WO2023233580A1 - Detection and response control system, detection and response control method, hardware accelerator, controller, and program - Google Patents
- Publication number
- WO2023233580A1 (PCT/JP2022/022305)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- attack
- detection
- data
- controller
- unit
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/034—Test or assess a computer or a system
Definitions
- the present invention relates to a detection and response control system, a detection and response control method, a hardware accelerator, a controller, and a program for detecting cyber attacks in the network security field.
- in 5G New Radio, the next-generation mobile communication standard and one form of network communication, the formulation of standard specifications is accompanied by the opening of communication devices and communication interfaces and by software virtualization.
- RIC: RAN Intelligent Controller
- AI: Artificial Intelligence
- as 5G deployment is promoted, there are concerns about a sharp increase in cyberattacks, and the damage they cause, that exploit the technical characteristics of 5G such as ultra-high speed, massive simultaneous connections, ultra-low latency, and open interfaces.
- user communications are realized by separating control plane (C-Plane) signals, which handle session control and management between terminals and communication devices/base stations, from user plane (U-Plane) signals, which carry data communications.
- cyber attacks such as signaling fraud attacks, volumetric DDoS attacks, and jamming target these control signals and user data signals at the protocol layer and elsewhere, and carry out unauthorized control of user communications and communication equipment, denial of service by saturating network bandwidth, and unauthorized acquisition of confidential information.
- Patent Document 1 uses a filtering function of communication equipment to implement countermeasure control against cyber-attacks.
- Non-Patent Document 1: RIC: A RAN intelligent controller platform for AI-enabled cellular networks
- the technology of Non-Patent Document 1 cannot detect cyber attacks in real time because of increased delay time and resource consumption (compute resources used, network transfer resources).
- the technology described in Patent Document 1 uses a filtering method in the communication device and does not support machine learning or offloading to an accelerator, resulting in reduced attack response accuracy and processing capacity. If attack detection and attack response cannot be realized in real time, it may become impossible to provide network user communications and services as a whole.
- the present invention has been made in view of these points, and its object is to reduce the delay time of attack detection and attack response against cyber attacks on communication networks, and to reduce the resources used by communication devices.
- a detection and response control system according to the present invention includes a controller that performs network control in an access network, and a hardware accelerator connected to a communication device of the access network and to the controller.
- the hardware accelerator includes: a data acquisition unit that acquires communication data from the communication device; a data preprocessing unit that executes preprocessing for statistical processing on the communication data and transmits the preprocessed data to the controller; an attack detection unit that acquires from the controller a learning model for detecting an attack using the communication data and uses that learning model to determine inline whether or not the communication data is an attack; a detection alert notification unit that generates a detection alert containing detection information, including the reason the communication data was determined to be an attack, together with network information regarding the communication data, and sends it to the controller; and a countermeasure execution unit that executes inline countermeasures against attacks on the communication data based on a countermeasure control policy, acquired from the controller, which includes the information necessary for responding to the attack.
- the controller includes: a learning unit that obtains the preprocessed data and generates the learning model for detecting attacks based on the communication data; and a countermeasure determining unit that uses the acquired detection alert to determine whether attack countermeasures are necessary and, if they are, creates the countermeasure control policy including the attack type and countermeasure method and transmits it to the hardware accelerator.
- according to the present invention, it is possible to reduce the delay time of attack detection and attack response against a cyber attack on a communication network, and to reduce the resources used by a communication device.
- FIG. 1 is a diagram showing the overall configuration of a detection and response control system according to the present embodiment.
- FIG. 2 is a sequence diagram showing the flow of learning processing by the detection and response control system according to the present embodiment.
- FIG. 3 is a flowchart showing the flow of attack detection processing by the hardware accelerator of the detection and response control system according to the present embodiment.
- FIG. 4 is a sequence diagram showing the flow of attack countermeasure processing by the detection and response control system according to the present embodiment.
- FIG. 5 is a diagram showing the overall configuration of a detection and response control system according to a modification of the present embodiment.
- FIG. 6 is a hardware configuration diagram showing an example of a computer that implements the functions of the controller according to the present embodiment.
- FIG. 1 is a diagram showing the overall configuration of a detection and response control system 1000 according to this embodiment.
- in the detection and response control system 1000, a security function is implemented on a NIC-equipped FPGA board (hardware accelerator 10) and on a centralized controller (controller 20), and attack detection and attack response are realized by separating the functions between them.
- the detection and response control system 1000 includes an access network communication device 30, which is connected to the user terminal 5 and transfers data acquired from the user terminal 5 to the core network communication device 40, a hardware accelerator 10, and a controller 20.
- the core network communication device 40 is a device that transfers data acquired from the access network communication device 30 and the like to a data network (such as the Internet).
- data transfer units 31 and 41 transfer RAN data (U-plane/C-plane) received from the user terminal 5 or from other communication devices.
- the protocol processing units 32 and 42 execute processing such as conversion.
- the hardware accelerator 10 is connected to the communication device as, for example, an FPGA (Field Programmable Gate Array) board (FPGA SmartNIC) equipped with a NIC (Network Interface Card). More specifically, it is connected to the access network communication device 30 as an FPGA board using an expansion interface such as PCIe (Peripheral Component Interconnect Express).
- the controller 20 is connected to the hardware accelerator 10 and executes the generation of a learning model for detecting a cyber attack, the creation of a response control policy regarding attack response, and the like.
- the hardware accelerator 10 and the controller 20 work together, performing the learning, attack detection, and attack response functions separately, and thereby achieve low latency and reduce the resources used by communication devices (mainly operating resources and NW resources).
- the hardware accelerator 10 and controller 20 will be described in detail below.
- the hardware accelerator 10 includes a security processing unit 100 that implements security functions.
- the security processing section 100 includes a data acquisition section 110, a data preprocessing section 120, an attack detection section 130, a detection alert notification section 140, and a countermeasure execution section 150.
- the data acquisition unit 110 receives input of communication data (for example, U-plane and C-plane data) transferred from the access network communication device 30. Of the received data, the data acquisition unit 110 may acquire all data as the target of attack detection, acquire only specific signaling (call control information), or acquire data efficiently by sampling. For example, the data acquisition unit 110 may specify a field of a specific RAN packet and acquire that information. The data acquisition unit 110 outputs the acquired data to the data preprocessing unit 120.
- the data preprocessing unit 120 performs preprocessing on the data received from the data acquisition unit 110. This preprocessing function is implemented in the programmable logic of the hardware accelerator 10, and the preprocessing is executed in an inline manner.
- the data preprocessing unit 120 extracts the predetermined data necessary for attack detection by, for example, removing data unnecessary for attack detection from the acquired communication data or processing the data (first-stage preprocessing).
- the data preprocessing unit 120 also performs statistical processing on the processed communication data (second-stage preprocessing), and after a statistical execution period (for example, 60 seconds or 5 minutes) has elapsed, sends the statistically processed data to the controller 20.
- the statistical processing includes, for example, calculation of the average value, variance, maximum value, and minimum value, as well as regularization and standardization.
- by extracting only the data fields related to attack features (the predetermined data necessary for attack detection) from the RAN communication data and performing statistical processing on them before transmission, the data preprocessing unit 120 reduces the amount of data sent to the controller 20.
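The two-stage preprocessing described above, written out as an added Python example (this is not the patent's code, and an FPGA implementation would realize the same logic in programmable logic). The record field names, the sample records and the 60-second window are assumptions; stage 1 drops the payload, stage 2 computes per-UE count, mean, variance, maximum and minimum over the statistical execution period and then standardizes each statistic across UEs:

```python
"""Two-stage preprocessing of RAN records into windowed statistics.

Added example, not the patent's code: field names, the sample records and the
window length are assumptions.  Stage 1 keeps only the fields that carry attack
features, stage 2 aggregates them per UE over the statistical execution period.
"""
from collections import defaultdict
from statistics import mean, pstdev, pvariance

# Constructed sample records (one per RAN message). "payload" stands for the
# bulk of the packet, which attack detection does not need.
SAMPLE_RECORDS = [
    {"ts": 1.0, "ue_id": "ue-a", "cell_id": "cell-1", "plane": "C", "msg": "RRCSetupRequest", "bytes": 48, "payload": "..."},
    {"ts": 5.0, "ue_id": "ue-a", "cell_id": "cell-1", "plane": "U", "msg": "Data", "bytes": 1200, "payload": "..."},
    {"ts": 9.0, "ue_id": "ue-a", "cell_id": "cell-1", "plane": "U", "msg": "Data", "bytes": 800, "payload": "..."},
    {"ts": 2.0, "ue_id": "ue-b", "cell_id": "cell-1", "plane": "C", "msg": "RRCSetupRequest", "bytes": 48, "payload": "..."},
    {"ts": 2.5, "ue_id": "ue-b", "cell_id": "cell-1", "plane": "C", "msg": "RRCSetupRequest", "bytes": 48, "payload": "..."},
    {"ts": 3.0, "ue_id": "ue-b", "cell_id": "cell-1", "plane": "C", "msg": "RRCSetupRequest", "bytes": 48, "payload": "..."},
    {"ts": 3.5, "ue_id": "ue-b", "cell_id": "cell-1", "plane": "C", "msg": "RRCSetupRequest", "bytes": 48, "payload": "..."},
    {"ts": 70.0, "ue_id": "ue-c", "cell_id": "cell-2", "plane": "U", "msg": "Data", "bytes": 500, "payload": "..."},
]

FEATURE_FIELDS = ("ts", "ue_id", "cell_id", "plane", "msg", "bytes")
NUMERIC_STATS = ("msg_count", "cplane_count", "rrc_setup_count",
                 "bytes_mean", "bytes_var", "bytes_max", "bytes_min")


def first_stage(records):
    """Stage 1: drop everything detection does not need (here the payload)."""
    return [{k: r[k] for k in FEATURE_FIELDS} for r in records]


def second_stage(records, window_start, window_len):
    """Stage 2: per-UE statistics over one statistical execution period."""
    by_ue = defaultdict(list)
    for r in records:
        if window_start <= r["ts"] < window_start + window_len:
            by_ue[r["ue_id"]].append(r)
    stats = {}
    for ue, rs in by_ue.items():
        sizes = [r["bytes"] for r in rs]
        stats[ue] = {
            "cell_id": rs[0]["cell_id"],
            "msg_count": len(rs),
            "cplane_count": sum(r["plane"] == "C" for r in rs),
            "rrc_setup_count": sum(r["msg"] == "RRCSetupRequest" for r in rs),
            "bytes_mean": mean(sizes),
            "bytes_var": pvariance(sizes),
            "bytes_max": max(sizes),
            "bytes_min": min(sizes),
        }
    return stats


def standardise(stats):
    """Standardization: z-score each statistic across the UEs seen in the window.

    A statistic with zero spread (or a single UE) gets z = 0 instead of a
    division by zero."""
    out = {ue: dict(s) for ue, s in stats.items()}
    for key in NUMERIC_STATS:
        vals = [s[key] for s in stats.values()]
        mu, sigma = mean(vals), pstdev(vals)
        for ue in out:
            out[ue][key + "_z"] = (stats[ue][key] - mu) / sigma if sigma else 0.0
    return out


def preprocess(records, window_start=0.0, window_len=60.0):
    """Full pipeline, as the accelerator would run it before sending to the controller."""
    return standardise(second_stage(first_stage(records), window_start, window_len))


if __name__ == "__main__":
    for ue, s in preprocess(SAMPLE_RECORDS).items():
        print(ue, s["msg_count"], s["rrc_setup_count"], round(s["rrc_setup_count_z"], 2))
```

The window output is a handful of numbers per UE instead of every packet, which is the data reduction the text refers to; the record at ts 70.0 falls outside the window and is not counted.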
- the attack detection unit 130 uses the learning model (learning model for detecting an attack) received from the controller 20 to perform inline attack detection processing on the communication data (RAN communication data) acquired by the data acquisition unit 110. At this time, the attack detection unit 130 performs attack detection on data that has undergone the same processing as the preprocessing described above (first-stage and second-stage processing). If the attack detection unit 130 determines as a result of the attack detection process that an attack has been detected, it generates detection information including the reason for detection (information such as a threshold being exceeded or the characteristics matching an attack) and outputs it to the detection alert notification unit 140. The threshold information and the feature amounts of each attack used to generate the detection reason are stored in advance in the storage means.
- the attack detection unit 130 updates the learning model by receiving a learning model for detection (weight data, etc.) from the controller 20 at predetermined time intervals. This allows the attack detection unit 130 to detect attacks occurring in the RAN and abnormalities in accordance with the communication status.
- the detection alert notification unit 140 creates a detection alert from the detection information acquired from the attack detection unit 130 and information based on the network environment, and sends it to the controller 20.
- this detection alert includes information such as the source IP address of the communication, UE (user terminal) information, information on the cell/communication device accommodating the UE, and the network route.
- the countermeasure execution unit 150 executes inline countermeasures against attacks on communication data based on the countermeasure control policy acquired from the controller 20. Specifically, the countermeasure execution unit 150 creates a countermeasure filter in the hardware accelerator 10 based on the acquired countermeasure control policy and, by checking whether communication data input from the NIC (not shown) matches the filter, blocks attack communication data and thereby defends the network.
- the controller 20 is connected to the hardware accelerator 10 and executes a learning process for detecting a cyber attack, an attack detection process, and an attack countermeasure process in a separated manner from the hardware accelerator 10.
- the controller 20 is constituted by a computer including a control section, an input/output section, and a storage section (all not shown).
- the input/output unit inputs and outputs information to and from the hardware accelerator 10 and the like.
- this input/output unit consists of a communication interface that sends and receives information via a communication line, and an input/output interface that exchanges information with an input device such as a keyboard and an output device such as a monitor (not shown).
- the storage unit includes a hard disk, flash memory, RAM (Random Access Memory), and the like. This storage section temporarily stores programs for executing each function of the control section and information necessary for processing of the control section.
- the control unit is in charge of overall processing executed by the controller 20, and is configured to include a learning unit 210, a learning model transmitting unit 220, and a response determining unit 230, as shown in FIG.
- the learning unit 210 acquires preprocessed data from the hardware accelerator 10 and generates an AI learning model (a learning model for detecting an attack). For example, the learning unit 210 learns the normal state from normal data, also acquires information determined to be attack data (detection alerts) from the response determining unit 230 (described later), learns the characteristics of the attack, and generates the model. The learning unit 210 re-learns the learning model by acquiring preprocessed data and attack data at predetermined time intervals, and updates the learning model.
- the learning model transmitting unit 220 transmits the learning model generated by the learning unit 210 to the hardware accelerator 10.
- the learning model transmitter 220 may transmit all of the information on the generated learning model, or may transmit only necessary weight data regarding the updated learning model. By doing so, the learning model transmitter 220 can reduce the amount of data transmitted to the hardware accelerator 10.
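The detection, learning and model-transmission roles described in the preceding items, as an added Python example that is not the patent's code. The model form (a per-feature baseline of the normal state plus learned attack signatures), the feature names, the sample windows and the z-score threshold are assumptions made for illustration. `learn_model` and `relearn_with_alert` stand for the learning unit, `weight_update` for the learning model transmitting unit sending only changed weights, and `apply_update` and `detect` for the attack detection unit, which produces detection information with a reason and a detection alert carrying network information:

```python
"""Learning-model exchange between controller and accelerator, and inline detection.

Added example, not the patent's code.  The model form (per-feature baseline of
the normal state plus learned attack signatures), the feature names and the
sample windows are assumptions made for illustration.
"""
from statistics import mean, pstdev

FEATURES = ("msg_count", "rrc_setup_count", "bytes_mean")

# Constructed per-UE feature vectors, i.e. the statistically preprocessed data
# the accelerator sends to the controller during normal operation.
NORMAL_WINDOWS = [
    {"msg_count": 10, "rrc_setup_count": 1, "bytes_mean": 700.0},
    {"msg_count": 12, "rrc_setup_count": 2, "bytes_mean": 650.0},
    {"msg_count": 8, "rrc_setup_count": 1, "bytes_mean": 720.0},
    {"msg_count": 11, "rrc_setup_count": 1, "bytes_mean": 690.0},
]
ATTACK_WINDOW = {"msg_count": 400, "rrc_setup_count": 380, "bytes_mean": 48.0}
# Network information the detection alert notification unit attaches (constructed).
SAMPLE_NET_INFO = {"src_ip": "203.0.113.10", "ue_id": "ue-b", "cell_id": "cell-1",
                   "route": ["gNB-1", "UPF-1"]}


def learn_model(normal_windows, signatures=(), version=1, z_threshold=3.0):
    """Controller (learning unit): learn the normal state as per-feature mean/std."""
    baseline = {}
    for f in FEATURES:
        vals = [w[f] for w in normal_windows]
        baseline[f] = {"mean": mean(vals), "std": pstdev(vals) or 1.0}  # guard constant features
    return {"version": version, "z_threshold": z_threshold,
            "baseline": baseline, "signatures": list(signatures)}


def relearn_with_alert(model, normal_windows, alert, attack_type, tolerance=0.2):
    """Controller: re-learn, taking the alerted feature vector in as attack data."""
    sig = {"attack_type": attack_type, "features": dict(alert["detection_info"]["features"]),
           "tolerance": tolerance}
    return learn_model(normal_windows, model["signatures"] + [sig],
                       version=model["version"] + 1, z_threshold=model["z_threshold"])


def weight_update(old, new):
    """Controller (learning model transmitting unit): send only the weights that changed."""
    changed = {f: new["baseline"][f] for f in FEATURES if new["baseline"][f] != old["baseline"][f]}
    return {"version": new["version"], "z_threshold": new["z_threshold"],
            "baseline": changed, "signatures": new["signatures"]}


def apply_update(model, update):
    """Accelerator (attack detection unit): merge a partial update into the set model."""
    return {"version": update["version"], "z_threshold": update["z_threshold"],
            "baseline": {**model["baseline"], **update["baseline"]},
            "signatures": list(update["signatures"])}


def _matches(features, sig):
    """Attack characteristics match when every feature is within the signature's tolerance."""
    return all(abs(features[f] - sig["features"][f]) <= sig["tolerance"] * max(abs(sig["features"][f]), 1.0)
               for f in FEATURES)


def detect(model, features, net_info):
    """Accelerator: inline decision. Returns a detection alert, or None if not an attack."""
    reasons = []
    for f in FEATURES:
        b = model["baseline"][f]
        z = (features[f] - b["mean"]) / b["std"]
        if abs(z) > model["z_threshold"]:
            reasons.append(f"{f} exceeds threshold (z={z:.1f}, limit {model['z_threshold']})")
    for sig in model["signatures"]:
        if _matches(features, sig):
            reasons.append(f"matches characteristics of {sig['attack_type']}")
    if not reasons:
        return None
    return {"detection_info": {"reasons": reasons, "features": dict(features)}, **net_info}


if __name__ == "__main__":
    model = learn_model(NORMAL_WINDOWS)
    alert = detect(model, ATTACK_WINDOW, SAMPLE_NET_INFO)
    print(alert["detection_info"]["reasons"])
    update = weight_update(model, relearn_with_alert(model, NORMAL_WINDOWS, alert, "RRC signaling DDoS"))
    print("weights resent:", len(update["baseline"]), "signatures:", len(update["signatures"]))
```

Because the normal windows did not change between the two learning rounds, the update carries no baseline weights at all, only the new attack signature, which is the saving the learning model transmitting unit is after.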
- the response determination unit 230 receives the detection alert from the hardware accelerator 10 (detection alert notification unit 140) and determines whether or not an attack response is necessary. Specifically, the response determination unit 230 decides whether or not to respond to the attack based on the threat information set in advance (attack type, IP address, UE identification information) and on the degree of impact of the attack derived from that threat information (for example, attack frequency and scope of impact, such as service delays or denial of service).
- when it determines that an attack should be dealt with, the response determination unit 230 creates a response control policy based on the threat information of the detection alert. Then, the countermeasure determination unit 230 transmits the created countermeasure control policy to the hardware accelerator 10 (countermeasure execution unit 150).
- the countermeasure determination unit 230 can create a countermeasure control policy based on threat information unique to RAN (UE identification information, RAN attack, etc.).
- threat information unique to RAN is information regarding attacks targeting RAN.
- the countermeasure control policy includes information necessary for countering attacks with the hardware accelerator 10 and the like.
- the information necessary to deal with attacks includes, for example, the type of attack, information on the source of the attack, information on the target of the attack, and countermeasures.
- a method for dealing with an RRC protocol signaling DDoS attack in the hardware accelerator 10 will be described as an example.
- the attack type includes the fact that it is an RRC protocol signaling DDoS attack and information about which signaling sequence constitutes the DoS attack.
- Information on the source of the attack includes UE identification information, information on the cell/communication base station that accommodates the UE, and information on the radio bearer used by the UE for communication.
- the information on the attack destination includes information on the network on the attack destination and information on the impact of the attack.
- countermeasures include packet blocking and steering (transfer) to a security analysis device (not shown). These pieces of information are compiled into an arbitrary data structure such as JSON (JavaScript Object Notation) as a countermeasure control policy, and transmitted from the controller 20 to the hardware accelerator 10.
- FIG. 2 is a sequence diagram showing the flow of learning processing by the detection and response control system 1000 according to the present embodiment.
- communication data input to the hardware accelerator 10 is preprocessed and transmitted to the controller 20.
- the controller 20 generates a learning model using the preprocessed data and attack data, and transmits the generated learning model to the hardware accelerator 10.
- the hardware accelerator 10 acquires and updates the learning model at predetermined time intervals. This will be explained in detail below.
- the data acquisition unit 110 of the hardware accelerator 10 receives input of communication data (for example, U-plane and C-plane data) transferred from the access network communication device 30 (step S10). Then, the data acquisition unit 110 acquires communication data targeted for attack detection from among the received communication data, and outputs it to the data preprocessing unit 120.
- the data preprocessing unit 120 of the hardware accelerator 10 performs first-stage preprocessing on the acquired communication data (step S11). As first-stage preprocessing, the data preprocessing unit 120 removes data unnecessary for attack detection and processes the acquired communication data. Then, the data preprocessing unit 120 determines whether a statistical execution period (for example, 60 seconds or 5 minutes) has elapsed (step S12). If the statistical execution period has not elapsed (step S12: No), the process returns to step S10 and continues acquiring and preprocessing communication data.
- if the statistical execution period has elapsed (step S12: Yes), the data preprocessing unit 120 executes statistical processing (average value calculation, regularization processing, etc.) on the processed data (step S13) and transmits the statistically processed data to the controller 20.
- the learning unit 210 of the controller 20 generates an AI learning model using the received preprocessed data (statistically processed data) as learning data (step S14). Note that after executing the attack detection process (FIG. 3), the learning unit 210 updates the learning model by taking in information determined to be attack data (detection alert) as learning data and relearning.
- the learning model transmitting unit 220 transmits the learning model generated by the learning unit 210 to the hardware accelerator 10 (step S15).
- the learning model transmitter 220 may transmit all the data of the generated learning model to the hardware accelerator 10, or may transmit only the weight data of the learning model to the hardware accelerator 10.
- the attack detection unit 130 of the hardware accelerator 10 acquires and sets a learning model from the controller 20 (step S16).
- if the attack detection unit 130 receives learning model data after a learning model has already been acquired from the controller 20 and set, it updates the currently set learning model based on that data (for example, the weight data of the learning model).
- this completes the learning process performed through cooperation between the hardware accelerator 10 and the controller 20. Note that this learning process is performed in advance, before attack detection processing and attack countermeasure processing are actually executed on communication data. Even after the attack detection process and the attack countermeasure process have started, the learning model is updated by executing this process at predetermined time intervals.
- FIG. 3 is a flowchart showing the flow of attack detection processing by the detection and response control system 1000 (hardware accelerator 10) according to the present embodiment.
- the hardware accelerator 10 performs preprocessing on the acquired communication data and then inputs the data to a learning model to detect an attack inline. This will be explained in detail below.
- the data acquisition unit 110 of the hardware accelerator 10 receives input of communication data (for example, U-plane and C-plane data) transferred from the access network communication device 30 (step S20). Then, the data acquisition unit 110 acquires communication data targeted for attack detection from among the received communication data, and outputs it to the data preprocessing unit 120.
- the data preprocessing unit 120 of the hardware accelerator 10 performs first-stage preprocessing on the acquired communication data (step S21). As first-stage preprocessing, the data preprocessing unit 120 removes data unnecessary for attack detection and processes the acquired communication data. Then, the data preprocessing unit 120 determines whether a statistical execution period (for example, 60 seconds or 5 minutes) has elapsed (step S22). If the statistical execution period has not elapsed (step S22: No), the process returns to step S20 and continues acquiring and preprocessing communication data.
- if the statistical execution period has elapsed (step S22: Yes), the data preprocessing unit 120 executes statistical processing (average value calculation, regularization processing, etc.) on the processed data (step S23) and outputs the statistically processed data to the attack detection unit 130.
- the attack detection unit 130 executes attack detection processing on the communication data (statistically processed data) using the set learning model, and determines whether or not the communication data is an attack (attack communication data) (step S24). If the attack detection unit 130 determines that it is not an attack (step S24: No), the process ends.
- if the attack detection unit 130 determines that it is an attack (step S24: Yes), it generates detection information including the detection reason (a threshold being exceeded, characteristics matching an attack, etc.) and outputs it to the detection alert notification unit 140.
- the detection alert notification unit 140 creates a detection alert from the detection information acquired from the attack detection unit 130 and information based on the network environment, and transmits it to the controller 20 (step S25).
- This detection alert includes, for example, a communication source IP address, UE (user terminal) information, host cell/communication device information, network route, and detection information (reason for detection, etc.). This completes the attack detection processing by the hardware accelerator 10.
- FIG. 4 is a sequence diagram showing the flow of attack response processing by the detection response control system 1000 according to the present embodiment.
- the hardware accelerator 10 blocks attack communication data by filtering based on the countermeasure control policy created by the controller 20. This will be explained in detail below.
- the response determination unit 230 of the controller 20 receives a detection alert from the hardware accelerator 10 (step S30). Subsequently, the response determination unit 230 determines whether or not an attack response is necessary based on the threat information included in the detection alert (step S31).
- the threat information is, for example, the attack type, IP address, UE identification information, and so on. Based on this threat information and the degree of impact of the attack (attack frequency, range of influence, etc.), the response determination unit 230 determines whether or not to respond to the attack. If the response determination unit 230 determines that the attack should not be addressed (step S31: No), the process ends.
- if the response determination unit 230 determines that the attack should be addressed (step S31: Yes), it creates a response control policy based on the threat information included in the detection alert (step S32) and sends it to the hardware accelerator 10.
- the countermeasure execution unit 150 of the hardware accelerator 10 creates a countermeasure filter in the hardware accelerator 10 based on the acquired countermeasure control policy (step S33).
- the countermeasure execution unit 150 then determines whether the communication data acquired from the access network communication device 30, or the data obtained by the data preprocessing unit 120 preprocessing (statistically processing) that communication data, matches the filter (step S34). If it does not match the filter (step S34: No), the process ends without taking any action.
- if it matches the filter (step S34: Yes), the countermeasure execution unit 150 executes the countermeasure and blocks the communication data as attack communication data (step S35).
- the hardware accelerator 10 can block attack communication data by filtering based on the countermeasure control policy created by the controller 20.
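The response decision, the countermeasure control policy and the filter installed from it (steps S30 to S35, and the policy contents described for the RRC signaling DDoS case above), as an added Python example that is not the patent's code. The alert fields, the decision rule (respond when one UE keeps triggering alerts or the impact is serious), the JSON layout of the policy and the sample packets are assumptions for illustration; the filter is kept deliberately narrow so that only the attacking signaling sequence from the identified UE and cell is blocked or steered, while that UE's other traffic and other UEs' traffic are forwarded:

```python
"""Response determination, countermeasure control policy and the inline filter.

Added example, not the patent's code.  The alert fields, the decision rule,
the JSON policy layout and the packet records are assumptions for illustration.
"""
import json

SERIOUS_IMPACT = {"service_delay", "denial_of_service"}

# Constructed detection alerts received by the controller's response determination unit.
ALERTS = [
    {"attack_type": "rrc_signaling_ddos", "signaling": "RRCSetupRequest", "src_ip": "203.0.113.10",
     "ue_id": "ue-b", "cell_id": "cell-1", "bearer": "rb-7", "impact": "none"},
    {"attack_type": "rrc_signaling_ddos", "signaling": "RRCSetupRequest", "src_ip": "203.0.113.10",
     "ue_id": "ue-b", "cell_id": "cell-1", "bearer": "rb-7", "impact": "none"},
    {"attack_type": "rrc_signaling_ddos", "signaling": "RRCSetupRequest", "src_ip": "203.0.113.10",
     "ue_id": "ue-b", "cell_id": "cell-1", "bearer": "rb-7", "impact": "none"},
    {"attack_type": "rrc_signaling_ddos", "signaling": "RRCSetupRequest", "src_ip": "203.0.113.55",
     "ue_id": "ue-z", "cell_id": "cell-2", "bearer": "rb-3", "impact": "denial_of_service"},
    {"attack_type": "rrc_signaling_ddos", "signaling": "RRCSetupRequest", "src_ip": "203.0.113.77",
     "ue_id": "ue-q", "cell_id": "cell-2", "bearer": "rb-1", "impact": "none"},
]

# Constructed communication data seen by the accelerator after the filter is installed.
PACKETS = [
    {"id": 1, "ue_id": "ue-b", "cell_id": "cell-1", "msg": "RRCSetupRequest"},
    {"id": 2, "ue_id": "ue-b", "cell_id": "cell-1", "msg": "RRCSetupRequest"},
    {"id": 3, "ue_id": "ue-b", "cell_id": "cell-1", "msg": "Data"},
    {"id": 4, "ue_id": "ue-a", "cell_id": "cell-1", "msg": "RRCSetupRequest"},
]


def should_respond(alerts, alert, min_frequency=3):
    """Step S31: respond when the UE keeps triggering alerts or the impact is serious."""
    frequency = sum(a["ue_id"] == alert["ue_id"] for a in alerts)
    return frequency >= min_frequency or alert["impact"] in SERIOUS_IMPACT


def create_policy(alert, countermeasure):
    """Step S32: countermeasure control policy as JSON.

    countermeasure is "block" or {"steer_to": <security analysis device>}."""
    return json.dumps({
        "attack_type": alert["attack_type"],
        "signaling_sequence": alert["signaling"],
        "source": {"ue_id": alert["ue_id"], "cell_id": alert["cell_id"], "bearer": alert["bearer"]},
        "destination": {"network": "access-network", "impact": alert["impact"]},
        "countermeasure": countermeasure,
    })


def build_filter(policy_json):
    """Step S33: derive the match condition and the action from the policy."""
    p = json.loads(policy_json)
    return {
        "match": {"ue_id": p["source"]["ue_id"], "cell_id": p["source"]["cell_id"],
                  "msg": p["signaling_sequence"]},
        "action": p["countermeasure"],
    }


def apply_filter(flt, packets):
    """Steps S34/S35: classify each packet; unmatched packets are forwarded untouched."""
    result = {"forwarded": [], "blocked": [], "steered": []}
    for pkt in packets:
        if all(pkt.get(k) == v for k, v in flt["match"].items()):
            if flt["action"] == "block":
                result["blocked"].append(pkt)
            else:
                result["steered"].append({**pkt, "steer_to": flt["action"]["steer_to"]})
        else:
            result["forwarded"].append(pkt)
    return result


if __name__ == "__main__":
    for alert in ALERTS:
        if should_respond(ALERTS, alert):
            flt = build_filter(create_policy(alert, "block"))
            print(alert["ue_id"], {k: [p["id"] for p in v] for k, v in apply_filter(flt, PACKETS).items()})
```

With the sample data, the three repeated alerts for ue-b trigger a response by frequency, the single alert for ue-z by impact, and the single low-impact alert for ue-q does not; the filter built for ue-b blocks only its RRCSetupRequest packets and forwards its data packet and ue-a's traffic.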
- in this way, an FPGA board equipped with a NIC (hardware accelerator 10) is connected to the access network communication device 30, and attack detection and attack response processing are executed inline on the FPGA board, achieving low latency and reduced consumption of the resources of the communication device.
- the NIC-equipped FPGA board is, for example, an FPGA SmartNIC, and can be connected to a communication device (access network communication device 30) built on a general-purpose IA (Intel Architecture) server using an expansion interface such as PCIe.
- FIG. 5 is a diagram showing the overall configuration of a detection response control system 1000A according to a modification of the present embodiment.
- the access network communication device 30A includes a security processing unit 100 (for example, configured with FPGA SmartNIC) of the hardware accelerator 10.
- each function of the security processing unit 100 (data acquisition unit 110, data preprocessing unit 120, attack detection unit 130, detection alert notification unit 140, countermeasure execution unit 150) is the same as the corresponding function of the security processing unit 100 shown in FIG.
- the access network communication device 30A transfers the input communication data to the connected FPGA board (hardware accelerator 10).
- the FPGA board (hardware accelerator 10) feeds the input communication data to its built-in user logic and uses this user logic to detect attacks and take countermeasures against them, so that attack detection and attack countermeasures are executed inline without going through the CPU of the access network communication device 30A. As a result, the access network communication device 30A does not need to perform attack detection or attack countermeasure processing itself, which reduces delay time and resource consumption.
- the contents and processing flow of each function within the security processing unit 100 are the same as those of the detection response control system 1000 according to the present embodiment, so a description thereof will be omitted.
- the controller 20 of the detection and response control system 1000 is realized by, for example, a computer 900 configured as shown in FIG.
- FIG. 6 is a hardware configuration diagram showing an example of a computer 900 that implements the functions of the controller 20 according to the present embodiment.
- The computer 900 includes a CPU (Central Processing Unit) 901, a ROM (Read Only Memory) 902, a RAM (Random Access Memory) 903, an HDD (Hard Disk Drive) 904, an input/output I/F (Interface) 905, a communication I/F 906, and a media I/F 907.
- the CPU 901 operates based on a program stored in the ROM 902 or the HDD 904, and performs control by the control unit (learning unit 210, learning model transmitting unit 220, response determining unit 230).
- the ROM 902 stores a boot program executed by the CPU 901 when the computer 900 is started, programs related to the hardware of the computer 900, and the like.
- the CPU 901 controls an input device 910 such as a mouse or a keyboard, and an output device 911 such as a display or printer via an input/output I/F 905.
- the CPU 901 acquires data from the input device 910 via the input/output I/F 905 and outputs the generated data to the output device 911.
- A GPU (Graphics Processing Unit) or the like may be used as the processor in addition to the CPU 901.
- the HDD 904 stores programs executed by the CPU 901 and data used by the programs.
- The communication I/F 906 receives data from other devices via a communication network (for example, NW (Network) 920) and outputs it to the CPU 901, and sends data generated by the CPU 901 to other devices via the communication network.
- the media I/F 907 reads the program or data stored in the recording medium 912 and outputs it to the CPU 901 via the RAM 903.
- the CPU 901 loads a program related to target processing from the recording medium 912 onto the RAM 903 via the media I/F 907, and executes the loaded program.
- the recording medium 912 is an optical recording medium such as a DVD (Digital Versatile Disc) or a PD (Phase change rewritable disk), a magneto-optical recording medium such as an MO (Magneto Optical disk), a magnetic recording medium, a semiconductor memory, or the like.
- The CPU 901 of the computer 900 realizes the functions of the controller 20 by executing a program loaded onto the RAM 903; data in the RAM 903 is stored in the HDD 904.
- The CPU 901 reads the program for the target processing from the recording medium 912 and executes it, or may read that program from another device via the communication network (NW 920).
- As described above, the detection and response control system 1000 according to the present embodiment comprises a controller 20 that performs network control in an access network, and a hardware accelerator 10 connected to both the controller 20 and a communication device of the access network (access network communication device 30), and detects and responds to attacks. The hardware accelerator 10 comprises: a data acquisition unit 110 that acquires communication data from the communication device; a data preprocessing unit 120 that extracts from the acquired communication data the predetermined data needed for attack detection, applies statistical processing to it, and sends the preprocessed data to the controller 20; an attack detection unit 130 that acquires from the controller 20 a learning model for detecting attacks from communication data and uses it to determine inline whether the communication data acquired by the data acquisition unit 110 is an attack; a detection alert notification unit 140 that generates a detection alert containing detection information (including the reason for detection) for the communication data judged to be an attack together with network information about that communication data, and sends it to the controller 20; and a countermeasure execution unit 150 that executes countermeasures inline against the communication data acquired by the data acquisition unit 110, based on a countermeasure control policy, received from the controller 20, that contains the information needed to counter the attack.
- The controller 20 comprises: a learning unit 210 that acquires the preprocessed data and generates the learning model for detecting attacks from communication data; and a countermeasure determining unit 230 that uses the received detection alert to determine whether an attack countermeasure is necessary and, if so, creates a countermeasure control policy containing the attack type and countermeasure method and sends it to the hardware accelerator 10.
- Because the hardware accelerator 10 and the controller 20 separate the functions of learning, attack detection, and attack response between them, the delay time of attack detection and attack response is reduced, and the resources used by the communication device (access network communication device 30) can be reduced.
- Because the detection and response control system 1000 can detect and respond to attacks with low latency and low resource use, it can analyze data, detect attacks, and respond to attacks in real time even in networks with strict latency requirements, enabling secure network operation.
- By functionally separating the security-related functions of learning, attack detection, and attack response between the hardware accelerator 10 and the controller 20, the detection and response control system 1000 reduces the load on the communication device (access network communication device 30), so security functions can be introduced without affecting services through added delay.
- The detection response control system 1000 can also switch which specific processing is offloaded and share the security functions with other functions, improving resource usage and power efficiency compared with conventional operation.
- The learning unit 210 of the controller 20 relearns the learning model using preprocessed data acquired at predetermined time intervals together with information on the detection alerts that required an attack response, and sends the relearned learning model to the hardware accelerator 10; the attack detection unit 130 of the hardware accelerator 10 then updates its own learning model with the relearned one.
- In this way the detection response control system 1000 can update the learning model according to the communication situation and perform more appropriate attack detection.
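The functional split summarized above (units 110 to 150 on the hardware accelerator, units 210 and 230 on the controller, and the relearning loop) as an added host-side simulation. This is example code written for this page, not code from the patent or its applicant: the feature set, the z-score baseline model, the attack-type rules in the countermeasure determination step, the record format and the sample traffic are all assumptions constructed for the example. In a real deployment the accelerator-side functions would run in FPGA user logic and the model and policy would cross a PCIe or management interface; here both sides are plain Python functions exchanging dictionaries.

```python
"""Added example (not code from the patent): host-side simulation of the
accelerator/controller functional split. Feature set, z-score baseline,
attack-type rules, record format and sample traffic are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

FEATURES = ("pkts", "bytes", "distinct_dports")   # assumed feature set


# --- hardware accelerator 10 side ------------------------------------------
def preprocess(records):
    """Data preprocessing unit 120: aggregate acquired records per source
    address into the per-window statistics the model consumes."""
    per_src = defaultdict(lambda: {"pkts": 0, "bytes": 0, "dports": set(), "dst": None})
    for r in records:
        s = per_src[r["src"]]
        s["pkts"] += 1
        s["bytes"] += r["bytes"]
        s["dports"].add(r["dport"])
        s["dst"] = r["dst"]
    return {src: {"pkts": s["pkts"], "bytes": s["bytes"],
                  "distinct_dports": len(s["dports"]), "dst": s["dst"]}
            for src, s in per_src.items()}


def detect(model, src, stats, z_limit=3.0):
    """Attack detection unit 130 + alert notification unit 140: inline
    decision against the controller's model. Returns None for benign
    traffic, otherwise an alert with the detection reason and network info."""
    reasons = []
    for f in FEATURES:
        mu, sigma = model[f]
        z = (stats[f] - mu) / sigma
        if z > z_limit:
            reasons.append(f"{f}={stats[f]} is {z:.1f} sigma above learned mean {mu:.1f}")
    if not reasons:
        return None
    return {"src": src, "dst": stats["dst"], "reason": reasons, "stats": stats}


def enforce(policies, records):
    """Countermeasure execution unit 150: apply policies inline to the
    acquired records. Only a drop-by-source action is modelled."""
    blocked = {p["match_src"] for p in policies if p["action"] == "drop"}
    return [r for r in records if r["src"] not in blocked]


# --- controller 20 side -----------------------------------------------------
def learn(preprocessed, exclude=()):
    """Learning unit 210: fit a per-feature (mean, std) baseline. Sources in
    `exclude` (alerts that required a response) are left out on relearning so
    the attack traffic is not absorbed into the baseline."""
    rows = [s for src, s in preprocessed.items() if src not in exclude]
    model = {}
    for f in FEATURES:
        vals = [row[f] for row in rows]
        sigma = pstdev(vals) if len(vals) > 1 else 0.0
        model[f] = (mean(vals), max(sigma, 1.0))   # floor keeps a flat baseline usable
    return model


def decide(alert):
    """Countermeasure determining unit 230: decide whether a response is
    needed and build the countermeasure control policy (attack type and
    method). The type rules are assumptions for this example."""
    text = " ".join(alert["reason"])
    if "distinct_dports" in text:
        return {"attack_type": "port_scan", "action": "drop", "match_src": alert["src"]}
    if "pkts" in text or "bytes" in text:
        return {"attack_type": "flood", "action": "drop", "match_src": alert["src"]}
    return None    # alert is recorded but needs no countermeasure


# --- constructed traffic: 20 clients; an attacker sweeps 300 ports in window 2
def make_window(with_attacker):
    recs = [{"src": f"10.0.0.{i}", "dst": "192.0.2.10", "dport": 443, "bytes": 600}
            for i in range(1, 21) for _ in range(3 + i % 3)]
    if with_attacker:
        recs += [{"src": "198.51.100.7", "dst": "192.0.2.10", "dport": p, "bytes": 60}
                 for p in range(1, 301)]
    return recs


def run():
    """One detection/response cycle followed by relearning."""
    model = learn(preprocess(make_window(False)))       # initial model from a clean window
    window = make_window(True)
    alerts, policies = [], []
    for src, stats in preprocess(window).items():
        alert = detect(model, src, stats)
        if alert:
            alerts.append(alert)
            policy = decide(alert)
            if policy:
                policies.append(policy)
    dropped = len(window) - len(enforce(policies, window))
    # relearn on the new window, excluding sources whose alerts required a response
    model = learn(preprocess(window), exclude={p["match_src"] for p in policies})
    return alerts, policies, dropped, model


if __name__ == "__main__":
    alerts, policies, dropped, model = run()
    for a in alerts:
        print("ALERT", a["src"], "->", a["dst"], "; ".join(a["reason"]))
    print("policies:", policies, "| dropped:", dropped)
```

The point the split makes is visible in `run()`: the accelerator never trains, it only applies the model and the policy it was handed, while the controller never sees raw packets, only the preprocessed statistics and the alerts. The `exclude` argument on relearning is the practitioner's caveat: if the controller retrains on windows that still contain the attacker's traffic, the baseline drifts toward the attack and the next scan from the same source is no longer anomalous.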
- The detection and response control system 1000A according to the modification comprises a controller 20 that performs network control in an access network, and a communication device of the access network (access network communication device 30A) that is equipped with a hardware accelerator 10 connected to the controller 20, and detects and responds to cyber attacks. The hardware accelerator 10 comprises: a data acquisition unit 110 that acquires the communication data input to the communication device (access network communication device 30A); a data preprocessing unit 120 that extracts from that communication data the predetermined data needed for attack detection, applies statistical processing, and sends the preprocessed data to the controller 20; an attack detection unit 130 that acquires from the controller 20 a learning model for detecting attacks and uses it to determine inline whether the communication data acquired by the data acquisition unit 110 is an attack; a detection alert notification unit 140 that generates a detection alert containing detection information (including the reason for detection) for the communication data judged to be an attack together with network information about that communication data, and sends it to the controller 20; and a countermeasure execution unit 150 that executes attack countermeasures inline against the communication data acquired by the data acquisition unit 110, based on a countermeasure control policy, received from the controller 20, that contains the information needed to counter the attack.
- The controller 20 comprises: a learning unit 210 that acquires the preprocessed data and generates the learning model for detecting attacks from communication data; and a countermeasure determination unit 230 that uses the received detection alert to determine whether an attack response is necessary and, if so, creates a countermeasure control policy containing the attack type and response method and sends it to the hardware accelerator 10.
- In this configuration the hardware accelerator 10 installed in the communication device (access network communication device 30A) and the controller 20 separate the functions of learning, attack detection, and attack response between them, so the delay time of attack detection and attack response is reduced, as are the resources used by the communication device. Because the detection and response control system 1000A can detect and respond to attacks with low latency and low resource use, it can analyze data, detect attacks, and respond to attacks in real time even in networks with strict latency requirements, enabling secure network operation.
- Further, in the detection response control system 1000A the communication data input to the communication device (access network communication device 30A) is transferred to the hardware accelerator 10, so attack detection and attack countermeasures can be performed inline without going through the CPU of the server that constitutes the communication device.
- The communication device therefore does not need to perform attack detection or attack countermeasure operations, and the delay time and resources used in the communication device can be reduced.
- The hardware accelerator according to the present invention is a hardware accelerator 10 that is connected to a controller 20 performing network control in an access network and to a communication device of that access network (access network communication device 30). It comprises: a data acquisition unit 110 that acquires communication data from the communication device; a data preprocessing unit 120 that extracts from the acquired communication data the predetermined data needed for attack detection, applies statistical processing, and sends the preprocessed data to the controller 20; an attack detection unit 130 that acquires from the controller 20 a learning model for detecting attacks from communication data and uses it to determine inline whether the communication data acquired by the data acquisition unit 110 is an attack; a detection alert notification unit 140 that generates a detection alert containing detection information (including the reason for detection) for the communication data judged to be an attack together with network information about that communication data, and sends it to the controller 20; and a countermeasure execution unit 150 that executes countermeasures inline against attacks on the communication data acquired by the data acquisition unit 110, based on a countermeasure control policy, received from the controller 20, that contains the information needed to counter the attack.
- With this configuration the hardware accelerator 10 separates the functions of learning, attack detection, and attack response with the controller 20: it performs attack detection using the learning model acquired from the controller 20 and executes attack countermeasures based on the countermeasure control policy acquired from the controller 20. As a result, the delay time of attack detection and attack response can be reduced, and the resources used by the communication device (access network communication device 30) can be reduced.
- The controller according to the present invention is a controller 20 that is communicatively connected to a hardware accelerator 10 attached to a communication device of an access network (access network communication device 30). It comprises: a learning unit 210 that acquires from the hardware accelerator 10 communication data that has been preprocessed by extracting the predetermined information needed for attack detection and applying statistical processing, and generates a learning model for detecting attacks from communication data; and a countermeasure determination unit 230 that acquires from the hardware accelerator 10 a detection alert for communication data in which an attack was detected using that learning model, uses the detection alert to determine whether an attack response is necessary and, if so, creates a countermeasure control policy containing the attack type and response method and sends it to the hardware accelerator 10.
- With this configuration the controller 20 separates the functions of learning, attack detection, and attack response with the hardware accelerator 10, generating the learning model for detecting attacks and the countermeasure control policy. As a result, the delay time of attack detection and attack response can be reduced, and the resources used by the communication device (access network communication device 30) can be reduced.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Priority Applications (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US18/870,124 US20250322066A1 (en) | 2022-06-01 | 2022-06-01 | Detection and response control system, detection and response control method, hardware accelerator, controller, and program |
| JP2024524071A JPWO2023233580A1 | 2022-06-01 | 2022-06-01 | |
| PCT/JP2022/022305 WO2023233580A1 (ja) | 2022-06-01 | 2022-06-01 | Detection and response control system, detection and response control method, hardware accelerator, controller, and program |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/JP2022/022305 WO2023233580A1 (ja) | 2022-06-01 | 2022-06-01 | Detection and response control system, detection and response control method, hardware accelerator, controller, and program |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2023233580A1 true WO2023233580A1 (ja) | 2023-12-07 |
Family
ID=89026055
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/JP2022/022305 Ceased WO2023233580A1 (ja) | Detection and response control system, detection and response control method, hardware accelerator, controller, and program | 2022-06-01 | 2022-06-01 |
Country Status (3)
| Country | Link |
|---|---|
| US (1) | US20250322066A1 |
| JP (1) | JPWO2023233580A1 |
| WO (1) | WO2023233580A1 |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| FR3077175A1 (fr) * | 2018-01-19 | 2019-07-26 | Orange | Technique for determining a key intended to secure a communication between a user equipment and an application server |
| CN110120928A (zh) * | 2018-02-05 | 2019-08-13 | 北京智明星通科技股份有限公司 | Identity authentication method, apparatus, server and computer-readable medium |
| US11910197B2 (en) * | 2018-09-07 | 2024-02-20 | Huawei Technologies Co., Ltd. | Service processing method and device |
2022
- 2022-06-01 JP JP2024524071A patent/JPWO2023233580A1/ja active Pending
- 2022-06-01 US US18/870,124 patent/US20250322066A1/en active Pending
- 2022-06-01 WO PCT/JP2022/022305 patent/WO2023233580A1/ja not_active Ceased
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2008507010A (ja) * | 2004-06-25 | 2008-03-06 | Teros, Inc. | Server state inference in a stateless communication protocol |
| WO2015107862A1 (ja) * | 2014-01-14 | 2015-07-23 | PFU Limited | Information processing device, method and program |
| WO2015107861A1 (ja) * | 2014-01-14 | 2015-07-23 | PFU Limited | Information processing device, unauthorized activity determination method and unauthorized activity determination program, and information processing device, activity determination method and activity determination program |
| JP2019535068A (ja) * | 2016-09-16 | 2019-12-05 | Oracle International Corporation | Dynamic policy deployment and access visualization for threat detection |
| JP2018194880A (ja) * | 2017-05-12 | 2018-12-06 | PFU Limited | Information processing device, unauthorized activity classification method and unauthorized activity classification program |
Also Published As
| Publication number | Publication date |
|---|---|
| US20250322066A1 (en) | 2025-10-16 |
| JPWO2023233580A1 | 2023-12-07 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 22944865; Country of ref document: EP; Kind code of ref document: A1 |
| | WWE | Wipo information: entry into national phase | Ref document number: 2024524071; Country of ref document: JP |
| | WWE | Wipo information: entry into national phase | Ref document number: 18870124; Country of ref document: US |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 22944865; Country of ref document: EP; Kind code of ref document: A1 |
| | WWP | Wipo information: published in national office | Ref document number: 18870124; Country of ref document: US |