USPTO Patent Application 20080235799, Network attack signature generation (description and claims)

The present invention generally relates to the generation of attack signatures for use in detecting network attacks, and particularly relates to methods, apparatus, and computer program elements for generating attack signatures on a data network.

BACKGROUND OF THE INVENTION

The Internet is a wide area data network formed from a plurality of interconnected data networks. In operation, the Internet facilitates data communication between a range of remotely situated data processing systems. Such data processing systems each typically comprise a central processing unit (CPU), a memory subsystem, an input/output (I/O) subsystem, and computer program code stored in the memory subsystem for execution by the CPU. Typically, end user data processing systems connected to the Internet are referred to as client data processing systems or simply clients. Similarly, data processing systems hosting web sites and services for access by clients via the Internet are referred to as server data processing systems or simply servers. There is a client-server relationship established via the Internet between the end user data processing systems and the hosting data processing systems.

The Internet has become an important communication network for facilitating electronically effected commercial interactions between clients and servers. Access to the Internet is typically provided to such entities via an Internet Service Provider (ISP). Each ISP typically operates a network to which clients or servers subscribe. Each client is provided with an address on the network. Similarly, each server on the network is provided with an address.
The network operated by the ISP is connected to the Internet via dedicated data processing systems usually referred to as routers. In operation, the router directs inbound communication traffic from the Internet to specified addresses on the network, such as IP addresses or cellphone addresses (telephone numbers). Similarly, the router directs outbound communication traffic from the network in the direction of specified addresses on the Internet.

A problem faced by many users of data networks is the increasing frequency of electronic attacks on the networks they operate. Such attacks include computer virus attacks, "worm" attacks and denial of service attacks (DOS attacks). Worms and DOS attacks typically introduce significant performance degradation in networks. Infected systems connected to the network typically attempt to spread the infection within the network, and many users do not recognize that their systems are infected. For infected systems, intrusion detection followed by disinfection can be performed in the interest of restoring network performance.

To detect an intrusion, an intrusion detection system can make use of so-called attack signatures that have been derived from analyzing known attacks and that characterize those attacks. Some intrusion detection systems utilize a database that contains several attack signatures and compare data traffic against those attack signatures to determine whether the data traffic is likely to pertain to an attack.

US 2002/0143963 A1 describes an apparatus for enhancing the security of a web server against intrusive attacks in the form of HTTP requests. This is accomplished by comparing an incoming request with a predefined list of attack signatures, which may comprise at least files, file categories and addresses of known hackers. Action is then taken to reject requests for which a positive comparison is determined.
Further, the web server is notified of relevant data provided in connection with a rejected request, for potential future action in accordance with the severity of potential damage and the frequency of rejected requests from a given requester.

A widely used approach to generating attack signatures is to monitor hacker mailing lists and to manually craft attack signatures for the attacks one desires to detect. Wenke Lee and Salvatore J. Stolfo, in "A Framework for Constructing Features and Models for Intrusion Detection Systems", ACM Transactions on Information and System Security (TISSEC), 3(4):227-261, 2000, describe a method of learning attack signatures from attack examples. However, this work assumes that examples of attacks already exist, so that their characteristics can be learned. This is generally not the case, and it remains desirable to obtain suitable attack examples.

SUMMARY OF THE INVENTION

In accordance with the present invention, there is now provided a method for generating, from requests on a first data network, attack signatures for use in a second data network, the method comprising: a reception step for receiving data traffic from the first data network addressed to a number of unassigned addresses in a third data network; an inspection step for inspecting several incidents of the data traffic received in the previous step for a common data pattern; and, upon finding such a data pattern, a determination step for determining from the corresponding data traffic the attack signature for use in detecting attacks on the second data network.

This attack signature generation method makes use of the idea that network traffic directed at an unassigned address is a priori suspicious and has a higher likelihood of being an actual attack. This higher likelihood is exploited to generate one or more attack signatures that are expected to lead to a more precise detection of attacks.
The term "unassigned" herein covers an address that is not assigned to any physical device other than an apparatus for detecting an intrusion or generating an attack signature. The apparatus designed to execute the method according to the invention will be the device to which those "unassigned" addresses are actually assigned in order to make use of the invention. Those addresses are unassigned insofar as they are not assigned to any device that has a functionality other than signature generation or intrusion detection. Thereby, data traffic addressed to such an unassigned address will be received by that apparatus and subjected to the claimed method.

In a preferred embodiment of the invention the method comprises an answer step for spoofing an answer to a source that sent a request contained in the data traffic received. Thereby, more information can be obtained from the source of the request. The answer step can be executed selectively, using a selection criterion that depends on the type of protocol used by the received data traffic. In some protocols the request received already contains enough information to perform the inspection for the common data pattern; in such cases there is no need to send a spoofed answer to the source.

If the incidents of data traffic are selected only from those sources that reply to the spoofed answer and those sources that have not been subjected to the answer step, a reduction of the data used for generating an attack signature is achievable. This reduction is useful since it concentrates the data on those incidents that have a higher likelihood of being real attacks rather than innocent incidents of data traffic that at first sight look like attacks, also referred to as false positives. The selection is thus a way of reducing the number of false positives in the signature generation method.
In a preferred embodiment of the invention the inspection step comprises sorting the incidents according to a connection attribute, which can be one of the source address, the source port, the protocol type and the destination port of the data traffic. This clustering according to connection attribute values is a way of identifying data traffic as an attack, since the more incidents belong to a cluster, the more likely it is that the data traffic is an actual attack.

In a preferred embodiment of the invention the determination step comprises counting the number of incidents with a common data substring and defining as an attack signature those data substrings whose count exceeds a predetermined number. Hence, the biggest clusters, which represent the most frequently occurring data substrings, are used to generate an attack signature. The frequency of a data substring is here used as a further indicator that an attack is a true attack and not a false positive. At the same time, the biggest clusters represent those attacks which, due to their frequency, pose a higher risk to system users.

In a preferred embodiment of the invention the attack signature is sent to an intrusion detection system, also referred to herein as an intrusion detector, assigned to the second data network. The intrusion detector can then integrate the attack signature into its signature library and compare it against data traffic for attack identification and handling.

In a preferred embodiment of the invention the first data network and the second data network are connected to each other, so that the data traffic used to generate the attack signature is at least part of the data traffic that goes to the second data network. In a preferred embodiment of the invention the two networks can be of unitary construction or even identical. Also, the third data network can be connected to the second data network, or it can be identical with it.
The first data network is connected to the third data network in such a way that traffic can be directed from the first data network to addresses on the third data network. Any of the aforementioned data networks can also be a super- or subnetwork of another.

In a preferred embodiment of the invention the method is combined with an attack identification procedure and also comprises the steps of receiving data traffic on the second data network addressed to an unassigned address; inspecting the data traffic received for data indicative of an attack; and, on detection of data indicative of an attack, generating an alert signal. Thereby, the attack signature generated is used for identifying attacks, wherein those data traffic incidents that are directed at an unassigned address are a priori regarded as suspicious and subjected to a match test against the generated attack signature. The procedure of utilizing data traffic directed at unassigned addresses can hence be exploited twice for the ultimate purpose of attack identification.

In a preferred embodiment of the invention, on generation of the alert signal, data traffic originating at the address assigned to the data processing system that originated the data indicative of the attack is routed to a disinfection address on the network. Therefore, the source of the attack is marked as a generic attack source and traffic arriving from it is rerouted to the disinfection server. The system originally targeted by that traffic is decoupled from it and thereby protected.

In a preferred embodiment of the invention, on generation of the alert signal, an alert signal is sent to the disinfection address, and the alert signal preferably comprises data indicative of the attack detected. The alert signal is advantageous since it can carry further information for the disinfection server, such as the type of attack or an instruction on how to handle this kind of attack.
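The following is an added example written for this page; it is not code from the patent application or its assignee. It implements the preceding embodiments end to end: the selective answer step, clustering of incidents to unassigned addresses by connection attribute, counting of common data substrings against a threshold, and the attack identification step that matches later traffic against the generated signature and names the source to reroute to the disinfection address. The unassigned address range, the disinfection address, the minimum substring length and threshold, and all sample traffic are constructed for illustration; the choice to draw substring candidates from the payloads themselves, longest first, is this example's own way of realizing the "common data substring" count.

```python
"""Added example (not the patent's code): darknet-based attack signature
generation, then signature matching and rerouting of the attacking source."""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical addresses assigned to nothing but the signature generator itself,
# i.e. "unassigned" in the patent's sense, and a hypothetical disinfection server.
UNASSIGNED = {"10.9.0.5", "10.9.0.6", "10.9.0.7"}
DISINFECTION_ADDR = "10.9.0.250"


@dataclass(frozen=True)
class Incident:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


def needs_spoofed_answer(inc):
    """Answer step, selected by protocol: a bare TCP connection attempt carries no
    data, so the source must be answered (spoofed SYN/ACK) to obtain the payload;
    a single UDP datagram already contains everything needed for inspection."""
    return inc.proto == "tcp" and len(inc.payload) == 0


def cluster(incidents, key=("proto", "dport")):
    """Inspection step: sort incidents addressed to unassigned addresses into
    clusters by connection attribute (protocol type and destination port here;
    source address or source port work the same way)."""
    clusters = defaultdict(list)
    for inc in incidents:
        if inc.dst not in UNASSIGNED:
            continue  # only traffic to an unassigned address is a priori suspicious
        if needs_spoofed_answer(inc):
            continue  # nothing to inspect until the source replies to the spoofed answer
        clusters[tuple(getattr(inc, k) for k in key)].append(inc)
    return clusters


def frequent_substrings(payloads, min_len, threshold):
    """Determination step: count how many payloads contain each candidate
    substring and keep those reaching the threshold. Candidates are drawn from
    the payloads themselves, longest first, so an accepted signature's own
    substrings are not reported a second time."""
    found, seen = [], set()
    for seed in payloads:
        for n in range(len(seed), min_len - 1, -1):
            for i in range(len(seed) - n + 1):
                cand = seed[i:i + n]
                if cand in seen or any(cand in sig for sig, _ in found):
                    continue
                seen.add(cand)
                support = sum(1 for p in payloads if cand in p)
                if support >= threshold:
                    found.append((cand, support))
    return found


def generate_signatures(incidents, min_len=6, threshold=3, key=("proto", "dport")):
    """Return (cluster key, signature bytes, incident count) per frequent substring."""
    sigs = []
    for ckey, members in cluster(incidents, key).items():
        for sub, count in frequent_substrings([m.payload for m in members], min_len, threshold):
            sigs.append((ckey, sub, count))
    return sigs


def detect(sigs, inc, only_unassigned=True):
    """Attack identification: match traffic against the generated signatures and,
    on a hit, return an alert naming the source whose traffic is to be rerouted
    to the disinfection address; None when nothing matches."""
    if only_unassigned and inc.dst not in UNASSIGNED:
        return None
    for ckey, sub, _ in sigs:
        if (inc.proto, inc.dport) == ckey and sub in inc.payload:
            return {"src": inc.src, "signature": sub, "reroute_to": DISINFECTION_ADDR}
    return None


# Constructed sample traffic: three worm-like probes sharing a payload core, one
# lone HTTP probe, one probe to an assigned address (ignored), one bare TCP
# connection attempt (awaits the answer step) and two UDP datagrams (below threshold).
SAMPLE = [
    Incident("198.51.100.7", "10.9.0.5", "tcp", 8080, b"\x00\x00PAYLOAD-X:run cmd\xff\xff"),
    Incident("203.0.113.9", "10.9.0.6", "tcp", 8080, b"\x00\x01PAYLOAD-X:run cmd\xff\xfe"),
    Incident("198.51.100.8", "10.9.0.7", "tcp", 8080, b"\x00\x02PAYLOAD-X:run cmd\xff\xfd"),
    Incident("192.0.2.44", "10.9.0.5", "tcp", 8080, b"GET / HTTP/1.0\r\n\r\n"),
    Incident("203.0.113.9", "10.9.1.20", "tcp", 8080, b"\x00\x03PAYLOAD-X:run cmd\xff\xfc"),
    Incident("192.0.2.50", "10.9.0.5", "tcp", 22, b""),
    Incident("192.0.2.45", "10.9.0.6", "udp", 1434, b"\x04\x01\x01\x01"),
    Incident("192.0.2.46", "10.9.0.7", "udp", 1434, b"\x04\x01\x01\x01"),
]
SIGNATURES = generate_signatures(SAMPLE)  # -> [(("tcp", 8080), b"PAYLOAD-X:run cmd\xff", 3)]
```

Only the TCP/8080 cluster reaches the threshold of three incidents, and the signature is the longest byte string those three payloads share; the varying prefix and suffix bytes are excluded automatically because any substring containing them has a count of one. The probe to the assigned address 10.9.1.20 never enters a cluster, which is the point of the method: the a priori suspicion attaches only to traffic that had no legitimate destination. In a deployment the threshold and minimum length would be tuned per protocol, and the IDS on the second network would apply the resulting signatures to all traffic, not only to traffic to unassigned addresses (set only_unassigned=False).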
The alert signal could also comprise the computer program code for handling the attack or for disinfecting the system that is the source of the attack.

Viewing the present invention from another aspect, there is now provided an apparatus for generating, from requests from a first data network, attack signatures for use in a second data network having a plurality of addresses assigned to data processing systems. The apparatus comprises a signature generator for receiving data traffic from the first data network addressed to a number of unassigned addresses in a third data network and arriving at an input interface, inspecting several incidents of the data traffic received for a common data pattern, and, upon finding such a data pattern, determining from the corresponding data traffic the attack signature for use in detecting attacks on the second data network.

In a preferred embodiment the apparatus comprises a memory for storing the attack signature, at least temporarily. The apparatus is preferably designed to spoof replies to sources sending requests contained in the data traffic received. The replies can be sent via a first output interface to the first data network. The first output interface can preferably be combined with the input interface connected to that network.