point Software Technologies Ltd. Method and system to determine device vulnerabilities by scanner analysis
US11876782B2 (en) * 2021-02-08 2024-01-16 Nvidia Corporation Header-based packet filtering and inferencing to identify malicious network traffic using neural networks

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060117386A1 (en) * 2001-06-13 2006-06-01 Gupta Ramesh M Method and apparatus for detecting intrusions on a computer system
US20070005648A1 (en) * 2005-06-29 2007-01-04 Sbc Knowledge Ventures L.P. Network capacity management system
US20080162679A1 (en) * 2006-12-29 2008-07-03 Ebay Inc. Alerting as to denial of service attacks
US8646081B1 (en) * 2007-10-15 2014-02-04 Sprint Communications Company L.P. Method and system to detect a security event in a packet flow and block the packet flow at an egress point in a communication network

Family Cites Families (75)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7120934B2 (en) * 2000-03-30 2006-10-10 Ishikawa Mark M System, method and apparatus for detecting, identifying and responding to fraudulent requests on a network
US9525696B2 (en) * 2000-09-25 2016-12-20 Blue Coat Systems, Inc. Systems and methods for processing data flows
US7600014B2 (en) 2000-11-16 2009-10-06 Symantec Corporation Method and system for monitoring the performance of a distributed application
US7360096B2 (en) 2002-11-20 2008-04-15 Microsoft Corporation Securely processing client credentials used for Web-based access to resources
US7814542B1 (en) 2003-06-30 2010-10-12 Cisco Technology, Inc. Network connection detection and throttling
US7483384B2 (en) * 2003-09-22 2009-01-27 Hewlett-Packard Development Company, L.P. System and method for monitoring network traffic
US20050198099A1 (en) * 2004-02-24 2005-09-08 Covelight Systems, Inc. Methods, systems and computer program products for monitoring protocol responses for a server application
US8171553B2 (en) * 2004-04-01 2012-05-01 Fireeye, Inc. Heuristic based capture with replay to virtual machine
US20060026682A1 (en) 2004-07-29 2006-02-02 Zakas Phillip H System and method of characterizing and managing electronic traffic
US20060031680A1 (en) 2004-08-04 2006-02-09 Yehuda Maiman System and method for controlling access to a computerized entity
US7578436B1 (en) 2004-11-08 2009-08-25 Pisafe, Inc. Method and apparatus for providing secure document distribution
US7380708B1 (en) 2004-11-08 2008-06-03 Pisafe, Inc. Method and apparatus for providing secure document distribution
US7784099B2 (en) 2005-02-18 2010-08-24 Pace University System for intrusion detection and vulnerability assessment in a computer network using simulation and machine learning
JP4742144B2 (en) * 2005-06-06 2011-08-10 インターナショナル・ビジネス・マシーンズ・コーポレーション Method and computer program for identifying a device attempting to penetrate a TCP / IP protocol based network
US7609625B2 (en) * 2005-07-06 2009-10-27 Fortinet, Inc. Systems and methods for detecting and preventing flooding attacks in a network environment
US8255996B2 (en) * 2005-12-30 2012-08-28 Extreme Networks, Inc. Network threat detection and mitigation
JP4774307B2 (en) 2006-02-06 2011-09-14 アラクサラネットワークス株式会社 Unauthorized access monitoring device and packet relay device
JP4664257B2 (en) * 2006-09-06 2011-04-06 富士通株式会社 Attack detection system and attack detection method
US7984500B1 (en) * 2006-10-05 2011-07-19 Amazon Technologies, Inc. Detecting fraudulent activity by analysis of information requests
US8307099B1 (en) 2006-11-13 2012-11-06 Amazon Technologies, Inc. Identifying use of software applications
US20080229109A1 (en) 2007-03-12 2008-09-18 Alexander Gantman Human-recognizable cryptographic keys
US20090119769A1 (en) 2007-11-05 2009-05-07 Microsoft Corporation Cross-site scripting filter
US8893270B1 (en) 2008-01-29 2014-11-18 Trend Micro Incorporated Detection of cross-site request forgery attacks
JP2009284433A (en) * 2008-05-26 2009-12-03 Hitachi Ltd System and method for detecting and controlling p2p terminal
US8244799B1 (en) * 2008-07-21 2012-08-14 Aol Inc. Client application fingerprinting based on analysis of client requests
EP2180664A1 (en) 2008-10-22 2010-04-28 Vivendi Mobile Entertainment System and method for accessing multi-media content via a mobile terminal
US8677473B2 (en) * 2008-11-18 2014-03-18 International Business Machines Corporation Network intrusion protection
US7953852B2 (en) * 2008-12-31 2011-05-31 Intel Corporation Method and system for detecting and reducing botnet activity
WO2010105184A2 (en) * 2009-03-13 2010-09-16 Breach Security , Inc. A method and apparatus for phishing and leeching vulnerability detection
US9231964B2 (en) * 2009-04-14 2016-01-05 Microsoft Corporation Vulnerability detection based on aggregated primitives
US8914878B2 (en) * 2009-04-29 2014-12-16 Juniper Networks, Inc. Detecting malicious network software agents
US8856869B1 (en) 2009-06-22 2014-10-07 NexWavSec Software Inc. Enforcement of same origin policy for sensitive data
US8068431B2 (en) * 2009-07-17 2011-11-29 Satyam Computer Services Limited System and method for deep packet inspection
KR101070614B1 (en) * 2009-12-18 2011-10-10 한국인터넷진흥원 Malicious traffic isolation system using botnet infomation and malicious traffic isolation method using botnet infomation
US8826438B2 (en) 2010-01-19 2014-09-02 Damballa, Inc. Method and system for network-based detecting of malware from behavioral clustering
US8819826B2 (en) * 2010-01-27 2014-08-26 Mcafee, Inc. Method and system for detection of malware that connect to network destinations through cloud scanning and web reputation
US8307418B2 (en) * 2010-03-16 2012-11-06 Genband Inc. Methods, systems, and computer readable media for providing application layer firewall and integrated deep packet inspection functions for providing early intrusion detection and intrusion prevention at an edge networking device
US8904514B2 (en) 2010-04-12 2014-12-02 Hewlett-Packard Development Company, L.P. Implementing a host security service by delegating enforcement to a network device
US9646140B2 (en) 2010-05-18 2017-05-09 ServiceSource Method and apparatus for protecting online content by detecting noncompliant access patterns
GB2483111A (en) * 2010-08-27 2012-02-29 Zeus Technology Ltd Monitoring connections to servers and memory management
US9270691B2 (en) 2010-11-01 2016-02-23 Trusteer, Ltd. Web based remote malware detection
US9119109B1 (en) * 2010-12-30 2015-08-25 Dell Software Inc. Method and an apparatus to perform multi-connection traffic analysis and management
US8819819B1 (en) 2011-04-11 2014-08-26 Symantec Corporation Method and system for automatically obtaining webpage content in the presence of javascript
US8869279B2 (en) 2011-05-13 2014-10-21 Imperva, Inc. Detecting web browser based attacks using browser response comparison tests launched from a remote source
US8856913B2 (en) 2011-08-29 2014-10-07 Arbor Networks, Inc. Method and protection system for mitigating slow HTTP attacks using rate and time monitoring
US8677487B2 (en) 2011-10-18 2014-03-18 Mcafee, Inc. System and method for detecting a malicious command and control channel
EP2792178B1 (en) * 2011-12-12 2018-08-29 Telefonaktiebolaget LM Ericsson (publ) Method for detection of persistent malware on a network node
US9565120B2 (en) * 2012-01-30 2017-02-07 Broadcom Corporation Method and system for performing distributed deep-packet inspection
US9264402B2 (en) 2012-02-20 2016-02-16 Virtustream Canada Holdings, Inc. Systems involving firewall of virtual machine traffic and methods of processing information associated with same
US9596286B2 (en) 2012-05-25 2017-03-14 A10 Networks, Inc. Method to process HTTP header with hardware assistance
WO2014021863A1 (en) 2012-07-31 2014-02-06 Hewlett-Packard Development Company, L.P. Network traffic processing system
CN104704788A (en) 2012-09-14 2015-06-10 惠普发展公司,有限责任合伙企业 Determining a load distribution for data units at a packet inspection device
US9135439B2 (en) 2012-10-05 2015-09-15 Trustwave Holdings, Inc. Methods and apparatus to detect risks using application layer protocol headers
US9977900B2 (en) 2012-12-27 2018-05-22 Microsoft Technology Licensing, Llc Identifying web pages in malware distribution networks
US9225737B2 (en) 2013-03-15 2015-12-29 Shape Security, Inc. Detecting the introduction of alien content
WO2015005936A1 (en) 2013-07-12 2015-01-15 Hewlett-Packard Development Company, L.P. Analyzing target software for security vulnerabilities
US20150067472A1 (en) 2013-08-28 2015-03-05 F5 Networks, Inc. Web browser fingerprinting
US9294501B2 (en) * 2013-09-30 2016-03-22 Fireeye, Inc. Fuzzy hash of behavioral results
US9348742B1 (en) 2013-12-18 2016-05-24 Amazon Technologies, Inc. Detecting code alteration based on memory allocation
KR101501669B1 (en) * 2013-12-24 2015-03-12 한국인터넷진흥원 Behavior detection system for detecting abnormal behavior
US9942265B2 (en) * 2014-01-06 2018-04-10 International Business Machines Corporation Preventing application-level denial-of-service in a multi-tenant system
US10944765B2 (en) 2014-01-10 2021-03-09 Red Bend Ltd. Security system for machine to machine cyber attack detection and prevention
US9485262B1 (en) * 2014-03-28 2016-11-01 Juniper Networks, Inc. Detecting past intrusions and attacks based on historical network traffic information
US9705914B2 (en) * 2014-07-23 2017-07-11 Cisco Technology, Inc. Signature creation for unknown attacks
US9749305B1 (en) 2014-08-28 2017-08-29 Amazon Technologies, Inc. Malicious client detection based on usage of negotiable protocols
US9602543B2 (en) 2014-09-09 2017-03-21 Shape Security, Inc. Client/server polymorphism using polymorphic hooks
US20160088001A1 (en) * 2014-09-22 2016-03-24 Alcatel-Lucent Usa Inc. Collaborative deep packet inspection systems and methods
US9043894B1 (en) 2014-11-06 2015-05-26 Palantir Technologies Inc. Malicious software detection in a computing system
US20160173526A1 (en) 2014-12-10 2016-06-16 NxLabs Limited Method and System for Protecting Against Distributed Denial of Service Attacks
US10291589B1 (en) 2014-12-12 2019-05-14 Amazon Technologies, Inc. Session-based access control determinations
KR101600295B1 (en) * 2015-01-06 2016-03-21 한국인터넷진흥원 System for detecting abnomal behaviors using personalized the whole access period use behavior pattern analsis
US20160241560A1 (en) 2015-02-13 2016-08-18 Instart Logic, Inc. Client-site dom api access control
US9503474B2 (en) 2015-02-18 2016-11-22 Vmware, Inc. Identification of trusted websites
US20160308898A1 (en) * 2015-04-20 2016-10-20 Phirelight Security Solutions Inc. Systems and methods for tracking, analyzing and mitigating security threats in networks via a network traffic analysis platform
GB2542175B (en) 2015-09-10 2019-12-04 Openwave Mobility Inc Intermediate network entity

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060117386A1 (en) * 2001-06-13 2006-06-01 Gupta Ramesh M Method and apparatus for detecting intrusions on a computer system
US20070005648A1 (en) * 2005-06-29 2007-01-04 Sbc Knowledge Ventures L.P. Network capacity management system
US20080162679A1 (en) * 2006-12-29 2008-07-03 Ebay Inc. Alerting as to denial of service attacks
US8646081B1 (en) * 2007-10-15 2014-02-04 Sprint Communications Company L.P. Method and system to detect a security event in a packet flow and block the packet flow at an egress point in a communication network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP3308279A4 *

Also Published As

Publication number Publication date
EP3308279A1 (en) 2018-04-18
US20160366161A1 (en) 2016-12-15
JP2018518127A (en) 2018-07-05
US11418520B2 (en) 2022-08-16
EP3308279A4 (en) 2019-01-02

Similar Documents

Publication Publication Date Title
US11418520B2 (en) Passive security analysis with inline active security device
EP3577589B1 (en) Prevention of malicious automation attacks on a web service
US11381629B2 (en) Passive detection of forged web browsers
US10931686B1 (en) Detection of automated requests using session identifiers
US9413776B2 (en) System for finding code in a data flow
Choi et al. A method of DDoS attack detection using HTTP packet pattern and rule engine in cloud computing environment
US11831420B2 (en) Network application firewall
US9294502B1 (en) Method and system for detection of malicious bots
US9398027B2 (en) Data detecting method and apparatus for firewall
US10764311B2 (en) Unsupervised classification of web traffic users
US20160359904A1 (en) Method and system for detection of headless browser bots
US20220263823A1 (en) Packet Processing Method and Apparatus, Device, and Computer-Readable Storage Medium
US11665196B1 (en) Graph stream mining pipeline for efficient subgraph detection
Rebecchi et al. DDoS protection with stateful software‐defined networking
US11140178B1 (en) Methods and system for client side analysis of responses for server purposes
CN106576051A (en) Zero day threat detection using host application/program to user agent mapping
Alani et al. ARP-PROBE: An ARP spoofing detector for Internet of Things networks using explainable deep learning
US10931713B1 (en) Passive detection of genuine web browsers based on security parameters
Ponomarev Intrusion Detection System of industrial control networks using network telemetry
Yan et al. Anti‐virus in‐the‐cloud service: are we ready for the security evolution?
JP2022541250A (en) Inline malware detection
Sabaz et al. Systematic Literature Review on Security Vulnerabilities and Attack Methods in Web Services
Plazas Olaya et al. Securing Microservices‐Based IoT Networks: Real‐Time Anomaly Detection Using Machine Learning
Sokol et al. Data control in virtual honeynets based on operating system-level virtualization
Jyothi Hardware Accelerated-and-Assisted Novel Network Security Architectures

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16812215

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2017566003

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 2016812215

Country of ref document: EP