WO2022228647A1 - Method and enforcement unit for supervising connections in a computer network - Google Patents


Info

Publication number
WO2022228647A1
Authority
WO
WIPO (PCT)
Prior art keywords
unit
client
computer
host
address
Application number
PCT/EP2021/060818
Other languages
French (fr)
Inventor
Omer ANSON
Irena BEREZOVSKY
Dima KUZNETSOV
Natan BROSZTEIN
Original Assignee
Huawei Cloud Computing Technologies Co., Ltd.
Application filed by Huawei Cloud Computing Technologies Co., Ltd.
Priority to PCT/EP2021/060818 (WO2022228647A1)
Priority to CN202180097210.5A (CN117203942A)
Publication of WO2022228647A1

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security › H04L63/02 for separating internal from external traffic, e.g. firewalls › H04L63/0227 Filtering policies › H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/00 › H04L63/02 › H04L63/0227 Filtering policies › H04L63/0263 Rule management
    • H04L63/00 › H04L63/10 for controlling access to devices or network resources › H04L63/101 Access control lists [ACL]
    • H04L61/00 Network arrangements, protocols or services for addressing or naming › H04L61/45 Network directories; Name-to-address mapping › H04L61/4505 using standardised directories; using standardised directory access protocols › H04L61/4511 using domain name system [DNS]

Definitions

  • The disclosure relates generally to a method of supervising connections in a computer network that includes one or more client units, one or more host units and an enforcement unit, and more particularly to an enforcement unit for use in a computer network in which a client computer can connect to a plurality of host computers.
  • A device that communicates with pre-defined (hard-coded) IP addresses is reachable by anyone, anywhere, directly from the internet, which includes cybercriminals.
  • Pre-defined IP addresses let requests flow freely to the device; that traffic includes spam and attempts to take control of the device.
  • Connections to pre-defined IP addresses are usually attributable to bugs, malware, or darknet traffic rather than to a legitimate name lookup.
  • Such bugs may be in the implementation or in the design that hard-codes the address.
  • Malware typically attempts to connect to a known remote server by address.
  • A pre-defined IP address may also be a botnet endpoint; a remotely controlled botnet can launch threats on a far larger scale than individual viruses.
  • The disclosure provides a method of supervising connections in a computer network including one or more client units, one or more host units and an enforcement unit, and an enforcement unit for use in a computer network in which a client computer can connect to a plurality of host computers.
  • In the method of supervising connections, the enforcement unit is arranged to monitor connections in the computer network and to allow or deny connections based on a dynamic set of rules.
  • the method includes detecting a message from an address resolving unit, and the message includes an IP address.
  • the method includes obtaining the IP address from the message.
  • the method includes checking that the message was sent as a response to a request from a first client unit of the one or more client units, and that the IP address corresponds to the host name stated in the request.
  • the method includes adding a new rule to the dynamic set of rules; the new rule allows a connection between the first client unit and the IP address only if the message is found to be a response to the request and the IP address corresponds to the host name.
  • in other words, a client may only connect to IP addresses it obtained by resolving a host name: the resolved address is bound to the request that produced it.
  • connections to hard-coded IP addresses, whether introduced by bugs, darknet scanning, or malware servers not registered in DNS, therefore never match a rule and are blocked, which improves security.
  • security can be increased further by adding host-name-based black-listing and white-listing and DNS-server black-listing and white-listing, and by supporting malware prevention.
  • the check includes verifying that the request was received by the enforcement unit before the message (a response with no preceding request is unsolicited and creates no rule).
  • the new rule may include a timeframe defining the time period during which it is active; the method optionally includes deactivating the new rule after this period.
  • the new rule may include a maximum number of packets;
  • the method optionally includes deactivating the new rule after that maximum number of packets has been received for the connection.
  • the method may include deactivating the new rule upon reception, in a firewall unit, of an outbound packet from the client computer to the host (a single-use pin-hole).
  • the enforcement unit is optionally located in a firewall unit arranged to monitor connections between the one or more client units and the one or more host units.
  • the enforcement unit may instead be located in the first client unit and implement the new rule as a hook in a computer function that initiates a connection to a host.
  • the enforcement unit may also be located in a local server in the local network that includes the one or more client units.
  • a computer program product for use in a monitoring unit in a network in which a client device can connect to one or more host devices.
  • the monitoring unit is arranged to allow or deny connections based on a dynamic set of rules.
  • the computer program product includes computer-readable code which, when run in a processor, causes the monitoring unit to perform the method.
  • the computer program product requires no manual intervention: it is an automatic mechanism in the computer network that allows or denies connections based on the dynamic set of rules.
  • the computer program product may include a non-transitory storage that stores the computer-readable code.
  • an enforcement unit for use in a network in which a client device can connect to one or more host devices.
  • the enforcement unit is arranged to allow or deny connections based on a dynamic set of rules.
  • the enforcement unit includes a control unit arranged to perform the method.
  • the enforcement unit may be included in a firewall unit and arranged to monitor connections between the client computer and the one or more host units.
  • the control unit may be arranged to monitor connections between the client computer and the one or more host units.
  • the enforcement unit may be included in a first client computer.
  • the control unit may be arranged to implement the new rule as a hook in a computer function that initiates a connection to a host.
  • the enforcement unit may be included in a local server unit in the local network that includes the client computer.
  • the control unit may be located in the local server in the local network including the one or more client units.
  • the enforcement unit restricts the client to the IP addresses it obtained by resolving host names, thereby improving the security of the client computer.
  • the enforcement unit tracks the requests and responses in the computer network in order to perform the method.
  • a computer network including one or more client computers, one or more host computers, and a firewall unit that monitors traffic between the one or more client computers and the one or more host computers and blocks undesired traffic.
  • the network includes an enforcement unit that performs the above method.
  • the method and the enforcement unit provided in the disclosure enable supervision of the connections in the network and restrict connections to resolved host names, thereby improving security.
  • FIG. 1 is a block diagram that illustrates an enforcement unit for use in a computer network in accordance with an implementation of the disclosure
  • FIG. 2 is a block diagram that illustrates a computer network including one or more client computers, one or more host computers and a firewall unit in accordance with an implementation of the disclosure;
  • FIG. 3A is an exemplary diagram that illustrates a flow of information in a computer network when an enforcement unit is located on a client computer in accordance with an implementation of the disclosure
  • FIG. 3B is an exemplary diagram that illustrates a flow of response from the enforcement unit in accordance with an implementation of the disclosure
  • FIG. 4 is an interaction diagram that illustrates a flow of an event received from the client computer in a computer network in accordance with an implementation of the disclosure
  • FIG. 5 is a flow diagram of a method of supervising connections in a computer network in accordance with an implementation of the disclosure
  • FIG. 6 is an illustration of an exemplary computing arrangement in which the various architectures and functionalities of the various previous implementations may be implemented.
  • Implementations of the disclosure provide a method of supervising connections in a computer network including one or more client units and one or more host units and an enforcement unit, and the enforcement unit for use in the computer network for supervising connections in the computer network.
  • FIG. 1 is a block diagram that illustrates an enforcement unit 106 for use in a computer network 100 in accordance with an implementation of the disclosure.
  • the computer network 100 includes a client computer 102, a communication network 104, and one or more host computers/units 108A-N.
  • the computer network 100 is communicatively connected to the enforcement unit 106.
  • the enforcement unit 106 enables the client computer 102 to connect to the one or more host computers 108A-N.
  • the enforcement unit 106 is arranged to allow or deny the connections based on a dynamic set of rules.
  • the enforcement unit 106 includes a control unit 107 that is arranged to detect a message from an address resolving unit.
  • the message includes an IP address.
  • the control unit 107 is arranged to obtain the IP address from the message.
  • the control unit 107 is arranged to check that the message was sent as a response to a request from a first client computer (e.g. the client computer 102) of the one or more client computers/units, and that the IP address corresponds to a host name stated in the request.
  • the control unit 107 is arranged to add a new rule to the dynamic set of rules. The new rule allows a connection between the first client computer and the IP address only if the message is found to be a response to the request and the IP address corresponds to the host name.
  • the enforcement unit 106 thus binds permitted IP addresses to the host-name requests that produced them: only an address returned for a request may be connected to, so connections to hard-coded IPs (from bugs, darknet scanning, or unregistered malware server addresses) are blocked.
  • the enforcement unit 106 further improves security by adding host-name-based black-listing and white-listing and DNS-server black-listing and white-listing. This mechanism supports malware prevention.
  • the enforcement unit 106 processes and monitors connections automatically and allows or denies connections between the client computer 102 and the one or more host units 108A-N.
  • the address resolving unit may be a name server or a local file (e.g. a hosts file).
  • a message may also arrive unsolicited, i.e. without any request having been initiated by the client computer 102; such a message may be malicious (for example an injected response) and must not create a rule.
  • the host name may be associated with any of the one or more host computers 108A-N.
  • the control unit 107 therefore optionally checks that the request was received by the enforcement unit 106 before the message.
  • the request may be a Domain Name System (DNS) request for the requested host name.
  • the response may be a DNS response that is returned to, and observed by, the enforcement unit 106.
  • the requested host name may be associated with any of the one or more host computers 108A-N.
  • the enforcement unit 106 is configured to track the DNS requests and DNS responses travelling from and to the computer network 100.
  • the rules in the dynamic set are dynamic and temporary; their content depends on data in the DNS response.
  • each new rule is likewise dynamic and temporary.
  • the new rule may include a timeframe defining a time period during which it is active, and the control unit 107 may deactivate the new rule after that period.
  • the new rule may include a maximum number of packets, and the control unit 107 may deactivate the new rule after that maximum number of packets has been received for the connection.
  • the control unit 107 may deactivate the new rule upon reception in a firewall unit of an outbound packet.
  • the outbound packet may be from the client computer 102 to a host.
  • the computer network 100 thus creates pin-holes only for IP addresses that are known to belong to host names, and constrains the client device to connecting to those host names.
  • the enforcement unit 106 may be located in the firewall unit and arranged to monitor the connections between the client computer 102 and the one or more host computers 108A-N.
  • the client computer 102 can connect to the one or more host computers 108A-N through the enforcement unit 106 in the computer network 100.
  • the enforcement unit 106 allows or denies the connections based on the dynamic set of rules.
  • the enforcement unit 106 includes a control unit for supervising the connections.
  • the enforcement unit 106 may employ an enforcing mechanism to monitor and supervise the connections.
  • the enforcement unit 106 allows or denies a connection based on the response observed in the computer network 100.
  • the mechanism notes the requested host name by sniffing host-name lookups, notes the IP address returned in the response message, verifies that the response matches the request, and updates the enforcement unit 106 to allow or deny the connection.
  • this mechanism ties each permitted IP address to the host name or domain of the one or more host computers 108A-N that the client actually looked up.
  • the enforcement unit 106 sniffs host-name lookups from local clients.
  • a local DNS server may be one of these local clients.
  • host-name lookups may be observed in a firewall, through hooks in getaddrinfo, or at the local DNS server.
  • observation in the firewall may use any of iptables, eBPF or netfilter.
  • the enforcement unit 106 can provide different granularity and resolution: process-based and session-based enforcement of host-name-based connections, or global, system-wide enforcement of host-name-based connections.
  • the enforcement unit 106 may provide fine-grained, per-process granularity.
  • when the DNS response is received from the local clients, the enforcement unit 106 identifies the IP address returned in the message and updates its rules.
  • the update may be applied in the firewall, or in hooks on the connect and send system calls.
  • the enforcement unit 106 may be located in the client computer 102 and arranged to implement the new rule as hooks in a computer function that initiates a connection to a host.
  • the enforcement unit 106 may be included in a first client computer, with the control unit 107 arranged to perform the mechanism.
  • a new rule may be process-specific, have a timeout, or have a match limit.
  • the timeout can be a default or the Time to Live (TTL) provided by a DNS server.
  • the match limit may permit the IP address to be used a determined number of times, or for a determined number of sessions only.
  • the match limit supports multiple protocols, including Transmission Control Protocol (TCP) sessions and User Datagram Protocol (UDP) sessions.
  • the enforcement unit 106 in the computer network 100, in which the client computer 102 can connect to one or more host computers 108A-N, includes the control unit arranged to perform the mechanism.
  • the computer network 100 includes one or more client computers, one or more host computers 108A-N and the firewall unit, which monitors traffic between the one or more client computers and the one or more host computers 108A-N and blocks undesired traffic.
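The sniff-match-update mechanism described above (note the requested host name, note the returned address, verify the response matches the request) can be made concrete. The following Python is an added example written for this page, not code from the patent or from Huawei. It parses the DNS wire format, keys pending lookups by (client address, client UDP port, transaction ID), and yields (client, ip, ttl) tuples for a pin-hole only when a response answers a lookup that was seen first and the answered name is the name that was asked for; an unsolicited or mismatched response yields nothing. The packets are constructed inline, the names RequestTracker, build_query and build_response are chosen here, and CNAME chasing is deliberately left out.

```python
"""Request/response matching for a DNS-sniffing enforcement unit (added example)."""
import struct

A_RECORD = 1


def encode_name(name):
    """Wire-encode a host name as length-prefixed labels plus the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                         # compression pointer
            if end is None:
                end = off + 2                               # name ends after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if end is not None else off)


def build_query(txid, qname):
    """Constructed A query (flags: RD set)."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return hdr + encode_name(qname) + struct.pack("!HH", A_RECORD, 1)


def build_response(txid, qname, ips, ttl):
    """Constructed response (flags: QR, RD, RA); answer names point back at the question."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    msg = hdr + encode_name(qname) + struct.pack("!HH", A_RECORD, 1)
    for ip in ips:
        rdata = bytes(int(o) for o in ip.split("."))
        msg += b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, 1, ttl, 4) + rdata
    return msg


def parse_dns(msg):
    """Return txid, QR flag, the question list and every A record in the answer section."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        qtype, _ = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == A_RECORD and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


class RequestTracker:
    """Remembers lookups seen leaving each client and validates the replies.

    A reply only counts if a request with the same (client, port, txid) key was
    seen first and the reply's question and answers carry that request's name.
    """

    def __init__(self):
        self.pending = {}

    def saw_request(self, client, sport, msg):
        q = parse_dns(msg)
        if q["is_response"] or not q["questions"]:
            return
        self.pending[(client, sport, q["txid"])] = q["questions"][0][0]

    def saw_response(self, client, dport, msg):
        """Return [(client, ip, ttl), ...] to pin-hole, or None if unsolicited or mismatched."""
        r = parse_dns(msg)
        key = (client, dport, r["txid"])
        qname = self.pending.get(key)
        if not r["is_response"] or qname is None:
            return None                                     # nobody asked: open nothing
        if r["questions"] and r["questions"][0][0] != qname:
            return None                                     # answer for a different name
        del self.pending[key]                               # one response per request
        rules = [(client, ip, ttl) for name, ip, ttl in r["answers"] if name == qname]
        return rules or None


if __name__ == "__main__":
    t = RequestTracker()
    t.saw_request("10.0.0.5", 40000, build_query(0x1234, "server.com"))
    print(t.saw_response("10.0.0.5", 40000, build_response(0x1234, "server.com", ["203.0.113.10"], 300)))
    print(t.saw_response("10.0.0.5", 40000, build_response(0x1234, "server.com", ["203.0.113.10"], 300)))
```

Matching on the client's source port and transaction ID as well as the name is what stops a response injected from elsewhere (the unsolicited case the description warns about) from opening a pin-hole; a real deployment would additionally check that the reply came from the resolver the request was sent to.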
  • FIG. 2 is a block diagram that illustrates a computer network 200 including one or more client computers/units 202A-N, one or more host computers 206A-N, and a firewall unit 208 in accordance with an implementation of the disclosure.
  • the block diagram shows the computer network 200 including the one or more client computers 202A-N, a communication network 204, the one or more host computers 206A-N, and the firewall unit 208.
  • the firewall unit 208 monitors traffic between the one or more client computers 202A-N and the one or more host computers 206A-N and blocks undesired traffic.
  • the computer network 200 further includes an enforcement unit.
  • FIG. 3A is an exemplary diagram that illustrates a flow of information in a computer network when an enforcement unit 306 is located on a client computer 302 in accordance with an implementation of the disclosure.
  • the exemplary diagram includes the client computer 302 that includes a client application 304 and the enforcement unit 306, a firewall unit 308, a local DNS server 310 associated with an internal network 314, and a DNS server 312 associated with an external network 316.
  • the client computer 302 sends a request into the computer network.
  • the one or more clients may send the request using the client application 304.
  • the request may be information or a message; the IP address is carried in the response to it.
  • the internal network 314 receives the request from the client application 304.
  • the internal network 314 is communicatively connected to the local DNS server 310 and the firewall unit 308.
  • the local DNS server 310 may forward the request to the external network 316 through the firewall unit 308.
  • the firewall unit 308 is the gateway between the internal network 314 and the external network 316.
  • the external network 316 is communicatively connected to the DNS server 312.
  • the external network 316 may carry the request to the DNS server 312, and the DNS server 312 may return a response for the request to the external network 316.
  • the local DNS server 310 may forward the response received from the DNS server 312 to the client computer 302.
  • the enforcement unit 306 in the client computer 302 sniffs both the request and the response in order to monitor the connections and allow or deny them based on a dynamic set of rules.
  • FIG. 3B is an exemplary diagram that illustrates a flow of a response that is received from the enforcement unit 306 in accordance with an implementation of the disclosure.
  • the client computer 302 looks up a host.
  • the host may be "server.com".
  • the enforcement unit 306 observes the lookup, e.g. through DNS or the hosts file.
  • the local DNS server 310 returns an IP address in response to the lookup from the client computer 302.
  • the enforcement unit 306 creates a local rule in the dynamic set of rules for that IP address and sets a trigger (timeout or match limit) based on its configuration.
  • if a rule for the IP address already exists, the enforcement unit 306 updates it;
  • the existing rule is overwritten by the new one, i.e. refreshed.
  • the client computer 302 then sends a request to the IP address using the client application 304.
  • the DNS server 312 receives the request and sends a response to the client computer 302.
  • the enforcement unit 306 receives the response from the DNS server 312 and passes it to the client application 304.
  • the enforcement unit 306 deletes the local rule when its trigger condition occurs.
  • once the local rule has been deleted, the enforcement unit 306 drops further packets from the client application 304 that were permitted only by that rule.
  • FIG. 4 is an interaction diagram that illustrates a flow of an event from a client computer 401 in a computer network in accordance with an implementation of the disclosure.
  • the client computer 401 looks up a host, e.g. "server.com".
  • the lookup is performed at an address resolving unit 403, using either a DNS server or the hosts file.
  • the client computer 401 connects through an enforcement unit 405.
  • the address resolving unit 403 returns an IP address, which the client computer 401 uses when connecting through the enforcement unit 405.
  • the IP address may be 179.285.71.74 (the patent's illustrative value; note that the octet 285 is out of range for IPv4).
  • the client computer 401 is connected to the host at that IP address by the enforcement unit 405.
  • the enforcement unit 405 adds a new rule to the dynamic set of rules.
  • the new rule may read: Process "Client device" > 179.285.71.74: ACCEPT.
  • the enforcement unit 405 sets a timeout 407 from the TTL if the looked-up record carries one.
  • if the DNS record carries no TTL, the enforcement unit 405 sets the timeout 407 to a predefined interval.
  • the client computer 401 then requests a connection to the IP address through the enforcement unit 405.
  • the enforcement unit 405 establishes the connection to the IP address.
  • when there is no TTL, the IP address may be used only once and the rule is deleted after that use, as follows:
  • the enforcement unit 405 forwards the request to the server 409 at the IP address.
  • the server 409 returns a response to the enforcement unit 405.
  • the connection is established and the enforcement unit 405 passes the response from the server 409 to the client computer 401.
  • the rule is deleted when the timeout 407 is reached.
  • if the client computer 401 then sends additional packets to the IP address, they are dropped at the enforcement unit 405.
  • FIG. 5 is a flow diagram of a method of supervising connections in a computer network in accordance with an implementation of the disclosure.
  • the computer network includes one or more client units, one or more host units and an enforcement unit arranged to monitor connections in the computer network and to allow or deny connections based on a dynamic set of rules.
  • a message from an address resolving unit is detected.
  • the message includes an IP address.
  • the IP address is obtained from the message.
  • a step 506 checks that the message was sent as a response to a request from a first client unit of the one or more client units, and that the IP address corresponds to a host name stated in the request.
  • a new rule is added to the dynamic set of rules. The new rule allows a connection between the first client unit and the IP address only if the message is found to be a response to the request and the IP address corresponds to the host name.
  • the method thereby restricts the client to connecting to IP addresses obtained by resolving the host name.
  • connections to hard-coded IP addresses (from bugs, darknet scanning, or malware server addresses not registered in DNS) are blocked, thereby improving security.
  • security can be increased further by adding host-name-based black-listing and white-listing and DNS-server black-listing and white-listing, and by supporting malware prevention.
  • the method tracks the requests and responses in the network.
  • the method requires no manual intervention, since it is an automatic mechanism in the computer network that allows or denies connections based on the dynamic set of rules.
  • the check that the request was received by the enforcement unit before the message may be complemented by the following, non-limiting options:
  • the new rule includes a timeframe defining the time period during which it is active, and the method optionally includes deactivating the new rule after that period.
  • the new rule includes a maximum number of packets, and the method optionally includes deactivating the new rule after that maximum number of packets has been received for the connection.
  • the method may include deactivating the new rule upon reception, in a firewall unit, of an outbound packet from a client device to the host.
  • the enforcement unit may be located on the firewall unit arranged to monitor the connections between one or more clients and one or more hosts.
  • in a firewall-based deployment, the computer network may first allow outgoing traffic to an external DNS server (i.e. a remote host).
  • the following rule allows the local DNS server to reach the external DNS server: iptables -A OUTPUT -d <DNS SERVER> -p udp --dport 53 -j ACCEPT
  • the local DNS server forwards DNS requests to the external DNS server.
  • the local DNS server receives the response to each DNS request from the external DNS server.
  • the local DNS server then updates the local firewall with a specific rule for the outgoing traffic: iptables -A OUTPUT -d <IP address from response> -m owner --pid-owner <PID> -j ACCEPT. Note that the xt_owner match in current Linux kernels supports only --uid-owner and --gid-owner; --pid-owner was removed long ago, so a per-process rule of this exact form needs an old kernel or a different mechanism (such as the system-call hooks described below), whereas a per-user rule with --uid-owner works today.
  • the owning PID may be retrieved by scanning /proc/<pid>/net (or /proc/net) for the client's connection (e.g. the UDP connection) to the local DNS server.
  • the local DNS server creates a timer from the TTL field of the response, or a default timeout.
  • the default timeout is the amount of time the pin-hole stays open for the UDP connection on the local DNS server and in the computer network; normally it is about 60 seconds.
  • on receiving the response from the external DNS server, the local DNS server forwards it to the client computer.
  • when the client computer connects to the remote host, the connection matches the newly added pin-hole rule.
  • when the client computer sends additional packets on the same session, the existing connection matches the dynamic set of rules and the computer network allows them.
  • the local DNS server may include a netfilter queue handler to support the match limit: it checks the queue handler for events and deletes the relevant rules from the dynamic set once a matching packet has been seen.
  • an enforcement unit may be implemented using library function hooks.
  • the library function hooks intercept function calls, events or messages in order to allow or deny a connection from the client computer.
  • the hooks may be placed on getaddrinfo, connect and sendto.
  • the hooks in connect, sendto and sendmsg may use seccomp-eBPF. For the connect and sendto hooks, the IP address, PID and a timeout timestamp are installed in an eBPF map. If the rule already exists in the dynamic set of rules, it is overwritten with the same rule. In getaddrinfo, the IP address for the given host name is looked up; when no TTL is given, the IP address is tagged for single use.
  • the client computer connects to hosts (including the DNS server) through the computer network via these hooks.
  • the hooks may be on system calls such as connect, sendto or sendmsg, or on operating system services.
  • the hooks may be installed on the system calls.
  • on a connection attempt, the destination IP address and PID are looked up in the eBPF map.
  • if the timeout timestamp is in the past, the entry is removed from the dynamic set of rules, there is no match, and the connection is denied. If the entry matches, the system call is permitted and the connection allowed.
  • if the IP address is marked as single use, it is removed from the eBPF map when it is used.
  • if a single-use entry cannot be removed because it has already been consumed, the system call is rejected.
  • a hook on the exit system call can be added on the client computer to remove all of the PID's rules.
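The rule lifecycle described for the system-call hook variant above, and earlier for the FIG. 4 flow (timeout taken from the TTL or a default, single-use tagging when no TTL is given, overwriting an existing entry, denying a stale or never-resolved destination, and clearing a PID's entries on exit), is shown below as an added Python example; it is not the patent's code. DynamicRuleSet emulates the (IP, PID) to timeout-timestamp map in userspace, the 60-second default is the one the description mentions, and the clock is passed in as `now` so the sequence is reproducible; the name and method names are chosen here.

```python
"""Lifecycle of process-scoped pin-hole rules (added example, not the patent's code)."""
import time
from dataclasses import dataclass
from typing import Optional

DEFAULT_TIMEOUT = 60.0   # seconds; assumed default when the DNS record carries no TTL


@dataclass
class PinHole:
    expires_at: float
    matches_left: Optional[int]   # None = unlimited until expiry; 1 = single use


class DynamicRuleSet:
    """Userspace stand-in for the (IP, PID) -> timeout map a connect()/sendto() hook consults."""

    def __init__(self, default_timeout=DEFAULT_TIMEOUT):
        self.rules = {}                  # (pid, ip) -> PinHole
        self.default_timeout = default_timeout

    def add_rule(self, pid, ip, ttl=None, now=None):
        """Called when a resolved address is handed to `pid` (the getaddrinfo hook)."""
        now = time.time() if now is None else now
        if ttl is None:
            rule = PinHole(now + self.default_timeout, 1)   # no TTL: default timeout, single use
        else:
            rule = PinHole(now + ttl, None)
        self.rules[(pid, ip)] = rule                         # an existing entry is overwritten
        return rule

    def allow_connect(self, pid, ip, now=None):
        """Decision for connect()/sendto()/sendmsg() from `pid` to `ip`: True permits, False denies."""
        now = time.time() if now is None else now
        rule = self.rules.get((pid, ip))
        if rule is None:
            return False                 # no lookup preceded this: hard-coded or foreign address
        if rule.expires_at <= now:
            del self.rules[(pid, ip)]    # timestamp in the past: remove, no match
            return False
        if rule.matches_left is not None:
            rule.matches_left -= 1
            if rule.matches_left == 0:
                del self.rules[(pid, ip)]   # single-use entry consumed together with the allow
        return True

    def process_exited(self, pid):
        """exit() hook: drop every rule the process held."""
        for key in [k for k in self.rules if k[0] == pid]:
            del self.rules[key]

    def expire(self, now=None):
        """Periodic sweep for deployments driven by a timer; returns the number of live rules."""
        now = time.time() if now is None else now
        for key in [k for k, r in self.rules.items() if r.expires_at <= now]:
            del self.rules[key]
        return len(self.rules)


if __name__ == "__main__":
    rs = DynamicRuleSet()
    rs.add_rule(4242, "203.0.113.10", ttl=300, now=1000.0)    # answer with a TTL
    rs.add_rule(4242, "198.51.100.7", now=1000.0)             # answer without TTL: single use
    print(rs.allow_connect(4242, "203.0.113.10", now=1001.0))  # True
    print(rs.allow_connect(4242, "198.51.100.7", now=1001.0))  # True
    print(rs.allow_connect(4242, "198.51.100.7", now=1002.0))  # False, consumed
    print(rs.allow_connect(4242, "203.0.113.10", now=1301.0))  # False, expired
```

Checking expiry at connect time rather than only from a timer means a client cannot keep using an address after the answer that produced it has aged out, and keying on the PID means a second process cannot ride on another process's lookup.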
  • the computer program product includes a computer readable code that when run in a processor will cause the monitoring unit to perform the enforcing mechanism.
  • the computer program product optionally includes a non-transitory storage that stores the computer readable code.
  • FIG. 6 is an illustration of an exemplary computing arrangement 600 in which the various architectures and functionalities of the various previous implementations may be implemented.
  • the computing arrangement 600 includes at least one processor 604 that is connected to a bus 602, wherein the computing arrangement 600 may be implemented using any suitable protocol, such as PCI (Peripheral Component Interconnect), PCI-Express, AGP (Accelerated Graphics Port), HyperTransport, or any other bus or point-to-point communication protocol (s).
  • the computing arrangement 600 also includes a memory 606.
  • Control logic (software) and data are stored in the memory 606 which may take the form of random-access memory (RAM).
  • a single semiconductor platform may refer to a sole unitary semiconductor-based integrated circuit or chip. The term may also refer to multi-chip modules with increased connectivity which simulate on-chip operation and make substantial improvements over a conventional central processing unit (CPU) and bus implementation. The various modules may also be situated separately or in various combinations of semiconductor platforms, per the desires of the user.
  • the computing arrangement 600 may also include a secondary storage 610.
  • the secondary storage 610 includes, for example, a hard disk drive and a removable storage drive, representing a floppy disk drive, a magnetic tape drive, a compact disk drive, digital versatile disk (DVD) drive, recording device, universal serial bus (USB) flash memory.
  • the removable storage drive at least one of reads from and writes to a removable storage unit in a well-known manner.
  • Computer programs, or computer control logic algorithms may be stored in at least one of the memory 606 and the secondary storage 610. Such computer programs, when executed, enable the computing arrangement 600 to perform various functions as described in the foregoing.
  • the memory 606, the secondary storage 610, and any other storage are possible examples of computer-readable media.
  • the architectures and functionalities depicted in the various previous figures may be implemented in the context of the processor 604, a graphics processor coupled to a communication interface 612, an integrated circuit (not shown) that is capable of at least a portion of the capabilities of both the processor 604 and a graphics processor, a chipset (i.e., a group of integrated circuits designed to work and sold as a unit for performing related functions, etc.).
  • the architectures and functionalities depicted in the various previous figures may be implemented in the context of a general computer system, a circuit board system, a game console system dedicated for entertainment purposes, an application-specific system.
  • the computing arrangement 600 may take the form of a desktop computer, a laptop computer, a server, a workstation, a game console, an embedded system.
  • the computing arrangement 600 may take the form of various other devices including, but not limited to a personal digital assistant (PDA) device, a mobile phone device, a smart phone, a television, etc. Additionally, although not shown, the computing arrangement 600 may be coupled to a network (e.g., a telecommunications network, a local area network (LAN), a wireless network, a wide area network (WAN) such as the Internet, a peer-to-peer network, a cable network, or the like) for communication purposes through an I/O interface 608.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Provided is a method for supervising connections in a computer network (100, 200) including one or more client units (202A-N), one or more host units (108A-N, 206A-N) and an enforcement unit (106, 306) arranged to monitor connections in the computer network and allow or deny connections based on a dynamic set of rules. The method includes detecting a message from an address resolving unit (403). The method includes obtaining an IP address from the message and checking that the message is sent as a response to a request with a host name from a first client unit of the one or more client units. The method includes adding a new rule to the dynamic set of rules that allows a connection between the first client unit and the IP address only if the message is found to be in response to the request and the IP address corresponds to the host name.

Description

METHOD AND ENFORCEMENT UNIT FOR SUPERVISING CONNECTIONS
IN A COMPUTER NETWORK
TECHNICAL FIELD
The disclosure relates generally to a method of supervising connections in a computer network including one or more client units, one or more host units and an enforcement unit, and more particularly, the disclosure relates to an enforcement unit for use in the computer network in which a client computer can connect to a plurality of host computers.
BACKGROUND
Every online action requires data to be exchanged between one or more devices and host servers, and each device has its own IP address. To remap and preserve IP addresses, NAT (Network Address Translation) was conceived, which uses one external public IP address for all the devices. When a packet is received from a device, the NAT notes which device sent the packet and substitutes the device’s address with the external public IP before forwarding the packet. The NAT forwards a response packet arriving at the common address into the provider’s internal network. But NAT does not allow connecting to the device from the internet, as a packet sent to the public IP address goes precisely nowhere when its target is unknown. Packet loss may also occur on the path from the device to the external server over the network. Legitimate connections over the internet are based on hostnames, but the IP addresses used to connect to the required host come from the response received from the server.
IP addresses that are pre-defined allow anyone, anywhere to connect to the device directly from the internet. That may include cybercriminals. The pre-defined IP addresses allow requests to flow freely to the device, and that traffic includes spam and attempts to take control of the device. Connections on pre-defined IP addresses usually belong to attempts to connect with the device, bugs, malware, or darknet. The bugs may be either in the implementation of the pre-defined IP addresses or in the design. Malware attempts to connect to a known remote server. A pre-defined IP address may also belong to a botnet that is remotely controlled and used to launch threats more massive than viruses. Security is clearly not in view for those pre-defined IP addresses, and the connections are neither supervised nor enforced; hard-coded IP address-based functions are undesired and should be blocked. And in an institution, there is no way to enforce connections by hostnames in pre-defined IP address network traffic.
Therefore, there arises a need to address the aforementioned technical drawbacks in existing systems or technologies in enforcing connections in a computer network.
SUMMARY
It is an object of the disclosure to provide a method of supervising connections in a computer network including one or more client units and one or more host units and an enforcement unit, and the enforcement unit for use in the computer network in which a client computer can connect to a plurality of host computers while avoiding one or more disadvantages of prior art approaches.
This object is achieved by features of the independent claims. Further implementation forms are apparent from the dependent claims, the description, and the figures.
The disclosure provides a method of supervising connections in a computer network including one or more client units and one or more host units and the enforcement unit, and an enforcement unit for use in the computer network in which a client computer can connect to a plurality of host computers.
According to a first aspect, there is provided a method of supervising connections in a computer network including one or more client units and one or more host units, and an enforcement unit is arranged to monitor connections in the computer network and allow or deny connections based on a dynamic set of rules. The method includes detecting a message from an address resolving unit, and the message includes an IP address. The method includes obtaining the IP address from the message. The method includes checking that the message is sent as a response to a request from a first client unit of the one or more client units, the IP address corresponding to a host name stated in the request. The method includes adding a new rule in the dynamic set of rules, the new rule allowing a connection between the first client unit and the IP address only if the message is found to be in response to the request and the IP address corresponds to the host name.
The method enforces that the IP address used to connect to a host name is the one returned for the request. The connection does not use any hard-coded IP addresses, such as those of bugs, darknet, or unregistered malware servers, thereby improving security. The method further increases security by adding hostname-based black-listing and white-listing and DNS server black-listing and white-listing, and by supporting malware prevention.
Optionally, the checking includes that the request has been received in the enforcement unit prior to the message.
The new rule includes a timeframe defining the time period during which the new rule is active, and the method optionally includes a step of deactivating the new rule after this time period.
The new rule includes a maximum number of packets, and the method optionally includes the step of deactivating the new rule after the maximum number of packets has been received for the connection.
Optionally, the method includes the step of deactivating the new rule upon reception in a firewall unit of an outbound packet from the client computer to the host.
The enforcement unit is optionally located in a firewall unit that is arranged to monitor connections between the one or more client units and the one or more host units. The enforcement unit may be located in the first client unit and may be arranged to implement the new rule as a hook in a computer function initiating a connection to a host. The enforcement unit may be located in a local server in a local network including the one or more client units.
According to a second aspect, there is provided a computer program product for use in a monitoring unit in a network in which a client device can connect to one or more host devices. The monitoring unit is arranged to allow or deny connections based on a dynamic set of rules. The computer program product includes computer readable code which, when run in a processor, will cause the monitoring unit to perform the method. The computer program product does not require any manual intervention, as it provides an automatic mechanism in the computer network to allow or deny the connections based on the dynamic set of rules.
Optionally, the computer program product includes a non-transitory storage that stores the computer readable code.
According to a third aspect, there is provided an enforcement unit for use in a network in which a client device can connect to one or more host devices. The enforcement unit is arranged to allow or deny connections based on a dynamic set of rules. The enforcement unit includes a control unit arranged to perform the method. Optionally, the enforcement unit is arranged to be included in a firewall unit and is arranged to monitor connections between the client computer and the one or more host units. The control unit may be arranged to monitor connections between the client computer and the one or more host units.
Optionally, the enforcement unit is arranged to be included in a first client computer. The control unit may be arranged to implement the new rule as a hook in a computer function initiating a connection to a host.
Optionally, the enforcement unit is arranged to be included in a local server unit in a local network including the client computer. The control unit may be located in the local server in the local network including the one or more client units. The enforcement unit enforces that the IP address from the request is the one used to connect to the host names, thereby improving security of the client computer. The enforcement unit is able to track the requests and responses in the computer network to perform the method.
According to a fourth aspect, there is provided a computer network including one or more client computers, one or more host computers, and a firewall unit for monitoring traffic between the one or more client computers and the one or more host computers and blocking undesired traffic. The network includes an enforcement unit to perform the above method. A technical problem in the prior art is resolved, where the technical problem is that connections over the internet based on pre-defined IP addresses can be security risks for the organization.
Therefore, in contradistinction, the method and the enforcement unit provided in the disclosure enable the supervision of the connections in the network and enforce that connections are made to host names, thereby improving security.
These and other aspects of the disclosure will be apparent from the implementation(s) described below.
BRIEF DESCRIPTION OF DRAWINGS
Implementations of the disclosure will now be described, by way of example only, with reference to the following diagrams in which:
FIG. 1 is a block diagram that illustrates an enforcement unit for use in a computer network in accordance with an implementation of the disclosure;
FIG. 2 is a block diagram that illustrates a computer network including one or more client computers, one or more host computers and a firewall unit in accordance with an implementation of the disclosure;
FIG. 3A is an exemplary diagram that illustrates a flow of information in a computer network when an enforcement unit is located on a client computer in accordance with an implementation of the disclosure;
FIG. 3B is an exemplary diagram that illustrates a flow of response from the enforcement unit in accordance with an implementation of the disclosure;
FIG. 4 is an interaction diagram that illustrates a flow of an event received from the client computer in a computer network in accordance with an implementation of the disclosure;
FIG. 5 is a flow diagram of a method of supervising connections in a computer network in accordance with an implementation of the disclosure; and
FIG. 6 is an illustration of an exemplary computing arrangement in which the various architectures and functionalities of the various previous implementations may be implemented.
DETAILED DESCRIPTION
Implementations of the disclosure provide a method of supervising connections in a computer network including one or more client units and one or more host units and an enforcement unit, and the enforcement unit for use in the computer network for supervising connections in the computer network. To make solutions of the disclosure more comprehensible for a person skilled in the art, the following implementations of the disclosure are described with reference to the accompanying drawings.
Terms such as "a first", "a second", "a third", and "a fourth" (if any) in the summary, claims, and the accompanying drawings of the disclosure are used to distinguish between similar objects and are not necessarily used to describe a specific sequence or order. It should be understood that the terms so used are interchangeable under appropriate circumstances, so that the implementations of the disclosure described herein are, for example, capable of being implemented in sequences other than the sequences illustrated or described herein. Furthermore, the terms "include" and "have" and any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process, a method, a system, a product, or a device that includes a series of steps or units, is not necessarily limited to expressly listed steps or units, but may include other steps or units that are not expressly listed or that are inherent to such process, method, product, or device.
FIG. 1 is a block diagram that illustrates an enforcement unit 106 for use in a computer network 100 in accordance with an implementation of the disclosure. The computer network 100 includes a client computer 102, a communication network 104, and one or more host computers/units 108A-N. The computer network 100 is communicatively connected to the enforcement unit 106. The enforcement unit 106 enables the client computer 102 to connect to the one or more host computers 108A-N. The enforcement unit 106 is arranged to allow or deny the connections based on a dynamic set of rules. The enforcement unit 106 includes a control unit 107 that is arranged to detect a message from an address resolving unit. The message includes an IP address. The control unit 107 is arranged to obtain the IP address from the message. The control unit 107 is arranged to check that the message is sent as a response to a request from a first client computer (e.g. the client computer 102) of one or more client computers/units, and the IP address corresponding to a host name stated in the request. The control unit 107 is arranged to add a new rule in the dynamic set of rules. The new rule allows a connection between the first client computer and the IP address only if the message is found to be in response to the request and the IP address corresponds to the host name.
The enforcement unit 106 enforces that the IP address from the request is the one used to connect to the host names, and improves security because only the IP address returned for the request is allowed to be connected to, and the connection does not use any hard-coded IPs, such as those of bugs, darknet, or unregistered malware servers. The enforcement unit 106 further improves security by adding host name-based black-listing and white-listing and DNS server black-listing and white-listing. This mechanism supports malware prevention. The enforcement unit 106 enables automatic processing or monitoring of the connections and allows or denies the connections between the client computer 102 and the one or more host units 108A-N.
The address resolving unit may be a name server or a local file. The message may also be received maliciously, without any request having been initiated by the client computer 102. The host name may be associated with any of the one or more host computers 108A-N.
The control unit 107 optionally checks that the request has been received in the enforcement unit 106 prior to the message. The request may be a Domain Name System (DNS) request that asks for resolution of the requested host name. The response may be a Domain Name System (DNS) response that is returned to the enforcement unit 106. The requested host name may be associated with any of the one or more host computers 108A-N. The enforcement unit 106 is configured to track the DNS requests and the DNS responses from and to the computer network 100.
The rules in the dynamic set are dynamic and temporary, depending on data in the DNS response. The new rules may also be dynamic and temporary. The new rule may include a timeframe defining a time period during which the new rule is active, and the control unit 107 may deactivate the new rule after the time period. The new rule may include a maximum number of packets, and the control unit 107 may deactivate the new rule after the maximum number of packets has been received for the connection. The control unit 107 may deactivate the new rule upon reception in a firewall unit of an outbound packet. The outbound packet may be from the client computer 102 to a host. The computer network 100 creates pin-holes only for IP addresses that are known to belong to host names, and so forces the client device to connect to the host names.
The enforcement unit 106 may be located in the firewall unit and is arranged to monitor the connections between the client computer 102 and the one or more host computers 108A-N. The client computer 102 can connect to the one or more host computers 108A-N through the enforcement unit 106 in the computer network 100. The enforcement unit 106 allows or denies the connections based on the dynamic set of rules. The enforcement unit 106 includes a control unit for supervising the connections. The enforcement unit 106 may employ an enforcing mechanism to monitor and supervise the connections. The enforcement unit 106 allows or denies the connections based on the response from the computer network 100.
The computer network 100 may include a mechanism that is configured to note the requested host name by sniffing host name lookups, note the responded IP address detected from the message, verify that the response matches the request, and update the enforcement unit 106 to allow or deny the connection. This mechanism ties connections to the one or more host computers 108A-N to their host names or domain.
The enforcement unit 106 sniffs host name lookups from local clients. The local clients may include a local DNS server. The hostname lookups may be observed by a firewall, by hooks in getaddrinfo, or from the local DNS server. The firewall used to observe hostname lookups may be any of: iptables, ebpf or netfilter. The enforcement unit 106 can provide different granularity and resolution: process-based and session-based enforcement of hostname-based connections, or global and system-wide enforcement of hostname-based connections. The enforcement unit 106 may provide detailed granularity at the level of all the processes.
When the DNS response is received from the local clients, the enforcement unit 106 identifies the responded IP address in the message and updates its rules. The enforcement unit 106 may be updated via the firewall or via hooks on the connect and send system calls. The enforcement unit 106 may be located in the client computer 102 and is arranged to implement the new rule as hooks in a computer function initiating a connection to a host. Optionally, the enforcement unit 106 is arranged to be included in a first client computer, with the control unit 107 arranged to perform the mechanism.
The new rules may be process specific, have a timeout, or have a match limit. The timeout can be a default or the Time to Live (TTL) provided by a DNS server. The match limit may specify that the IP address can be used a determined number of times, or only for a determined number of sessions. The match limit supports multiple protocols, which may include any of: a Transmission Control Protocol (TCP) session or a User Datagram Protocol (UDP) session. A UDP session may be detected using its 5-tuple.
Optionally, the enforcement unit 106 in the computer network 100, in which the client computer 102 can connect to the one or more host computers 108A-N, includes the control unit arranged to perform the mechanism.
Optionally, the computer network 100 includes one or more client computers, one or more host computers 108A-N and the firewall unit for monitoring traffic between the one or more client computers and the one or more host computers 108A-N and blocking undesired traffic.
FIG. 2 is a block diagram that illustrates a computer network 200 including one or more client computers/units 202A-N, one or more host computers 206A-N, and a firewall unit 208 in accordance with an implementation of the disclosure. The block diagram includes the computer network 200 including the one or more client computers 202A-N, a communication network 204, the one or more host computers 206A-N, and a firewall unit 208. The firewall unit 208 monitors traffic between the one or more client computers 202A-N and the one or more host computers 206A-N and blocks undesired traffic. The computer network 200 further includes an enforcement unit.
FIG. 3A is an exemplary diagram that illustrates a flow of information in a computer network when an enforcement unit 306 is located on a client computer 302 in accordance with an implementation of the disclosure. The exemplary diagram includes the client computer 302 that includes a client application 304 and the enforcement unit 306, a firewall unit 308, a local DNS server 310 associated with an internal network 314, and a DNS server 312 associated with an external network 316. The client computer 302 sends a request to the computer network. The one or more clients may send the request to the computer network using the client application 304. The request may be information or a message, including the IP address. The internal network 314 receives the request from the client application 304. The internal network 314 is communicatively connected with the local DNS server 310 and the firewall unit 308. The local DNS server 310 may send the request to the external network 316 through the firewall unit 308. The firewall unit 308 is a gateway for communicating between the internal network 314 and the external network 316. The external network 316 is communicatively connected with the DNS server 312. The external network 316 may send the request to the DNS server 312, and the DNS server 312 may send a response for the request to the external network 316. The local DNS server 310 may send the response received from the DNS server 312 to the client computer 302. The enforcement unit 306 in the client computer 302 sniffs the request and the response to monitor the connections and allow or deny the connections based on a dynamic set of rules.
FIG. 3B is an exemplary diagram that illustrates a flow of a response that is received from the enforcement unit 306 in accordance with an implementation of the disclosure. The client computer 302 may look up a host. The host may be “server.com”. The enforcement unit 306 may perform a lookup, e.g. via DNS or a hosts file. The local DNS server 310 may send an IP address in response to the lookup from the client computer 302. The enforcement unit 306 may create a local rule in the dynamic set of rules for the IP address and set a trigger based on its configuration. The enforcement unit 306 may update the rule in the dynamic set of rules if the rule already exists, overwriting the existing rule.
The client computer 302 may send a request to the IP address using the client application 304. The DNS server 312 receives the request and sends a response to the client computer 302. The enforcement unit 306 receives the response from the DNS server 312 and sends the response to the client application 304. The enforcement unit 306 deletes the rule if the trigger condition occurs on the local rule. The enforcement unit 306 may drop packets matching the local rule from the client application 304 once the local rule has been deleted.
FIG. 4 is an interaction diagram that illustrates a flow of an event from a client computer 401 in a computer network in accordance with an implementation of the disclosure. At a step 402, the client computer 401 is configured to look up a host, e.g. “server.com”. At a step 404, the lookup is performed at an address resolving unit 403 using any of: a DNS server or hosts. At a step 406, the client computer 401 is enabled to connect to an enforcement unit 405. The address resolving unit 403 may enable the client computer 401 to connect with the enforcement unit 405 with the IP address. The IP address may be 179.285.71.74. At a step 408, the client computer 401 is connected to the host with the IP address by the enforcement unit 405. At a step 410, the enforcement unit 405 is configured to add a new rule to the dynamic set of rules. The new rule may be: Process “Client device” > 179.285.71.74: ACCEPT.
At a step 412, the enforcement unit 405 sets a timeout 407 if the lookup or the new rule includes a TTL. At a step 414, the enforcement unit 405 sets the timeout 407 to a predefined interval if the DNS record does not include a TTL. At a step 416, the IP address is requested from the enforcement unit 405 by the client computer 401. At a step 418, connections are established with the IP address by the enforcement unit 405. At a step 420, the rule is deleted by the enforcement unit 405 if there is no TTL, since the IP address may then be used only once. The rule is deleted by:
Delete rule: Process “Client device” > 179.285.71.74: ACCEPT.
At a step 422, a request is communicated to a server 409 for the IP address by the enforcement unit 405. At a step 424, a response for the IP address is communicated to the enforcement unit 405 by the server 409. At a step 426, the connection is established and the response for the IP address received from the server 409 is communicated to the client computer 401 by the enforcement unit 405. At a step 428, the rule is deleted when the timeout 407 is reached. At a step 430, the IP address for additional packets is requested by the client computer 401 and the additional packet may be dropped at the enforcement unit 405.
FIG. 5 is a flow diagram of a method of supervising connections in a computer network in accordance with an implementation of the disclosure. The computer network includes one or more client units, one or more host units and an enforcement unit arranged to monitor connections in the computer network and allow or deny connections based on a dynamic set of rules. At a step 502, a message from an address resolving unit is detected. The message includes an IP address. At a step 504, the IP address is obtained from the message. At a step 506, it is checked that the message is sent as a response to a request from a first client unit of the one or more client units, the IP address corresponding to a host name stated in the request. At a step 508, a new rule is added to the dynamic set of rules. The new rule allows a connection between the first client unit and the IP address only if the message is found to be in response to the request and the IP address corresponds to the host name.
The method enforces that the IP address used to connect to the host name is the one returned for the request. The connection does not use any hard-coded IP addresses, such as those of bugs, darknet, or unregistered malware servers, thereby improving security. The method further increases security by adding hostname-based black-listing and white-listing and DNS server black-listing and white-listing, and by supporting malware prevention.
The method makes it possible to track the requests and responses in the network. The method does not require any manual intervention, as it includes an automatic mechanism in the computer network to allow or deny the connections based on the dynamic set of rules.
Optionally, the checking includes that the request has been received in an enforcement unit prior to the message.
The new rule includes a timeframe defining the time period during which the new rule is active, and the method optionally includes a step of deactivating the new rule after the time period. The new rule includes a maximum number of packets, and the method optionally includes the step of deactivating the new rule after the maximum number of packets has been received for the connection.
Optionally, the method includes the step of deactivating the new rule upon reception in a firewall unit of an outbound packet from a client device to the host. The enforcement unit may be located on the firewall unit, which is arranged to monitor the connections between one or more clients and one or more hosts.
Optionally, during initialization, the computer network may add an external DNS server (i.e. a remote host) to allow outgoing traffic. Optionally, the following rule allows a local DNS server to connect to the external DNS server: iptables -A OUTPUT -d <DNS SERVER> -p udp --dport 53 -j ACCEPT.
The local DNS server forwards DNS requests to the external DNS server. A response for the DNS requests is received by the local DNS server from the external DNS server. The local DNS server updates a local firewall with a specific rule for outgoing traffic as follows: iptables -A OUTPUT -d <IP address from response> -j ACCEPT -m owner --pid-owner <PID>.
The owner PID may be retrieved by scanning /proc/<pid>/net (for example /proc/<pid>/net/udp) for the socket of the connection (e.g. the UDP connection) to the local DNS server. The local DNS server then creates a timer from the TTL field of the response, or from a default timeout when no usable TTL is available. The default timeout is the amount of time the UDP connection is kept open on the local DNS server and in the computer network; normally it is about 60 seconds.
On receiving the response from the external DNS server, the local DNS server forwards it to the client computer. When the client computer then connects to the remote host, the connection matches the newly added pin-hole rule. When the client computer sends further packets on the same session, the existing connection is matched against the dynamic set of rules and the computer network allows it. The local DNS server may include a netfilter queue handler to enforce a match limit: it watches the queue handler for events and deletes the relevant rules from the dynamic set of rules once one of the additional packets has matched, so that the pin-hole is used up by the first packets of the connection.
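The following is an added example (not code from the patent) of the enforcement unit behaviour described in this section, covering both the firewall-unit case and the local DNS server flow: it parses the DNS request and response itself, only adds a rule when the response answers a request recorded from the same client with the same question name, takes the rule lifetime from the answer TTL (falling back to the 60-second default when the TTL is 0), optionally limits the number of packets a rule may match, and renders the rule as an iptables command. All packets, addresses and the EnforcementUnit class are constructed for this demonstration and are not the patent's identifiers.

```python
# Added example, not code from the patent. Minimal DNS-pinned enforcement unit.
# The DNS parser handles RFC 1035 wire format with name compression, IN A records only.
import struct


def _read_name(pkt, off):
    """Parse a DNS name at pkt[off], following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset where the caller continues parsing)."""
    labels, end, hops = [], None, 0
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                       # 2-byte compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                       # caller resumes after the pointer
            hops += 1
            if hops > 64 or ptr >= off:             # loops and forward pointers are invalid
                raise ValueError("bad compression pointer")
            off = ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii").lower())
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_dns(pkt):
    """Transaction ID, QR flag, question name and the IN A answers as (ip, ttl)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off, qname, answers = 12, None, []
    for _ in range(qd):
        qname, off = _read_name(pkt, off)
        off += 4                                    # QTYPE + QCLASS
    for _ in range(an):
        _, off = _read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((".".join(str(b) for b in rdata), ttl))
    return {"id": txid, "is_response": bool(flags & 0x8000), "qname": qname, "answers": answers}


class EnforcementUnit:
    """Dynamic rule set keyed by (client address, destination IP)."""
    DEFAULT_TIMEOUT = 60                            # seconds, used when the answer TTL is 0

    def __init__(self, max_packets=None):
        self.pending = {}                           # (client, txid) -> question name asked
        self.rules = {}                             # (client, ip) -> [expires_at, packets_left]
        self.max_packets = max_packets

    def on_dns_packet(self, client, pkt, now):
        """Feed every DNS packet to or from a client. Returns the IPs for which a rule
        was added; requests, unsolicited responses and responses whose question does
        not match the recorded request add nothing."""
        msg = parse_dns(pkt)
        key = (client, msg["id"])
        if not msg["is_response"]:
            self.pending[key] = msg["qname"]
            return []
        asked = self.pending.pop(key, None)
        if asked is None or asked != msg["qname"]:
            return []
        added = []
        for ip, ttl in msg["answers"]:
            self.rules[(client, ip)] = [now + (ttl or self.DEFAULT_TIMEOUT), self.max_packets]
            added.append(ip)
        return added

    def allow(self, client, ip, now):
        """Verdict for a packet from client to ip. Expired rules are dropped on lookup;
        a rule whose packet budget is used up is dropped after the packet that exhausts it."""
        rule = self.rules.get((client, ip))
        if rule is None:
            return False
        if now >= rule[0]:
            del self.rules[(client, ip)]
            return False
        if rule[1] is not None:
            rule[1] -= 1
            if rule[1] <= 0:
                del self.rules[(client, ip)]
        return True

    @staticmethod
    def iptables_command(client, ip, add=True):
        """Rule rendered for a firewall unit in the forwarding path (the OUTPUT/owner
        form quoted above is the local-server variant)."""
        return f"iptables -{'A' if add else 'D'} FORWARD -s {client} -d {ip} -j ACCEPT"


def _wire_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

# Constructed sample traffic: a query for example.com and a two-answer reply whose
# second record has TTL 0 (so it gets the default timeout). TEST-NET addresses.
CLIENT = "10.0.0.5"
QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
         + _wire_name("example.com") + struct.pack("!HH", 1, 1))
RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
            + _wire_name("example.com") + struct.pack("!HH", 1, 1)
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 0, 4) + bytes([192, 0, 2, 11]))

if __name__ == "__main__":
    eu = EnforcementUnit(max_packets=3)
    eu.on_dns_packet(CLIENT, QUERY, now=1000)
    for ip in eu.on_dns_packet(CLIENT, RESPONSE, now=1000):
        print(eu.iptables_command(CLIENT, ip))
```

Setting max_packets=1 gives the behaviour of claim 5 (the rule is consumed by the first outbound packet); a response replayed to the unit without a preceding request, or answering a different name than the one asked, opens no pin-hole.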
An enforcement unit located in the client may be implemented using library function hooks that intercept function calls, events or messages and allow or deny the connection from the client computer. The hooks are placed on getaddrinfo, connect and sendto (and sendmsg); the hooks on connect, sendto and sendmsg may use seccomp-eBPF, with the IP address, PID and timeout timestamp installed in an eBPF map for the connect and sendto hooks to consult. If the rule already exists in the dynamic set of rules, it is overwritten with the same rule.
In the getaddrinfo hook, the IP address is looked up for the given host name; when no TTL is given, the IP address is tagged as single-use. The hook then forwards the IP address to the client computer.
When the client computer connects to the host through the computer network, the hook on connect, sendto or sendmsg (installed on the system call or on the corresponding operating system service) looks up the destination IP address and PID in the eBPF map. If the timeout timestamp is in the past, the rule is removed from the dynamic set of rules, the lookup counts as a miss and the connection is denied. If the rule matches, the system call is permitted and the connection allowed. If the IP address is marked single-use, it is removed from the eBPF map at that point; the removal is the atomic step, and if it fails because the entry has already been consumed by a concurrent call, the system call is rejected. A hook on the exit system call can be added on the client computer to remove all of the exiting PID's rules.
Note that a plain seccomp filter sees only the system call number and its register arguments by value, not the sockaddr structure they point to, so reading the destination IP address inside connect, sendto or sendmsg requires either the seccomp user-space notification mechanism or an eBPF program attached at the socket or cgroup layer; the seccomp-eBPF reference above should be read with that in mind.
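The client-side variant just described, as an added example that is not the patent's code: the eBPF map is modelled as a dictionary keyed by (PID, IP), and the getaddrinfo, connect and exit hooks are methods on a HookEnforcer class. It shows the parts the firewall-unit case does not have: entries scoped to a process, overwrite-on-resolve, single-use tagging when the resolver gave no TTL, atomic consumption of a single-use entry under concurrent connect() calls, and purging on process exit. The class and function names, and the resolver output fed in, are constructed for the demonstration.

```python
# Added example, not the patent's code: hook logic of a client-side enforcement unit
# with the eBPF map modelled as a dict. Not a real seccomp/eBPF installation.
import threading


class HookEnforcer:
    DEFAULT_TIMEOUT = 60                 # seconds, applied when the resolver gave no TTL

    def __init__(self):
        self.map = {}                    # (pid, ip) -> (expires_at, single_use)

    def on_getaddrinfo(self, pid, addrinfo, now):
        """getaddrinfo hook. addrinfo is the list of (ip, ttl_or_None) the resolver
        returned for the requested host name. Installs or overwrites one entry per
        address for the calling PID; no TTL means a single-use entry with the default
        timeout. Returns the IPs handed back to the caller."""
        for ip, ttl in addrinfo:
            lifetime = ttl if ttl is not None else self.DEFAULT_TIMEOUT
            self.map[(pid, ip)] = (now + lifetime, ttl is None)
        return [ip for ip, _ in addrinfo]

    def on_connect(self, pid, ip, now):
        """connect/sendto/sendmsg hook: True lets the system call proceed."""
        entry = self.map.get((pid, ip))
        if entry is None:
            return False                 # this process never resolved ip: deny
        expires_at, single_use = entry
        if expires_at <= now:
            self.map.pop((pid, ip), None)  # stale entry: drop it and deny
            return False
        if single_use:
            # The removal is the atomic step. When several connect() calls race on
            # the same single-use entry, only the one whose pop() returns the entry
            # is allowed; the others find it gone and are rejected.
            return self.map.pop((pid, ip), None) is not None
        return True

    def on_exit(self, pid):
        """exit hook: purge every entry the process installed. Returns the count."""
        stale = [k for k in self.map if k[0] == pid]
        for k in stale:
            del self.map[k]
        return len(stale)


def race_single_use(enf, pid, ip, n_threads, now=0):
    """Install one single-use entry and let n threads race to connect().
    Returns how many were allowed (exactly one is expected)."""
    enf.on_getaddrinfo(pid, [(ip, None)], now)
    results = []

    def worker():
        results.append(enf.on_connect(pid, ip, now + 1))

    threads = [threading.Thread(target=worker) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


if __name__ == "__main__":
    enf = HookEnforcer()
    enf.on_getaddrinfo(1234, [("192.0.2.10", 300), ("192.0.2.11", None)], now=1000)
    print(enf.on_connect(1234, "192.0.2.10", now=1001))   # allowed, TTL-backed entry
    print(enf.on_connect(1234, "192.0.2.11", now=1001))   # allowed once
    print(enf.on_connect(1234, "192.0.2.11", now=1002))   # consumed: denied
    print(race_single_use(HookEnforcer(), 4321, "192.0.2.12", 8))
```

In a real eBPF implementation the equivalent of pop() is a map delete whose return value tells the program whether it removed anything, which is what makes the single-use check safe against two threads of the same process connecting at once.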
A computer program product for use in a monitoring unit in a computer network in which a client computer can connect to one or more host devices, the monitoring unit being arranged in the computer network to allow or deny connections based on the dynamic set of rules. The computer program product includes computer readable code that, when run in a processor, causes the monitoring unit to perform the enforcing method described above.
The computer program product optionally includes a non-transitory storage that stores the computer readable code.
FIG. 6 is an illustration of an exemplary computing arrangement 600 in which the various architectures and functionalities of the various previous implementations may be implemented. As shown, the computing arrangement 600 includes at least one processor 604 that is connected to a bus 602, wherein the computing arrangement 600 may be implemented using any suitable protocol, such as PCI (Peripheral Component Interconnect), PCI-Express, AGP (Accelerated Graphics Port), HyperTransport, or any other bus or point-to-point communication protocol(s). The computing arrangement 600 also includes a memory 606.
Control logic (software) and data are stored in the memory 606, which may take the form of random-access memory (RAM). In the present description, a single semiconductor platform may refer to a sole unitary semiconductor-based integrated circuit or chip. It should be noted that the term single semiconductor platform may also refer to multi-chip modules with increased connectivity which simulate on-chip operation and make substantial improvements over utilizing a conventional central processing unit (CPU) and bus implementation. Of course, the various modules may also be situated separately or in various combinations of semiconductor platforms per the desires of the user.
The computing arrangement 600 may also include a secondary storage 610. The secondary storage 610 includes, for example, a hard disk drive and a removable storage drive, representing a floppy disk drive, a magnetic tape drive, a compact disk drive, a digital versatile disk (DVD) drive, a recording device or universal serial bus (USB) flash memory. The removable storage drive reads from and/or writes to a removable storage unit in a well-known manner.
Computer programs, or computer control logic algorithms, may be stored in at least one of the memory 606 and the secondary storage 610. Such computer programs, when executed, enable the computing arrangement 600 to perform various functions as described in the foregoing. The memory 606, the secondary storage 610, and any other storage are possible examples of computer-readable media.
In an implementation, the architectures and functionalities depicted in the various previous figures may be implemented in the context of the processor 604, a graphics processor coupled to a communication interface 612, an integrated circuit (not shown) that is capable of at least a portion of the capabilities of both the processor 604 and a graphics processor, or a chipset (i.e., a group of integrated circuits designed to work together and sold as a unit for performing related functions).
Furthermore, the architectures and functionalities depicted in the various previous figures may be implemented in the context of a general computer system, a circuit board system, a game console system dedicated for entertainment purposes, or an application-specific system. For example, the computing arrangement 600 may take the form of a desktop computer, a laptop computer, a server, a workstation, a game console or an embedded system.
Furthermore, the computing arrangement 600 may take the form of various other devices including, but not limited to a personal digital assistant (PDA) device, a mobile phone device, a smart phone, a television, etc. Additionally, although not shown, the computing arrangement 600 may be coupled to a network (e.g., a telecommunications network, a local area network (LAN), a wireless network, a wide area network (WAN) such as the Internet, a peer-to-peer network, a cable network, or the like) for communication purposes through an I/O interface 608.
It should be understood that the arrangement of components illustrated in the figures described is exemplary and that other arrangements may be possible. It should also be understood that the various system components (and means) defined by the claims, described below, and illustrated in the various block diagrams represent components in some systems configured according to the subject matter disclosed herein. For example, one or more of these system components (and means) may be realized, in whole or in part, by at least some of the components illustrated in the arrangements illustrated in the described figures.
In addition, while at least one of these components is implemented at least partially as an electronic hardware component, and therefore constitutes a machine, the other components may be implemented in software that, when included in an execution environment, constitutes a machine, hardware, or a combination of software and hardware.
Although the disclosure and its advantages have been described in detail, it should be understood that various changes, substitutions and alterations can be made herein without departing from the spirit and scope of the disclosure as defined by the appended claims.

Claims

1. A method of supervising connections in a computer network (100, 200) comprising one or more client units (202A-N) and one or more host units (108A-N, 206A-N) and an enforcement unit (106, 306, 405) arranged to monitor connections in the computer network (100, 200) and allow or deny connections based on a dynamic set of rules, the method comprising the steps of detecting a message from an address resolving unit (403), said message including an IP address, obtaining the IP address from the message, checking that the message is sent as a response to a request from a first client unit of the one or more client units (202A-N), the IP address corresponding to a host name stated in the request, and adding a new rule in the dynamic set of rules, said new rule allowing a connection between the first client unit and the IP address only if the message is found to be in response to the request and the IP address corresponds to the host name.
2. The method according to claim 1, wherein the checking includes checking that the request has been received in the enforcement unit (106, 306, 405) prior to the message.
3. The method according to claim 1 or 2, wherein the new rule includes a timeframe defining the time period which the new rule is active, the method comprising the step of deactivating the new rule after this time period.
4. The method according to any one of the preceding claims, wherein the new rule includes a maximum number of packets, the method comprising the step of deactivating the new rule after the maximum number of packets has been received for the connection.
5. The method according to any one of the preceding claims, comprising the step of deactivating the new rule upon reception in a firewall unit (208, 308) of an outbound packet from the client computer (102, 302, 401) to the host.
6. The method according to any one of the preceding claims, wherein the enforcement unit (106, 306, 405) is located in the firewall unit (208, 308) arranged to monitor connections between the one or more client units (202A-N) and the one or more host units (108A-N, 206A-N).
7. The method according to any one of the claims 1 - 5, wherein the enforcement unit (106, 306, 405) is located in the first client unit and is arranged to implement the new rule as a hook in a computer function initiating a connection to a host.
8. The method according to any one of the claims 1 - 5, wherein the enforcement unit (106, 306, 405) is located in a local server in a local network comprising the one or more client units (202A-N).
9. A computer program product for use in a monitoring unit in a computer network (100, 200) in which a client computer (102, 302, 401) can connect to a plurality of host computers (108A-N), said monitoring unit being arranged to allow or deny connections based on a dynamic set of rules, the computer program product comprising computer readable code means which when run in a processor will cause the monitoring unit to perform the method according to any one of the preceding claims.
10. The computer program product according to claim 9, comprising a non-transitory storage means having stored thereon the computer readable code means.
11. An enforcement unit (106, 306, 405) for use in a computer network (100, 200) in which a client computer (102, 302, 401) can connect to a plurality of host computers (108A-N), said enforcement unit (106, 306, 405) being arranged to allow or deny connections based on a dynamic set of rules, said enforcement unit (106, 306, 405) comprising a control unit (107) being arranged to perform the method according to any one of the claims 1 - 8.
12. The enforcement unit (106, 306, 405) according to claim 11, arranged to be included in a firewall unit (208, 308) arranged to monitor connections between the client computer (102, 302, 401) and the one or more host units (108A-N, 206A-N), the control unit (107) being arranged to perform the method according to claim 6.
13. The enforcement unit (106, 306, 405) according to claim 11, arranged to be included in the first client computer, the control unit (107) being arranged to perform the method according to claim 7.
14. The enforcement unit (106, 306, 405) according to claim 11, arranged to be included in a local server unit in a local network comprising the client computer, the control unit (107) being arranged to perform the method according to claim 8.
15. A computer network (100, 200) comprising one or more client computers (202A-N), one or more host computers (108A-N, 206A-N) and a firewall unit (208, 308) for monitoring traffic between the one or more client computers (202A-N) and the one or more host computers (108A-N, 206A-N) and block undesired traffic, further comprising an enforcement unit (106, 306, 405) according to any one of the claims 11 - 14.
PCT/EP2021/060818 2021-04-26 2021-04-26 Method and enforcement unit for supervising connections in a computer network WO2022228647A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/EP2021/060818 WO2022228647A1 (en) 2021-04-26 2021-04-26 Method and enforcement unit for supervising connections in a computer network
CN202180097210.5A CN117203942A (en) 2021-04-26 2021-04-26 Method and execution unit for supervising connections in a computer network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2021/060818 WO2022228647A1 (en) 2021-04-26 2021-04-26 Method and enforcement unit for supervising connections in a computer network

Publications (1)

Publication Number Publication Date
WO2022228647A1 true WO2022228647A1 (en) 2022-11-03

Family

ID=75674848

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2021/060818 WO2022228647A1 (en) 2021-04-26 2021-04-26 Method and enforcement unit for supervising connections in a computer network

Country Status (2)

Country Link
CN (1) CN117203942A (en)
WO (1) WO2022228647A1 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3270573A1 (en) * 2016-07-13 2018-01-17 DNSthingy Inc. Method and router to permit or block internet protocol (ip) connectivity based on originating domain name server (dns) requests
US20180124016A1 (en) * 2016-10-31 2018-05-03 Guest Tek Interactive Entertainment Ltd. Walled garden system with cleared ips list automatically generated from dns queries
US20190253385A1 (en) * 2018-02-09 2019-08-15 Comcast Cable Communications, Llc Dynamic firewall configuration
EP3654606A1 (en) * 2018-11-15 2020-05-20 Ovh Method and data packet cleaning system for screening data packets received at a service infrastructure
US20200228538A1 (en) * 2019-01-15 2020-07-16 Raytheon Bbn Technologies Corp. System and method for protecting network-facing services
US20200314065A1 (en) * 2019-03-29 2020-10-01 Jpmorgan Chase Bank, N.A. Dynamic application firewalling in cloud systems


Also Published As

Publication number Publication date
CN117203942A (en) 2023-12-08


Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase (Ref document number: 202180097210.5; Country of ref document: CN)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 21721505; Country of ref document: EP; Kind code of ref document: A1)