Attack signature generation

Abstract

The present invention provides a method for generating from requests from a first data network attack signatures for use in a second data network having a plurality of addresses assigned to data processing systems, the method comprising receiving data traffic from the first data network addressed to a number of unassigned addresses in a third data network; inspecting several incidents of the received data traffic for a common data pattern, upon finding a said data pattern, determining from the corresponding data traffic the attack signature for use in detecting attacks for the second data network. The invention also provides an apparatus for generating from requests on a first data network attack signatures for use in a second data network having a plurality of addresses assigned to data processing systems. The present invention further extends to a computer program element comprising computer program code means which, when loaded in a processor of a data processing system, configures the processor to perform a method for detecting attacks on a data network as hereinbefore described. The present invention further extends to a method of supporting an entity in the handling of a detected attack.

Description

TECHNICAL FIELD [0001] The present invention generally relates to the generation of attack signatures for the use in detecting network attacks and particularly relates to methods, apparatus, and computer program elements for generating attack signatures on a data network. BACKGROUND OF THE INVENTION [0002] The Internet is a wide area data network formed from a plurality of interconnected data networks. In operation, the Internet facilitates data communication between a range of remotely situated data processing systems. Such data processing systems each typically comprise a central processing unit (CPU), a memory subsystem, and input / output (I / O) subsystem, and computer program code stored in the memory subsystem for execution by the CPU. Typically, end user data processing systems connected to the Internet are referred to as client data processing systems or simply clients. Similarly, data processing systems hosting web sites and services for access by clients via the Internet are ...

AI Technical Summary

Benefits of technology

[0007] In accordance with the present invention, there is now provided a method for generating from requests on a first data network attack signatures for use in a second data network, the method comprising a reception step for receiving data traffic from the first data network addressed to a number of unassigned addresses in a third data network; an inspection step for inspecting several incidents of the data traffic that has been received in the previous step, for a common data pattern, and upon finding a the data pattern, a determination step for determining from the corresponding data traffic the attack signature for use in detecting attacks on the second data network. This attack signature generation method makes use of the idea that network traffic directed against an unassigned address is a priori suspicious, and does provide a higher likelihood of being an actual attack. This higher likelihood is exploited to generate one or more attack signatures that are supposed to lead to a more precise detection of attacks.

[0011] If the incidents of data traffic are selected only from those of the sources replying to the spoofed answer and those sources that have not been subjected to the answer step, a reduction of the data used for generating an attack signature is achievable. This reduction is useful since it is deemed to concentrate the data on those incidents that have a higher likelihood of being real attacks and not innocent incidents of data traffic that at first sight look like attacks, also referred to as false positives. The selection is a way of reducing the number of false positives in the signature generation method.

[0030] It is particularly advantageous to provide the signature generation, forwarding of a signature and the attack identification for several entities and using technical data derived from the execution of the method for one of the entities for the execution of the same method for another of the entities. There is a significant saving in resources expectable, if the signature is generated not only for the use by a specific entity, such as the owner of the second network, but for a multitude of entities, especially if the networks of those entities are connected to the same or a substantially identical portion of the first, second, or third data network. The signature generation method can in a preferred embodiment comprise a selection step that selects the entities according to a selection criterion preferably derived from a degree of similarity in utility of the generated signature. The more similar the infrastructural components of several entities with respect to attackability are, the more likely it is that those entities are prone to the same type of attack and the more similar are the needs to receive the same type of attack signature.

Problems solved by technology

This attack signature generation method makes use of the idea that network traffic directed against an unassigned address is a priori suspicious, and does provide a higher likelihood of being an actual attack.

Images