System and method for real-time network traffic analysis
By combining power spectral density estimation and histogram data in a communication system to generate packet signatures, the problem of detecting malicious traffic flows is solved, enabling real-time monitoring and accurate analysis of malicious traffic flows.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- THE BOEING CO
- Filing Date
- 2021-12-15
- Publication Date
- 2026-06-05
AI Technical Summary
Detecting malicious traffic flows in communication systems is difficult, especially in environments where devices and network topologies are constantly changing, and communication flows are often encrypted, making it difficult for existing technologies to analyze and identify malicious behavior in real time.
By combining power spectral density estimation with histogram data, a signature of the group is generated, and the arrival interval and duration of the group are analyzed to identify abnormal flow patterns.
It improves the ability to detect malicious traffic flows, reduces the amount of data captured, enhances the resolution and accuracy of analysis, and enables real-time monitoring of network traffic.
Smart Images

Figure CN114650161B_ABST
Abstract
Description
Technical Field
[0001] This field generally relates to network traffic analysis, and more specifically to detecting malicious traffic flows in known, controlled, and changing environments. Background Technology
[0002] Communication systems, including communication satellites, are potential targets for malicious actors. Detecting intrusions by these malicious actors can be difficult because monitoring every single communication between satellites and other communication systems may not be practical, as the configuration and topology of devices and networks can change over time.
[0003] Furthermore, much of the communication flow between network devices (such as satellites) and other systems is encrypted, which can reduce transmission speed and potentially hinder the analysis of messages in transit. In many cases, intrusion detection systems need to be able to analyze messages in real time and handle intermittent or short messages. Therefore, additional security measures or systems that enhance the detection capabilities of communication systems would be beneficial.
[0004] This background section is intended to introduce the reader to various aspects of the art that may be related to the aspects of this disclosure, which are described and / or claimed below. This discussion is intended to help provide the reader with background information to facilitate a better understanding of the various aspects of this disclosure. Therefore, it should be understood that these statements should be interpreted in this context, and not as an admission of prior art. Summary of the Invention
[0005] In one aspect, a system for detecting malicious traffic flows in a network is provided. The system includes a computer system comprising at least one processor communicating with at least one memory device. Based on packet information received for multiple data packets transmitted over the network, the at least one processor is programmed to calculate the arrival interval time and packet duration of the multiple data packets. The at least one processor is also programmed to filter the packet information to remove noise. The at least one processor is further programmed to generate at least one histogram based on the packet information, arrival interval time, and packet duration. The at least one processor is further programmed to generate a power spectral density estimate based on the packet information, arrival interval time, and packet duration. Furthermore, the at least one processor is programmed to analyze the at least one histogram and the power spectral density estimate to detect one or more unexpected data flows. Additionally, the at least one processor is programmed to report one or more unexpected data flows.
[0006] On the other hand, a method for detecting malicious traffic flows in a network is provided. The method is implemented by a computer system including at least one processor communicating with at least one memory device. The method further includes the processor receiving packet information of multiple data packets transmitted over the network. The method also includes the processor calculating arrival intervals of the multiple data packets based on the packet information. Furthermore, the method includes the processor calculating packet durations of the multiple data packets based on the packet information. Additionally, the method includes the processor filtering the packet information to remove noise. Furthermore, the method includes the processor generating at least one histogram based on the packet information, arrival intervals, and packet durations. Furthermore, the method includes the processor generating a power spectral density estimate based on the packet information, arrival intervals, and packet durations. Furthermore, the method includes the processor analyzing at least one histogram and the power spectral density estimate to detect one or more unexpected data flows. Furthermore, the method includes the processor reporting one or more unexpected data flows.
[0007] On the other hand, a system for detecting malicious traffic flows in a network is provided. The system includes a computer system comprising at least one processor communicating with at least one memory device. The at least one processor is programmed to receive a security policy to be executed on the system, wherein the security policy includes configuration data. The at least one processor is also programmed to receive packet information of a plurality of data packets transmitted over the network. The at least one processor is further programmed to calculate the arrival interval time of the plurality of data packets based on the packet information and the security policy. Furthermore, the at least one processor is programmed to calculate the packet duration of the plurality of data packets based on the packet information. Furthermore, the at least one processor is programmed to filter the packet information to remove noise based on the security policy. Furthermore, the at least one processor is programmed to generate at least one histogram based on the packet information, the arrival interval time, and the packet duration. Furthermore, the at least one processor is also programmed to generate a power spectral density estimate based on the packet information, the arrival interval time, and the packet duration. Furthermore, the at least one processor is further programmed to analyze the at least one histogram and the power spectral density estimate based on the security policy to detect one or more unexpected data flows. Furthermore, the at least one processor is also programmed to report one or more unexpected data flows.
[0008] Various improvements exist to the features related to the above aspects. Additional features may also be incorporated into the above aspects. These improvements and additional features may exist individually or in any combination. For example, the various features discussed below that are related to any of the examples shown may be incorporated individually or in any combination into any of the above aspects. Attached Figure Description
[0009] The accompanying drawings described below depict various aspects of the systems and methods disclosed therein. It should be understood that each drawing depicts an example of a particular aspect of the disclosed systems and methods, and each drawing is intended to correspond to its possible examples. Furthermore, where possible, the following description refers to reference numerals included in the following drawings, wherein features depicted in multiple drawings are designated with consistent reference numerals.
[0010] The arrangement discussed herein is shown in the accompanying drawings; however, it should be understood that this example is not limited to the precise arrangement and means shown, wherein:
[0011] Figure 1 The illustration shows a block diagram of an example communication satellite system according to one example of this disclosure.
[0012] Figure 2 The diagram includes Figure 1 The diagram shows a block diagram of an example network in the first network configuration of an example communication satellite system.
[0013] Figure 3 The diagram shows from Figure 2 The diagram shows the transition from the first network configuration to the second network configuration.
[0014] Figure 4 The diagram illustrates the use of flow data analysis for detection. Figure 1 The system shown and Figure 2 Example algorithms for malicious data streams in the network shown.
[0015] Figure 5 The diagram illustrates the use of Figure 4 The algorithm shown presents the first curve of the first analysis of the flow.
[0016] Figure 6 The diagram shows... Figure 5 The first histogram of the first analysis of the flow rate is shown.
[0017] Figure 7 The diagram illustrates the use of Figure 4 The algorithm shown is used to perform a second analysis of the flow rate, resulting in a second graph.
[0018] Figure 8 The diagram shows... Figure 7 The second histogram of the second analysis of the flow rate is shown.
[0019] Figure 9 The diagram illustrates the use of Figure 4 The algorithm shown is used to perform a third analysis of the flow, resulting in a third curve.
[0020] Figure 10 The diagram shows... Figure 9 The third histogram of the third analysis of the flow rate is shown.
[0021] Figure 11 The diagram illustrates the use of Figure 4 The algorithm shown is used to perform a fourth analysis on the flow, resulting in the fourth curve.
[0022] Figure 12 The diagram shows... Figure 11 The fourth histogram of the fourth analysis of the flow rate is shown.
[0023] Figure 13 The diagram illustrates the use of Figure 4 The algorithm shown is performing a fifth analysis on the flow rate, resulting in the fifth curve.
[0024] Figure 14 The diagram shows... Figure 13 The fifth histogram of the fifth analysis of the flow rate is shown.
[0025] Figure 15 The diagram illustrates the use of Figure 4 The algorithm shown is used to perform the sixth analysis on the flow, resulting in the sixth curve.
[0026] Figure 16 The diagram shows... Figure 15 The sixth histogram of the sixth analysis of the flow is shown.
[0027] Figure 17 The diagram illustrates the analysis. Figure 2 A simplified block diagram of an example Communication Network Analyzer (“CNA”) system showing communication traffic on the network.
[0028] Figure 18 The analysis is illustrated. Figure 2 Communication traffic on the network shown and using Figure 17 Example procedure of the system shown.
[0029] Figure 19 An example according to this disclosure is illustrated in Figure 17 The system shown is an example configuration of the user computer equipment used in the system.
[0030] Figure 20 An example according to this disclosure is illustrated in Figure 17 The system shown is an example configuration of the server computer equipment used. Detailed Implementation
[0031] This field generally relates to intrusion detection, and more specifically to detecting malicious traffic flows within encrypted traffic streams in known, controlled, and constantly changing environments. In one example, a communication network analyzer (“CNA”) computer device determines a communication network based on the current time and available communication devices, activating an algorithm with security policies to monitor packets transmitted through the communication network. The systems and methods described herein are designed to monitor traffic in real time, independent of the communication protocols being used on the network.
[0032] In typical network traffic, various packet types (flows) may not arrive at a predetermined rate. This can cause problems when using standard techniques to distinguish between spoofed packet types that arrive less frequently. Furthermore, different packet types can have different durations, with shorter-duration packets potentially having lower energy and weaker signatures when using standard techniques.
[0033] The analytical technique described in this paper combines power spectral density (PSD) estimation with histogram data to enhance the energy of packet types (flows) with low arrival frequencies or short durations, thereby allowing for improved detection and analysis of these flows. This analytical technique generates distinct and visible signatures for all data packet types (flows) and enhances the signatures for aperiodic and spurious packet arrival times. The analytical technique also reduces the amount of data captured required for effective analysis. In most cases, the more accurate the analysis required, the more data needs to be supplied to the analysis. However, in many cases, such as in real-time analysis, there may not be enough data and / or processing time. By enhancing the signatures and visibility of data packets, the amount of data required for proper analysis of network traffic can be reduced. By combining PSD analysis with histogram data, the system can increase the resolution and / or accuracy of information about the analyzed packets, such as, but not limited to, the number of packets in each flow, packet type, packet size, frequency, and data rate.
[0034] The systems and methods disclosed herein are described as being performed by a CNA computer device. In one example, the CNA computer device is the data plane of a network communication device's switch when traffic is passing through a switch. In other examples, the CNA computer device may also be, but is not limited to, a network interface card (NIC), a repeater hub, a bridge, a switching hub, a bridging hub, a MAC bridge, a tapped port, or any other device configured to read messages (such as packets) inside or outside the data plane.
[0035] The CNA computer device determines information about packets arriving at and / or being transmitted to the network. This information includes packet arrival time (seconds), packet length (bits), and packet content bit rate (bits per second). Using this information, the CNA computer device analyzes the packets to identify unwanted packet sequences or sets by analyzing their presence, shape, form, and / or frequency.
[0036] CNA computer equipment generates histograms and PSD data based on information about packets to compare with expected flows, thereby detecting unexpected data flows in the traffic.
[0037] This document describes computer systems, such as CNA computer devices and related computer systems. As described herein, such computer systems include processors and memory. However, any processor referred to herein may also refer to one or more processors, wherein the processor may be in one computing device or multiple computing devices operating in parallel. Furthermore, any memory referred to herein may also refer to one or more memories, wherein the memory may be in one computing device or multiple computing devices operating in parallel.
[0038] Systems and processes are not limited to the specific examples described herein. Furthermore, components of each system and process may be practiced independently of and separately from the other components and processes described herein. Each component and process may also be used in conjunction with other assembly packages and processes.
[0039] Figure 1 A block diagram of an example communications satellite system 100 according to one example of this disclosure is illustrated. The example satellite system 100 includes a network processor 102, a storage unit 104, and a payload processor 106, all connected to an Ethernet switch 108. The Ethernet switch 108 is further connected to one or more bus controllers 110, which facilitate communication with a satellite bus subsystem 112 and a packet switch 114. In some examples, the packet switch 114 is a secure programmable data plane that allows algorithms to be executed to monitor multiple ports 116 used for communication connections 118 to and from the satellite 100. The multiple connections 118 may include, but are not limited to, inter-satellite links (ISL), downlinks (DL), and ports 116 that can act as ISLs or DLs.
[0040] Figure 2 The illustration shows an example communication satellite system 100 (e.g., Figure 1The diagram shows a block diagram of an example network 200 in a first network configuration 202. Network 200 includes multiple satellites 100. As shown in the first network configuration 202, the multiple satellites 100 are located in multiple orbits, such as geosynchronous orbit (GEO) 204, medium Earth orbit (MEO) 206, and low Earth orbit (LEO) 208. Network 200 may also include satellites 100 in highly elliptical orbits, lunar orbits, or any other non-geostationary (NGSO) orbits around celestial bodies, where their connections and positions are known and / or predictable.
[0041] Network 200 also includes multiple user equipment 210. User equipment 210 may include aircraft, spacecraft, ships, ground vehicles, ground stations and / or space stations, wherein user equipment 210 is connected to network 200.
[0042] As shown in the first network configuration 202, each satellite 100 has one or more ISL connections 212. There are also DL connections 214 from user equipment 210 to satellite 100. Although Figure 2 Although not shown as a direct connection, each DL connection 214 connects the user equipment 210 on network 200 to satellite 100.
[0043] Depending on the nature of the satellites 100, different satellites 100 orbit the Earth at different rates, causing the satellite 100 in network configuration 202 at time A to differ from the satellite 100 at time B. For example, satellite 100 in LEO 208 will orbit the Earth in 90 to 120 minutes, while a satellite in MEO 206 may require 12 hours to complete its orbit. This means that the satellites 100 that make up network 200 will change over time. Therefore, knowing when network configuration 202 of network 200 will change is important for the proper protection and monitoring of network 200.
[0044] Figure 3 The diagram illustrates a block diagram of transition 300 from a first network configuration 202 to a second network configuration 302. In transition 300, the ISL connection 212 between satellite #4 and satellite #7 is terminated, and a new ISL connection 212 is created between satellite #5 and satellite #8.
[0045] Each network configuration 202 and 302 represents a network 200 at a different point in time. Although the different network configurations 202 and 302 shown herein are satellite-related, the systems and methods described herein will also work with other types of computer networks 200 connected to multiple user devices 210.
[0046] Figure 4 The diagram illustrates the use of flow data analysis to detect system 100 (e.g., ...). Figure 1(as shown) and other similar systems and networks (such as Network 200 (e.g.) Figure 2 Example algorithm 400 for malicious data streams shown). The steps of algorithm 400 are performed by packet switch 114 (e.g., Figure 1 (As shown) This is performed. Packet switch 114 is programmed to monitor the data stream transmitted or received by port 116 (such as...). Figure 1 (As shown). Packet switch 114 uses algorithm 400 to monitor data flow on port 116. In one example, packet switch 114 stores one or more security policies, where the security policies are related to the configuration of network 200, such as configurations 202 and 302 (both are in...). Figure 3 (As shown in the diagram). In at least one example, the security policy includes information about network configuration and how traffic should flow. In some examples, packet switch 114 is located in the same location as another processor, which performs one or more steps of algorithm 400, such as analysis steps.
[0047] Packet switch 114 determines three different input packet characteristics based on received or transmitted data packets. These inputs include, but are not limited to, packet arrival time 402, packet length 404, and packet bit rate 406.
[0048] Using arrival time 402, packet switch 114 calculates arrival interval time 408, which is the duration between the arrival of data packets. Packet switch 114 determines the minimum gap length based on packet statistics or prior knowledge such as that provided in security policies. If the distance between the arrival of adjacent packets exceeds a predetermined criterion (e.g., a threshold amount), packet switch 114 identifies the gap and reduces the arrival interval time to the median arrival interval time. Packet switch 114 removes gap cycles because such gaps can introduce distortion in the analysis results. Packet switch 114 calculates arrival interval rate 412 and a median arrival interval rate 414. The arrival interval rate and the median arrival interval rate are combined at a non-linear ratio 416. The arrival interval rate represents the arrival rate of data packets associated with the corresponding flow.
[0049] Using a packet length of 404 and a packet bit rate of 406, packet switch 114 generates a ratio of 418 to calculate packet duration 420. Packet switch 114 calculates a maximum packet duration of 422 to generate a non-linear ratio of packet duration 420 to the maximum packet duration of 424.
[0050] The results of the arrival interval nonlinearity ratio 416 and the packet duration nonlinearity ratio 424 are combined and used to calculate 432 one or more histograms. Packet switch 114 applies detection criteria (e.g., thresholds) 434 to the histograms to reduce and / or overcome jitter or noise. In computer networks such as network 200, significant jitter can exist based on the number of repeater links traversed by each packet; the more links, the greater the jitter. By applying the detection threshold 434 to the histogram, anything above the detection threshold 434 is retained as actual data packets, while anything below the detection threshold 434 is discarded as jitter. The detection threshold 434 can be calculated by packet switch 114. The detection threshold 434 can also be pre-calculated and based on network configuration 202, and provided in security policies.
[0051] Next, packet switch 114 performs several steps to correctly apply the histogram-generated data for PSD analysis. These steps include, but are not limited to, determining the ratio 436 of the maximum number of data packets above the histogram packets, determining the relative packet gain 438, and determining non-linear sorting weighting and rounding 440. The goal is to maintain a positive signal-to-noise ratio for low-duration and bursty packets.
[0052] Then, packet switch 114 uses half of the minimum packet duration 442 as the sampling time to generate a rectangular sequence of 444 samples, which represents the enhanced data packets as a rectangular sequence of data packets, where the duration represents the actual data packets and the amplitude represents the energy allocated to the data packets.
[0053] Packet switch 114 analyzes power spectral density data to show the frequencies at which various packet sequences occur. In this example, a Welch periodogram is used to calculate a power spectral density estimate 446. Packet switch 114 combines the power spectral density estimate 446 with data packets exceeding a detection threshold 434 and a histogram 432 to determine the packet type (flow) detected 448. The histogram data includes the number of data packets in each flow. Security policies include expected flows. Packet switch 114 compares expected flows with detected flows to detect any unexpected flows. In one example, packet switch 114 removes expected flows from the flows detected in histogram 432 to determine if any unexpected flows exist in the altered histogram.
[0054] Since the topology of network 200 is known, anything outside of this topology is unexpected, therefore anomalous, and potentially malicious. When unexpected data is detected, packet switch 114 transmits a notification of the presence of an unexpected flow. Packet switch 114 may also provide the frequency, arrival time, duration, and / or number of anomalous data packets. Anomalous data packets may indicate a malicious threat or a misconfiguration of the security policy used by packet switch 114 for analysis. Packet switch 114 may notify the operations center, security center, or take action. Actions may include, but are not limited to, providing additional notifications, alerts, triggering another procedure, changing the network topology, and / or blocking traffic.
[0055] Figures 5 to 14 The diagram illustrates the use of algorithm 400 (e.g.) Figure 4 The results of the analysis of different example flows (shown and performed by packet switch 114) are shown in Table 1 below. Table 1 shows the different flows that may be included in each analysis. For the purposes of this analysis, flow 1 is the only expected flow. Flow 1 provides 128,000 1500B data packets at a frequency of 25kHz, with a flow data rate of 300Mbps.
[0056]
[0057] Table 1
[0058] Figure 5 The diagram illustrates the use of algorithm 400 (e.g.) Figure 4 The first graph 500 (shown) illustrates the first analysis of the flow. Graph 500 shows the power spectral density of flow 1. Graph 500 includes the frequencies of arrival of various packet types in kilohertz (kHz) on the x-axis and the power spectral density (PSD) in decibels (dB) on the y-axis. At the center of graph 500, flow 1 is shown at 25 kHz. Other components shown in graph 500 are arrival interval jitter, which is less than -70 dB.
[0059] Figure 6 The diagram shows Figure 5 The first histogram 600 shown is used for the first analysis of the flow rate. Based on algorithm 400 (e.g.) Figure 4For the purpose of (shown), the dominant flow is excluded from histogram 600. This allows packet switch 114 (or the co-location processor) to identify additional flows shown in histogram 600. Histogram 600 includes relative weights in dB on the x-axis and the number of packets on the y-axis. By excluding the dominant flow, histogram 600 can display information about other detected flows without being obscured by the dominant flow. For the purposes of this discussion, the dominant flow (flow 1) is the expected flow, while all other flows are unexpected and potentially malicious flows. Packet switch 114 removes all expected flows from histogram 600 to focus on unexpected flows. Ideally, histogram 600 would be empty because there are no unexpected flows.
[0060] Figure 7 The diagram illustrates the use of algorithm 400 (e.g.) Figure 4 The second curve 700 (shown) is used for a second analysis of the flow rate. Curve 700 shows the dominant flow (flow 1) at 25 kHz and the second flow that repeats every 2 Hz. The second flow is flow 2 in Table 1. Figure 8 The diagram shows... Figure 7 The second histogram 800 is shown for the second analysis of the flow. Histogram 800 shows flow 2 with 10 groups. The dominant flow (flow 1) is excluded from histogram 800. Therefore, for a total of 10 groups, the second flow is 2 groups per second.
[0061] Figure 9 The diagram illustrates the use of algorithm 400 (e.g.) Figure 4 The third graph 900 (shown) shows the third analysis of the flow rate. Graph 900 shows the dominant flow (flow 1) at 25 kHz, the second flow (flow 3) repeating every 20 Hz, and the third flow (flow 2) repeating every 2 Hz. Figure 10 The diagram shows... Figure 9 The third histogram 1000 is shown for a third analysis of the flow rate. Histogram 1000 displays 10 groups at 16dB, 1 group at 17dB, 10 groups at 19.5dB, and 100 groups at 21dB. For analytical purposes, data groups within 2dB of each other are considered parts of the same flow, but are affected by jitter. Therefore, the 1 group at 17dB is part of the data group at 16dB, and the 10 groups at ~19.5dB are part of the data group at 21dB. Figure 9 and Figure 10 As shown, the detection threshold of 434 removes most of the jitter, but some jitter remains. However, this is acceptable for analytical purposes, as the dominant stream is clearly visible on graph 900. Therefore, the second stream provides 100 packets at a rate of 20 packets per second, and the third stream provides 10 packets at a rate of 2 packets per second.
[0062] Although streams 1, 2, and 3 each contain 1500-byte blocks, Algorithm 400 can detect blocks of varying byte sizes. Figure 11 and Figure 12 In this process, packets in the dominant stream (stream 1) are 1500 bytes in size, while packets in the second stream (stream 4) are only 100 bytes long. Furthermore, Algorithm 400 detects different streams at different data rates. Stream 1 has a data rate of 300 Mbps, while Stream 4 has a data rate of 1.6 Kbps. Figure 11 The diagram illustrates the use of algorithm 400 (e.g.) Figure 4 The fourth curve (shown) is plotted for the fourth analysis of the flow rate. Plot 1100 shows the dominant flow (flow 1) at 25 kHz and the second flow (flow 4) that repeats at 2 Hz. Figure 12 The diagram shows... Figure 11 The fourth histogram 1200 is shown, representing the fourth analysis of the flow rate. Histogram 1200 illustrates three packets at 19.5 dB and seven packets at 21 dB. Therefore, the second flow provides 10 packets at a rate of 2 packets per second.
[0063] Figure 13 The diagram illustrates the use of algorithm 400 (e.g.) Figure 4 The fifth curve 1300 (shown) shows the fifth analysis of the flow rate. Curve 1300 shows the dominant flow (flow 1) at 25 kHz, the second flow (flow 5) that repeats at 20 Hz, and the third flow (flow 4) that repeats at 2 Hz. Figure 14 The diagram shows... Figure 13 The fifth histogram shown is the fifth analysis of the flow rate. Histogram 1400 illustrates 10 packets at 64 dB and 100 packets at 21 dB. Therefore, the second flow provides 100 packets at a rate of 20 packets per second, and the third flow provides 10 packets at a rate of 2 packets per second.
[0064] Figure 15 The diagram illustrates the use of algorithm 400 (e.g.) Figure 4 The sixth curve (shown) is the sixth curve of the flow analysis. Curve 1500 shows the dominant flow (flow 1) at 25 kHz and the second flow (flow 5) that repeats at 20 Hz. Figure 16 The diagram shows... Figure 15 The sixth histogram is shown, representing the sixth analysis of the flow rate. Histogram 1600 illustrates 3 packets at 19.5 dB and 97 packets at 21 dB. Therefore, the second flow provides 100 packets at a rate of 20 packets per second.
[0065] Figure 17 The diagram illustrates the analysis of network 200 (e.g., Figure 2 A simplified block diagram of an example Communication Network Analyzer (“CNA”) system 1700 for monitoring communication traffic on satellite 100 (as shown). In this example, the CNA system 1700 is used to control the communication traffic on satellite 100 (as shown). Figure 1 The algorithm operates in communication with other devices on network 200 (as shown). This algorithm monitors malicious data streams in communications on network 200 that may indicate network security threats and attacks, allowing other systems to potentially respond to identified and detected network security threats and attacks.
[0066] CNA system 1700 includes a CNA computer device 1710 that communicates with one or more communication ports 1705. The CNA computer device 1710 may be similar to satellite 100 in network 200 (both are as follows). Figure 1 (as shown) or user equipment 210 (e.g. Figure 2 The packet switch 114 or other processing unit (as shown) executes on the packet switch 114. In some examples, the packet switch 114 is associated with an algorithm 400 (such as...). Figure 4 One or more additional processors (as shown) coexist in one location for one or more steps. Communication port 1705 may be similar to port 116 (as shown). Figure 1 (As shown). One or more communication ports 1705 each communicate with communication device 1730. Communication device 1730 may be similar to satellite 100 and / or user equipment 210. In one example, the CNA computer device also communicates with network controller 1725, which provides security policies to CNA computer device 1710. CNA computer device 1710 may also communicate with database server 1715 for retrieving and storing data in database 1720.
[0067] CNA computer device 1710 is programmed to receive signature information and / or security policies regarding different configurations of computer network 200. Security policies may include information about the network topology, enabling algorithms analyzing traffic flows to identify expected data flows and detect unexpected data flows. In some examples, security policies include signatures of expected traffic flows based on the current network configuration. Security policies may include information such as, but not limited to, when users should connect, how long they will be connected, the MOD / COD of connection 118, the data rate of connection 118, the demand for connection 118 will be used to define the number of data flows, information about those data flows (such as packet size), how applications transmit those data packets, arrival time, protocols (if available), etc. All of this information is compiled on a per-connection-118 basis. Security policies may be based on network information, such as, but not limited to, satellites 100 in network 200 (e.g., satellites 100 in network 200). Figure 1(As shown) Knowledge at a specific point in time or during a defined time interval, including where satellite 100 is located, which device devices 100 and 210 are connected to, and which device devices devices 100 and 210 should connect to at each specific point in time or during a specified time interval and / or the duration of each connection 118. Network information may also include, but is not limited to, how user equipment 210 connects to network 200 and satellite 100, the type of connection 118 between satellite 100 itself and between satellite 100 and user equipment 210, MOD / COD (modulation and coding, where coding refers to FEC (forward error correction) overhead), data rate, and for each network configuration 202 and 302 (as shown respectively) Figure 2 and Figure 3 (As shown) Traffic profile along network 200 (what type of traffic the user expects to generate). In some examples, CNA computer device 1710 receives security policies from network controller 1725. In other examples, CNA computer device 1710 stores multiple security policies and uses different security policies at different times based on the configuration of network 200. In some examples, all connections 212 and 214 (both in...) Figure 2 (As shown in the examples) are all known in advance. In some of these examples, the algorithm controller 1725 transmits a signal indicating when to use each security policy. In other examples, the network controller 1725 transmits a schedule that informs the CNA computer device 1710 when to use which security policy. In some examples, the CNA computer device 1710 stores multiple different algorithms. In some of these examples, the network controller 1725 informs the CNA computer device 1710 when to use which algorithm and which security policy to use.
[0068] In other examples, one or more user devices 210 may connect to network 200 on an ad-hoc basis. In these examples, a new user device 210 negotiates a connection 118 to network 200. Information about the new user device is passed to network controller 1725 or CNA computer device 1710, which generates a new security policy for the new user device 210 and devices 100 and 210 with connection 118 to the new user device 210.
[0069] CNA computer device 1710 applies a security policy to communication port 1705, which has a connection 118 to communication device 1730. In this example, CNA computer device 1710 executes an algorithm for monitoring each connection 118, wherein the algorithm is configured to use a security policy to monitor communication port 1705 associated with one or more connections 118 for malicious traffic flows. When network 200 is configured accordingly, CNA computer device 1710 activates the appropriate algorithm and the appropriate security policy.
[0070] For example, based on network configurations 202 and 302, CNA computer device 1710 determines that first network configuration 202 will be valid from time A to time B, and second network configuration 302 will be valid from time B to time C. Furthermore, CNA computer device 1710 knows the security policy for each network configuration 202 and 302. This security policy may be stored in database 1720 or received from network controller 1725.
[0071] For each network configuration 202 and 302, CNA computer device 1710 determines which algorithm and security policy to use to monitor each connection 118. For example, in the first network configuration 202, CNA computer device 1710 associated with satellite #1 determines the algorithm to run on satellite #1 (e.g., Figure 4 The algorithm 400 shown determines which security policy to run for ISL connection 212 to satellite #2. CNA computer device 1710 can use different security policies to monitor ISL connection 212 to satellite 2. Furthermore, CNA computer device 1710 can execute multiple copies of the algorithm simultaneously, each copy corresponding to each communication port 1705 with active connection 118. Based on their connections and the configuration of network 200, different copies of the algorithm can each use different security policies. CNA computer device 1710 associated with satellite #2 determines which algorithm to run on satellite #2 for ISL connection 212 and which security policy to use to monitor ISL connection 212 for the algorithm on satellite #2. The algorithm and security policy executed on each satellite 100 may differ on different satellites 100 or even on different ports 116 of the same satellite 100. CNA computer device 1710 and / or network controller 1725 select the algorithm and security policy based on one or more attributes of the satellite in question and / or the configuration of network 200.
[0072] CNA computer device 1710 ensures that appropriate algorithms and security policies are activated on the corresponding satellites 100 at the correct times. In some examples, CNA computer device 1710 receives security policies and algorithms in advance from network controller 1725, along with a schedule instructing CNA computer device 1710 when to activate each algorithm and security policy. For example, CNA computer device 1710 may receive algorithms and security policies for a first network configuration 202 and a second network configuration 302. When time A begins, the CNA computer device 1710 associated with each satellite 100 activates the predetermined algorithms and security policies associated with the first network configuration 202. When time B arrives, the CNA computer device 1710 associated with each satellite 100 activates the predetermined algorithms and security policies associated with the second network configuration 302, and so on. In these examples, network controller 1725 may transmit algorithms and security policies to CNA computer device 1710 before the corresponding network configuration begins. Furthermore, in some examples, network configurations may be repeated at multiple time points. In these examples, each CNA computer device 1710 may store multiple algorithms and security policies, and the CNA computer device 1710 may receive signals from the network controller 1725 indicating which algorithm and security policy is activated at different times. In other examples, the network controller 1725 transmits one or more appropriate algorithms and security policies to the CNA computer device 1710 at the start of a new network configuration. Although the above description pertains to satellite 100, any communication device may be used with the systems and methods described herein. In some examples, instead of scheduling, each security policy includes an activity time attribute, and the computer device 710 activates the security policy at the appropriate time.
[0073] In this example, CNA computer device 1710 is such as packet switch 114 (e.g. Figure 1 The system (as shown) can execute algorithms and security policies to monitor port 116 (all as shown). Figure 1 Communication 118 is shown on the network controller 1725. In other examples, the CNA computer device 1710 may also be, but is not limited to, a network interface card (NIC), repeater hub, bridge, switching hub, bridging hub, MAC bridge, or any other device configured to transmit and receive messages (such as data packets). In this example, the CNA computer device 1710 communicates with the network controller 1725 to receive signals about when which algorithms and security policies are used. In this example, the network controller 1725 can communicate with the CNA computer device 1710 via ISL connection 212 and DL connection 214. The CNA computer device 1710 may also communicate with the network controller 1725, user equipment 210 (such as...), and other network controllers. Figure 2(As shown) or other communication devices 1730 provide information about detected potentially malicious data flows or other deviations from security policies. In other examples, algorithm 400 may be executed at a centralized location, where a computer device at the centralized location monitors communications (i.e., data flows) in network 200 and reviews these communications according to appropriate security policies. CNA computer device 1710 may be part of satellite 100 or user equipment 210, where connection 118 on port 116 can be used for monitoring.
[0074] In this example, communication device 1730 is a computer including a web browser or software application that enables client communication device 1730 to communicate with CNA computer device 1710 using the Internet, local area network (LAN), or wide area network (WAN). In some examples, communication device 1730 is communicatively coupled to the Internet through a number of interfaces, including but not limited to at least one of the following: the Internet, LAN, WAN, or Integrated Services Digital Network (ISDN), dial-up connection, Digital Subscriber Line (DSL), cellular telephone connection, satellite connection, and cable modem. Communication device 1730 can be any device capable of accessing a network (such as the Internet), including but not limited to desktop computers, laptop computers, personal digital assistants (PDAs), cellular phones, smartphones, tablets, phablets, or other web-based connected devices. In at least one example, one or more communication devices 1730 include a web browser that can be used to output information to network controller 1725 or CNA computer device 1710, such as providing contextual information about one or more configurations of network 200 or one or more warnings about malicious data streams. In some examples, communication device 1730 monitors or controls the path of satellite 100 and provides information about satellite 100. In other examples, communication device 1730 facilitates communication between CNA computer device 1710 and network controller 1725.
[0075] The application includes information about satellite 100 and user equipment 210 in network 200, and is capable of determining which algorithms and security policies are used to monitor data flows on computer network 200 at specific times or for specific network configurations. The application may be provided as a cloud-based web service via the Internet or other networks. In some examples, network controller 1725 includes at least one application running on network controller 1725 to perform network analysis.
[0076] Database server 1715 is communicatively coupled to database 1720, which stores data. In one example, database 1720 includes multiple satellite communication attributes, multiple algorithm attributes, multiple security policy information, and additional information about user equipment 210. In some examples, database 1720 is remotely stored from CNA computer device 1710. In some examples, database 1720 is distributed. In this example, a person can access database 1720 via user equipment 210 by logging into at least one of CNA computer device 1710 and network controller 1725.
[0077] At a high level, the algorithm executes on an FPGA or other processor that is part of the CNA computer device 1710. The algorithm generates data, such as statistics in log form. This algorithm can be co-located on satellite 100, user equipment 210, or communication equipment 1730, and can also run on computer devices such as network controller 1725. The computer device then interprets the logs. Based on the review of the algorithm logs, something can be detected. Based on the detection, network controller 1725, CNA computer device 1710, or other client devices can notify the operations center, security center, or take action. Actions may include, but are not limited to, providing notifications, alerts, triggering another program, changing the network topology, or blocking traffic.
[0078] Figure 18 The diagram illustrates the analysis of network 200 (e.g., Figure 2 Communication traffic on (as shown) and using system 1700 (e.g.) Figure 17 Example process 1800 (shown). The steps of process 1800 can be performed by satellite 100 ( Figure 1 ) or other equipment 210 ( Figure 2 ) and / or CNA computer equipment 1710 ( Figure 17 The packet switch 114 performs the procedure 1800. In at least one example, the packet switch 114 performing the procedure 1800 is located on satellite 100. In one example, the packet switch 114 communicates with another communication device 1730 (such as...). Figure 17 (as shown) to communicate 118 (e.g.) Figure 1 Each port 116 (as shown) Figure 1 (As shown) Execution process 1800. In some examples, the packet switch 114 executes a different instantiation of process 1800 for each active port 116. In other examples, the packet switch 114 executes one instantiation of process 1800 to monitor multiple ports 116.
[0079] CNA computer device 1710 or packet switch 114 communicates with one or more devices in network 200. Devices in the network may include, but are not limited to, satellite 100, user equipment 210, communication equipment 1730, and network controller 1725 (e.g., Figure 17 (As shown).
[0080] CNA computer equipment 1710 receives 1805 via network 200 (e.g.) Figure 2 (As shown) Packet information for multiple data packets transmitted. Packet information includes, but is not limited to, packet arrival time 402, packet length 404, and packet bit rate 406 (all within...). Figure 4 (As shown in the diagram). CNA computer device 1710 monitors data packets transmitted or received through one or more ports 116 in real time. CNA computer device 1710 determines packet information based on examining multiple data packets transmitted by computer system 100 or 210 through port 116.
[0081] CNA computer equipment 1710 calculates the arrival interval of multiple data packets based on packet information 1810 408 (e.g. Figure 4 (As shown). CNA computer device 1710 adjusts multiple arrival intervals of multiple data packets to remove gaps 410 (e.g. Figure 4 (As shown). CNA computer device 1710 calculates the arrival interval rate of multiple data packets based on packet information 412 (e.g. Figure 4 (As shown). CNA computer device 1710 calculates the median (or average) arrival interval rate of multiple data groups 414 (e.g. Figure 4 (As shown). Then, the CNA computer device 1710 adjusts multiple arrival interval times based on the median arrival interval rate 414 to remove one or more gaps 410.
[0082] CNA computer equipment 1710 calculates the duration of multiple data groups based on grouping information 1815 420 (e.g., ... Figure 4 (As shown). CNA computer device 1710 filters 1820 packets of information to remove noise and jitter. CNA computer device 1710 will detect a threshold of 434 (as shown). Figure 4 (As shown) is applied to multiple data packets to filter packet information, thereby removing noise. The CNA computer device 1710 generates at least one histogram 432 (as shown) based on packet information, arrival time 408, and packet duration 420. Figure 4 (As shown). The CNA computer device 1710 also generates a power spectral density estimate 446 based on packet information, arrival interval 408, and packet duration 420 (as shown). Figure 4 (As shown).
[0083] CNA computer device 1710 analyzes 1835 at least one histogram 432 and power spectral density estimate 446 to detect one or more unexpected data streams. CNA computer device 1710 detects one or more data streams 448 (e.g., ...) in at least one histogram 432 and power spectral density estimate 446. Figure 4 (As shown). CNA computer device 1710 compares one or more detected data streams with one or more expected data streams. CNA computer device 1710 detects one or more unexpected data streams based on the comparison. In one example, CNA computer device 1710 filters one or more expected data streams from at least one histogram 432 and analyzes at least one filtered histogram 432 to detect one or more unexpected data streams.
[0084] Based on the detection of one or more unexpected data flows, CNA computer device 1710 reports one or more unexpected data flows. CNA computer device 1710 may transmit a notification to network controller 1725. Furthermore, network controller 1725, CNA computer device 1710, or other client devices may notify the operations center, security center, or take action. Actions may include, but are not limited to, providing notifications, alerts, triggering another program, changing the network topology, or blocking traffic.
[0085] CNA computer device 1710 can receive and store security policies including one or more expected data streams. CNA computer device 1710 can also store multiple security policies. Each of the multiple security policies is associated with network 200 configuration 202 or 302 (both are in...). Figure 3 (As shown in the diagram) The CNA computer device 1710 activates the security policy associated with the current configuration 202 of network 200.
[0086] In some examples, the CNA computer device 1710 stores one or more security policies from the network controller 1725 (e.g., Figure 17(As shown) The CNA computer device 1710 receives a security policy to activate at that point in time. In another example where the CNA computer device 1710 stores one or more security policies, the CNA computer device 1710 receives a signal from the network controller 1725 instructing the CNA computer device 1710 to activate one of the stored security policies. In yet another example where the CNA computer device 1710 stores one or more security policies, the CNA computer device 1710 may also receive a schedule from the network controller 1725. The schedule contains the activity time to activate each algorithm and security policy. The CNA computer device 1710 activates the corresponding algorithm and security policy based on a script. For example, the script may include all algorithms and security policies that will be used during a day, an hour, or other time period on network 200. The security policy may include information about the expected data flow.
[0087] Figure 19 The illustration shows an example according to this disclosure, in a CNA system 1700 (such as...). Figure 17 Example configuration of user computer device 1902 used (shown). User computer device 1902 is operated by user 1901. User computer device 1902 may include, but is not limited to, satellite 100, packet switch 114 (both as shown) Figure 1 (as shown), User equipment 210 (e.g.) Figure 2 (as shown), communication device 1730 and network controller 1725 (both as shown) Figure 17 (As shown). User computer device 1902 includes a processor 1905 for executing instructions. In some examples, the executable instructions are stored in memory region 1910. Processor 1905 may include one or more processing units (e.g., in a multi-core configuration). Memory region 1910 is any device that allows storage and retrieval of information such as executable instructions and / or transaction data. Memory region 1910 may include one or more computer-readable media.
[0088] User computer device 1902 also includes at least one media output component 1915 for presenting information to user 1901. Media output component 1915 is any component capable of transmitting information to user 1901. In some examples, media output component 1915 includes an output adapter (not shown), such as a video adapter and / or an audio adapter. The output adapter is operatively coupled to processor 1905 and operatively coupled to an output device, such as a display device (e.g., a cathode ray tube (CRT), liquid crystal display (LCD), light-emitting diode (LED) display, or "e-ink" display) or an audio output device (e.g., a speaker or headphones). In some examples, media output component 1915 is configured to present a graphical user interface (e.g., a web browser and / or client application) to user 1901. The graphical user interface may include, for example, an interface for viewing monitoring data about network 200 (e.g., ...). Figure 2 (As shown). In some examples, user computer device 1902 includes an input device 1920 for receiving input from user 1901. User 1901 may use input device 1920 to input network configuration information, but is not limited thereto. Input device 1920 may include, for example, a keyboard, pointing device, mouse, stylus, touch-sensitive panel (e.g., touchpad or touchscreen), gyroscope, accelerometer, position detector, biometric input device, and / or audio input device. A single component such as a touchscreen may be used as both an output device for media output component 1915 and an input device 1920.
[0089] User computer device 1902 may also include a communication interface 1925, which is communicatively coupled to a remote device, such as CNA computer device 1710 (e.g., Figure 7 (As shown). The communication interface 1925 may include, for example, a wired or wireless network adapter and / or a wireless data transceiver for a mobile telecommunications network.
[0090] Storing in storage area 1910 are computer-readable instructions, for example, for providing a user interface to user 1901 via media output component 1915 and optionally for receiving and processing input from input device 1920. Among other possibilities, the user interface may include a web browser and / or a client application. A web browser enables a user, such as user 1901, to display and interact with media and other information typically embedded in web pages or websites from CNA computer device 1710. A client application allows user 1901 to interact with, for example, CNA computer device 1710. For example, instructions may be stored by a cloud service, and the output of the execution of instructions may be sent to media output component 1915.
[0091] Processor 1905 executes computer-executable instructions for implementing aspects of this disclosure.
[0092] Figure 20 The illustration shows an example of a CNA system 1700 (e.g., according to this disclosure) Figure 17 Example configuration of server computer device 2001 used (shown). Server computer device 2001 may include, but is not limited to, CNA computer device 1710, database server 1715 and network controller 1725 (all in... Figure 17 (As shown in the diagram). The server computer device 2001 also includes a processor 2005 for executing instructions. Instructions may be stored in memory region 2010. Processor 2005 may include one or more processing units (e.g., in a multi-core configuration).
[0093] Processor 2005 is operatively coupled to communication interface 2015, enabling server computer device 2001 to communicate with remote devices, such as another server computer device 2001, CNA computer device 1710, another network controller 725, or communication device 1730 (e.g., Figure 17 (As shown). For example, the communication interface 2015 can receive requests from the network controller 725 via the Internet, such as... Figure 17 As shown.
[0094] Processor 2005 is also operatively coupled to storage device 2034. Storage device 2034 is any computer operating hardware suitable for storing and / or retrieving data, such as, but not limited to, data associated with database 1720 (e.g., data related to database 1720). Figure 17 (As shown). In some examples, storage device 2034 is integrated into server computer device 2001. For example, server computer device 2001 may include one or more hard disk drives as storage device 2034. In other examples, storage device 2034 is located external to server computer device 2001 and is accessible by multiple server computer devices 2001. For example, storage device 2034 may include storage area network (SAN), network attached storage (NAS) system, and / or multiple storage units, such as hard disks and / or solid-state drives in a redundant array of inexpensive disks (RAID) configuration.
[0095] In some examples, processor 2005 is operatively coupled to storage device 2034 via storage interface 2020. Storage interface 2020 is any component capable of providing processor 2005 with access to storage device 2034. Storage interface 2020 may include, for example, an Advanced Technology Attachment (ATA) adapter, a Serial ATA (SATA) adapter, a Small Computer System Interface (SCSI) adapter, a RAID controller, a SAN adapter, a network adapter, and / or any component that provides processor 2005 with access to storage device 2034.
[0096] Processor 2005 executes computer-executable instructions for implementing aspects of this disclosure. In some examples, processor 2005 is converted into a special-purpose microprocessor by executing computer-executable instructions or otherwise by programming. For example, processor 2005 uses, for instance, computer-executable instructions. Figure 18 Use the instructions shown to program.
[0097] As used herein, a processor can include any programmable system, including systems using microcontrollers; reduced instruction set circuitry (RISC), application-specific integrated circuits (ASICs), logic circuits, and any other circuitry or processor capable of performing the functions described herein. The examples above are merely illustrative and are therefore not intended to limit the definition and / or meaning of the term "processor" in any way.
[0098] As used herein, the term "cybersecurity threat" includes unauthorized attempts to gain access to a subject system. A cybersecurity threat, also known as a cyberattack or cyber threat, attempts to exploit vulnerabilities in a computer system to compromise it. Some cybersecurity threats involve attempts to compromise or disrupt a subject system. These cybersecurity threats can include, but are not limited to, proactive intrusion, spyware, malware, viruses, and worms. Cybersecurity threats can compromise systems through a variety of pathways (also known as attack paths). These paths may include operating system attacks, misconfiguration attacks, application-level attacks, and shrink wrapper attacks. Cybersecurity threats can be introduced remotely by individuals or systems with direct access to computing devices, via communication networks or connected systems, or through associated supply chains.
[0099] As used herein, the term "database" may refer to a data volume, a relational database management system (RDBMS), or both. As used herein, a database may include any collection of data, including hierarchical databases, relational databases, flat file databases, object-relational databases, object-oriented databases, and any other structured collection of records or data stored in a computer system. The examples above are merely illustrative and are therefore not intended to limit the definition and / or meaning of the term "database" in any way. Examples of RDBMS include, but are not limited to, those mentioned above. Database, MySQL DB2, SQL Server And PostgreSQL. However, any database capable of implementing the systems and methods described in this article can be used. (Oracle is a registered trademark of Oracle Corporation, Redwood Coast, California; IBM is a registered trademark of International Business Machines Corporation, Armonk, NY; Microsoft is a registered trademark of Microsoft Corporation, Redmond, Washington; and Sybase is a registered trademark of Sybase, Dublin, California.)
[0100] In another example, a computer program is provided, and this program is embodied on a computer-readable medium. In one example, the system executes on a computer system without needing to connect to a server computer. In another example, the system... Running in an environment (Windows is a registered trademark of Microsoft Corporation, Redmond, Washington). In another example, the system runs in a mainframe environment and Running in a server environment (UNIX is a registered trademark of X / Open International Alliance Ltd., located in Reading, Berkshire, UK). In another example, the system is... Running in an environment (iOS is a registered trademark of Cisco Systems, Inc., a U.S. company located in San Jose, California). In another example, the system runs on a Mac. The system runs in an environment (Mac OS is a registered trademark of Apple Inc., located in Cupertino, California). In yet another example, the system runs in... On the operating system (Android is a registered trademark of Google Inc., Mountain View, California). In another example, the system runs on... On the operating system (Linux is a registered trademark of Linus Torvalds of Boston, Massachusetts). The application is very flexible and can run in a variety of different environments without affecting any of its main functions.
[0101] As used herein, elements or steps described in the singular and beginning with "a" or "an" should be understood to not exclude plural elements or steps unless such exclusion is explicitly stated. Furthermore, references to "example" or "an example" in this disclosure are not intended to be construed as excluding the existence of additional examples that also include the described features. Moreover, for the purposes of the use herein of the terms "includes," "including," "has," "contains," and variations thereof, these terms are intended to be included in a manner similar to the term "comprises" as an open transition word, without excluding any additional or other elements.
[0102] As used herein, the terms “software” and “firmware” are used interchangeably and include any computer program stored in memory for execution by a processor, including RAM memory, ROM memory, EPROM memory, EEPROM memory, and non-volatile RAM (NVRAM) memory. The memory types described above are merely examples and are not intended to limit the types of memory that can be used to store computer programs.
[0103] Furthermore, as used herein, the term "real-time" refers to at least one of the following: the time when a relevant event occurs, the time when predetermined data is measured and collected, the time when the data is processed, and the time when the system responds to the event and the environment. In the examples described herein, these activities and events occur essentially instantaneously.
[0104] The methods and systems described herein can be implemented using computer programming or engineering techniques, including computer software, firmware, hardware, or any combination or subset thereof. As disclosed above, at least one technical problem with existing systems is the need for systems for monitoring communication networks that can change over time. The systems and methods described herein address this technical problem. Furthermore, at least one technical solution to the technical problem provided by this system may include: (i) real-time monitoring of message traffic data; (ii) monitoring of encrypted message traffic; (iii) improved detection of infrequent or small data packet flows in other traffic; (iv) allowing message traffic monitoring without requiring significant infrastructure updates; (v) monitoring message traffic data of changing networks; and (vi) requiring fewer packet data to allow monitoring of message traffic data.
[0105] The methods and systems described herein can be implemented using computer programming or engineering techniques (including computer software, firmware, hardware, or any combination or subset thereof), wherein the technical effects are achieved by performing at least one of the following steps: a) calculating the arrival interval time and packet duration of multiple data packets received over a network based on packet information, wherein the packet information includes the arrival time associated with the multiple data packets, the length of the multiple data packets, and the bit rate of the multiple data packets, wherein the computer system is associated with a packet switch; b) filtering the packet information to remove noise; c) generating at least one histogram based on the packet information, arrival interval time, and packet duration; d) generating a power spectral density estimate based on the packet information, arrival interval time, and packet duration; e) analyzing at least one histogram and power spectral density estimate to detect one or more unexpected data streams; f) reporting one or more unexpected data streams; g) determining packet information based on reviewing multiple data packets transmitted by the computer system; h) adjusting multiple data packets... Based on the arrival interval time of packets, remove one or more gaps; i) calculate the arrival interval rate of multiple data packets based on packet information; j) calculate the median arrival interval rate of multiple data packets; k) adjust the arrival interval time based on the median arrival interval rate to remove one or more gaps; l) apply detection criteria to the histogram results of multiple data packets to filter packet information to remove noise; m) detect one or more data streams and power spectral density estimates in at least one histogram; n) compare one or more detected data streams with one or more expected data streams; o) detect one or more unexpected data streams based on the comparison; p) filter one or more expected data streams from at least one histogram; o) analyze at least one filtered histogram to detect one or more unexpected data streams; p) receive a security policy including one or more expected data streams; q) store the security policy; r) store multiple security policies, each of the multiple security policies being associated with the network configuration; and s) activate the security policy associated with the current configuration of the network.
[0106] In some examples, the technical effect can be achieved by performing at least one of the following steps: a) receiving packet information of multiple data packets transmitted over the network by a processor; b) calculating the arrival interval time of the multiple data packets by a processor based on the packet information; c) calculating the packet duration of the multiple data packets by a processor based on the packet information; d) filtering the packet information by a processor to remove noise; e) generating at least one histogram by a processor based on the packet information, arrival interval time, and packet duration; f) generating a power spectral density estimate by a processor based on the packet information, arrival interval time, and packet duration; g) analyzing at least one histogram and power spectral density estimate by a processor to detect one or more unexpected data streams; h) reporting one or more unexpected data streams by a processor; i) calculating based on review... The computer system transmits multiple data packets to determine packet information; j) adjusts the arrival interval time of the multiple data packets to remove one or more gaps; k) calculates the arrival interval rate of the multiple data packets based on the packet information; l) calculates the median arrival interval rate of the multiple data packets; m) adjusts the arrival interval time based on the median arrival interval rate to remove gaps; n) applies a detection threshold to the histogram results of the multiple data packets to filter the packet information, thereby removing noise; o) detects one or more data streams in at least one histogram and power spectral density estimate; p) compares one or more detected data streams with one or more expected data streams; q) filters one or more expected data streams from at least one histogram; and r) analyzes at least one filtered histogram to detect one or more unexpected data streams.
[0107] In some examples, the technical effect can be achieved by performing at least one of the following steps: a) receiving a security policy to be executed on the system, wherein the security policy includes configuration data; b) receiving packet information of multiple data packets transmitted over the network; c) calculating the arrival interval time of the multiple data packets based on the packet information and the security policy; d) calculating the packet duration of the multiple data packets by a processor based on the packet information; e) filtering the packet information to remove noise based on the security policy; f) generating at least one histogram based on the packet information, arrival interval time, and packet duration; h) generating a power spectral density estimate based on the packet information, arrival interval time, and packet duration; i) analyzing at least one histogram and power spectral density estimate based on the security policy to detect one or more unexpected data streams; j) reporting one or more unexpected data streams; and k) adjusting the arrival interval time of the multiple data packets based on the security policy to remove one or more gaps.
[0108] The computer-implemented methods discussed herein may include additional, fewer, or alternative actions, including those discussed elsewhere herein. These methods may be implemented by one or more local or remote processors, transceivers, servers, and / or sensors (such as processors, transceivers, servers, and / or sensors mounted on or associated with intelligent infrastructure or remote servers), and / or by computer-executable instructions stored on one or more non-transitory computer-readable media. Furthermore, the computer systems discussed herein may include additional, fewer, or alternative functions, including those discussed elsewhere herein. The computer systems discussed herein may be implemented, or via computer-executable instructions stored on one or more non-transitory computer-readable media.
[0109] As used herein, the term "non-transitory computer-readable medium" is intended to represent any tangible computer-based device implemented in any way or by any technique for short-term and long-term storage of information, such as computer-readable instructions, data structures, program modules and submodules, or other data in any device. Therefore, the methods described herein can be encoded as executable instructions contained in a tangible, non-transitory computer-readable medium, including but not limited to storage devices and / or memory devices. When executed by a processor, such instructions cause the processor to perform at least a portion of the methods described herein. Furthermore, as used herein, the term "non-transitory computer-readable medium" includes all tangible computer-readable media, including but not limited to non-transitory computer storage devices, including but not limited to volatile and non-volatile media, and removable and non-removable media, such as firmware, physical and virtual storage devices, CD-ROMs, DVDs, and any other digital sources, such as networks or the Internet, and digital constructs to be developed, with the sole exception of transient propagation signals.
[0110] Furthermore, this disclosure includes embodiments pursuant to the following provisions:
[0111] Clause 1. A system for detecting malicious traffic flows in a network (200), comprising a computer system (1710) including at least one processor (1905) communicating with at least one memory device (1910), wherein the at least one processor (1905) is programmed to:
[0112] Based on the packet information received for multiple data packets transmitted through the network (200), the arrival interval (408) and packet duration (420) of multiple data packets are calculated;
[0113] Filter grouped information to remove noise;
[0114] At least one histogram (600) is generated based on the grouping information, arrival interval time (408), and grouping duration (420);
[0115] Power spectral density estimates are generated based on grouping information, arrival interval (408), and grouping duration (420);
[0116] Analyze at least one histogram (600) and power spectral density estimate to detect one or more unexpected data streams; and
[0117] Report one or more unexpected data streams.
[0118] Clause 2. The system according to Clause 1, wherein at least one processor (1905) is further programmed to determine packet information based on examining multiple data packets transmitted by the computer system (1710).
[0119] Clause 3. The system according to Clause 1 or 2, wherein the packet information includes arrival time (402) associated with multiple data packets, length of multiple data packets (404) and bit rate of multiple data packets (406).
[0120] Clause 4. The system according to any one of Clauses 1-3, wherein at least one processor (1905) is further programmed to adjust the arrival interval (408) of a plurality of data packets to eliminate one or more gaps.
[0121] Clause 5. The system according to Clause 4, wherein at least one processor (1905) is further programmed to:
[0122] The arrival interval rate of multiple data packets is calculated based on the packet information (412);
[0123] Calculate the median arrival interval (412) for multiple data groups; and
[0124] Adjust the arrival interval time (408) to remove one or more gaps based on the median arrival interval rate (412).
[0125] Clause 6. The system according to any one of Clauses 1-5, wherein at least one processor (1905) is further programmed to apply detection criteria to the histogram results of multiple data groups to filter group information, thereby removing noise.
[0126] Clause 7. The system according to any one of Clauses 1-6, wherein at least one processor (1905) is further programmed to:
[0127] Detect one or more data streams in at least one histogram (600) and power spectral density estimation; and
[0128] Compare one or more detected data streams with one or more expected data streams.
[0129] Clause 8. The system according to Clause 7, wherein at least one processor (1905) is further programmed to detect one or more unexpected data streams based on comparison.
[0130] Clause 9. The system pursuant to Clause 7, wherein at least one processor (1905) is further programmed to:
[0131] Filter one or more expected data streams from at least one histogram (600); and
[0132] Analyze at least one filter histogram (600) to detect one or more unexpected data streams.
[0133] Clause 10. The system according to Clause 7, wherein at least one processor (1905) is further programmed to:
[0134] Receive security policies including one or more expected data streams; and
[0135] Storage security policy.
[0136] Clause 11. The system according to Clause 10, wherein at least one processor (1905) is further programmed to store a plurality of security policies, wherein each of the plurality of security policies is associated with a configuration of the network (200).
[0137] Clause 12. The system according to Clause 11, wherein at least one processor (1905) is further programmed to activate a security policy associated with the current configuration of the network (200).
[0138] Clause 13. A system pursuant to any of Clauses 1-12, wherein the computer system (1710) is associated with a packet switch.
[0139] Clause 14. A method for detecting malicious traffic flows in a network (200), the method being implemented by a computer system (1710) including at least one processor (1905) communicating with at least one memory device (1910), wherein the method comprises:
[0140] The processor (1905) receives packet information of multiple data packets transmitted through the network (200);
[0141] The processor (1905) calculates the arrival interval (408) of multiple data packets based on the packet information;
[0142] The processor (1905) calculates the packet duration (420) of multiple data packets based on the packet information;
[0143] The processor (1905) filters the grouped information to remove noise;
[0144] The processor (1905) generates at least one histogram (600) based on the packet information, arrival interval (408), and packet duration (420);
[0145] The power spectral density estimate is generated by the processor (1905) based on the grouping information, arrival interval (408), and grouping duration (420);
[0146] The processor (1905) analyzes at least one histogram (600) and power spectral density estimate to detect one or more unexpected data streams; and
[0147] One or more unexpected data streams are reported by the processor (1905).
[0148] Clause 15. The method described in Clause 14 further comprises adjusting the arrival interval (408) of multiple data packets to remove one or more gaps.
[0149] Clause 16. The method described pursuant to Clause 14 or 15 further comprises:
[0150] The arrival interval rate of multiple data packets is calculated based on the packet information (412);
[0151] Calculate the median arrival interval (412) for multiple data groups; and
[0152] The arrival interval time (408) is adjusted based on the median arrival interval rate (412) to remove gaps.
[0153] Clause 17. The method described pursuant to Clause 15 or 16 further comprises:
[0154] Detect one or more data streams in at least one histogram (600) and power spectral density estimation; and
[0155] Compare one or more detected data streams with one or more expected data streams.
[0156] Clause 18. The method described pursuant to Clause 17 further comprises:
[0157] Filter one or more expected data streams from at least one histogram (600); and
[0158] Analyze at least one filter histogram (600) to detect one or more unexpected data streams.
[0159] Clause 19. A system for detecting malicious traffic flows in a network (200), comprising a computer system (1710) including at least one processor (1905) communicating with at least one memory device (1910), wherein the at least one processor (1905) is programmed to:
[0160] Receive the security policy to be executed on the system, wherein the security policy includes configuration data;
[0161] Receive packet information of multiple data packets transmitted via the network (200);
[0162] The arrival interval of multiple data packets is calculated based on packet information and security policies (408);
[0163] The processor (1905) calculates the packet duration (420) of multiple data packets based on the packet information;
[0164] Filtering packet information based on security policies to remove noise;
[0165] At least one histogram (600) is generated based on the grouping information, arrival interval time (408), and grouping duration (420);
[0166] Power spectral density estimates are generated based on grouping information, arrival interval (408), and grouping duration (420);
[0167] Based on security policy analysis, at least one histogram (600) and power spectral density estimate are used to detect one or more unexpected data streams; and
[0168] Report one or more unexpected data streams.
[0169] Clause 20. The system according to Clause 19, wherein at least one processor (1905) is further programmed to adjust the arrival interval (408) of multiple data packets based on a security policy to eliminate one or more gaps.
[0170] This written description uses examples to disclose various implementations, including the best mode, and also enables those skilled in the art to practice various implementations, including making and using any device or system and performing any combined methods. The patentable scope of this disclosure is defined by the claims and may include other examples that would occur to those skilled in the art. Such other examples are intended to be within the scope of the claims if they have structural elements that are not different from the literal language of the claims, or if such other examples include equivalent structural elements that are not substantially different from the literal language of the claims.
Claims
1. A system for detecting malicious traffic flows in a network (200), comprising a computer system (1710) including at least one processor (1905) communicating with at least one memory device (1910), wherein the at least one processor (1905) is programmed to: Based on the packet information received for multiple data packets transmitted through the network (200), the arrival interval (408) and packet duration (420) of the multiple data packets are calculated; Filter the group information to remove noise; At least one histogram (600) is generated based on the grouping information, the arrival interval time (408), and the grouping duration (420); A power spectral density estimate is generated based on the grouping information, the arrival interval time (408), and the grouping duration (420); Analyze the at least one histogram (600) and the power spectral density estimate to detect one or more unexpected data streams; as well as The report describes one or more unexpected data streams.
2. The system of claim 1, wherein the at least one processor (1905) is further programmed to determine the packet information based on examining a plurality of data packets transmitted by the computer system (1710).
3. The system according to claim 1 or 2, wherein the packet information includes arrival time (402) associated with the plurality of data packets, length (404) of the plurality of data packets, and bit rate (406) of the plurality of data packets.
4. The system according to claim 1 or 2, wherein the at least one processor (1905) is further programmed to adjust the arrival interval (408) of the plurality of data packets to remove one or more gaps.
5. The system according to claim 4, wherein the at least one processor (1905) is further programmed to: The arrival interval rate (412) of the plurality of data packets is calculated based on the packet information; Calculate the median arrival interval rate (412) of the plurality of data groups; and The arrival interval time (408) is adjusted based on the median arrival interval rate (412) to remove the one or more gaps.
6. The system according to claim 1 or 2, wherein the at least one processor (1905) is further programmed to apply detection criteria to the histogram results of the plurality of data groups to filter the grouping information thereby removing the noise.
7. The system according to claim 1 or 2, wherein the at least one processor (1905) is further programmed to: Detect one or more data streams in the at least one histogram (600) and the power spectral density estimation; and The one or more detected data streams are compared with one or more expected data streams.
8. The system of claim 7, wherein the at least one processor (1905) is further programmed to detect the one or more unexpected data streams based on the comparison.
9. The system of claim 7, wherein the at least one processor (1905) is further programmed to: Filter the one or more expected data streams from the at least one histogram (600); and Analyze at least one filtered histogram (600) to detect the one or more unexpected data streams.
10. The system of claim 7, wherein the at least one processor is further programmed to: Receive security policies including the one or more expected data streams; and Store the security policy.
11. The system of claim 10, wherein the at least one processor is further programmed to store a plurality of security policies, wherein each of the plurality of security policies is associated with a configuration of the network.
12. The system of claim 11, wherein the at least one processor is further programmed to activate a security policy associated with the current configuration of the network.
13. The system of claim 1, wherein the computer system is associated with a packet switch.
14. A method for detecting malicious traffic flows in a network (200), the method being implemented by a computer system (1710) including at least one processor (1905) communicating with at least one memory device (1910), wherein the method comprises: The processor (1905) receives packet information of multiple data packets transmitted through the network (200); The processor (1905) calculates the arrival interval (408) of the plurality of data packets based on the packet information; The processor (1905) calculates the grouping duration (420) of the plurality of data packets based on the grouping information; The processor (1905) filters the packet information to remove noise; The processor (1905) generates at least one histogram (600) based on the packet information, the arrival interval (408), and the packet duration (420); The processor (1905) generates a power spectral density estimate based on the grouping information, the arrival interval time (408), and the grouping duration (420); The processor (1905) analyzes the at least one histogram (600) and the power spectral density estimate to detect one or more unexpected data streams; as well as The processor (1905) reports the one or more unexpected data streams.
15. The method of claim 14, further comprising adjusting the arrival interval of the plurality of data packets to remove one or more gaps.
16. The method of claim 14, further comprising: The arrival interval rate of the multiple data packets is calculated based on the grouping information; Calculate the median arrival interval rate of the plurality of data groups; and The arrival interval time is adjusted based on the median arrival interval rate to remove gaps.
17. The method of claim 15, further comprising: Detecting one or more data streams in the at least one histogram and the power spectral density estimation; and The detected one or more data streams are compared with one or more expected data streams.
18. The method of claim 17, further comprising: Filter the one or more expected data streams from the at least one histogram; and Analyze the filtered at least one histogram to detect the one or more unexpected data streams.
19. A system for detecting malicious traffic flows in a network, comprising a computer system including at least one processor communicating with at least one memory device, wherein the at least one processor is programmed to: Receive a security policy to be executed on the system, wherein the security policy includes configuration data; Receive packet information of multiple data packets transmitted through the network; The arrival interval of the multiple data packets is calculated based on the packet information and the security policy; The processor calculates the grouping duration of the plurality of data packets based on the grouping information; The packet information is filtered based on the security policy to remove noise; Generate at least one histogram based on the grouping information, the arrival interval time, and the grouping duration; A power spectral density estimate is generated based on the grouping information, the arrival interval time, and the grouping duration. Based on the security strategy, analyze the at least one histogram and the power spectral density estimate to detect one or more unexpected data streams; as well as The report describes one or more unexpected data streams.
20. The system of claim 19, wherein the at least one processor is further programmed to adjust the arrival interval of the plurality of data packets based on the security policy to eliminate one or more gaps.