Patent abstract:
Intrusion detection method and system. An intrusion detection method to detect an intrusion in data traffic on a data communication network, the method comprising: analyzing data traffic to extract at least one protocol field from a protocol message in the data traffic; associating the extracted protocol field with a model for that protocol field, the model being selected from a set of models; evaluating whether the contents of the extracted protocol field are in a safe region as defined by the models; and generating an intrusion detection signal if it is established that the contents of the extracted protocol field are outside the safe region. The set of models may comprise a respective model for each protocol field in a set of protocol fields.
Publication number: BR112014001691A2
Application number: R112014001691-7
Filing date: 2012-07-26
Publication date: 2020-10-27
Inventor: Emmanuele Zambon
Applicant: Security Matters B.V.
IPC main classification:
Patent description:

[0002] In many data communication networks, detection systems are implemented to detect malicious intrusions. Such intrusions include data from hackers or infected computers that can affect the functioning of servers, computers or other equipment.
[0003] There are two main types of such intrusion detection systems: signature-based and anomaly-based intrusion detection systems.
[0004] A basic signature-based intrusion detection system (SBS) is based on pattern-matching techniques. The system contains a database of signatures, i.e. strings of data that are known from past attacks. These signatures are matched against the data under test. When a match is found, an alert is triggered. The signature database needs to be updated by experts after a new attack has been identified.
[0005] In contrast, an anomaly-based intrusion detection system (ABS) first builds a statistical model describing normal network traffic during a so-called "learning phase". Then, during a so-called "test phase", the system analyzes the data and classifies any traffic or action that deviates significantly from the models as an attack. The advantage of an anomaly-based system is that it can detect zero-day attacks, i.e. attacks that have not yet been identified as such by experts. To detect most attacks, ABSs need to inspect the network traffic payload. Existing models are based on n-gram analysis, which is applied either to the (raw) packet payload or to portions of it.
[0006] However, in some data communication networks, malicious data is very similar to legitimate data. This may be the case in a so-called SCADA (Supervisory Control and Data Acquisition) network or another industrial control network. In a SCADA or other industrial control network, network protocol messages are exchanged between computers, servers and other equipment in an application layer of a data communication network. These protocol messages can comprise instructions for controlling machines. A protocol message with a malicious instruction ("set rotational speed to 100 rpm") can be very similar to a legitimate instruction ("set rotational speed to 10 rpm").
[0007] When malicious data is very similar to legitimate data, the malicious data can be classified as normal or legitimate data by the anomaly-based intrusion detection system, which could endanger the functioning of computers, servers and other equipment in a network.
Summary of the Invention
[0008] An object of the invention may be to provide an improved intrusion detection system and/or method.
[0009] According to one aspect of the invention, an intrusion detection method is provided to detect an intrusion in data traffic on a data communication network, the method comprising: - analyzing data traffic to extract at least one protocol field from a protocol message in the data traffic; - associating the extracted protocol field with a respective model for that protocol field, the model being selected from a set of models; - evaluating whether the contents of the extracted protocol field are in a safe region as defined by the models; and - generating an intrusion detection signal if it is established that the contents of the extracted protocol field are outside the safe region.
[00010] Analyzing the data traffic makes it possible to distinguish the individual fields of the protocol (referred to as "protocol fields") according to which data communication over the data network occurs. An association is then made (if successful) between the field (the "protocol field") and a model. For this purpose, a set of models is provided. A suitable model for the extracted protocol field is selected, as will be explained in more detail below. The protocol field is then evaluated using the model in order to establish whether or not the contents of the protocol field are within an acceptable, safe, normal range. If they are not, an appropriate action can be taken. By analyzing the protocol message, the individual protocol fields of the data traffic can be distinguished, and a suitable model for evaluating that particular protocol field can be selected. Thereby an appropriate assessment can be made, since different protocol fields can be evaluated by applying different models, for example applying to each protocol field a respective model that is suitable for that specific protocol field, for example a model that is appropriate to the type and/or contents of the protocol field. The intrusion detection method according to the invention can be a computer-implemented intrusion detection method. The analyzer (i.e. the analysis) can make use of a predefined protocol specification. In addition, for example in the case that the protocol is unknown, the protocol can be learned by monitoring the data traffic on a network and deriving a protocol specification from it.
[00011] In the context of this document, the term protocol can be understood as a set of rules that define the content of some or all messages transmitted via the data network. A network protocol can comprise a definition of protocol messages, also known as Protocol Data Units (PDUs). A protocol message (PDU) can in turn comprise one or more fields. There can be many types of field. A field can comprise either another PDU or an "atomic" data entity (for example, a number, a string, or an opaque binary object). As will be described in more detail below, the network protocol can be organized as a tree, in which the nodes are PDUs and the leaves are atomic data entities (fields). For each field (or each relevant field) a separate model can be provided. As an example, assume that a protocol message comprises a person's personal data (comprising, for example, name, address and personal settings): a protocol message that transmits personal data could then comprise the fields "name", "address" and "personal settings". The "name" field could, for example, in turn comprise the fields "surname", "given name", "record name", etc. The "address" field could, for example, comprise the "home address" and "business address" fields. The "home address" field can, for example, comprise "home address street", "home address number", "home address postal code" and "home address city", while "business address" can, for example, comprise the fields "business address street", "business address number", "business address code", "business address city", etc. A separate model can be built for each field. For example a respective
[00013] The term intrusion can be understood to comprise any data that may be unwanted, possibly harmful to a computer system that receives the data, possibly harmful to an application running on a computer system connected to the data network, or possibly harmful to the operation of a device, installation, appliance, etc. connected to the data network.
[00014] In one embodiment, the set of models comprises a respective model for each protocol field in a set of protocol fields. Thereby, more accurate results can be obtained, since for each protocol field a model specifically suited to that protocol field can be applied.
[00015] In one embodiment, the set of models comprises two models for a protocol field, a specific one of the two models being chosen based on the value of another field, in order to possibly further increase the accuracy of the models.
[00016] Similarly, a time-sequence analysis of the protocol field can be performed in an embodiment in which the set of models comprises at least two models for a protocol field, a first model of the two being associated with a first time slot in which data traffic is observed, and a second model being associated with a second time slot in which data traffic is observed, the second time slot for example not overlapping the first.
[00017] In one embodiment, the model for the field is determined in a learning phase, the learning phase comprising: - analyzing data traffic to extract at least one protocol field of the protocol applied to the data traffic; - associating the extracted protocol field with the model for that protocol field, the model being selected from the set of models; and - updating the model for the extracted protocol field using the contents of the extracted protocol field.
[00018] Therefore, data traffic can be observed in a learning phase, and the contents of the extracted protocol field can be applied to update the corresponding models with which the protocol fields are associated. If no association can be made between the extracted protocol field and one of the models, a new model can be created for the extracted protocol field and added to the set of models.
[00019] Thus, two phases can be distinguished: a learning phase in which a model of protocol messages is built. These protocol messages in the learning phase can be built on the basis of a communication protocol or can be retrieved from data traffic on a data communication network.
[00020] Since protocol messages can be described by their structure and by the values of their protocol fields, the model can be related to the protocol fields in the learning phase and to their values. Different protocol fields in the learning phase can have different data types, i.e. a value can be a number (such as an integer, a floating point number, etc.), a string, a Boolean or a binary value. This can be defined by the communication protocol. The model can be constructed according to the data type of at least one protocol field.
[00021] The determined protocol field and/or the determined value of that protocol field are compared with the model and classified on the basis of the comparison. The protocol message can be classified as an anomaly, i.e. outside the safe region defined by the model (and thus a possible danger), on the basis of the comparison.
[00022] In the learning phase, the protocol messages that are applied to learn the model can be obtained from data traffic on a network. Alternatively, or in addition, simulation data can be applied. In the learning phase, possibly intrusive protocol messages can be distinguished by methods
[00023] Alternatives for learning (i.e. training) the model(s), other than the learning phase described above, can be applied. For example, a model can be derived from inspection of the protocol and application, creating a set of expected protocol messages, their fields and/or their field values, and building the models, or a set of models, from these. In addition, a combination of such building of model(s) from inspection with model learning can be applied: for example, first learning the model(s) in a learning phase, and then adapting the learned model(s) based on knowledge of known behavior and consequences and/or the contents of the protocol messages, their fields and/or the values of the fields.
[00024] In one embodiment, the intrusion detection signal is further generated when the analysis cannot establish the field as being consistent with the protocol, such that an action can also be performed in the case that a field that is not consistent with the protocol (for example, a malformed protocol message) is detected.
[00025] In one embodiment, the intrusion detection signal is further generated when the extracted field cannot be associated with any of the models in the model set, such that an action can also be performed in the case that the extracted field possibly matches the protocol, but no suitable model is provided for it. Often, only a subset of the possible protocol fields is used, for example in control applications, which allows, for example, an alert to be triggered when a protocol field that matches the protocol but is not normally applied has been retrieved.
[00027] Communication between software can follow a specific communication protocol, in which the structure and possible values of (parts of) the protocol messages are defined. The structure of a protocol message can be further described by the protocol fields in the protocol messages. The software may not be able to process protocol messages that do not conform to the communication protocol.
[00028] In one embodiment, in response to generating the intrusion detection signal, the method further comprises at least one of: - removing the protocol field or a data packet containing the protocol field; and - generating and issuing an intrusion alert message. Any other intrusion detection step can be applied, such as, for example,
[00030] In one embodiment, the model for the protocol field comprises a definition of acceptable letters, digits, symbols, and texts. In the case that the protocol field comprises a character or a sequence of characters, a simple model can thus be provided, which can allow testing the protocol field at a low data processing load.
[00031] In one embodiment, the model for the protocol field comprises a set of predefined intrusion signatures, such that knowledge about known attacks can be taken into account. A combination of a model as described above (comprising, for example, a set of acceptable protocol field values, a definition of a range of acceptable protocol field values, or a definition of acceptable letters, digits, symbols, and texts) with the predefined set of intrusion signatures can be highly effective, since for each specific field a model of its normal contents can be applied in combination with one or more intrusion signatures specific to that field.
[00032] In one embodiment, the protocol comprises primitive protocol fields and compound protocol fields, the compound protocol fields in turn comprising at least one primitive protocol field, wherein a respective model is provided in the set of models for each primitive protocol field. Therefore, efficient intrusion detection can be provided, as compound protocol fields (i.e. protocol fields that themselves comprise protocol fields, such as "address" comprising "street name", "number", "postal code" and "city") can be broken down into their elementary (primitive) protocol fields, allowing a suitable model to be applied to each of the primitive protocol fields.
[00033] Since the model for at least one protocol field in the learning phase and/or the value of at least one protocol field in the learning phase can be constructed according to the data type of that protocol field, the model may be more accurate in describing normal, legitimate or non-intrusive protocol messages than a model that does not take the data type of the protocol fields into account.
[00034] It may be the case that a model optimized for describing a protocol field with a number data type is less accurate in (or not applicable for) describing a protocol field with a binary or string data type. Likewise, a model optimized for describing a protocol field with a string data type may be less accurate in describing a protocol field with a number or binary data type. Therefore, the accuracy of the model can be improved by taking the data type of the protocol field into account when building the models.
[00035] In one embodiment, a plurality of model types is provided, a model type for the extracted protocol field being selected in the learning phase from the plurality of model types on the basis of a characteristic of the extracted protocol field, and the model for the extracted protocol field being built on the basis of the selected model type.
[00038] The selection of the model type can be made using the data type of the value(s) of the protocol field and/or the semantics of the analyzed protocol field(s). In one embodiment, the protocol field characteristic comprises the data type of the protocol field, the method comprising: - determining the data type of the extracted protocol field, and - selecting the model type using the determined data type.
[00039] The data type of the protocol field values (such as "number", "string", "array", "set", etc.) can, for example, be extracted from the protocol specification. Alternatively, the data type of the values in the protocol field can, for example, be inferred from observation of the network traffic. In one embodiment, field value types are inferred using regular expressions. For example, the regular expression [0-9]+$ can be used to identify numeric integer field values. By choosing an appropriate model type to match the data type of the protocol field values, a model that can result in more reliable detection results can be obtained.
[00040] The selection of the model type can further, or instead of being based on the data type of the protocol field value, be based on the semantics of the analyzed protocol field. So, in one embodiment, the characteristic of the protocol field comprises the semantics of the protocol field, the method comprising: - determining the semantics of the extracted protocol field, and - selecting the model type using the determined semantics.
[00041] Semantics can be attributed to the analyzed protocol field. Assigning semantics can be done in a variety of ways: manually during the learning phase, by inferring from the observed network data, by extracting information from a protocol specification, etc. Semantics can be applied to select a more appropriate model type, for example in the case that multiple model types are available for a given type of protocol field value. For example, for a protocol field value of numeric type, use may be made of a model type containing a range of such protocol field values, a model type containing a set of protocol field values, etc. Taking semantics into account, preferably taking into account both the type of the protocol field value and its semantics, may allow a model type to be assigned that is more suitable for that particular protocol field.
[00042] An example of the use of semantics is to determine how "strict" a numeric range is based on the importance of the field. In other words, if the semantics of the protocol field suggest that this field is important for security reasons, a stricter numeric range can be applied than in the opposite case, in which a looser range (e.g. twice the maximum value and half the minimum value observed during the learning phase) would be applied.
[00043] By assigning a model type to a protocol field according to the type of the protocol field value and/or the semantics of the protocol field, a model type can be assigned that takes into account the data contents of the protocol field, thus making it possible to adapt the model to the contents of the protocol field. For example, if the field type is a numeric integer and the semantics is that this field contains the length of another field, a distribution model of the numeric type can be selected. On the other hand, if the field type is a numeric integer and the field semantics is a message type, then a set model of the numeric type can be selected. As a third example, if the field type is a numeric integer and the field semantics is a motor speed, then a model of the strict numeric range type can be applied.
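The model selection by data type and semantics described in paragraphs [00038] to [00043], together with the learning and detection phases of [00017] and [00021], as an added example that is not part of the patent text or of any product of the applicant. Field names, semantics labels and the sample messages are constructed; a loose numeric range stands in for the distribution model the description names for length fields.

```python
import re

# The regular expression from the description; re.match anchors it at the start.
INT_RE = re.compile(r"[0-9]+$")


def infer_type(value: str) -> str:
    """Infer the data type of a field value observed as text."""
    return "int" if INT_RE.match(value) else "string"


class NumericSetModel:
    """Safe region: exactly the values observed in the learning phase."""
    def __init__(self):
        self.values = set()
    def learn(self, value: str) -> None:
        self.values.add(int(value))
    def is_safe(self, value: str) -> bool:
        return infer_type(value) == "int" and int(value) in self.values


class NumericRangeModel:
    """Safe region: [min, max] of learned values. The loose variant widens it
    to half the observed minimum and twice the observed maximum."""
    def __init__(self, strict: bool = True):
        self.strict, self.lo, self.hi = strict, None, None
    def learn(self, value: str) -> None:
        v = int(value)
        self.lo = v if self.lo is None else min(self.lo, v)
        self.hi = v if self.hi is None else max(self.hi, v)
    def is_safe(self, value: str) -> bool:
        if infer_type(value) != "int" or self.lo is None:
            return False   # wrong type, or nothing learned: not in the safe region
        lo, hi = (self.lo, self.hi) if self.strict else (self.lo // 2, self.hi * 2)
        return lo <= int(value) <= hi


class CharsetModel:
    """Safe region: only the letters, digits and symbols seen while learning."""
    def __init__(self):
        self.chars = set()
    def learn(self, value: str) -> None:
        self.chars.update(value)
    def is_safe(self, value: str) -> bool:
        return set(value) <= self.chars


def select_model(data_type: str, semantics: str):
    """Choose a model type from the field's data type and (assumed) semantics label."""
    if data_type != "int":
        return CharsetModel()
    if semantics == "message_type":     # operator-like field: exact set of codes
        return NumericSetModel()
    if semantics == "motor_speed":      # security relevant: strict range
        return NumericRangeModel(strict=True)
    # "length" and any other numeric field: loose range, standing in for the
    # distribution model named in the description.
    return NumericRangeModel(strict=False)


class FieldIDS:
    """Per-field models: learn from parsed messages, then flag unsafe fields.
    Learning data is assumed to be consistent in type per field."""
    def __init__(self, semantics: dict):
        self.semantics = semantics   # field name -> semantics label
        self.models = {}

    def learn(self, message: dict) -> None:
        for name, value in message.items():
            if name not in self.models:   # first sight of a field: pick a model type
                self.models[name] = select_model(infer_type(value),
                                                 self.semantics.get(name, ""))
            self.models[name].learn(value)

    def detect(self, message: dict) -> list:
        """Return one alert per field outside its safe region or without a model."""
        alerts = []
        for name, value in message.items():
            model = self.models.get(name)
            if model is None:   # field matches the protocol but was never modelled
                alerts.append(f"{name}: no model for this field")
            elif not model.is_safe(value):
                alerts.append(f"{name}: value {value!r} outside safe region")
        return alerts
```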
[00044] In one embodiment, the set of models comprises a model for an operator protocol field and a model for an argument protocol field, the association and evaluation being carried out for both the operator protocol field and the argument protocol field. A protocol can comprise protocol fields containing operators (such as instructions, calls, etc.) and protocol fields containing operands (i.e. arguments) to which the operators apply. It is noted that, according to one embodiment of the invention, a respective model can be associated with protocol fields comprising operators as well as with protocol fields comprising arguments. Thereby, not only intrusive values of arguments but also possibly intrusive operators can be recognized. In addition, taking the operator into account allows a more appropriate model type to be assigned, thus allowing the model to improve intrusion detection accuracy, as an operator will normally be followed by one or more arguments of certain predetermined types.
[00045] In addition, a protocol message can be understood as the specification of an operation to be performed on the receiving host(s) as required by the sending host. Consequently, a protocol message may comprise operator fields (i.e. the specification of which operation is required), argument fields (i.e. the specification of how an operation is to be performed) and marshalling fields (i.e. fields that are not directly related to the required operation, but contain a parameter required by the hosts to correctly receive and interpret a message or, more generally, to handle a network communication). Marshalling can be understood as the process of transforming an object's memory representation into a data format suitable for storage or transmission, and it is typically used when data needs to be moved between different parts of a computer program or from one program to another.
[00046] For example, an HTTP request contains a method field (e.g. GET, POST, PUT, etc.) specifying the operator, the URL field, which contains the arguments for the method (e.g. /index.php?id=3), and a number of header fields (e.g. Content-length: 100) that contain information that is not related to the operation itself but is used by the hosts to communicate (e.g. the header Content-length: 100 specifies that the request message body is 100 bytes long).
[00047] As another example, a Modbus/TCP request message contains a function code field identifying which operation is to be performed on the receiving PLC/RTU device, a variable number of data records specifying the arguments for the desired operation, and a number of other fields that are not directly related to the operation (e.g. the record count field, the data length field, etc.) that are needed by the receiving host to understand how to parse the message (e.g. how many records are being sent).
[00049] For example, a buffer overflow attack can be performed by injecting more characters into a string field than the buffer allocated by the receiving host can hold. Such an attack can be detected because the string field contains unusual character values. On the other hand, a successful attack can be carried out that uses only perfectly valid textual characters as the malicious payload. The same attack can then be detected because another field, specifying the length of the string, is longer than normal: this would necessarily be true, since the maximum allowed value for an authorized string length would be the size of the buffer allocated by the receiving host.
[00050] In addition, different, specific model types can be used for operator fields, argument fields and marshalling fields in order to further increase the detection accuracy or lower the number of irrelevant alerts generated. For different operator fields, different models (of the same or different model types) can be used. For different argument fields, different models (of the same or different model types) can be used. For different marshalling fields, different models (of the same or different model types) can be used. The model types can be selected based on, for example, the data type and semantics as described above.
[00051] It is noted that the intrusion detection system and method according to the invention can be applied to any type of data traffic, such as text data traffic (i.e. a text protocol) or binary data traffic (i.e. a binary protocol). In general, the specification of a textual protocol does not convey a description of the type of most of its field values. For example, the HTTP protocol specification does not associate a type with header values or parameter values, which need to be parsed as text strings. In such cases, it may be necessary to infer the type of a field by inspecting the traffic. This is not the case for binary protocols, whose specifications need to include the type of every protocol field in order to allow proper parsing. For this reason, applying the present technique to a binary protocol may be even more accurate than applying it to a text protocol, since for binary protocols there is no uncertainty from inferring missing field value types. In particular, when taking into account the data type and semantics of the analyzed protocol field, the sequence of binary data can be given a meaning, in the sense that analyzing and selecting an appropriate model type for each protocol field based on the data type and/or semantics allows the contents of the binary data to be taken into account. In a binary protocol, the term data type of a protocol field is to be understood as what data is represented by the (binary) data in the protocol field: the binary data, for example, representing another type of data, such as a number, a character string, etc.
[00052] In general, a protocol message can comprise primitive protocol fields and compound protocol fields. A compound protocol field comprises two or more protocol subfields, each of which may be a primitive protocol field or a compound protocol field. A model for a compound protocol field may comprise the number of times the compound protocol field was observed in a learning phase. In the case that the field was observed fewer than a certain number of times (the limit), observing the compound protocol field during the detection phase can cause the generation of an intrusion detection signal. According to the semantics of a compound protocol field, its importance with respect to security may vary. Therefore, semantics can be used to specify a different model type or a different sensitivity of the model according to, for example, the importance of a field in relation to security. For example, in the case of a compound field that is not relevant for security, the limit on observed occurrences can be changed to limit the number of irrelevant intrusion detection signals generated, and thus improve usability. In addition, the semantics of a compound field can be propagated to its subfields, to allow a more accurate selection of the model type and model settings. For example, a primitive field of numeric type contained in a compound field that is very relevant for security may be associated with a model of the numeric set type, which can define a stricter safe region of values than one of the numeric range type, thus improving the accuracy of intrusion detection.
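The Modbus/TCP field extraction of [00047], the length-field consistency check behind the overflow example of [00049] and the per-compound-field observation limit of [00052], as one added example that is not part of the patent text or of any product of the applicant. The MBAP header layout and the FC3/FC16 request formats follow the public Modbus/TCP specification; the sample frames, the security-relevance table and the observation limits are constructed.

```python
import struct
from collections import Counter


class ProtocolError(ValueError):
    """A field could not be reconciled with the Modbus/TCP protocol."""


def parse_modbus_tcp(frame: bytes) -> dict:
    """Break a Modbus/TCP request into a tree of compound and primitive fields.

    Only function codes 3 (Read Holding Registers) and 16 (Write Multiple
    Registers) are decoded; other PDUs keep their data as an opaque blob.
    """
    if len(frame) < 8:
        raise ProtocolError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    # The MBAP length field counts every byte after itself (unit id + PDU).
    if length != len(frame) - 6:
        raise ProtocolError(f"MBAP length {length} but {len(frame) - 6} bytes follow")
    if pid != 0:
        raise ProtocolError(f"protocol id {pid} is not Modbus")
    fc, data = frame[7], frame[8:]
    pdu = {"function_code": fc}
    if fc == 3:
        if len(data) != 4:
            raise ProtocolError("FC3 request data must be exactly 4 bytes")
        pdu["start_addr"], pdu["quantity"] = struct.unpack(">HH", data)
    elif fc == 16:
        if len(data) < 5:
            raise ProtocolError("FC16 request data too short")
        start, qty, byte_count = struct.unpack(">HHB", data[:5])
        values = data[5:]
        # The declared byte count must agree with the register count and with
        # the bytes actually present; a payload longer than declared is the
        # length-field anomaly the description uses as its overflow example.
        if byte_count != 2 * qty or len(values) != byte_count:
            raise ProtocolError(
                f"FC16 byte_count {byte_count} vs quantity {qty} and {len(values)} value bytes")
        pdu.update(start_addr=start, quantity=qty, byte_count=byte_count,
                   values=[v for (v,) in struct.iter_unpack(">H", values)])
    else:
        pdu["data"] = data
    return {"mbap": {"transaction_id": tid, "protocol_id": pid,
                     "length": length, "unit_id": unit},
            "pdu": pdu}


# Helpers that assemble constructed sample requests (not captured traffic).
def build_read(tid: int, unit: int, start: int, qty: int) -> bytes:
    data = struct.pack(">HH", start, qty)
    return struct.pack(">HHHB", tid, 0, 2 + len(data), unit) + bytes([3]) + data


def build_write(tid: int, unit: int, start: int, regs: list, extra: bytes = b"") -> bytes:
    """FC16 request; 'extra' appends surplus bytes to simulate a malformed frame."""
    data = struct.pack(">HHB", start, len(regs), 2 * len(regs))
    data += b"".join(struct.pack(">H", r) for r in regs) + extra
    return struct.pack(">HHHB", tid, 0, 2 + len(data), unit) + bytes([16]) + data


# Assumed semantics: writes to a PLC are security relevant, reads are not. A
# security-relevant PDU type must have been seen more often in the learning
# phase before it counts as normal; the limit is relaxed for the others.
SECURITY_RELEVANT = {16: True, 3: False}
OBSERVATION_LIMIT = {True: 3, False: 1}


class CompoundFieldModel:
    """Observation counts per PDU type (a compound field keyed by function code)."""
    def __init__(self):
        self.seen = Counter()

    def learn(self, frame: bytes) -> None:
        self.seen[parse_modbus_tcp(frame)["pdu"]["function_code"]] += 1

    def detect(self, frame: bytes) -> list:
        """Return alert strings; an empty list means the frame looks normal."""
        try:
            tree = parse_modbus_tcp(frame)
        except ProtocolError as err:
            return [f"malformed: {err}"]          # inconsistent with the protocol
        fc = tree["pdu"]["function_code"]
        limit = OBSERVATION_LIMIT[SECURITY_RELEVANT.get(fc, True)]
        if self.seen[fc] < limit:
            return [f"function code {fc} observed {self.seen[fc]} times in learning, limit {limit}"]
        return []
```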
[00053] [00053] According to another aspect of the invention, an intrusion detection system is provided to detect an intrusion in the data traffic in a data communication network, the system characterized by the fact that it comprises: - an analyzer to analyze the traffic data to extract at least one protocol field from a protocol message from data traffic; - an association engine to associate the protocol field: extracted with a respective model for that protocol field, the model being selected from a set of models; i - a model handler to assess whether the contents of the extracted protocol field are in a safe region as defined by the models; and - an actuator to generate an intrusion detection signal in case it is established that the contents of the extracted protocol field are outside the safe region.
[00054] [00054] With the system according to the invention, the same or similar effects can be achieved as with the method according to the invention. In addition, the same or similar modalities can be provided as described with reference to the method according to the invention, achieving the same or similar effects. The analyzer, association engine, model handler and actuator can be implemented using appropriate software instructions to be executed by a data processing device. They can be implemented in the same software program that is to be executed by the same data processing device, or it can be executed in two or more different data processing devices. For example, the analyzer can be run locally at a location where data traffic passes, while the association engine, model handler and actuator can be remotely located, for example, in a secure location. In addition, data from different sites can be monitored, and through this, for example, an analyzer can be provided at each site, output analyzer output data from each analyzer being sent to a single association engine, model and actuator.
[00055] [00055] It is noted that the method and system described above can not only be applied for instruction detection.
[00056] [00056] Additional effects and characteristics of the invention will be described, by way of example only, with reference to the description below and attached schematic drawings in which non-limiting modalities are disclosed, | characterized by the fact that:
[00057] [00057] Figure 1, schematically, represents an example of a “data communication network characterized by the fact that it comprises an intrusion detection system according to a modality of the invention;
[00058] [00058] Figure 2, schematically, represents an overview of an intrusion detection system according to an embodiment of the invention;
[00059] [00059] Figure 3, schematically, represents an overview of a learning phase of a method according to an embodiment of the invention;
[00060] [00060] Figure 4, schematically, represents an overview of an intrusion detection phase of a method according to an embodiment of the invention;
[00061] [00061] Figure 5, schematically, represents a block diagram to illustrate an intrusion detection system and method according to an embodiment of the invention.
[00062] [00062] In the Figure | a schematic overview is shown of an example of a data communication network with an intrusion detection system for classifying a protocol message according to an embodiment of the invention. In this network, personal computers (or workstations) 14 and 15 are connected with a server 13. The network can be connected to the Internet 16 via a firewall 17.
[00063] [00063] In a data communication network an intrusion or attack can originate from the Internet 16 or a personal computer 14, when it was infected with malicious software.
[00065] [00065] A user can communicate with server 13 via software running on personal computer 14 or workstation 15 by exchanging protocol messages between software running on personal computer 14 or workstation 15 and software running on server 13 .
[00066] The intrusion detection system 10 can be positioned between RTU 11 and the rest of the network, as shown in Figure 1, or between RTU 11 and machinery 12 (not shown). The intrusion detection system 10 can retrieve protocol messages from the data communication network, which can be exchanged between software running on personal computer 14 or workstation 15 and software running on server 13, between software running on server 13 and software running on RTU 11, or between software running on RTU 11 and software running on a data processing device of machine 12.
[00067] A communication protocol can be defined as a formal description of digital protocol message formats and of the rules for exchanging those messages within or between (software executed on) computing systems. A communication protocol can include descriptions of the syntax, semantics and synchronization of the communication. Protocol messages in an application layer of a data communication network can contain one or more fields, which can be characterized by their data types. For example, a field can represent the total length of a message, with a number value or a string value.
[00068] With more information about protocol messages, a model describing a normal, legitimate or non-intrusive protocol message can include more information about the normal or legitimate values of each protocol field of each protocol message exchanged on the data communication network. The model can then be used (e.g. in real time) to classify protocol messages from live data traffic on the data communication network in order to find anomalies, i.e. anything that deviates from the normal behavior of the data communication network as described by the models.
[00069] Figure 2 shows a schematic overview of an intrusion detection system 10 according to an embodiment of the invention. The intrusion detection system 10 comprises a network protocol analyzer 21, arranged to retrieve at least one protocol field of a protocol message (for example) in an application layer of a data communication network. In the learning phase, protocol messages can be obtained from a network via input 25. The network protocol analyzer 21 can be used during an optional learning phase as well as during regular operation of the intrusion detection system. Information about the extracted protocol fields can be transferred to an association engine 23.
[00070] The intrusion detection system further comprises the association engine 23, a set of models 26 and a model handler 24. The association engine 23 is arranged to associate the extracted protocol field with a model of a model type selected on the basis of a data type and/or semantics of the protocol field. The association engine comprises or has access to the set of models 26. It associates the extracted protocol field with a model that is specific to that protocol field, for example specific to the data type and/or semantics of the field. The set of models 26 thus comprises different models, each model for one (or more) specific protocol fields. In the learning phase, in case no model is available yet for the extracted protocol field, the association engine can create the model for that field and add it to the set of models. Information about the extracted protocol fields can be transferred to the handler 24.
[00071] The handler 24 then assesses whether the extracted protocol field matches the models or not, in order to assess whether the contents of the extracted protocol field can be considered an intrusion. In the learning phase, the model can instead be updated using the contents of the extracted protocol field. The handler can forward the messages via output 27.
[00072] The intrusion detection system may further comprise an actuator 22 for generating an intrusion detection signal in case the (value of the) protocol field has been identified as an intrusion, i.e. lies outside the safe region defined by the associated models. In response to the intrusion detection signal, an intrusion detection action can be performed, e.g. triggering an alert, or filtering the data packet or protocol field (and thereby, for example, dropping the data packet or protocol field). The intrusion detection signal can also be generated in case the analyzer cannot identify the protocol field (which would imply that the data packet does not conform to the protocol), and/or in case the model handler, during intrusion detection operation, could not associate the extracted protocol field with a model of the set (which would imply that the data packet does not comprise the protocol fields that are normally transmitted).
[00073] For each protocol field a specific model is used, preferably a different model for each different protocol field, so that a better assessment can be made for each protocol field, since a model dedicated to that protocol field can be used to evaluate it.
[00074] In one embodiment, the models are built using at least two model types, where a first model type of the at least two model types is optimized for (or only works for) a protocol field with a first data type, and a second model type of the at least two model types is optimized for a protocol field with a second data type. For example, the first model type can be optimized for a protocol field with one of a number data type, a string data type or a binary data type, and the second model type can be optimized for a protocol field with another of a number data type, a string data type or a binary data type.
[00075] For example, for the value of a protocol field A1 with a number data type, a model M-I-A1 can be constructed that is intended to describe number values. For the value of a protocol field A2 with a number data type, a model M-I-A2 can be constructed that is likewise intended to describe number values. For the value of a protocol field A3 with a string data type, a model M-S-A3 can be constructed that is optimized for, or suitable for, describing string values. Models for different protocol fields that have the same data type, for example the models M-I-A1 and M-I-A2, can be built using the same model architecture but with different contents (e.g. a different allowed range, a different set of allowed values, etc.) in order to express the differences between the protocol fields A1 and A2.
[00076] It will be understood that a model of a model type describing number values, together with a model of a model type describing string values, can be better or more accurate at describing the values of a protocol message that comprises both number values and string values in its protocol fields than a single model that would have to describe all the values of the message, both numbers and strings.
[00077] The intrusion detection system 10 can be arranged to build a model during the learning phase. The operation of the intrusion detection system 10 and method according to embodiments of the invention is further described with reference to Figures 3 and 4. Figure 3 schematically illustrates the learning phase and Figure 4 schematically illustrates the intrusion detection phase.
[00078] In Figure 3, the steps of the learning phase are schematically represented: step a1: analyzing the data traffic to extract at least one protocol field from a protocol message in the data traffic. Step a2: associating the extracted protocol field with the model for that protocol field, the model being selected from the set of models. Step a3: in case no association can be made with the existing models in the model set, creating a new model for the extracted protocol field and adding the new model to the model set. Step a4: updating the model for the extracted protocol field using the contents of the extracted protocol field.
[00079] In general, a protocol message can comprise primitive protocol fields and compound protocol fields. A compound protocol field comprises two or more protocol subfields, each of which can be a primitive protocol field or a compound protocol field. A primitive protocol field cannot be divided further into protocol fields. A protocol message can thus be said to comprise a tree structure of protocol fields. For example, in a protocol message the compound protocol field "msg_body" comprises a primitive protocol field "msg_len" and a compound protocol field "msg_data". The compound protocol field "msg_data" can comprise the primitive protocol fields "msg_typeA" and "msg_typeB". The term protocol field in this document can refer to any primitive protocol field at any level of such a tree structure.
[00080] Different model types can be used. For example, the model type for a protocol field can be one of a number model type, a string model type or a binary model type. In case the extracted protocol field is found to comprise a number value, a number model type can be applied to that protocol field. In case the extracted protocol field is found to comprise a string value, a string model type can be applied to that protocol field. It may be the case (for example in a text protocol) that, in the learning phase, the network protocol analyzer is unable to establish whether the data type of the protocol field is a number data type or a string data type; a binary model type is then applied as a more universal model type.
[00082] Examples of different model types for different data types are explained below. For the number data type, two model types can be applied: a first model for protocol fields representing lengths and a second model for protocol fields representing enumerations.
[00083] If the protocol field represents an enumeration (i.e. a set of values), the model can comprise a set S of all values of the protocol field that were observed in the learning phase. Starting from an empty set, during the learning phase each value identified for the protocol field is added to the set. In the intrusion detection phase, the protocol message can be classified as anomalous when the value of the corresponding protocol field is not a member of the set S.
[00084] If the protocol field represents a length, the model can be constructed as an approximation of the distribution of the values of the protocol field during the learning phase. During the learning phase, the mean $\mu$ and the variance $\sigma^2$ of the approximated distribution can be calculated on the basis of the sample mean and the
[00086] A model for a protocol field of the Boolean type can, for example, monitor the average Boolean value over a number of samples and compare that average with a predetermined limit. An example of such a model is described below:
[00087] 1 - During the learning phase, the probability Pt that the field value is true is computed, together with the probability Pf = 1 - Pt that the field value is false.
[00088] 2 - During intrusion detection, a sequence of n samples of the field value is considered and the binomial probability of observing such a sequence of values, given Pt and Pf, is computed. This probability is then compared with a limit t and an alert is triggered if p_sample < t. For example, suppose that during the learning phase an equal number of true and false values is observed. Then Pt = 1/2 and Pf = 1/2. The limit probability for sequences of 5 values is set to 0.1. Now suppose that during the intrusion detection phase the sequence [false, false, false, false, false] is observed. The binomial probability is p_sample = P(true = 0) = (1/2)^5 = 0.03125 < 0.1, so an alert is triggered. An example of a model type for strings that can handle ASCII and Unicode strings is described below. First, the model type for ASCII strings is described.
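The enumeration, length and Boolean number models of paragraphs [00083] to [00088], as an added Python example that is not code from the patent. The enumeration and Boolean models follow the rules above directly, and the Boolean worked example reproduces the 0.03125 figure; the page does not say how the length model's mean and variance are turned into a decision, so the k-sigma band around the learned mean is this example's own assumption, as are the sample values.

```python
import math
import statistics


class EnumerationModel:
    """Number model for a field carrying an enumeration: the safe region is
    exactly the set S of values observed during the learning phase."""

    def __init__(self):
        self.values = set()

    def learn(self, value):
        self.values.add(value)

    def is_anomalous(self, value):
        return value not in self.values


class LengthModel:
    """Number model for a field carrying a length: learns the sample mean and
    variance of the observed values. The page leaves the detection rule open;
    this example assumes a value is anomalous when it lies more than k standard
    deviations from the mean (a learned sigma of 0 then accepts only the mean)."""

    def __init__(self, k=3.0):
        self.k = k
        self.samples = []

    def learn(self, value):
        self.samples.append(value)

    @property
    def mean(self):
        return statistics.fmean(self.samples)

    @property
    def variance(self):
        return statistics.pvariance(self.samples)

    def is_anomalous(self, value):
        return abs(value - self.mean) > self.k * math.sqrt(self.variance)


class BooleanModel:
    """Boolean model: learns Pt = P(value is true) and Pf = 1 - Pt, then scores
    each window of n detection-phase samples with the binomial probability of
    the number of trues it contains, alerting when that drops below t."""

    def __init__(self, n=5, t=0.1):
        self.n = n
        self.t = t
        self.trues = 0
        self.total = 0
        self.window = []

    def learn(self, value):
        self.total += 1
        self.trues += 1 if value else 0

    @property
    def pt(self):
        return self.trues / self.total

    def window_probability(self, window):
        """P(k trues in len(window) samples) under the learned Pt."""
        k = sum(1 for v in window if v)
        n = len(window)
        return math.comb(n, k) * self.pt ** k * (1 - self.pt) ** (n - k)

    def observe(self, value):
        """Feed one detection-phase sample; returns True (alert) once the last
        n samples form a sequence less probable than the limit t."""
        self.window = (self.window + [bool(value)])[-self.n:]
        if len(self.window) < self.n:
            return False
        return self.window_probability(self.window) < self.t


def worked_example():
    """The page's Boolean example with constructed input: equal numbers of
    trues and falses learned, then five falses in a row during detection."""
    model = BooleanModel(n=5, t=0.1)
    for value in [True, False] * 10:
        model.learn(value)
    alerts = [model.observe(False) for _ in range(5)]
    return model.pt, model.window_probability([False] * 5), alerts


if __name__ == "__main__":
    print(worked_example())
```

Only the fifth false raises the alert, because the window is not full before that; a window such as [true, false, true, false, true] scores 0.3125 and passes.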
[00089] The model type for ASCII strings comprises two Boolean values and a set. The first Boolean value (letters) is set to true if letters are seen, the second Boolean value (digits) is set to true if digits are seen, and the set (symbols) keeps track of all symbols seen. Given a string field s, a function f(s) is defined that states whether the string contains letters or digits and which symbols it contains. For example, for the string "username*!" we have:
f("username*!") = { letters: true, digits: false, symbols: {*, !} }
[00090] During the learning phase, the model M is updated with a string s as follows:
$M.\mathrm{letters} \leftarrow M.\mathrm{letters} \lor f(s).\mathrm{letters}$
$M.\mathrm{digits} \leftarrow M.\mathrm{digits} \lor f(s).\mathrm{digits}$
$M.\mathrm{symbols} \leftarrow M.\mathrm{symbols} \cup f(s).\mathrm{symbols}$
[00091] The characters of the string are evaluated one after the other. For each character the association engine checks its type; if the character is a letter or a digit, the association engine sets the corresponding flag to true. If the character is a symbol, it is added to the current symbol set (a symbol already present is not added twice).
[00092] During the intrusion detection phase, given a string s, an alert can be triggered if:
$(f(s).\mathrm{letters} \land \lnot M.\mathrm{letters}) \lor (f(s).\mathrm{digits} \land \lnot M.\mathrm{digits}) \lor (f(s).\mathrm{symbols} \not\subseteq M.\mathrm{symbols})$
[00093] The characters of the string are again evaluated one after the other. The verification is straightforward: if the current character is a letter (or a digit), the association engine checks whether letters (or digits) were observed before for the given field, and an alert is triggered when this check fails. If the character is a symbol, the association engine checks whether that symbol was observed before, and an alert is triggered when this check fails.
[00094] Initially, the model M is defined as:
M = { letters: false, digits: false, symbols: ∅ }
[00095] Another example of a model type for strings, as can be used for Unicode strings, is described below. For Unicode strings, the modeling and detection technique can be similar to that for ASCII strings. Unicode characters that are not ASCII are treated as ASCII letters, i.e. if a string contains a Unicode character, the Boolean value "letters" is set to true. In addition, the set of Unicode scripts (e.g. Latin, Cyrillic, Arabic) seen during the learning phase is memorized. With this additional information it can be detected, for example, whether foreign Unicode characters (which probably belong to a different script than the characters seen in the learning phase) are present in a string.
[00096] In more detail, given a Unicode string field s, the function f(s) is defined so that it states whether the string contains letters or digits, which symbols it contains and which Unicode scripts. For example, for the string "mu3soafa*!" we have:
f("mu3soafa*!") = { letters: true, digits: true, symbols: {*, !}, scripts: {Latin} }
[00097] For Unicode strings, the model M is initialized and updated by performing the same operations as for ASCII strings, the additional "scripts" field being treated in the same way as the "symbols" field.
[00098] Some examples of model types for binary protocol fields are provided below:
[00099] For binary data types, models from known anomaly-based intrusion detection systems based on payload analysis can be applied.
[000100] An example of a binary model is based on 1-gram analysis. An n-gram is a sequence of n consecutive bytes.
[000101] Given a binary field b of length l bytes, a vector f containing the relative frequency of each byte value is computed first. In other words, given a byte value v, the element of f corresponding to v is given by:
$f_v = \frac{|\{\, i : b_i = v \,\}|}{l}$
[000102] During the learning phase, the vectors of relative frequencies are used to compute a mean and a standard deviation for each byte value. That is, given a sequence of n binary fields $b_1 \ldots b_n$ and their associated relative byte frequency vectors $f_1 \ldots f_n$, two vectors $\mu$ and $\sigma$ are computed that contain respectively the mean and the standard deviation of the relative frequency of each byte value (from 0 to 255). In this example, these two vectors form the binary model.
[000103] During the test (intrusion detection) phase, given a binary field value s, the associated vector of relative frequencies $f_s$ is computed first. Then an appropriate function F (e.g. a normalized Euclidean distance) is applied to determine the distance between $f_s$ and the model constructed during the learning phase. If the resulting distance exceeds a predetermined limit, an alert can be triggered. To divide the learning set into subsets, a clustering algorithm such as a Self-Organizing Map (SOM) can be applied to the input values $b_1 \ldots b_n$. A separate model (i.e. a pair of vectors $\mu$, $\sigma$) can then be constructed for each subset.
[000105] A third example of a binary model is a so-called network emulator. A network emulator is an algorithm that is able to determine whether dangerous executable instructions are contained in a sequence of bytes. Given a sequence of bytes, the algorithm first translates the byte values into the corresponding assembly instructions (disassembly). It then tries to find instruction sequences that can be recognized as dangerous or suspicious (for example long runs of NOP instructions, which are typically found in the malicious shellcode of known attacks). If such sequences are found, an alert is triggered. Note that this type of binary model does not require a training phase.
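The 1-gram binary model of paragraphs [000100] to [000103] and the NOP-run heuristic of paragraph [000105], as an added Python example that is not code from the patent. The learning set is a constructed set of 16-byte register dumps (eight 16-bit values below 256, so every high byte is 0x00) and the limit of 4.0 was chosen for that data; the smoothing term added to sigma, and the longest-run check that stands in for a real network emulator, are this example's own assumptions.

```python
import math


def byte_frequencies(field):
    """Relative frequency vector f of a binary field: f[v] is the fraction of
    the field's bytes equal to v."""
    counts = [0] * 256
    for b in field:
        counts[b] += 1
    return [c / len(field) for c in counts]


class OneGramModel:
    """1-gram binary model: per byte value, the mean mu and standard deviation
    sigma of the relative frequencies seen while learning. A field is compared
    to the model with a normalised Euclidean distance; the small smoothing term
    keeps byte values that never varied (sigma = 0) from dividing by zero while
    still making their appearance very costly."""

    def __init__(self, threshold, smoothing=0.001):
        self.threshold = threshold
        self.smoothing = smoothing
        self.vectors = []
        self.mu = None
        self.sigma = None

    def learn(self, field):
        self.vectors.append(byte_frequencies(field))

    def finalize(self):
        n = len(self.vectors)
        self.mu = [sum(v[i] for v in self.vectors) / n for i in range(256)]
        self.sigma = [
            math.sqrt(sum((v[i] - self.mu[i]) ** 2 for v in self.vectors) / n)
            for i in range(256)
        ]

    def distance(self, field):
        f = byte_frequencies(field)
        return math.sqrt(sum(
            ((f[i] - self.mu[i]) / (self.sigma[i] + self.smoothing)) ** 2
            for i in range(256)
        ))

    def is_anomalous(self, field):
        return self.distance(field) > self.threshold


def longest_run(field, value=0x90):
    """Length of the longest run of `value` bytes: a crude stand-in for the
    NOP-sled heuristic of a network emulator. No learning phase, just a rule."""
    best = run = 0
    for b in field:
        run = run + 1 if b == value else 0
        best = max(best, run)
    return best


def looks_like_nop_sled(field, min_run=8):
    return longest_run(field) >= min_run


def registers(*lows):
    """Constructed 16-byte register dump: eight big-endian 16-bit values, all
    below 256, so every high byte is 0x00."""
    return bytes(b for low in lows for b in (0x00, low))


# Constructed learning set and test inputs, not captured traffic. ATTACK is a
# NOP run followed by a few arbitrary bytes, not a working payload.
TRAINING = [
    registers(10, 11, 12, 13, 10, 11, 12, 13),
    registers(10, 10, 10, 11, 12, 13, 12, 11),
    registers(10, 11, 11, 11, 12, 13, 13, 12),
    registers(10, 11, 12, 12, 13, 13, 13, 10),
]
NORMAL = registers(10, 10, 10, 11, 12, 12, 13, 13)
ATTACK = bytes([0x90] * 8) + bytes([0x31, 0xC0, 0x50, 0x68, 0x2F, 0x2F, 0x73, 0x68])


def build_model(threshold=4.0):
    model = OneGramModel(threshold)
    for field in TRAINING:
        model.learn(field)
    model.finalize()
    return model


if __name__ == "__main__":
    m = build_model()
    for name, field in [("normal", NORMAL), ("attack", ATTACK)]:
        print(name, round(m.distance(field), 3), m.is_anomalous(field),
              looks_like_nop_sled(field))
```

On this data the learned sigma for byte values 0x00 and 12 is zero, so a field in which those bytes change frequency at all, or in which a never-seen byte value such as 0x90 appears, lands hundreds of units away from the model, while a register dump with the same byte set stays below 2.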
[000106] In case a binary field contains a so-called Binary Large Object (BLOB) in which data is organized according to a structure that is not specified in the network protocol specification, the same approach described in this document can be applied to further divide the BLOB into its constituent fields, until basic fields are extracted and processed (e.g. number fields, string fields, Boolean fields, etc.). For example, a binary protocol field can contain a GIF or JPEG image, for which a specification exists that is not part of the network protocol specification itself. In this case the GIF or JPEG specification can be used to further divide the field value into its basic constituent fields. A model can then be selected and built accordingly for each constituent field of the object. Another such case occurs when the binary field contains an entire memory region of one of the communicating hosts, for example the memory maps of PLCs exchanged as part of the Modbus protocol. The structure of this memory region can be defined in other documents (e.g. in the specifications of the PLC vendor), or can be inferred by looking at many data examples. Such information can be used to further divide the memory region into its basic fields, which can then be processed according to the techniques described in this document.
[000107] In addition, for the string data type a model can be applied as described in "Bolzoni, D. and Etalle, S. (2008), Boosting Web Intrusion Detection Systems by Inferring Positive Signatures. In: Confederated International Conferences On the Move to Meaningful Internet Systems (OTM)". For the binary data type, sub-models can be applied from known anomaly-based intrusion detection systems based on payload analysis. An example can be found in "Anomalous payload-based network intrusion detection" (RAID, pages 203-222, 2004) by Ke Wang and Salvatore J. Stolfo. In this work the authors present a system, called PAYL, that leverages n-gram analysis to detect anomalies. An n-gram is a sequence of n consecutive bytes. The relative frequency and standard deviation of 1-grams (1-byte sequences) are analyzed and stored in detection models built during the learning phase. Then, in the intrusion detection phase, an appropriate model is selected (using the payload length value) and used to compare incoming traffic.
[000108] [000108] Another example can be found in “POSEIDON: a 2-tier
[000109] A further example can be found in Michalis Polychronakis, Kostas G. Anagnostakis and Evangelos P. Markatos, Comprehensive Shellcode Detection using Runtime Heuristics. In: Proceedings of the 26th Annual Computer Security Applications Conference (ACSAC), December 2010, Austin, TX, USA. In this paper the authors present a "network emulator". This software component implements heuristics and simulates a physical CPU in software. A network emulator can test whether the input data contains executable (and harmful) code. In one embodiment, the analysis process can comprise the steps of: i) collecting data packets from a data communication network; ii) undoing the fragmentation of IP packets; iii) reassembling TCP segments; iv) recovering the application data; and v) retrieving the protocol messages.
[000110] As stated before, it is possible to select different model types according to the semantics of the field the model is associated with. It is also possible to adjust one or more model parameters (specific to each model type) according to the semantics, to enlarge or narrow the safe region defined by the models. Some examples of using the field semantics to select the model type or to adjust the model parameters are given below.
[000111] In the case of a number field representing the protocol message type, a model of the number enumeration type can be used. Such a model makes sure that only the message types listed in the model define the safe region. If the model is built automatically during the learning phase, all observed message types are considered safe. If the model is built manually, the set of allowed messages can be built according to specific security policies. For example, the security policy may impose that only read operations are performed on a given host; in that case the set of allowed messages will contain only read messages.
[000112] In the case of a number field representing the speed of a motor, in the context of an industrial process, a number range model can be used. Such a model type makes sure that the speed of the motor is not set to a value lower or higher than what is considered safe. If the model is built automatically during the learning phase, the allowed minimum/maximum values can be set to the minimum/maximum speeds observed during the learning phase (exact interval). If the model is built manually, the minimum and maximum values of the interval can be configured on the basis of, for example, the technical specifications of the motor, to make sure that the speed remains within tolerable operating conditions.
[000113] In the case of a number field representing the length of a security-relevant field (e.g. the length of a string buffer), a model of the number distribution type can be used. Furthermore, since the field is very relevant to security,
[000114] In the case of a string field representing a person's name, a string model type can be selected and the default limit for the number of symbol characters not included in the model can be set to a very low level. Since a person's name is not expected to contain many symbols, setting the limit very low makes sure that an intrusion detection signal is generated immediately when the observed value contains symbols that are not present in the model. This may be the case with a so-called SQL injection attack, which leverages special characters such as single or double quotes, commas, etc.
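The ASCII and Unicode string models of paragraphs [00089] to [00097], applied to the person-name field of paragraph [000114], as an added Python example that is not code from the patent. f(s) returns the letters and digits flags, the symbol set and the script set; the model starts empty, is updated with the OR/union rules and queried with the alert condition of paragraph [00092]. The max_new_symbols parameter is the per-field symbol limit discussed above; at its default of 0 it is exactly the subset check. Two choices are this example's own assumptions: a character's script is read from the first word of its Unicode character name (so "CYRILLIC SMALL LETTER A" yields CYRILLIC), and whitespace counts as a symbol. The learned names are constructed.

```python
import unicodedata


def char_class(ch):
    """Classify one character as ('letter', script), ('digit', None) or
    ('symbol', None). The script is the first word of the Unicode character
    name, e.g. 'LATIN SMALL LETTER A' -> 'LATIN' (an assumption of this
    example). Whitespace and punctuation are symbols."""
    if ch.isdigit():
        return "digit", None
    if ch.isalpha():
        return "letter", unicodedata.name(ch, "UNKNOWN").split()[0]
    return "symbol", None


def f(s):
    """The feature function f(s): does the string contain letters, does it
    contain digits, which symbols does it contain and which scripts."""
    feat = {"letters": False, "digits": False, "symbols": set(), "scripts": set()}
    for ch in s:
        kind, script = char_class(ch)
        if kind == "letter":
            feat["letters"] = True
            feat["scripts"].add(script)
        elif kind == "digit":
            feat["digits"] = True
        else:
            feat["symbols"].add(ch)
    return feat


class StringModel:
    """String model M for one protocol field: starts empty (letters = digits =
    false, no symbols, no scripts), is updated with the OR / union rules of the
    learning phase, and flags a value that uses letters, digits, symbols or a
    script the field never showed. max_new_symbols is the limit on unseen
    symbols; at 0 it is the subset check of the detection rule."""

    def __init__(self, max_new_symbols=0):
        self.letters = False
        self.digits = False
        self.symbols = set()
        self.scripts = set()
        self.max_new_symbols = max_new_symbols

    def learn(self, s):
        feat = f(s)
        self.letters = self.letters or feat["letters"]
        self.digits = self.digits or feat["digits"]
        self.symbols |= feat["symbols"]
        self.scripts |= feat["scripts"]

    def is_anomalous(self, s):
        feat = f(s)
        unseen_symbols = feat["symbols"] - self.symbols
        return (
            (feat["letters"] and not self.letters)
            or (feat["digits"] and not self.digits)
            or len(unseen_symbols) > self.max_new_symbols
            or not feat["scripts"] <= self.scripts
        )


def name_field_model():
    """Model for a person-name field, learned from constructed values."""
    model = StringModel(max_new_symbols=0)
    for name in ["alice", "bob", "o'neil", "mary-ann"]:
        model.learn(name)
    return model


if __name__ == "__main__":
    m = name_field_model()
    for value in ["carol", "r00t", "x' OR '1'='1", "анна"]:
        print(repr(value), "alert" if m.is_anomalous(value) else "ok")
```

With the limit at 0, the injection string is flagged on three counts at once (digits never seen, and the space and equals sign never seen); a Cyrillic name is flagged by the script set alone, even though every one of its characters is a "letter".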
[000115] Figure 4 schematically represents the steps of the intrusion detection process: step b1: analyzing the data traffic to extract at least one protocol field from a protocol message of the data traffic; step b2: associating the extracted protocol field with a model for that protocol field, the model being selected from a set of models; step b3: evaluating whether the contents of the extracted protocol field are in a safe region as defined by the models; and step b4: generating an intrusion detection signal (e.g. followed by filtering the extracted protocol field or the protocol message comprising that field, raising an alarm for a user, or any other intrusion detection action) if it is established that the contents of the extracted protocol field are outside the safe region.
[000116] In one embodiment, the intrusion detection signal can also be generated when the analysis cannot establish the field as consistent with the protocol, or when the extracted field cannot be associated with any of the models in the model set.
[000117] Figure 5 schematically depicts, as an example, an overview of the concepts proposed in this patent application. The process starts with analyzing the network traffic (500) to extract at least one protocol field from a protocol message. The second step comprises associating the extracted protocol field with a model for that protocol field (501), the model being selected from a set of models. The model set can comprise different model types; the model set is represented in Figure 5 by 513. The selection of the model type for an extracted protocol field can be guided both by the type of the protocol field value (represented by 511) and by the semantics associated with the protocol field (represented by 512). The set of different model types (513) is also provided as input; different model types can include number range models, number set (enumeration) models, number distribution models, ASCII string models, Unicode string models, Boolean models, n-gram based binary models, network emulators, intrusion signature sets, etc. The process of associating an analyzed protocol field with its corresponding model (of a given model type) can also be improved by taking into account the dependence of a field that describes an operation on a field that describes the argument of that operation (as represented by 509). More generally, any dependence of a field value on another field value (as represented by 510) can be taken into account when associating an analyzed protocol field with its corresponding models, such that multiple models are built for the same field according to the value of another field in the same message. In the learning phase, if a model of the selected model type does not exist yet for an analyzed protocol field, such a model can be created (step 515).
Similarly, if a model already exists, it can be updated in the learning phase to include the current analyzed field value in the safe region defined by the model (step 516). In case the analysis cannot establish an observed field in the network data as being consistent with the protocol specification, an intrusion detection signal can be generated (step 508). During the detection phase, in case it is not possible to associate an existing model of the selected model type with the analyzed field, an intrusion detection signal can be generated (step 504). Otherwise, in case an existing model of the selected model type can be associated with the analyzed field, the field value is evaluated against the safe region defined by the model (step 503). In case the value of the analyzed protocol field is not within the safe region defined by the models, an intrusion detection signal can be generated (step 505). Finally, whenever an intrusion detection signal is generated for any of the reasons described above, additional steps can be taken, such as removing the protocol message associated with the anomalous protocol field from the network traffic (step 506), or composing and issuing an alert message (step 507).
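The analyzer, association engine and model handler of Figure 2, the learning steps a1 to a4 of Figure 3, the detection steps b1 to b4 of Figure 4 and the three signal paths of Figure 5 (steps 504, 505 and 508), together with the semantics-driven model selection of paragraphs [000111] and [000112], as an added Python example that is not code from the patent. The protocol is a constructed text format whose messages look like "OP=3;SPEED=1200"; the semantics table, the model types it selects, the learning traffic and the policy limits are all assumptions of this example.

```python
class ParseError(ValueError):
    """Raised when a message does not match the protocol (Figure 5, step 508)."""


def analyze(message):
    """Network protocol analyzer for a constructed text protocol in which every
    field carries a number, e.g. 'OP=3;SPEED=1200'. Returns {field: value}."""
    fields = {}
    for part in message.split(";"):
        name, sep, raw = part.partition("=")
        if not sep or not raw.lstrip("-").isdigit():
            raise ParseError(f"field {name!r} does not carry a number")
        fields[name] = int(raw)
    return fields


class EnumerationModel:
    """Number enumeration model: the safe region is a set of allowed values,
    either learned from traffic or configured from a security policy."""

    def __init__(self, allowed=None):
        self.allowed = set(allowed or ())

    def learn(self, value):
        self.allowed.add(value)

    def in_safe_region(self, value):
        return value in self.allowed


class RangeModel:
    """Number range model: the safe region is [lo, hi], either the exact
    interval observed while learning or limits taken from a specification."""

    def __init__(self, lo=None, hi=None):
        self.lo, self.hi = lo, hi

    def learn(self, value):
        self.lo = value if self.lo is None else min(self.lo, value)
        self.hi = value if self.hi is None else max(self.hi, value)

    def in_safe_region(self, value):
        return self.lo is not None and self.lo <= value <= self.hi


# Field semantics (512) and the model type each one selects (511/513).
# Both tables are constructed for this example.
SEMANTICS = {"OP": "message_type", "SPEED": "motor_speed"}
MODEL_TYPE_FOR = {"message_type": EnumerationModel, "motor_speed": RangeModel}


class IntrusionDetector:
    """Association engine plus model handler: one model per protocol field."""

    def __init__(self, models=None):
        self.models = dict(models or {})  # the model set (513)

    def learn(self, message):
        """Learning phase, steps a1-a4: parse, associate, create if missing, update."""
        for name, value in analyze(message).items():
            model = self.models.get(name)
            if model is None:                                  # step 515
                model = MODEL_TYPE_FOR[SEMANTICS[name]]()
                self.models[name] = model
            model.learn(value)                                 # step 516

    def detect(self, message):
        """Detection phase, steps b1-b4: returns the intrusion detection
        signals for one message, an empty list when every field is safe."""
        try:
            fields = analyze(message)
        except ParseError as err:
            return [f"protocol violation: {err}"]              # step 508
        signals = []
        for name, value in fields.items():
            model = self.models.get(name)
            if model is None:
                signals.append(f"no model for field {name}")   # step 504
            elif not model.in_safe_region(value):
                signals.append(f"{name}={value} outside safe region")  # step 505
        return signals


# Constructed learning traffic: operations 3 and 16 at speeds 1180 to 1250.
LEARNING_TRAFFIC = ["OP=3;SPEED=1200", "OP=3;SPEED=1250",
                    "OP=16;SPEED=1200", "OP=3;SPEED=1180"]


def learned_detector():
    det = IntrusionDetector()
    for msg in LEARNING_TRAFFIC:
        det.learn(msg)
    return det


def policy_detector():
    """Manually built model set: a read-only policy that allows only OP=3, and
    the motor's specified speed limits for SPEED (constructed numbers)."""
    return IntrusionDetector({"OP": EnumerationModel({3}), "SPEED": RangeModel(0, 1500)})


if __name__ == "__main__":
    for det in (learned_detector(), policy_detector()):
        for msg in ["OP=3;SPEED=1210", "OP=16;SPEED=1200", "OP=3;SPEED=9000",
                    "OP=3;SPEED=1200;EXTRA=1", "OP=3;SPEED=fast"]:
            print(msg, det.detect(msg))
```

The learned detector accepts OP=16 because it was seen during learning, while the policy detector rejects it; a field with no model and a message that does not parse each produce their own signal rather than being silently accepted.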
[000118] It is to be understood that the disclosed embodiments are merely exemplary of the invention, which can be embodied in various forms. Therefore, the specific structural and functional details disclosed here are not to be construed as limiting, but merely as a basis for the claims and as a representative basis for teaching someone skilled in the art to variously employ the present invention in virtually any appropriately detailed structure. Furthermore, the terms and phrases used here are not intended to be limiting, but rather to provide an understandable description of the invention. Elements of the embodiments mentioned above can be combined to form other embodiments.
[000119] The terms "a" or "an", as used here, are defined as one or more than one. The term "another", as used here, is defined as at least a second or more. The terms "including" and/or "having", as used here, are defined as comprising (i.e. not excluding other elements or steps). Any reference signs in the claims are not to be construed as limiting the scope of the claims or the invention. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage. The scope of the invention is limited only by the following claims.
Claims:
Claims (18)
[1]
1. Intrusion detection method for detecting an intrusion in data traffic on a data communication network, the method characterized in that it comprises: - analyzing (b1) the data traffic to extract at least one protocol field from a protocol message of the data traffic; - associating (b2) the extracted protocol field with a respective model for that protocol field, the model being selected from a set of models; - evaluating (b3) whether the contents of the extracted protocol field are in a safe region as defined by the models; and - generating (b4) an intrusion detection signal in case it is established that the contents of the extracted protocol field are outside the safe region, wherein a plurality of model types is provided, wherein a model type for the extracted protocol field is selected from the plurality of model types on the basis of a characteristic of the extracted protocol field, and wherein the model for the extracted protocol field is built on the basis of the selected model type.
[2]
2. Intrusion detection method according to claim 1, characterized in that the set of models comprises a model for an operator protocol field and a model for an argument protocol field, the association and evaluation being carried out for the operator protocol field and for the argument protocol field.
[3]
3. Intrusion detection method according to claim 2, characterized in that the set of models further comprises a model for a screening protocol field, the association and evaluation further being carried out for the screening protocol field.
[4]
4. Intrusion detection method according to any one of claims 1 to 3, characterized in that the characteristic of the protocol field comprises a data type of the protocol field, the method comprising: - determining a data type of the extracted protocol field, and - selecting the model type using the determined data type.
[5]
5. Intrusion detection method according to any one of claims 1 to 4, characterized in that the characteristic of the protocol field comprises a semantics of the protocol field, the method comprising: - determining a semantics of the extracted protocol field, and - selecting the model type using the determined semantics.
[6]
6. Intrusion detection method according to any one of claims 1 to 5, characterized in that the set of models comprises a respective model for each protocol field in a set of protocol fields.
[7]
7. Intrusion detection method according to any of claims 1 to 6, characterized by the fact that the model for the field is determined in a learning phase, the learning phase comprising: - analyzing the data traffic to extract at least at least one protocol field of the protocol applied to the data traffic; - associate the extracted protocol field with the model for that protocol field, the model being selected from the set of models and
- update the model for the extracted protocol field using some contents of the extracted protocol field.
[8]
8. Intrusion detection method according to claim 7, characterized by the fact that if no association can be made between the extracted protocol field and one of the models, - create a new model for the extracted protocol field and add the new model to the set of models.
[9]
9. Intrusion detection method according to any of claims 1 to 8, characterized by the fact that the intrusion detection signal is still generated - when the analysis cannot establish the field as consistent with the protocol, or - when the extracted field cannot be associated with any of the models in the model set.
[10]
10. Intrusion detection method according to any one of the claims | to 9, characterized by the fact that the protocol is at least one of, an application layer protocol, a session layer protocol, a transport layer protocol or a lower level protocol stack protocol.
[11]
11. Intrusion detection method according to any of claims 1 to 10, characterized in that the model for the protocol field comprises at least one of - a set of acceptable protocol field values, - a numerical distribution of protocol field values; - a definition of a range of acceptable protocol field values - a definition of acceptable letters, digits, symbols, and texts; and - a set of predefined intrusion signatures.
[12]
12. Intrusion detection method according to any of claims 1 to 11, characterized in that the set of models comprises two models for a protocol field, a specific model of the two models being associated with a protocol field based on worth another protocol field.
[13]
13. Intrusion detection system to detect an intrusion in data traffic on a data communication network, the system comprising: - an analyzer (21) for analyzing data traffic to extract at least one protocol field from a message protocol of data traffic; - an association engine (23) to associate the extracted protocol field with a respective model for that protocol field, the model being selected from a set of models; - a model handler (24) to assess whether the contents of the extracted protocol field are in a safe region as defined by the models; and - an actuator (22) to generate an intrusion detection signal if it is established that the contents of the extracted protocol field are outside the safe region, in which a large number of types of models are provided, characterized by the fact that the system is arranged to select a model type for the protocol field extracted from a large number of model types on the basis of a characteristic of the extracted protocol field, and to build the model for the protocol field extracted on the type bases selected model.
[14]
14. Intrusion detection system according to claim 13, characterized in that the set of models comprises a model for an operator protocol field and a model for an argument protocol field, the association engine being fixed to perform the association and evaluation for the operator protocol field and the argument protocol field.
[15]
15. Intrusion detection system according to claim 14, characterized by the fact that the set of models still comprises a model for a screening protocol field, the association engine being further arranged to perform the association and evaluation for the screening protocol field.
[16]
16. Intrusion detection system according to any one of claims 13 to 15, characterized in that the characteristic of the protocol field comprises a type of data from the protocol field, the system being arranged to: - determine a type of data from the extracted protocol field, and - select the model type using the data type determined.
[17]
17. Intrusion detection system according to any one of claims 13 to 16, characterized by the fact that the characteristic of the protocol field comprises a semantics of the protocol field, the system being arranged to: - determine a semantics of the field of extracted protocol, and - select the type of model using the given semantics.
[18]
18. Intrusion detection system according to any of claims 13 to 17, characterized by the fact that it is still arranged to determine the model for the field in a learning phase, the learning phase comprising: - analyzing the data traffic for extract at least one protocol field from the protocol applied to the data traffic; - associate the extracted protocol field with the model for that protocol field, the model being selected from the set of models and
- update the model for the extracted protocol field using some contents of the extracted protocol field.
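The method of claims 1 to 12, as an added example that is not part of the patent or of the applicant's own implementation: a per-field detector that picks a range model or a value-set model from the field's data type and semantics, keys argument models by the operator's value, learns from constructed Modbus-like traffic and raises an alert when a field is outside its safe region or cannot be associated with any model. The field names, the ENUM_FIELDS configuration and the sample traffic are assumptions.

```python
# Added example, not the patent's own code: a per-field anomaly detector in the
# spirit of claims 1-12. Messages are assumed to be already parsed into dicts of
# field name -> value; the protocol parser of step (b1) is out of scope here.

class RangeModel:  # numeric field: safe region = [lo, hi] seen while learning
    def __init__(self):
        self.lo = self.hi = None
    def learn(self, v):
        self.lo = v if self.lo is None else min(self.lo, v)
        self.hi = v if self.hi is None else max(self.hi, v)
    def safe(self, v):
        return self.lo is not None and self.lo <= v <= self.hi

class ValueSetModel:  # enumerated field (operator / function code): seen values
    def __init__(self):
        self.values = set()
    def learn(self, v):
        self.values.add(v)
    def safe(self, v):
        return v in self.values

# The model type is picked from the field's data type and semantics (claims 4, 5).
# ENUM_FIELDS is an assumed configuration: its integers are codes, not quantities.
ENUM_FIELDS = {"function"}
BY_TYPE = {int: RangeModel}

def select_model_type(name, value):
    if name in ENUM_FIELDS:
        return ValueSetModel
    return BY_TYPE.get(type(value), ValueSetModel)

class FieldDetector:
    def __init__(self, operator_field="function"):
        self.op = operator_field
        self.models = {}  # (operator value, field name) -> model
    def _key(self, msg, name):
        # Argument models are keyed by the operator's value (claim 12): an address
        # that is normal for one function code is not assumed normal for another.
        return (None if name == self.op else msg.get(self.op), name)
    def learn(self, msg):  # learning phase, claim 7
        for name, value in msg.items():
            key = self._key(msg, name)
            if key not in self.models:  # claim 8: no model yet -> create one
                self.models[key] = select_model_type(name, value)()
            self.models[key].learn(value)
    def detect(self, msg):  # test phase, steps (b2)-(b4)
        alerts = []
        for name, value in msg.items():
            model = self.models.get(self._key(msg, name))
            if model is None:  # claim 9: field cannot be associated with a model
                alerts.append(f"{name}: no model")
            elif not model.safe(value):
                alerts.append(f"{name}: {value!r} outside safe region")
        return alerts

def build_demo_detector():
    # Learning phase on constructed Modbus-like read requests (made-up traffic).
    det = FieldDetector()
    for a in range(0, 100, 10):
        det.learn({"function": 3, "address": a, "count": 1 + (a // 10) % 5})
    return det
```

After training, a request with a previously unseen function code raises one alert for the operator field and one "no model" alert per argument field, since the argument models for that operator were never built.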
Family patents:
Publication number | Publication date
US20140297572A1|2014-10-02|
IL254829A|2018-06-28|
EA201490333A1|2014-06-30|
EA037617B1|2021-04-22|
CN103748853A|2014-04-23|
US20170195197A1|2017-07-06|
US20140090054A1|2014-03-27|
US9628497B2|2017-04-18|
CA2842465C|2021-05-04|
CN103748853B|2017-03-08|
JP6117202B2|2017-04-19|
IL230440A|2017-10-31|
US11012330B2|2021-05-18|
CA2842465A1|2013-01-31|
WO2013015691A1|2013-01-31|
IL254829D0|2017-12-31|
NL2007180C2|2013-01-29|
ES2581053T3|2016-08-31|
EP2737683A1|2014-06-04|
US20210344578A1|2021-11-04|
JP2014522167A|2014-08-28|
EP2737683B1|2016-03-02|
IL230440D0|2014-03-31|
Legal status:
2019-04-09| B11Z| Dismissal: petition dismissal - article 216, par 2 of industrial property law|Free format text: The dismissal of the national-phase entry petition is declared on account of the late filing of the power of attorney, as provided in Art. 216 §2 of the LPI (Law 9279/1996) and INPI-PR Resolution No. 77/2013, Art. 31. From this date, a period of 60 (sixty) days runs for any appeal by the interested party, as provided in Art. 212 of the LPI (Law 9279/1996) and INPI-PR Resolution No. 77/2013, Art. 31, sole paragraph. |
2019-05-14| B11M| Decision cancelled [chapter 11.13 patent gazette]|Free format text: Publication code 11.6.1 in RPI No. 2518 of 09/04/2019 annulled as having been improper. |
2020-11-10| B06U| Preliminary requirement: requests with searches performed by other patent offices: procedure suspended [chapter 6.21 patent gazette]|
2021-06-01| B350| Update of information on the portal [chapter 15.35 patent gazette]|
2021-12-07| B350| Update of information on the portal [chapter 15.35 patent gazette]|
Priority:
Application number | Filing date | Patent title
US201161511685P| true| 2011-07-26|2011-07-26|
NL2007180|2011-07-26|
US61/511685|2011-07-26|
NL2007180A|NL2007180C2|2011-07-26|2011-07-26|Method and system for classifying a protocol message in a data communication network.|
PCT/NL2012/050537|WO2013015691A1|2011-07-26|2012-07-26|Method and system for classifying a protocol message in a data communication network|